John Mancini, in his Digital Landfill blog, makes the point that if we want management to care about information governance, they need to know why (http://bit.ly/14JCJI5).
I think the Board needs to tell them, and if the Board doesn’t, then it’s a Board failure. If management disagrees with the Board, they have the option of leaving.
I argue that the Board has a duty to take reasonable steps to protect the assets of the company, including the information assets. And the corporation has a duty to comply with the law. And the Board needs to take steps to verify that management is taking steps to protect the assets and comply with the law. Given the number of laws that apply, it would be difficult for a company to do a pretty good job of protecting and complying if the Board doesn’t make a single person accountable for protecting the information assets and complying with the information-related laws.
So, why not a Chief Information Management Officer? The CIO doesn’t do it, and the CISO (Chief Information Security Officer) only does a part of it.