Many organizations think they are taking the right approach to information overload: buy ever-cheaper storage solutions, lower compliance risk by saving all data and focus more resources on solutions for turning all this data into actionable intelligence. Unfortunately, storing and managing data stores that only get bigger with time is very expensive, and instead of reducing risk, it dramatically increases costs and risks associated with e-discovery.
According to Gartner, IT shops already spend between 2 and 3 percent of revenues on data management, which can add up to hundreds of thousands or even millions of dollars each year. And according to IDC, corporate data volumes grew by about 50 percent last year. The fact is, no matter how inexpensive storage devices become, the total cost of managing data will continue to grow. And while some data must be retained for its business, legal or compliance value, retaining data that has no such value increases the complexity and cost of every hold issued by the legal department in response to an e-discovery request.
How can IT organizations defensibly dispose of data to control IT costs while satisfying the requirement for legal holds? The answer is a robust, cross-functional information governance program.
The Rise of Information Governance
Gartner defines information governance as "the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals." This complex definition reveals that the domain of information governance is a function of information management and also extends beyond it, because it implies managing information according to its legal and regulatory obligations.
In practical terms, a key operational business goal of information governance is to resolve the disconnect that exists between legal and record information management on one side, and IT on the other. Legal and RIM answer to a "records retention schedule," which defines not only how certain information must be stored but also how long information should be kept based on all the myriad complex laws and regulations that govern a business (e.g., privacy, safety, hiring practices, Sarbanes-Oxley, Dodd-Frank legislation, etc.).
While legal and RIM struggle to keep their records retention schedule up to date, they have no robust mechanism for communicating this schedule to IT. And even if they manage to publish an updated schedule, it is typically built around the now ancient concept of one paper form and one location for a record in any given class with no conflicts between country laws and no costs associated with choosing the longest retention period where several regulations apply.
In the face of this, IT, with its ever-changing, business-driven, complex and often global information storage structures and the same information existing in hundreds or thousands of places, has no way to confidently identify relevant information and ensure it gets retained or disposed of. Modernizing and unifying data governance processes based on information as digital data managed by IT, not RIM, is essential to reducing IT costs, improving regulatory compliance and ensuring a proper e-discovery process.
It Must Be an Enterprise-Wide Initiative
A study commissioned by the Compliance, Governance, and Oversight Council, in concert with the Electronic Discovery Reference Model and the new Information Management Reference Model project, set out to assess the gap and how companies are addressing the problem. This first-of-its-kind survey of legal, records and IT stakeholders from financial services, energy, life sciences, insurance, consumer goods, chemical and other industries asked participants what they perceived as the benefits and barriers to better information governance and how well the traditional tools and processes worked. The study captures the essence of painful compliance and governance disconnects, and in particular, the disconnects across legal, RIM and IT practitioners within the same company. Several survey findings underscore the problem's scope:
- Only 22 percent of responding companies are able to dispose of data today.
- Although most of today's data is electronic, 70 percent of respondents claimed their retention schedules were not actionable by IT or could be used only in disposition of physical records.
- A majority of IT respondents reported that they managed data volume by simply applying flat data quotas instead of strategically assigning business, legal or regulatory value to the data.
- Seventy percent of companies use "people glue" to connect legal duties and business value to information assets.
But there is also some good news:
- Ninety-eight percent of respondents believe defensible disposal of unnecessary data is a key outcome of an information governance program.
- Eighty-five percent reported that the most critical success factor to information governance is more consistent collaboration and systematic linkage among IT, legal and records.
Most illuminating perhaps, the survey reveals several areas of confusion around responsibilities, sponsorship and return on investment:
- When asked if RIM staff are involved in establishing, enabling or monitoring routine disposal of information, 60 percent of RIM respondents said yes, while 60 percent of IT respondents (typically from the same company) said no.
- Fifty-seven percent of companies have governance committees in place, but just 25 percent believe the right stakeholders are at the table.
- While data disposal was an objective for 98 percent of respondents, IT efficiency was a factor in executive sponsorship for just 12 percent of companies.
Clearly there is a disconnect.
Perhaps the biggest organizational challenge leading to this information governance disconnect is that no single department can independently achieve the desired goals and benefits. Legal holds practices, retention procedures (encompassing regulatory, privacy and business needs) and data management practices must move past departmental silos and intersect to meet legal obligations and business requirements to efficiently and defensibly dispose of data. It must be a true cross-functional practice requiring harmonization of activities involving thousands of individuals in a global organization.
The Economic Benefits of Disposal
That IT efficiency was a driver of information governance only 12 percent of the time suggests that executives remain unaware of the enormous economic benefits of data disposal. According to the 2010 Gartner study, "IT Metrics: IT Spending and Staffing Report," IT costs are 3.4 percent of revenue. IT spending is increasing faster than revenue, and 61 percent of the costs are a function of information volume, which is doubling every 18 months.
It's no coincidence that this sharp increase in data accumulation coincides with the 2004 Zubulake opinion on legal holds for electronic data and the emergence of the "keep everything" approach to mitigating legal risk as a substitute for a more precise legal hold definition and improved execution. A key problem here is the widely held misperception in the legal community that IT costs are trivial, declining naturally as a function of technology advances rather than headcount or budget reductions, and remain unaffected by blanket legal holds or the dictum "keep everything." This silo view ignores other departments' increasing, yet wasteful, management time spent and contributes to operational challenges inhibiting IT from working closely with legal and compliance staff on a coordinated approach to data disposition.
Modernizing data retention schedules based on the electronic form of data is essential to reducing both IT and compliance costs - both in terms of human resources and capital cost. The CGOC survey may point the way to how this can be accomplished. Some 30 percent of responding companies are already achieving information governance benefits and they exhibit four characteristics:
- Leaders in IT recognize that clear, reliable and specific instructions on what information to keep and what to eliminate can massively simplify compliance and can and have saved several hundreds of millions of dollars in large enterprises.
- Leaders in legal and records management recognize that having information stewards and custodians actually use legal holds and retention schedules is the hallmark of success - rather than merely publishing the retention schedules.
- CFOs recognize that when IT doesn't know what information to keep or eliminate, the company overspends on risk without actually reducing it, and therefore achieves lower profits.
- Executive committees recognize that operational excellence in information governance is strongly aligned with shareholder interests to reduce risk exposure and improve operating margins, and that well-run, cross-functional initiatives can produce material results on both measures.
This cross-functional awareness of the mutual benefits of information governance leads to getting the management support and funding necessary to put new systems in place, mandate changes in behavior and hold teams accountable for projected outcomes. In other words, only by working together can IT, legal and RIM make the necessary investments to:
- Systematically link the business requirements and processes in legal, RIM and IT to provide structural collaboration and transparency with systematic workflow and automated collaboration wherever possible. This is the only way to achieve an understanding of which holds and regulations apply to which data and systems and consistently dispose of information that has no business, legal or compliance value.
- Modernize the records management program so it can provide reliable, actionable information procedures to IT for execution. This is the only enforceable way that IT can manage data by its value, that legal can rapidly discover information and that the retention program can be systematically audited.
- Treat legal holds as an enterprise process rather than a legal task. This will ensure that legal can initiate - and IT can execute - legal holds so that people, records, information categories and data sources subject to a hold are properly identified.
- Ensure that IT, using its own terms and with little or no interpretation, can determine who and what is on hold, what is of value and what is subject to regulatory obligation.
While information governance requires a huge cross-functional effort, IT must realize that it will benefit most from the effort, not only by dramatically reducing costs, but also by developing the ability and agility to determine in real time how to more precisely and efficiently manage data for the enterprise.
For more information on information governance, check out the CGOC at www.cgoc.com and the Information Management Reference Model (IMRM) at www.edrm.net.