Best Practices for Information Governance

By Derek Gascon

It’s generally accepted that the more information we have, the better. Knowledge is power, right? And won’t big data lead to better products, more responsive customer service and enhanced shopping experiences?

That is true, but all that information also introduces significant cost and risk into an organization. In fact, because of the massive growth in the amount of information that typical enterprises collect and store, they are wasting millions of dollars in unnecessary costs and lost productivity, while also facing an increasing risk of compliance and legal violations.

In April 2014, the Compliance, Governance and Oversight Council (CGOC) brought together leading information lifecycle governance (ILG) practitioners from legal, records, security and IT for the 10th Annual CGOC Summit, “Information at Work: Reducing Data Cost & Risk.” Speakers from several Fortune 500 companies, including Joe Steffan, chief privacy compliance officer at Morgan Stanley; Karl Hennessee, vice president of law, technology and strategy at Halliburton; and Jason Federoff, director of records and information lifecycle management at Comerica, joined executives from UBS and Aon, as well as U.S. magistrate judge Kristen Mix, to discuss the trends and issues facing organizations as they seek to manage the information tsunami, control costs, and meet their legal and regulatory obligations.

Below, I’ve summarized the common themes and experiences based on the speakers’ ILG programs, as well as the top lessons and best practices that surfaced during the summit.

The following are the primary drivers that compel organizations to implement or improve ILG programs:

· Many executive and legal teams have fostered a “save everything” information culture to satisfy retention requirements, but businesses are now under increasing regulatory and cost pressures to dispose of some types of information after specific periods of time. They must understand what they have and where it is, and that must align with evolving regulations across jurisdictions. It’s virtually impossible to do this manually.

· Retaining too little information can result in fines and adverse judgments, but retaining excess means having to produce more than needed for e-discovery. This makes e-discovery more time-consuming and costly, and may provide litigants with more information than they are entitled to receive.

· Retaining massive amounts of information—and not really knowing what the organization has and where it is—opens the door to security breaches and the leaking of private and sensitive data.

· Although storage hardware costs continue to decrease, it becomes very expensive to keep expanding a storage infrastructure, which includes hardware and software licenses, network bandwidth, floor space and personnel. Also, while the value of information to the organization drops significantly over time, the cost to maintain that data does not.

· Business users waste time searching for information among massive file shares. When they can’t find what they need, they often reproduce it—wasting more time and creating more unnecessary data—or they use whatever information is at hand, even if it is not the latest or most accurate.

· According to IDC, 90 percent of digital data is “dark”: unstructured, untagged and untapped data that hasn’t been analyzed or processed. This means organizations really don’t know what information they have, where it’s located or its value. Organizations that don’t understand the value of their information can’t make appropriate decisions about what to save and what to eliminate.

· Existing business processes, company culture, corporate governance models and executive attitudes all make it difficult to achieve a holistic, disciplined approach to information governance.

Information Governance Best Practices

1. Start with coordination and buy-in.

First, develop policies by coordinating the needs of all key information stakeholders, including legal, compliance, risk management, HR, IT, data privacy, information security and the business units. Executive management must buy into the program and form a consensus regarding the high-level objectives and scope. For example, is the top priority cost reduction, risk reduction or increased productivity?

The coordination model also requires designated operational and business unit contacts or committees to meet routinely and document their progress. As the program is implemented, regular monitoring and feedback should take place to ensure that the program is reaching its targets and goals.

2. Understand your information economics.

The full value of an ILG program can be assessed by understanding an organization’s “information economics”: a holistic, enterprisewide perspective and approach to leveraging information as a strategic asset in support of key organizational objectives and initiatives for success. For example, if the objective is to improve decision making, information may be a key asset in a big data initiative. If the objective is to improve agility and speed of execution, information may be a key asset in a bring-your-own-device (BYOD) initiative.

The value of this strategic asset can be derived by comparing the cost to produce, distribute and consume the information with the top- and bottom-line benefits the initiative brings to the organization. The goal of an ILG program, then, is to improve an organization’s information economics: increasing top-line revenue growth through improved decision making, while delivering bottom-line cost savings through reduced risk and cost.