Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Taming the Beast: Information Management and Governance in a Global Environment
Last month, Part One of this article examined the catalysts motivating companies to take charge of their information and the need to develop a comprehensive information governance approach to support their objectives. This month, we look at policy and procedures development, the role of technology, document disposition, and the importance of change management.
Before future specifics can be decided, a working group should be established to assess the current status of records management against the ideal future state, and, from that, design a master plan and 'road map' for implementation. Once the guiding principles for information governance are in place, the focus shifts to drafting supporting documents and detailing program specifics, such as technology needs and destruction protocols.
Information Governance Policy and Procedures
After defining the information governance strategy and approach, the working group should draft governing documents, including policies and procedures as the foundation on which all subsequent implementation activities are built.
An over-arching information governance policy includes the scope, purpose, objectives, responsibilities and standards for comprehensive information management throughout the organization. In addition to the over-arching information governance policy, other existing policies, such as those that cover privacy, protection and electronic communications, should be re-examined and updated as needed to ensure they are in alignment with the information governance policy.
In conjunction with the development of the policy, the information governance infrastructure framework should be designed. The framework details roles, responsibilities, and accountabilities of the information governance executive sponsors, the Advisory and/or Steering Committees, the working teams, as well as the responsibilities of all employees. The identified roles and responsibilities should be documented and formalized as part of the information governance policy.
It is likely that each policy statement or requirement will require additional procedural guidance to ensure its implementation. In addition, any single policy requirement may call for multiple procedures, since implementation tactics may vary depending on the record media or storage repository. For example, the implementation of the policy requirement that 'records will be retained in accordance with the Company Retention Schedule' may be relatively straight forward in the hardcopy recordkeeping environment. However, applying the retention schedule in one of the unstructured electronic recordkeeping environments (i.e., ECM, SharePoint, shared drives) is challenging without detailed guidance. These additional procedural documents should be authored as the strategy and its related initiatives evolve.
Special mention should be made regarding the organization's retention schedule, since it should be cross-referenced in the policy as defining the organization's official position on retention time periods. The retention schedule is foundational to information governance, since it defines how long an organization is legally or operationally obliged to retain records, and when they can be destroyed. The retention schedule should be based on a review of regulatory requirements, interviews with business representatives/record owners, workflow analysis, and the scope of documents/data. Most retention schedules are developed by the records management department, with review and approval provided by Legal, Compliance and Tax. Retention schedules that were originally developed for paper records only, organized by department, may require revision to ensure they are based on business function and can be applied to electronic records as well.
Enabling Technologies
The goals of information governance and system operations set out in the governance documents provide the basis for identifying the technology necessary to effectuate the plan. Start by evaluating the capabilities needed for implementation. Then consider the most pressing priorities, budget constraints, technology in development or slated for purchase, and what is currently used across the organization. Existing technology might provide a viable solution after enhancement or upgrade. In-progress projects or purchases may need to be put on hold or redesigned.
One of the greatest challenges faced by most organizations today is the management and control of 'unstructured content.' Unstructured content includes e-mail files, word-processing text documents, presentations files, spreadsheets, JPEG and GIF image files. It may be stored on shared or personal drives, in collaborative environments such as SharePoint, in e-mail systems, and in document or content management systems. Unstructured content poses significant management challenges since its management relies heavily on individual user action and falls outside the purview of the traditional IT system information management model.
Most unstructured content is created in an ad hoc fashion by individual business users, with little consistency in creation, naming, storing, disposing, etc. As mentioned throughout this article, if left unmanaged, the sheer volume of unstructured content that is generated each year within an organization can be costly in terms of storage. In addition to these 'hard dollar' costs, significant inefficiencies result from ineffective use of staff time when searching for needed information. Unmanaged content can also pose a liability if information cannot be located in the event of an audit, investigation or litigation. There is further risk related to electronic content that should have been disposed of in accordance with a retention policy, but continues to be retained.
One 'enabling technology' that organizations may wish to consider is an enterprise content management system. These systems, if properly designed, developed and deployed, may allow an organization to apply the lifecycle controls (including disposition) to the terabytes of unstructured content in existence today.
Once initial needs are established, making sure to account for projected corporate expansion, vendors can be contacted to present potential solutions, RFPs can be issued, and a technology plan created.
Key Benefit of Information Governance: Defensible Destruction
A primary objective of a comprehensive information governance system is the disposition of data that has surpassed defined retention requirements. As discovery and storage costs skyrocket, the days of keeping everything forever have passed. Defensible destruction helps control discovery costs on the front end, before the need for discovery even arises, narrowing the amount of data that must be searched, collected and reviewed; in fact, the Electronic Discovery Reference Model (EDRM) specifically prescribes information management as the first step in the discovery process.'
Defensible destruction also helps manage data privacy issues. By methodically and consistently disposing of data that has exceeded its retention requirements, legal departments are left with a much smaller pool of information that is subject to regulatory and privacy laws, saving the company significant cost, time and risk. This alleviates challenges not only in the United States, but also globally, where both complexity and cost of missteps often far surpass those domestically and have been a continued source of difficulty for multi-national companies.
Defensible destruction is just that ' destruction that is neither arbitrary nor sporadic, does not violate a legal hold, and can be defended in a court or regulatory proceeding. As a result of implementing strategies for the lifecycle management of information, defensible destruction will be one of the key benefits. (Note: An organization should ensure it has a comprehensive legal hold policy and procedures in place before undertaking any disposition activities.)
Change Management
A critical success factor to implementing the many aspects of information governance is a solid change management plan. In all likelihood, the information governance plan will entail departures from previous records management processes. Employee acceptance and positive adoption of the new way of managing information is critical to the plan's success and realizing a return on potentially significant technology investments. Detailed communications plans and training should be offered at the initial roll-out of the each initiative and periodically reinforced. Usage metrics can be a powerful tool to manage change. Monitoring usage can reveal signs of resistance to program adoption or decreased utilization over time (which may illuminate technology or process inefficiencies that can be corrected). It is important to develop relevant audit and compliance plans under those departments' leadership and link them to the Governance, Risk Management and Compliance (GRC) system, if applicable. Lastly, a mechanism for employee feedback during the first year is a valuable tool for achieving program acceptance and optimization.
The information governance working team should take an active role in creating communications and conducting training. Providing examples of lawsuits or penalties incurred for poor information governance can help underscore the importance of corporate-wide adoption and 100% employee participation.
Conclusion
Information creation has come a long way since documents were created on manual typewriters and old files placed in boxes and shipped off to storage facilities. The speed and volume of information creation will only increase as new platforms evolve and lines between personal and work devices grow hazier. Similarly, the complexity of the regulations regarding that information will only increase as organizations grow globally or conduct more cross-border business. A traditional approach to records management does nothing to reduce the root causes of information volume, and even the best programs remain susceptible to human error and gaps in participation. By championing a comprehensive, inclusive information governance program that utilizes technology strategically, organizations can reduce costs, minimize failures, and free up time and resources for other priorities.
Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak possesses a unique combination of consulting with prior legal practice in the areas of tax and employee benefits.
Last month, Part One of this article examined the catalysts motivating companies to take charge of their information and the need to develop a comprehensive information governance approach to support their objectives. This month, we look at policy and procedures development, the role of technology, document disposition, and the importance of change management.
Before future specifics can be decided, a working group should be established to assess the current status of records management against the ideal future state, and, from that, design a master plan and 'road map' for implementation. Once the guiding principles for information governance are in place, the focus shifts to drafting supporting documents and detailing program specifics, such as technology needs and destruction protocols.
Information Governance Policy and Procedures
After defining the information governance strategy and approach, the working group should draft governing documents, including policies and procedures as the foundation on which all subsequent implementation activities are built.
An over-arching information governance policy includes the scope, purpose, objectives, responsibilities and standards for comprehensive information management throughout the organization. In addition to the over-arching information governance policy, other existing policies, such as those that cover privacy, protection and electronic communications, should be re-examined and updated as needed to ensure they are in alignment with the information governance policy.
In conjunction with the development of the policy, the information governance infrastructure framework should be designed. The framework details roles, responsibilities, and accountabilities of the information governance executive sponsors, the Advisory and/or Steering Committees, the working teams, as well as the responsibilities of all employees. The identified roles and responsibilities should be documented and formalized as part of the information governance policy.
It is likely that each policy statement or requirement will require additional procedural guidance to ensure its implementation. In addition, any single policy requirement may call for multiple procedures, since implementation tactics may vary depending on the record media or storage repository. For example, the implementation of the policy requirement that 'records will be retained in accordance with the Company Retention Schedule' may be relatively straight forward in the hardcopy recordkeeping environment. However, applying the retention schedule in one of the unstructured electronic recordkeeping environments (i.e., ECM, SharePoint, shared drives) is challenging without detailed guidance. These additional procedural documents should be authored as the strategy and its related initiatives evolve.
Special mention should be made regarding the organization's retention schedule, since it should be cross-referenced in the policy as defining the organization's official position on retention time periods. The retention schedule is foundational to information governance, since it defines how long an organization is legally or operationally obliged to retain records, and when they can be destroyed. The retention schedule should be based on a review of regulatory requirements, interviews with business representatives/record owners, workflow analysis, and the scope of documents/data. Most retention schedules are developed by the records management department, with review and approval provided by Legal, Compliance and Tax. Retention schedules that were originally developed for paper records only, organized by department, may require revision to ensure they are based on business function and can be applied to electronic records as well.
Enabling Technologies
The goals of information governance and system operations set out in the governance documents provide the basis for identifying the technology necessary to effectuate the plan. Start by evaluating the capabilities needed for implementation. Then consider the most pressing priorities, budget constraints, technology in development or slated for purchase, and what is currently used across the organization. Existing technology might provide a viable solution after enhancement or upgrade. In-progress projects or purchases may need to be put on hold or redesigned.
One of the greatest challenges faced by most organizations today is the management and control of 'unstructured content.' Unstructured content includes e-mail files, word-processing text documents, presentations files, spreadsheets, JPEG and GIF image files. It may be stored on shared or personal drives, in collaborative environments such as SharePoint, in e-mail systems, and in document or content management systems. Unstructured content poses significant management challenges since its management relies heavily on individual user action and falls outside the purview of the traditional IT system information management model.
Most unstructured content is created in an ad hoc fashion by individual business users, with little consistency in creation, naming, storing, disposing, etc. As mentioned throughout this article, if left unmanaged, the sheer volume of unstructured content that is generated each year within an organization can be costly in terms of storage. In addition to these 'hard dollar' costs, significant inefficiencies result from ineffective use of staff time when searching for needed information. Unmanaged content can also pose a liability if information cannot be located in the event of an audit, investigation or litigation. There is further risk related to electronic content that should have been disposed of in accordance with a retention policy, but continues to be retained.
One 'enabling technology' that organizations may wish to consider is an enterprise content management system. These systems, if properly designed, developed and deployed, may allow an organization to apply the lifecycle controls (including disposition) to the terabytes of unstructured content in existence today.
Once initial needs are established, making sure to account for projected corporate expansion, vendors can be contacted to present potential solutions, RFPs can be issued, and a technology plan created.
Key Benefit of Information Governance: Defensible Destruction
A primary objective of a comprehensive information governance system is the disposition of data that has surpassed defined retention requirements. As discovery and storage costs skyrocket, the days of keeping everything forever have passed. Defensible destruction helps control discovery costs on the front end, before the need for discovery even arises, narrowing the amount of data that must be searched, collected and reviewed; in fact, the Electronic Discovery Reference Model (EDRM) specifically prescribes information management as the first step in the discovery process.'
Defensible destruction also helps manage data privacy issues. By methodically and consistently disposing of data that has exceeded its retention requirements, legal departments are left with a much smaller pool of information that is subject to regulatory and privacy laws, saving the company significant cost, time and risk. This alleviates challenges not only in the United States, but also globally, where both complexity and cost of missteps often far surpass those domestically and have been a continued source of difficulty for multi-national companies.
Defensible destruction is just that ' destruction that is neither arbitrary nor sporadic, does not violate a legal hold, and can be defended in a court or regulatory proceeding. As a result of implementing strategies for the lifecycle management of information, defensible destruction will be one of the key benefits. (Note: An organization should ensure it has a comprehensive legal hold policy and procedures in place before undertaking any disposition activities.)
Change Management
A critical success factor to implementing the many aspects of information governance is a solid change management plan. In all likelihood, the information governance plan will entail departures from previous records management processes. Employee acceptance and positive adoption of the new way of managing information is critical to the plan's success and realizing a return on potentially significant technology investments. Detailed communications plans and training should be offered at the initial roll-out of the each initiative and periodically reinforced. Usage metrics can be a powerful tool to manage change. Monitoring usage can reveal signs of resistance to program adoption or decreased utilization over time (which may illuminate technology or process inefficiencies that can be corrected). It is important to develop relevant audit and compliance plans under those departments' leadership and link them to the Governance, Risk Management and Compliance (GRC) system, if applicable. Lastly, a mechanism for employee feedback during the first year is a valuable tool for achieving program acceptance and optimization.
The information governance working team should take an active role in creating communications and conducting training. Providing examples of lawsuits or penalties incurred for poor information governance can help underscore the importance of corporate-wide adoption and 100% employee participation.
Conclusion
Information creation has come a long way since documents were created on manual typewriters and old files placed in boxes and shipped off to storage facilities. The speed and volume of information creation will only increase as new platforms evolve and lines between personal and work devices grow hazier. Similarly, the complexity of the regulations regarding that information will only increase as organizations grow globally or conduct more cross-border business. A traditional approach to records management does nothing to reduce the root causes of information volume, and even the best programs remain susceptible to human error and gaps in participation. By championing a comprehensive, inclusive information governance program that utilizes technology strategically, organizations can reduce costs, minimize failures, and free up time and resources for other priorities.
Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak possesses a unique combination of consulting with prior legal practice in the areas of tax and employee benefits.
How Secure Is the AI System Your Law Firm Is Using?
What Law Firms Need to Know Before Trusting AI Systems with Confidential Information In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
COVID-19 and Lease Negotiations: Early Termination Provisions
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Authentic Communications Today Increase Success for Value-Driven Clients
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.