With many organisations struggling to deal with the rapid explosion of data, coupled with increasingly aggressive regulatory enforcement, how should they drive change in information governance?
This briefing reflects contributions from a panel of experts as part of a session on transforming risk and managing data at The Lawyer's Managing Risk and Litigation conference in November 2016.
The panellists: Jake Frazier, Global Information Governance & Compliance Services Leader, FTI Consulting
Nina Bryant, Unstructured Data Strategist, Deutsche Bank
Sarah Walker, Vice President & Global Chief Counsel, Aon Risk Solutions
The information governance challenge
Runaway data growth is probably one of the greatest risk factors facing organisations today.
According to a representative poll of over 80 senior legal, compliance and risk experts at the Managing Risk and Litigation conference, more than half of delegates expect data growth in their organisations to be between 20% and 40% over the next 12 months, with over a third expecting it to be greater than 40%.
With data growing unchecked for many years and expected to grow exponentially over the coming years, organisations face major challenges in complying with increasing regulations and managing the disposal of redundant, obsolete, trivial data. This is exacerbated by the prevalence of dark or unknown data, often stored on file shares, which means that, in some cases, businesses are not even able to estimate their potential risk exposure.
Organisations therefore need to implement defensible disposal and information governance (IG) programmes in order to stem or flatten the information growth curve and proactively mitigate risk.
FTI Consulting, Inc.
TRANSFORMING RISK: SHIFTING FROM REACTIVE TO PROACTIVE
It's a bit like a sink with the plug in and the tap running continuously it's overflowing and has been overflowing for some time now
Key drivers of IG
A further audience poll revealed that regulatory compliance is the primary driver for implementing an IG programme for more than two-thirds of delegates. Just under a quarter felt that the requirement to be better prepared to respond to litigation or investigations are the main driver, while the remainder of the audience believed cost reductions/ operational efficiencies are the most significant factor driving change.
Data breaches and regulatory risk
In addition to the substantial reputational risk of data breaches, regulatory changes such as the EU's General Data Protection Regulation (GDPR) and the Network Information Security (NIS) Directive involve potentially huge penalties for noncompliance. This has understandably led to a greater focus on ensuring that organisations have appropriate structures in place to govern personal data in compliance with the new regulations.
Investigation and litigation costs
Huge volumes of data held by corporations have resulted in significantly increased processing and review costs in disputes and investigations. The greater the volume of data, the higher the costs in terms of both internal and external counsel required as well as the technology needed to preserve, search and produce relevant information. Therefore, while the cost of storing data is relatively low, the financial burden associated with data disclosure and/or discovery is currently estimated to be around 13,500 per gigabyte. Some corporations struggle with large volumes of data and have to process and review hundreds or thousands of gigabytes of data, providing a sound financial rationale for disposing of unnecessary data.
Cost and operational efficiencies
The prevailing economic climate over the last few years has inevitably led many organisations to focus on IG as a means of achieving operational efficiencies and cost savings, in particular by having rigorous data disposal programmes in place. Although the unit cost of storing data is falling, the fully loaded cost associated with managing staff and the associated footprint of data again offers a compelling business case for the disposal of redundant, obsolete, and trivial data.
FTI Consulting, Inc.
Organisations need to focus on how to drive cultural change, how to address the key issues around effectively managing data, and how to engage all stakeholders across the business
the average cost of a data breach1
the potential penalty of not complying with GDPR3
the cost to review one GB of data2
The average year on year growth rate of corporate data4
Implementing effective IG and driving change
In order to solve the issue of runaway data growth, the key is to address the source of the problem, rather than the symptoms. Organisations should focus on three key areas in order to drive change.
1 Cross-functional collaboration: Best practice frameworks such as the Information Governance Reference Model (IGRM) reflect the importance of internal collaboration across business functions, stakeholder engagement and senior management buy-in to implement effective IG.
Particularly in larger organisations, where different functions may hold different pieces of the IG puzzle, breaking down silos and fostering crossfunctional dialogue across legal, risk, compliance, records, IT, privacy and security and the business is essential to success.
2 Solid foundations and policies: Managing data is not possible if the company does not know where all its systems and pockets of data are. This can be particularly problematic for firms that acquire or divest divisions, resulting in highly disparate systems. Companies have an obligation to have solid IG foundations in place in order to effect change and `make it real' at all levels of the organisation.
IG related policies should cover issues such as establishing a global data retention schedule, having clear senior management accountability for data retention and records management, and establishing an operating model with specific functions or roles to ensure organisation-wide compliance with regulations and retention policies.
3 Cultural change: Driving change and implementing a successful IG programme requires the right organisational culture.
While organisations may be able to get stakeholders to collaborate successfully, establish an appropriate policy framework and implement the necessary technology to address IG issues, success often depends on their ability to drive cultural and behavioural change throughout the organisation. This can be one of the most significant hurdles to overcome and should not be underestimated.
1 2016 Ponemon Cost of Data Breach Study . 2 RAND Study: Where the Money Goes, 2012 3 European Commission May 2016 4 Computerworld: "Data Growth Remains IT's Biggest Challenge, Gartner Says", Lucas Mearian
TRANSFORMING RISK: SHIFTING FROM REACTIVE TO PROACTIVE
When it comes to data and IG, businesses are putting their heads into the dragon's mouth. It is critical they understand that and ensure they have the right structures and resources in place
Ownership and accountability
An organisation should not underestimate the importance of having clarity over which part of the business is ultimately responsible for driving IG. There is often a degree of ambiguity over who holds overall accountability and ownership. Many organisations have traditionally looked to their IT function to take the lead or, given increasing regulatory scrutiny, to their legal and compliance teams. However, IG stretches across the entire business and effective risk management therefore requires accountability from within business operations.
Clearly, however, there is a key role for legal, compliance and risk functions in helping the business to understand and appreciate the severity of its obligations in an evolving regulatory environment and providing management boards with the information required to assess their appetite for risk in the context of business strategy. It is critical that these functions work hand-in-hand with the business to educate and advise on IG decisions.
Key action points
It is easy to be overwhelmed by the magnitude and complexity of IG, particularly for global multi-national firms operating in highly regulated industries or those with a litigious profile. However, the longer an organisation waits, the more painful it will be to bring runaway data under control. Here are three ways to get started with an IG programme:
1 Clean up: Getting rid of redundant, obsolete and trivial data can help save time and reduce costs associated with managing useless content. Using a combination of industry standard tools and interviews with the business and compliance can help accelerate this process.
2 Develop a business case: Embarking on an IG programme not only reduces your risk profile, but also helps to reduce costs associated with managing and reviewing excess data debris. There are quantifiable benefits associated with enhanced legal, records and IT operations as well as cost savings as a result of defensible disposal of data.
3 Get help: Don't be afraid to ask for help to make your pitch for sponsorship. There may be internal experts that you have in the organisation that may already be doing aspects of IG that are looking for additional stakeholder support. Additionally, engaging qualified external IG experts may help to get your programme off the ground more efficiently and provide the external validation and best practices needed to get funding from your steering committee.
Don't let perfection be the enemy of good.
While firms may take different approaches towards IG, the most important thing is to have an IG programme in place. Getting started is the most critical, but often the hardest, step when attempting to drive change. For businesses struggling to take the first step, it is often best to start in one area no matter how small demonstrate the benefit of IG, and then move toward an organisationwide programme.
Sonia Cheng Senior Director Information Governance & Compliance Services +44 (0)20 3727 1783 firstname.lastname@example.org
About FTI Consulting
FTI Consulting is an independent global business advisory firm dedicated to helping organisations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centres throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. For more information, visit www.fticonsulting.com and connect with us on Twitter (@FTIConsulting), Facebook and LinkedIn.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
2017 FTI Consulting Inc. All rights reserved