Taming the Beast

Part One of a Two Part Article

Ninety percent of information in existence today was created in the last two years and experts estimate that, currently, over 90% of corporate data is in a digital format. Data is currently being created at a rate of two million terabytes per year, and industry analysts surmise that number will explode to four million terabytes per day in the near future. See, 'What Is Big Data?' IBM.com.'

Corporate law departments acknowledge the need to manage and control this unabated and explosive growth of digital information, yet understand that the traditional approach will not work. In the past, the responsibility for creating and implementing an organization's records management program has typically fallen to the records manager, with support from the corporate law department for certain activities such as approving the company records retention schedule. Records management programs focused primarily on paper records management. Now, with information ever growing and primarily in digital format, most organizations acknowledge that a different approach needs to be taken.

Compounding the problem are regulatory and privacy issues. There are thousands of regulations, both in the United States and abroad, that affect recordkeeping and require research and compliance. Further, there is no single set of global data privacy criteria, and laws outside the U.S. ' particularly in the E.U. ' are more stringent. In addition, business units within a single company may have very different information management needs and have developed their own policies and procedures, often in contradiction of one another. Resolving these issues, including the immediate need for institutional policy consistency, as well as the exceptionally complex aspects of policy implementation across all electronic repositories, seems a Herculean task.

Comprehensive Strategy Required

Absent a comprehensive and strategic plan to manage and control records and information, organizations have attempted myriad approaches, both manual and technical. Asking employees to spend hours sorting shared drives and e-mails has proven untenable. Technical approaches, such as arbitrary time-based or volume caps on e-mail Inboxes to force e-mail deletion, have often resulted in employee work-arounds, including the creation of personal storage tables (PSTs). Costly technology solutions, originally considered the Holy Grail, often fail for lack of upfront comprehensive and holistic analysis of information lifecycle requirements. Many such 'solutions' have been implemented by the IT department, ignoring the fact that Legal, IT, Records Management, and the business often speak different languages. A comprehensive analysis of requirements across the organization to yield an acceptable translation of seemingly conflicting priorities is often ignored due to a lack of internal expertise to conduct such an analysis and the amount of time required for its completion.

Faced with the seemingly insurmountable odds against truly comprehensive management and control over digital information, some general counsel have concluded, 'we've never had any significant litigation due to keeping records too long, and no 'smoking gun' records have ever cost us a major case or settlement dollars,' and have chosen simply to keep everything. This position, however, is no longer acceptable. Although legal risk may have been low in the past, an organization's inability to promptly retrieve information related to an audit, litigation or investigation may lead to fines, sanctions and penalties in the future.

Further, there is risk of producing an incorrect version or rendition of a document or record. Add to that the inefficiencies and ineffective use of staff time, and the burgeoning cost of storage and e-discovery, and organizations can no longer bury their heads in the sand.
Increasingly, many law departments, along with their IT and Records Management colleagues, agree on three things: 1) information management is not an issue they can adequately solve on their own; 2) it goes far beyond the retention and destruction of documents; and 3) effective information management should be part of a much larger corporate information management strategy. Organizations realize they will not be able to avoid litigation, control spiraling costs, and stay ahead of the proliferation of information without a fundamental shift in approach toward one of information governance, corporate-wide partnership and holistic technology solutions.

Effective Information Governance

Law departments have a vested interest in corporate information governance, and they should be an active participant in the solution. Ineffective records management directly preys on a corporate law department's time, money and people ' hours spent searching for needed records or the proper version of a document, poor partnering with law firms and costly duplicative efforts, and an inability to respond on a timely basis to legal or audit inquiries or government investigations are but a few examples. But ineffective information governance sneaks up on the law department in the form of fallout related to privacy breaches, violations of legal holds, spoliation claims, corporate governance missteps, data leaks and flawed corporate risk strategy and management.

Gartner defines information governance as 'the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival, and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.' See, Gartner IT Glossary. In layman's terms, information governance can be thought of as the application of systematic controls to records and information, regardless of media, through the entire life cycle ' from creation or receipt to destruction or permanent retention. This new lens for viewing information governance brings into focus not just the traditional legal and compliance aspects of records and information management, but those associated with technology, operations, risk management and safety/security/privacy across the business. Information governance will help an organization attain the following key information management objectives:

• Retention of records and information for as long as legally or operationally required;
• Systematic destruction of records and information in the normal course of business (absent a legal hold);
• Improved access to needed records and information;
• Ability to read records and information when found;
• Protection of vital and confidential records and information; and
• Improved customer service.

Although Legal, Compliance, IT, and Records Management all have various responsibilities and accountabilities for policies, technologies, processes and procedures, the establishment of an information governance strategy will help fuse the seemingly disparate elements into a focused and comprehensive approach. Key activities for the development of an information governance strategy, as well as several essential components, are further discussed below.

Diagnostic Assessment and Information Governance Strategy

In order to ensure all aspects of an organization's information management needs are included in a comprehensive strategy, a cross-functional team of representatives from Legal, Compliance, IT, Records Management and other key business stakeholders should be designated as members of the information governance working group. Ideally, this core team will oversee the information governance initiative, from diagnostic assessment through implementation, bringing in subject matter experts as needed. The working group's job is to assess the organization's current state of records and information management, analyze this 'as is' state against standards and industry best practices, and then identify the gaps between the current state and the desired outcome.

The group's first task is to review the current state of the organization's record or information management program. The initial assessment includes items such as the policies and processes currently in existence, the identification of risks and opportunities, jurisdictions in which business is or may be conducted, applicable regulatory agencies and regulations, and the current information creation and management lifecycle.

One of the key questions to ask during the diagnostic assessment is: 'What is impeding the organization's ability to readily apply retention schedules to records and information?' This inability often results in an ever-growing volume of information that is likely being retained'beyond all legal, regulatory and operational needs. Likely answers to this query include:

• Retention schedules are not 'actionable' in a digital environment;
• The sheer amount of data requires hundreds of man-hours to manually delete;
• Employees do not have the time or expertise to understand how to classify information;
• Database 'records' are different than what has traditionally been considered a 'record';
• Resources (time, money, people) have not been budgeted; and
• The business keeps waiting for IT to solve the problem.

Using the results of the diagnostic assessment as a baseline, the working team can then begin to identify the specific people, processes and technologies needed to evolve from the current state to the desired future state. The strategy may include:

• An overall vision for information governance that incorporates 'best practice' program governance, enabling technology and enhanced business practices;
• Identification of key information management initiatives that will help realize the organization's information governance vision, reducing risk while balancing legal, compliance and business requirements and objectives. Initiatives should be prioritized in alignment with the organization's overall corporate objectives and should aim to establish consistency in lifecycle information management. Initiatives might include:
• • A strategy for the management of unstructured content, leveraging existing technology and tools where appropriate. Strategies may incorporate a range of tactics ' policy, design, implementation and standards-based; and
  • A process for a risk-based assessment and resulting prioritized plan to address structured data and source systems to meet records and information management requirements.
• An overall information governance infrastructure that defines accountability and authority, and related roles and responsibility for comprehensive information governance throughout the enterprise. Responsibilities should include executive sponsorship, advisory and steering committees, and working teams; and
• Methodologies for change management to allow for an effective/efficient implementation of change.

In addition to the development of the strategic initiatives, the working group should develop a 'roadmap' as a blueprint for prioritizing the implementation of the initiatives. This will allow the organization to move sensibly from its current state to a fully deployed and sustainable program. Identifying high-level, short and long term priorities will allow the organization to address critical improvements in key areas while moving forward with foundational improvements in information management technology and processes that may require several years to fully achieve. A phased approach should also take into consideration the organization's global footprint and differing requirements per jurisdiction.

Transforming a records management process into a comprehensive information governance approach does not happen overnight. Establishing a working group that is dedicated and engaged is a critical first step. The working group's assessment and strategic vision will guide and oversee the quality and progress of the information governance initiatives, from the development of policies and procedures through to implementation, including defensible destruction protocols.

Part II, next month, examines policy and procedures development, the role of technology, document disposition, and the importance of change management.

Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak possesses a unique combination of consulting with prior legal practice in the areas of tax and employee benefits.'

'

Part One of a Two Part Article

Ninety percent of information in existence today was created in the last two years and experts estimate that, currently, over 90% of corporate data is in a digital format. Data is currently being created at a rate of two million terabytes per year, and industry analysts surmise that number will explode to four million terabytes per day in the near future. See, 'What Is Big Data?' IBM.com.'

Corporate law departments acknowledge the need to manage and control this unabated and explosive growth of digital information, yet understand that the traditional approach will not work. In the past, the responsibility for creating and implementing an organization's records management program has typically fallen to the records manager, with support from the corporate law department for certain activities such as approving the company records retention schedule. Records management programs focused primarily on paper records management. Now, with information ever growing and primarily in digital format, most organizations acknowledge that a different approach needs to be taken.

Compounding the problem are regulatory and privacy issues. There are thousands of regulations, both in the United States and abroad, that affect recordkeeping and require research and compliance. Further, there is no single set of global data privacy criteria, and laws outside the U.S. ' particularly in the E.U. ' are more stringent. In addition, business units within a single company may have very different information management needs and have developed their own policies and procedures, often in contradiction of one another. Resolving these issues, including the immediate need for institutional policy consistency, as well as the exceptionally complex aspects of policy implementation across all electronic repositories, seems a Herculean task.

Comprehensive Strategy Required

Absent a comprehensive and strategic plan to manage and control records and information, organizations have attempted myriad approaches, both manual and technical. Asking employees to spend hours sorting shared drives and e-mails has proven untenable. Technical approaches, such as arbitrary time-based or volume caps on e-mail Inboxes to force e-mail deletion, have often resulted in employee work-arounds, including the creation of personal storage tables (PSTs). Costly technology solutions, originally considered the Holy Grail, often fail for lack of upfront comprehensive and holistic analysis of information lifecycle requirements. Many such 'solutions' have been implemented by the IT department, ignoring the fact that Legal, IT, Records Management, and the business often speak different languages. A comprehensive analysis of requirements across the organization to yield an acceptable translation of seemingly conflicting priorities is often ignored due to a lack of internal expertise to conduct such an analysis and the amount of time required for its completion.

Faced with the seemingly insurmountable odds against truly comprehensive management and control over digital information, some general counsel have concluded, 'we've never had any significant litigation due to keeping records too long, and no 'smoking gun' records have ever cost us a major case or settlement dollars,' and have chosen simply to keep everything. This position, however, is no longer acceptable. Although legal risk may have been low in the past, an organization's inability to promptly retrieve information related to an audit, litigation or investigation may lead to fines, sanctions and penalties in the future.

Further, there is risk of producing an incorrect version or rendition of a document or record. Add to that the inefficiencies and ineffective use of staff time, and the burgeoning cost of storage and e-discovery, and organizations can no longer bury their heads in the sand.
Increasingly, many law departments, along with their IT and Records Management colleagues, agree on three things: 1) information management is not an issue they can adequately solve on their own; 2) it goes far beyond the retention and destruction of documents; and 3) effective information management should be part of a much larger corporate information management strategy. Organizations realize they will not be able to avoid litigation, control spiraling costs, and stay ahead of the proliferation of information without a fundamental shift in approach toward one of information governance, corporate-wide partnership and holistic technology solutions.

Effective Information Governance

Law departments have a vested interest in corporate information governance, and they should be an active participant in the solution. Ineffective records management directly preys on a corporate law department's time, money and people ' hours spent searching for needed records or the proper version of a document, poor partnering with law firms and costly duplicative efforts, and an inability to respond on a timely basis to legal or audit inquiries or government investigations are but a few examples. But ineffective information governance sneaks up on the law department in the form of fallout related to privacy breaches, violations of legal holds, spoliation claims, corporate governance missteps, data leaks and flawed corporate risk strategy and management.

Gartner defines information governance as 'the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival, and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.' See, Gartner IT Glossary. In layman's terms, information governance can be thought of as the application of systematic controls to records and information, regardless of media, through the entire life cycle ' from creation or receipt to destruction or permanent retention. This new lens for viewing information governance brings into focus not just the traditional legal and compliance aspects of records and information management, but those associated with technology, operations, risk management and safety/security/privacy across the business. Information governance will help an organization attain the following key information management objectives:

• Retention of records and information for as long as legally or operationally required;
• Systematic destruction of records and information in the normal course of business (absent a legal hold);
• Improved access to needed records and information;
• Ability to read records and information when found;
• Protection of vital and confidential records and information; and
• Improved customer service.

Although Legal, Compliance, IT, and Records Management all have various responsibilities and accountabilities for policies, technologies, processes and procedures, the establishment of an information governance strategy will help fuse the seemingly disparate elements into a focused and comprehensive approach. Key activities for the development of an information governance strategy, as well as several essential components, are further discussed below.

Diagnostic Assessment and Information Governance Strategy

In order to ensure all aspects of an organization's information management needs are included in a comprehensive strategy, a cross-functional team of representatives from Legal, Compliance, IT, Records Management and other key business stakeholders should be designated as members of the information governance working group. Ideally, this core team will oversee the information governance initiative, from diagnostic assessment through implementation, bringing in subject matter experts as needed. The working group's job is to assess the organization's current state of records and information management, analyze this 'as is' state against standards and industry best practices, and then identify the gaps between the current state and the desired outcome.

The group's first task is to review the current state of the organization's record or information management program. The initial assessment includes items such as the policies and processes currently in existence, the identification of risks and opportunities, jurisdictions in which business is or may be conducted, applicable regulatory agencies and regulations, and the current information creation and management lifecycle.

One of the key questions to ask during the diagnostic assessment is: 'What is impeding the organization's ability to readily apply retention schedules to records and information?' This inability often results in an ever-growing volume of information that is likely being retained'beyond all legal, regulatory and operational needs. Likely answers to this query include:

• Retention schedules are not 'actionable' in a digital environment;
• The sheer amount of data requires hundreds of man-hours to manually delete;
• Employees do not have the time or expertise to understand how to classify information;
• Database 'records' are different than what has traditionally been considered a 'record';
• Resources (time, money, people) have not been budgeted; and
• The business keeps waiting for IT to solve the problem.

Using the results of the diagnostic assessment as a baseline, the working team can then begin to identify the specific people, processes and technologies needed to evolve from the current state to the desired future state. The strategy may include:

• An overall vision for information governance that incorporates 'best practice' program governance, enabling technology and enhanced business practices;
• Identification of key information management initiatives that will help realize the organization's information governance vision, reducing risk while balancing legal, compliance and business requirements and objectives. Initiatives should be prioritized in alignment with the organization's overall corporate objectives and should aim to establish consistency in lifecycle information management. Initiatives might include:
• • A strategy for the management of unstructured content, leveraging existing technology and tools where appropriate. Strategies may incorporate a range of tactics ' policy, design, implementation and standards-based; and
  • A process for a risk-based assessment and resulting prioritized plan to address structured data and source systems to meet records and information management requirements.
• An overall information governance infrastructure that defines accountability and authority, and related roles and responsibility for comprehensive information governance throughout the enterprise. Responsibilities should include executive sponsorship, advisory and steering committees, and working teams; and
• Methodologies for change management to allow for an effective/efficient implementation of change.

In addition to the development of the strategic initiatives, the working group should develop a 'roadmap' as a blueprint for prioritizing the implementation of the initiatives. This will allow the organization to move sensibly from its current state to a fully deployed and sustainable program. Identifying high-level, short and long term priorities will allow the organization to address critical improvements in key areas while moving forward with foundational improvements in information management technology and processes that may require several years to fully achieve. A phased approach should also take into consideration the organization's global footprint and differing requirements per jurisdiction.

Transforming a records management process into a comprehensive information governance approach does not happen overnight. Establishing a working group that is dedicated and engaged is a critical first step. The working group's assessment and strategic vision will guide and oversee the quality and progress of the information governance initiatives, from the development of policies and procedures through to implementation, including defensible destruction protocols.

Part II, next month, examines policy and procedures development, the role of technology, document disposition, and the importance of change management.

Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak possesses a unique combination of consulting with prior legal practice in the areas of tax and employee benefits.'

'