Speaking to corporate officers about Information Governance is similar to cautioning my toddler to hold on to the railing when she descends the staircase – I remind her every time, and she knows she should, but she usually doesn’t, which in turn results in her falling face first down the stairs. Crying and screaming follow, and inevitably the process repeats itself the next day. In the same way, corporate stakeholders understand and agree with the value created by Information Governance, and yet, it is often abandoned in the face of time constraints, budget pressures, and shifting priorities. The neglect of Information Governance policies has a direct correlation to rising business, infrastructure, and legal costs as well as creating the greatest risk to corporate assets. If you want to have a real impact on your business, make Information Governance the directive that coordinates all aspects of your organization.
Risk versus Cost
“Information Governance” has become a marketing buzzword, and there are many definitions that attempt to clarify its scope and purpose. In its 2014 annual report, the Information Governance Initiative provided a clear and concise definition:
Information Governance is defined as the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.
This is the core objective of Information Governance – maximize business value, minimize legal risk. The benefits of successful Information Governance programs are well documented: reduction in storage, IT, legal and eDiscovery costs; increase in efficiency, information value, and corporate assets. Information Governance saves money. So why is it that so many corporations are failing to implement Information Governance programs and policies? It comes down to perceived risk versus cost.
Time and time again, corporate officers are faced with difficult budget choices. Many still identify company-wide Information Governance policies as a luxury; why should they spend additional time, money and resources on a universal policy when individual departments already have it in their budget and charter to do the same? Information Technology, Human Resources, Legal, Management – each of these business functions has a specific charter; however, these siloes create the biggest risk because they inherently obfuscate the overall corporate objective: maximize value, minimize risk.
In the 2014 IGI Annual Report, 19 separate facets of Information Governance were identified, including Records and Information Management, Compliance, Information Security, eDiscovery, Data Storage, Finance and Business Operations. These facets exist within and across company functions, and demonstrate how Information Governance should be employed as the coordinating policy across departments. Consider the proliferation of personal mobile devices, social media, and cloud storage – the potential business risks of these technologies do not sit within one department, they straddle several – IT, Human Resources, Legal, to name only a few. In order to manage this risk, Information Governance must be taken out of the individual department siloes, and owned by the organization as a whole.
“Money's going to be spent… you can spend it now, or you can spend it later, but it's cheaper to spend it now.”
The holistic approach to Information Governance is not a new concept, and yet, corporations continue to gamble on existing programs rather than proactively overhaul their information management systems. Recent court decisions underpin how failures in Information Governance policies can impact legal proceedings.
In Pradaxa, the court imposed sanctions against defendants for various discovery abuses, most notably failure to preserve potentially relevant information from key custodians. Ultimately, the court concluded the defendants’ actions were in “bad faith” and imposed nearly $1 million in sanctions. In Ethicon, the court imposed sanctions against the defendant largely due to the failure to implement a sufficient and timely litigation hold notice. In Brown, the court addressed, among other things, the failure of defendants and counsel to uphold their discovery obligations. Most significant was defendant’s and counsel’s failure to address the preservation and collection of a web-based application used by defendant’s sales force. In all of these cases, observance of a holistic and informed Information Governance policy would have proactively addressed these failures, and saved the companies tens of millions of dollars in legal fees and fines.
The first step to any Information Governance assessment is completing a full and complete network and information data map. Where does your information reside? Who controls it? What regulations govern it? Remember, the core objective for Information Governance is to manage all of your information (i.e., your assets), not just your records. To do this, you must connect your legal, privacy and regulatory obligations to your relevant information. Is your company regulated by federal guidelines such as Sarbanes-Oxley or Dodd-Frank? Do you operate in international locations, which require special handling of personal and private information? Having this information will inform your next steps on data retention, transmittal, and disposal.
Perhaps the most important, and often overlooked, imperative for Information Governance is the need for it to fit your particular organization’s culture, structure, and strategy. Remember, governance policies are meant to maximize value, and minimize risk – if in reality they restrict an employee’s ability to satisfy their job requirements, they are more likely to be broken.
Next, evaluate your company’s information, and score its risk, value, and manageability. Some information scores high on all three dimensions, some scores low. The rating will define where the information should live within your Information Governance framework.
Finally, ARMA International reminds us that “effective information governance requires a continuous focus.” It’s not enough to put Information Governance policies in place. They must be regularly reviewed, and updated, in order to address changes in corporate need, and regulatory requirements.
“Trust is good; control is better”
A client once said to me, “Trust is good; control is better.” I am constantly reminded of this sentiment when faced with Information Governance objections. It’s not flashy, but it is the number one way corporate officers can maximize business value, and minimize legal risk.
As I remind my daughter, you can hold on to the railing and control your descent, or you can choose not to, and trust that you won’t fall. You decide.
This article was first published in CIO Review.