Making the Case for Information Governance

By Barclay Blair

(Back to article)

In my last column, IT's Time for Information Governance, I provided an introduction to the concept of information governance (IG) and why it is an urgent and relevant concept for CIOs.

As promised, in this column, I am going to start to sketch out the case for IG. This is critical, because success in IG requires fundamental changes to the way that companies think about information and how they should manage it. This means that IG, more than anything, is a change management exercise. And change management requires powerful simple messages to drive it. That’s what I hope to provide here and in my next few columns.

Reason #1: We can’t keep everything forever

“Information workers, who comprise about 63% of the U.S. work force, are each bombarded with 1.6 gigabytes of information on average every day through emails, reports, blogs, text messages, calls and more.” - “Don’t You Dare Email This Story,” Wall Street Journal

IG makes sense because it enables organizations to get rid of unnecessary information in a defensible manner. Organizations need a sensible way to dispose of information in order to reduce the cost and complexity of IT environment. Having unnecessary information around only makes it more difficult and expensive to harness information that has value.

Most statistics on the volume of digital information organizations create contain numbers so large that they are hard to comprehend (for example, “the digital universe” is estimated by IDC at 281 exabytes in size or 1 EB = 1,000,000,000,000,000,000 (1018 bytes) = 1 million terabytes = 1 billion gigabytes). Organizations experience 30, 50, or even 100 percent annual growth in the volume of information they store. And the trend doesn’t seem to be slowing down.

Although the cost of storage hardware continues to drop, storage hardware costs are just the beginning. According to IDC, the total cost of storage ownership “far outweighs the initial purchase price” of the hardware, and includes factors such as migration, outage, performance, information governance, environmental, data protection, maintenance, and staff costs.

Organizations often claim that they are just keeping a piece of information “for now.” Without a firm plan in place, this really means “keeping it forever.” After all, unless you plan on keeping a piece of information forever, you will need to make a destruction decision about it at some point.

Will that destruction decision be easier or more difficult in the future? After all, in three, five, or ten years will:

IG, with its legal and compliance foundations, provides a defensible approach to disposing of unnecessary information. The combination of good policies around retention of information during normal business operations and preservation of information during legal holds and litigation or regulatory investigation protects your organization.

It's important to note that the law doesn’t require us to keep everything forever, but only IG provides a defensible framework to help us get rid of the information we don’t want and aren’t required to keep.

Reason #2: We can’t throw everything away

“Ensuring the right information is available to users when needed is regarded as the highest business priority for large companies . . . and the vast majority of decision-makers believe that an effective information strategy has a very significant impact on this top business goal.” - “Managing Information: Research Study on Customer Priorities and Challenges,” RONIN Corporation

IG makes sense because organizations can’t keep everything forever, nor can they throw everything away. We need the right information, in the right place, at the right time. Only IG provides the framework to make good decisions about what information to keep.

If we could throw away every piece of information created and received in our institutions whenever we wanted to, there would be little need for IG. The reality, of course, is much different. Information is how we do business and, to a greater degree each year, business success is influenced by how well we manage that information. Although most information is created by individuals, enterprises are responsible for the security, privacy, reliability, and compliance of most of the information these individuals create. This is the role of IG.

Some information we keep because of its business value. Some we keep because of legal requirements. By some calculations, there are thousands of laws and regulations in the U.S. alone that speak to the way organizations must manage their information. The role of IG is to parse those laws and regulations into practical policies and retention schedules that guide the organization on its proper management.

Without an IG program, organizations are at risk of breaking the law. Certain external events, such as litigation or a regulatory investigations, also create special legal requirements for the management of information. In these situations, even information that could normally be thrown away has to be preserved and properly managed. Failure to do so opens an organization and its employees up to serious criminal and civil penalties, such as those spelled out in Section 802 of Sarbanes Oxley:

“Whoever knowingly . . . destroy[s] . . . any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter . . . shall be fined under this title, imprisoned not more than 20 years, or both.

We can’t throw everything away. We need some way to determine which information has value either because of business goals or legal requirements. IG helps us with this.

Reason #3: E-Discovery

“It costs about 20 cents to buy 1GB of storage, however, it costs around $3500 to review 1 GB of storage.”- AIIM International Email Management ROI Calculator

IG makes sense because it reduces the cost and pain of legal discovery, now referred to as ediscovery since most information is stored electronically. Proactively managing information reduces the volume of information subject to ediscovery and simplifies the task of finding and producing responsive information.

In the past five years, ediscovery has evolved from a specialized legal issue into a disruptive force in the business, IT, legal, and information management realms. This transformation was kicked off in the U.S. by the 2006 amendments to the Federal Rules of Civil Procedure, and fueled by years of inattention to information management at many organizations, which had allowed vast stockpiles of unnecessary email, documents, and databases to accumulate.

Today, organizations can expect to spend millions of dollars finding, processing, and producing responsive digital information in the course of a major lawsuit. According to Fullbright and Jaworski LLP, one in five large organizations spends more than $10 million each year on litigation (excluding settlements and judgments). By 2011, it is expected that organizations will spend nearly $5 billion annually on ediscovery tools, according to Forrester.

The expense of ediscovery comes from many sources, but one of the most significant is the cost of finding, processing, and reviewing information that has been unnecessarily retained. The law on this point is quite simple: if you possess information at the time you know or suspect it will be responsive to a legal matter, you must preserve it -- even if you could have normally disposed of it in accordance with your records management program.

The proactive nature of IG means that unnecessary information is disposed of as soon as it is no longer needed and all legal requirements for its retention or preservation have been satisfied. IG enables us to get rid of unnecessary information in a defensible manner. As such, it can reduce the amount of information that needs to be reviewed in the course of a legal matter.

When working with clients, it is not uncommon to find that 75 to 95 percent of the information created by the organization in the email system, for example, has no long-term business value or legal retention requirement and can be disposed of in the ordinary course of business. These percentages vary by system and industry, but the amount of “record” content is usually much lower than “non-record.” Further, a good IG program reduces the amount of duplicate information stored by an enterprise. Duplication is expensive and wasteful. In our ediscovery practice, it is not uncommon to find that 30 percent or more of the data we collect from clients is duplicate information.

The value of IG then, is that it can help organizations defensibly reduce the amount of information stored by orders of magnitude -- a benefit that is felt not only in reduced management costs, but also reduced e-discovery costs and risks.

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors, and government institutions, author, speaker, and internationally recognized authority on a broad range information governance issues. He is the founder and principal of ViaLumina Group, Ltd. His blog, Essays in Information Governance , is highly regarded in the information governance community. Barclay is the award-winning author of several books, including Information Nation, and is currently writing Information Governance for Dummies. Barclay is a faculty member of CGOC (www.cgoc.com).