What is information governance?
You'll come across various definitions of information governance (IG), but a useful one comes from the analyst firm Gartner:
“The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
We know there is a lot to digest in that definition. We'll try to break it into more edible portions. Here are some important points to know about IG:
IG builds on a lot of the principles tied to traditional records management and enterprise content management. Those disciplines focus on the information lifecycle, how data is created, stored, organized, and ultimately deleted. IG speaks more to a comprehensive strategy, attempting to help organizations get the most value out of their digital information assets while minimizing potential risks. In that sense, IG is designed to guide records management and enterprise content management, not replace them, while also providing a framework for making smarter decisions with regards to what information is valuable and where it is best stored within the IT infrastructure.
Essential to Business Process
IG impacts many areas of the organization. Virtually every business process creates and relies on information to function effectively, so a company's IG strategy affects the entire organization, not just the IT and records departments.
Creating an IG strategy is a cross-disciplinary activity that relies on a multitude of stakeholders across the organization including IT, compliance, records management, legal, security/privacy, and business unit leaders. The Information Governance Reference Model (IGRM) shown below provides a helpful graphical representation of the cross-functional nature of IG.
When properly implemented, an IG strategy will allow you to, as they say, "separate the wheat from the chaff." That is, you will be able to focus on gaining insight and value from the content that actually has business value (estimated to be only about 30% of content in your network) while ignoring or deleting the redundant, obsolete, or trivial data that is clogging your servers.
Why Information Governance?
If you haven't noticed, we create a lot of data. The International Data Corporation (IDC) estimates that the digital universe doubles every couple years. Make no mistake, this data growth phenomenon - known as Big Data - creates a lot of opportunities for companies. All this digital information, when properly harnessed, drives faster, smarter decision making, delivers better insights into consumer behavior, and promotes greater efficiency. But from a legal and risk standpoint, Big Data can also be difficult to manage. A recent study from Forrester Research revealed that most companies estimate they are analyzing just 12 percent of their data. That means almost 90 percent of digital information is stored as "dark data," unstructured, untagged, and untapped.
In the days before Big Data, decisions on how and where data should be kept were mainly made by the individual employees who created and used the data (and this is still a prevalent model). Many companies have come to realize they need much more structure and centralized oversight into how data is stored, managed, and retained to protect against such things as the inadvertent disclosure or hacking of sensitive information, such as personally identifiable information (PII), personal health information (PHI) payment card information (PCI), or other confidential data. Records management and content management programs are designed to perform this important function but they tend to be applied reactively and have struggled to keep pace with the data deluge. And of course, there is always legal risk of information that could have been defensibly deleted hurting your case in future litigation if it is found to be responsive.
IG has emerged to fill this void by looking at information management much more comprehensively and proactively. If you revisit Gartner's definition above, you will see that IG is designed to connect the processes, roles, policies, standards, and metrics that traditionally have been managed as separate programs.
Though the price of data storage has fallen precipitously in recent years, that decline is far outpaced by the rate at which content is being created. Thus, data storage remains a significant cost drain for companies. That being said, a lot of people are hesitant to delete data, so IG can't be based solely on cost reduction. The more compelling reasons for adopting an IG program center on the ability to gain greater insights from the data that has business value and risk reduction. Significant data breaches can almost always be traced back to poor governance and create terrible publicity, damaging brands, and diminishing customer confidence (see the Sony data breach).
How does IG relate to E-Discovery?
You might be wondering why have IG in a guide about e-discovery. In fact, e-discovery and IG are very interrelated (after all, IG is listed as the first stage of the Electronic Discovery Reference Model (EDRM)).
Understanding the legal and regulatory obligations with which the enterprise must comply is essential to IG. To support e-discovery requests, IT managers and legal counsel must work together to deliver reliable and timely access to potentially relevant ESI. It is often difficult to meet court-mandated deadlines, because data is stored on numerous sources (e.g., file servers, content management systems, desktops, laptops, mobile devices, archives, and other storage assets), each with specific access requirements. Identifying which IT assets are most relevant to a case is the first step; systematically suspending disposition policies, preserving the ESI, and proactively de-duplicating, indexing, and searching the data is where the true importance of IG comes into focus (see our data mapping description below).
Other elements of IG that directly impact e-discovery activities include:
An effective IG strategy supports greater e-discovery efficiency by reducing the amount of discoverable ESI that is stored across the organization and improving how information is organized, so legal teams can get to what they need much quicker.
How IG relates to e-discovery
To learn more about how IG relates to e-discovery, watch Exterro's recent webcast, "Making a Molehill out of a Mountain."
Unlike the other sections of this guide that look at individual e-discovery processes, IG is a framework that isn't defined by specific stages or workflows. It serves to support and guide other processes and programs across the organization by establishing a common set of rules, policies, and procedures. This all begs the question: what does IG ultimately look like? There isn't an easy answer to that question. Many companies have started the IG conversation but have yet to move from theory to practice. And that jump isn't an easy one. Creating an IG program is full of many significant challenges. Here are three common hurdles.
Common IG Hurdles
IG doesn't fit neatly into an existing corporate silo. As such, it's not always clear who is supposed to champion the cause. Like cars simultaneously stopped at a four way intersection, the end result is a lot of yielding among key stakeholders with no one really stepping up to get the wheels in motion. Some companies have even created the position of Chief Information Governance Officer (CIGO) as a way of dealing with the ambiguity surrounding IG ownership, a trend that figures to gain even more steam in the years ahead. While it may not be the case that every organization needs a CIGO, it is becoming clear that IG absolutely needs an owner.
When you get the key stakeholders in a room to discuss IG you'll notice that there are a lot of competing interests. Business leaders' top priority is access and efficiency (there is a reason why products like Sharepoint and Dropbox are so popular). A company's IT team has to think about data security and protecting certain information, and this usually translates to a more restrictive approach to how data is created and stored throughout the enterprise. Meanwhile, corporate attorneys are consumed by risk mitigation. In practice, that means knowing where data resides and exacting some level of control over how certain media are used (i.e. no contract negotiations over instant messenger). If you transposed these priorities onto a venn diagram, you would see very little in the way of overlap, which underscores the challenge organizations face in developing IG programs while highlighting why they are so badly needed.
Like any large, complex endeavor, IG requires investment, and investment requires executive sponsorship. IG champions have to construct a business case for why IG is necessary. That means quantifying how unmanaged data truly impacts the company bottom line in order to present a compelling return on investment (ROI) case for IG.
It's easy to think about IG in terms of technology, but before tools are applied companies must develop an overall IG strategy. Once an organization defines its IG strategy, it needs to create a program that defines key stakeholders, policies, procedures, and measures. Of course, technology will be essential in supporting all of these elements (see the tools section below).
Here is a checklist of some helpful IG best practices to get your program off the ground:
IG Best Practices
Create a cross-functional IG team
No IG plan will be successful if it doesn't reflect the needs and goals of all key stakeholders, including legal, compliance, risk management, HR, IT, data privacy, information security and the business units. Each of these entities should be represented in the initial IG planning phase and have a say in defining success criteria, key measurables, and potential risks.
Conduct a comprehensive data audit
You cannot develop a strong information governance framework without first knowing what you have. Each business unit will likely be familiar with the main data sources that they interact with, but for IG everything must be accounted, including backup tapes, legacy/retired systems, and data archives that are likely not being actively managed at all.
Carefully assess and define legal and regulatory requirements
When getting an IG program off the ground, it's critically important to understand any and all external retention requirements. Figure out what data has to be kept and for how long, and revisit those requirements often to ensure that the IG plan stays up-to-date.
Prioritize IG activities
IG plans aren't created overnight, so it's critical to address the most pressing issues first. The data assessment described above should drive the prioritization of initial IG activities. For example, if the audit reveals a preponderance of decentralized data stored randomly across a bevy of shared drives, a good first step might be to create a data map which connects employees to the data sources with which they most frequently interact. Likewise, if the initial assessment reveals a large accumulation of unnecessary backup tapes, the IG plan should place greater emphasis on developing and executing a better defensible deletion policy, ridding the company of data it no longer needs. Every organization has its own unique set of challenges, and the prioritization of IG activities should be reflective of the specific data environment.
While select members of the organization will define the IG program, its ultimate success rests on the larger workforce actually executing on the plan. Training is essential. Employees have to know how the individual policies and procedures impact their day-to-day activities. It's also important to communicate why the program matters and what it's designed to accomplish so that employees better appreciate the need to make changes.
Develop enforcement criteria and follow through
Training is crucial, but achieving 100 percent employee compliance without a strong enforcement structure is wildly unrealistic. The best way to enforce the IG program is by conducting random, periodic audits of employee compliance and working with business unit leaders to establish firm corrective measures for non-compliance.
How will you demonstrate the effectiveness of the IG program? What are the key metrics to track? These considerations should be part of the IG planning phase. Project champions should develop targets and desired outcomes, and define how those will be measured early in the process.
Information Governance Tools
There are a variety of overlapping technologies that fall under the IG umbrella, far too many to cover in this guide. When it comes to IG technology, the discussion shouldn't just focus on what new tools are needed but also consider better utilization of existing technology investments as well as the interplay between systems. For example, many organizations have deployed journaling or archiving systems for managing corporate email, but they have not gone the next step to index this content for rapid retrieval. These systems can be huge productivity aids when automating e-discovery activities, such as preservation and data collection. Taking the time to think through how archiving and indexing of ESI can aid in the identification of content owners/editors/readers, creation/use dates, and search criteria relevance is a major component of a comprehensive IG program.
Here are five other IG tools that specifically support e-discovery activities:
We can't emphasize enough that it's a mistake to think of IG as part of the e-discovery process. As we continue through this guide you'll see elements of IG littered throughout each discussion of the various e-discovery stages. The e-discovery process drives important IG decisions and helps to shape the IG program. The important takeaway here is that IG is becoming a necessity for large companies. Organizations can make all the e-discovery process changes and investments they want, but without a solid IG program in place, it's virtually impossible to achieve all of the desired results of lower costs and risks.