Designing an Information Governance Program
By Richard Kessler
Big data holds promise for firms that can collect and analyze it, but information governance leaders, especially those at multinational organizations, are struggling with a dilemma: The value of information declines over time, but the costs and risks associated with it don’t.
Information life-cycle governance (ILG) programs respond to this challenge, reducing information costs and risks by incorporating the value of information to the various stakeholders—business users, legal and compliance, records information management (RIM), privacy and security, and IT—and disposing of all information that has no value. Creating such a program is particularly challenging for multinational organizations, but it can be done with the right strategy, the right team and the right tools.
The massive volumes of information that organizations collect today come from a variety of sources, including social media feeds, company email, customer interactions, slide presentations and more. But much of this information loses its value quickly.
For example, social media feeds are great for trend analysis, but the business value can disappear within days. Meanwhile, much of the email stored on corporate servers loses its value as soon as it’s read. The storing of “data debris” is widespread.
According to a 2012 Compliance, Governance and Oversight (CGOC) survey, at any given time, 1 percent of corporate information is typically on litigation hold, 5 percent is in a records category, and 25 percent has current business value. This means that 69 percent of information in most companies has no current business, legal or regulatory value.
Keeping all this data is expensive. Despite the continual decrease in the unit cost of storage, other technology costs related to processing and accessing the information, retaining and producing it for regulators, and preserving and producing it for litigation are extremely high and rise as information ages.
While the obvious and logical response to this should be to delete information that loses its value, significant obstacles keep this from occurring. Despite the costs, many organizations have adopted a “retain all data just in case” strategy to avoid the possibility of deleting any information that might be of use to business users or required in the event of litigation.
While well-intentioned, this approach actually increases costs and risks. During litigation, the legal department must put far more information than necessary through the expensive legal review process. Also, business users are often frustrated by the inability to locate the information they need on data stores that are proliferating.
An additional obstacle to getting rid of data debris is that even if IT recognizes the cost benefits of regular deletion, it doesn’t have the information or insight to properly identify what data has no value. Meanwhile, legal, RIM and business users—the people who do have the knowledge to assign value to information—most often do not communicate this information to IT because of the time and effort required to do so.
For large, geographically dispersed organizations, the challenges are even greater. In addition to the decentralization of information management in general, these organizations must contend with rapidly evolving and often conflicting privacy regulations in the United States and the rest of the world.
To address and overcome these obstacles, organizations must align and reconcile the needs of all information stakeholders. An ILG program can enable organizations to identify information that has legal, regulatory, business, or privacy and security value and defensibly dispose of all else.
Defensible disposal can dramatically reduce the amount of data retained by an organization—and therefore reduce information costs. It also ensures that all valuable information is protected and that all data that can and should be deleted is removed within appropriate time frames.
Creating an ILG
Creating and developing an ILG program requires bringing together the right people, assessing existing processes against the right criteria and acquiring the right technology.
People: Developing a collaborative approach to information across multinational organizations requires very careful consideration of the cross-functional team. An executive committee may include the global director of RIM, CIO, chief financial officer, general counsel and similar roles. An advisory group composed of functional representatives and line-of-business leaders can oversee implementation of the ILG strategy, identify and manage risks, and ensure policy compliance.
A global program office should drive and measure progress toward goals and direct the efforts of a working group that defines, develops and instruments the relevant processes. The internal audit department can measure progress toward the goals, report on process failures, help identify failure causes and ensure accountability for fixing issues.
Processes: The CGOC has identified 16 key business processes that should be developed maturely across multinational organizations to reduce risk and enable defensible disposal. The maturity level of these processes must be assessed based on criteria ranging from ad hoc and inconsistent at the immature end, to integrated and instrumented at the mature end.
Each of the 16 processes has an inherent risk, such as the failure to properly identify custodians or inadvertently exposing private customer data. The ILG team must identify the various processes across the organization that need to be matured and assess the operational capacity required to develop them and make them globally consistent.
Technology: A technology solution can support the ILG program by:
· creating a global standard taxonomy, a global retention policy and a global glossary that remain up to date with changing laws and regulations and bridge communications across all stakeholders;
· developing a catalog that lists the business value of all information;
· managing and automating legal holds;
· syndicating information that’s valuable for the IT systems that have custody of it, and communicating this value to the managers of the systems and their data; and
· implementing a shared data source catalog across all stakeholder organizations, along with a secure repository where records can be managed and automatically thrown out.
Getting started with an ILG program can seem daunting, but dividing the program into high-level tasks makes it more manageable. For example, here is a sample program charter that can be modified to suit your specific organization:
· Define and manage policies, governance and operating models pertaining to information governance, such as e-discovery, records management, legal hold, data protection and disposal.
· Lead process development for e-discovery records management, archiving and disposal, such as e-discovery management, fulfillment, legal hold, collections and preservation.
· Provide and communicate business requirements and standards, such as the records-retention schedule and the configuration specifications for regulatory archives.
· Monitor and track policy compliance globally to ensure functional and regional consistency.
It’s also important to look for assistance from expert sources, such as the CGOC, a forum of more than 1,900 legal, IT, records, privacy and information management professionals. CGOC conducts primary research, has dedicated practice groups on challenging topics, and hosts meetings throughout the United States and Europe, where practice leaders convene to discuss discovery, retention, privacy and governance.
Another excellent resource on information governance programs is the Electronic Discovery Reference Model (www.edrm.net). An EDRM project, the Information Governance Reference Model, offers a common, practical and flexible framework for developing and implementing effective, actionable information management programs that unify stakeholder processes.
Richard Kessler, a faculty member of the CGOC, is executive director and head of Group Information Management & Discovery Services, IT Contracting and Shared Services Legal, at UBS. He is responsible for information governance, including records and information management, legal and regulatory archives, corresponding policies and strategy.
The opinions expressed in this article are those of the author and not necessarily those of UBS AG or its affiliates.