Just Do It: Making Information Governance Work

Organizations of all types and sizes recognize they must improve their information governance capabilities—and they must do so soon. They are already dealing with too much information, but data collection rates continue to accelerate, further increasing the cost and complexity burden on IT while raising legal, compliance and security concerns throughout the organization.

Conceptually, the solution is simple. If we reduce the amount of information we store or slow its growth, we reduce both risk and costs. For many organizations, however, taking the first step toward developing an information lifecycle governance (ILG) program that addresses data growth is the most difficult one. Most people think that ILG programs are tedious and fraught with complexity. They worry about a significant commitment of effort and budget. But companies that rely on ILG resources and best practices developed by the Compliance, Governance and Oversight Council (CGOC) often find that getting started on the journey can actually be much simpler than most people think. CGOC is a forum of legal, IT, records and information management professionals.

Consider a $5 billion healthcare company that in early 2014 had more than 3,500 employees, with an IT infrastructure that included 3,500 desktops and laptops, 5,000 email mailboxes, 300 file servers, 50 TB of SAN storage, and 80 applications that retained data. The offsite information inventory included 14,000 storage boxes (dating back to 1986) and 6,000 backup tapes.

Like many organizations, to ensure it met its records retention requirements, the company never threw anything away. It also cited other “data hoarder” excuses, including “disk space is cheap,” “Google can find anything, so it’s not a problem,” and “IT can just push a few buttons and find the emails you need,” among others.

But this strategy simply wasn’t sustainable. Even though the unit cost of storage keeps going down, building and maintaining an ever-growing storage platform is very expensive, especially when floor space and personnel are factored in. In addition, email growth is out of control, and email file stores, such as PST files, are hard to manage, let alone discover properly. There are also new privacy rules that require the elimination of data. Even legal departments, which often insist on the save-everything policy, are overwhelmed by the ballooning cost of producing ever-increasing amounts of information in response to an eDiscovery request.

Besides, according to a survey conducted by the CGOC, of the information a typical enterprise has stored, only approximately 1 percent is under a legal hold, only 5 percent is considered a record that must be retained, and only 25 percent has actual business value. This means that as much as 69 percent of all that accumulated information has no business, legal or regulatory value at all!

In deciding to act to improve information governance practices, providers should focus on three goals:

* Ensuring compliance with all applicable laws and regulations, including satisfying HIPAA, SOX and other regulations, fulfilling Department of Justice requests, abiding by subpoenas and legal holds, and following the Federal Rules of Civil Procedure (FRCP).

* Being good stewards of data by properly preserving what needs to be preserved while properly disposing of data that has lost its value.

* Making it easier for business users to find the high-value information they need by disposing of information they don’t need.

The ILG strategy used for achieving these goals is called “defensible disposal,” and it requires bringing expertise from the legal, compliance and IT departments together with key information stakeholders from the business side to lay out more comprehensive records retention and destruction policies, develop the procedures to implement and enforce those policies, and, where necessary, deploy the technology to support and automate implementation and enforcement. In addition to business data, the targets of the defensible disposal program included offsite storage, email stores, backup tapes, and call recordings.

The following guiding principles and best practices help simplify decision making and minimize any unnecessary complexity:

* Executive Sponsorship—Given that an ILG program requires the participation of multiple groups, may impact how people do their jobs, and likely requires some investment in new technology, executive support from the beginning is absolutely essential.

* A Joint Venture—Information governance and defensible disposal must be a joint effort among multiple departments.

* Who Runs the Show—Only legal and compliance can set policies related to what must be kept or eliminated. Only business users can assess what is of value to them. IT is the service provider, not a decision maker.

* Policy, Process, People—Every policy must be supported by a process, but ultimately people must be responsible for ensuring that the policies and processes are followed.

* Identify Value—After legal, compliance and business stakeholders have determined what must and can be kept, the goal is to encourage the automatic disposal of everything else.

* All Records, Everywhere—It doesn’t matter whether they are paper or electronic, structured or unstructured. Records are form and media agnostic.

* Monitor and Measure—Carefully and regularly monitor your processes to ensure the defensible disposal policies are being followed. Measure success to find areas that need improvement.

* Culture Is Hard to Change—Don’t expect immediate and universal buy-in. Educate and take relatively small and simple steps to minimize disruption and encourage buy-in.

David Wesch is an independent information governance consultant and a faculty member of CGOC (Compliance, Governance and Oversight Council). He previously served for two decades as director of enterprise records management at Cigna-HealthSpring.
