Information Governance: Trust is Good; Control is Better
Risk versus Cost
“Information Governance” has become a marketing buzzword, and there are many definitions that attempt to clarify its scope and purpose. In its 2014 annual report, the Information Governance Initiative provided a clear and concise definition:
Information Governance is defined as the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.
This is the core objective of Information Governance–maximize business value, minimize legal risk. The benefits of successful Information Governance programs are well documented: reduction in storage, IT, legal and eDiscovery costs; increase in efficiency, information value, and corporate assets. Information Governance saves money. So why is it that so many corporations are failing to implement Information Governance programs and policies? It comes down to perceived risk versus cost.
Time and time again, corporate officers are faced with difficult budget choices. Many still identify company-wide Information Governance policies as a luxury; why should they spend additional time, money and resources on a universal policy when individual departments already have it in their budget and charter to do the same? Information Technology, Human Resources, Legal, Management–each of these business functions has a specific charter; however, these silos create the biggest risk because they inherently obfuscate the overall corporate objective: maximize value, minimize risk.
“The core objective of Information Governance–maximize business value, minimize legal risk”
In the 2014 IGI Annual Report, 19 separate facets of Information Governance were identified, including Records and Information Management, Compliance, Information Security, eDiscovery, Data Storage, Finance and Business Operations. These facets exist within and across company functions, and demonstrate how Information Governance should be employed as the coordinating policy across departments. Consider the proliferation of personal mobile devices, social media, and cloud storage: the potential business risks of these technologies do not sit within one department; they straddle several–IT, Human Resources, Legal, to name only a few. In order to manage this risk, Information Governance must be taken out of the individual department silos and owned by the organization as a whole.
“Money's going to be spent….you can spend it now, or you can spend it later, but it's cheaper to spend it now.”
The holistic approach to Information Governance is not a new concept, and yet, corporations continue to gamble on existing programs rather than proactively overhaul their information management systems. Recent court decisions underpin how failures in Information Governance policies can impact legal proceedings.
In Pradaxa, the court imposed sanctions against defendants for various discovery abuses, most notably failure to preserve potentially relevant information from key custodians. Ultimately, the court concluded the defendants’ actions were in “bad faith” and imposed nearly $1 million in sanctions. In Ethicon, the court imposed sanctions against the defendant largely due to the failure to implement a sufficient and timely litigation hold notice. In Brown, the court addressed, among other things, the failure of defendants and counsel to uphold their discovery obligations. Most significant was defendants’ and counsel’s failure to address the preservation and collection of a web-based application used by defendant’s sales force. In all of these cases, observance of a holistic and informed Information Governance policy would have proactively addressed these failures, and saved the companies tens of millions of dollars in legal fees and fines.
The first step to any Information Governance assessment is completing a full and complete network and information data map. Where does your information reside? Who controls it? What regulations govern it? Remember, the core objective for Information Governance is to manage all of your information (i.e., your assets), not just your records. To do this, you must connect your legal, privacy and regulatory obligations to your relevant information. Is your company regulated by federal guidelines such as Sarbanes-Oxley or Dodd-Frank? Do you operate in international locations, which require special handling of personal and private information? Having this information will inform your next steps on data retention, transmittal, and disposal.
Perhaps the most important, and often overlooked, imperative for Information Governance is the need for it to fit your particular organization’s culture, structure, and strategy. Remember, governance policies are meant to maximize value and minimize risk–if in reality they restrict an employee’s ability to satisfy their job requirements, they are more likely to be broken.
Next, evaluate your company’s information, and score its risk, value, and manageability. Some information scores high on all three dimensions, some scores low. The rating will define where the information should live within your Information Governance framework.
Finally, ARMA International reminds us that “effective information governance requires a continuous focus.” It’s not enough to put Information Governance policies in place. They must be regularly reviewed, and updated, in order to address changes in corporate need, and regulatory requirements.
“Trust is good; Control, is better”
A client once said to me, “Trust is good; Control, is better.” I am constantly reminded of this sentiment when faced with Information Governance objections. It’s not flashy, but it is the number one way corporate officers can maximize business value, and minimize legal risk.
As I remind my daughter, you can hold on to the railing and control your descent, or you cannot, and trust that you won’t fall. You decide.