An Information Governance Disaster?

Of the 2,320 respondents participating in 451 Research's 2013 report, "E-Discovery and E-Disclosure 2013: The Ongoing Journey to Proactive Information Governance," less than half believed that an information governance program was important to their organization, but more than half of the IT staff responding thought it important. The report also stated that only 32% of senior management believed information governance was important.

AIIM's 2013 Industry Watch Report, "Information Governance—Records, Risks and Retention in the Litigation Age," noted that only 24% of organizations train new recruits on information governance and only 16% regularly train all staff, while 31% don't do any training at all and 18% only train their records management personnel. Of all the AIIM survey respondents, only 63% had some type of information governance policy in place, which is good, but astonishingly half of those with a policy admit that it is largely un-referenced and unaudited. This points us back to the lack of training.

Compounding these issues associated with information governance is that information (unstructured content, records and data) is growing exponentially in organizations, but there isn't a consensus on how to manage that growth. For 29% of the respondents participating in the AIIM Industry Watch, the answer to the information deluge is to "buy more discs,"—with 9% who have actually made that their strategy. In contrast, eDiscovery Journal's Q1 2013 "Defensible Deletion Survey" showed that 96% of respondents affirmed that "defensible deletion of information is necessary in order to manage growing volumes of digital information." According to a December, 2012, ESG survey, "Defensible Disposition in Practice: Perspectives from Business and IT," a primary issue with using defensible deletion as a means to manage growth of corporate information is fear. In the survey, "fear of the inability to furnish data requested as part of a legal or regulatory matter" was the highest ranked reason organizations chose not to dispose of electronically stored information. To take this a step further, the AIIM survey also pointed out that, "while manual enforcement of deletion should not be so difficult, 28% would like to automate this process so that no one person is called upon to press the ‘confirm delete' button." This shouldn't be too surprising, because employees are not trained and empowered to manage information according to corporate information governance policies and procedures, and no one wants to be fired for not having information when needed. Thus, we tend to retain everything.

Are we teetering on the edge of an information governance disaster? Very likely. All companies, regardless of size, location and industry—and regardless of laws and regulations, need to have comprehensive information governance policies and procedures, with employees trained to implement them, and software systems in place to help manage their information assets (unstructured content, records and data) accordingly.

As we can see from the research referenced, companies and their employees are locked in an information governance and content management death spiral. It is easy to see why 9% of AIIM's Industry Watch respondents adopted the strategy to "buy more disc space"—even though that is a strategy that will eventually fail. Someone has to own information governance, implement the policies and procedures, train employees to follow them and ensure that corporate systems are correctly established to manage information in accordance with information governance rules. Further, as the AIIM survey noted, the owner of information governance also needs to conduct audits to ensure that policies and procedures are being followed. It should also be said that, when needed, information governance rules should be updated to reflect changes in polices, regulations, laws and corporate cultural shifts—they are not set in stone.

There are myriad information governance definitions in use. Depending on your role in an organization (IT, legal, business) and the industry in which you work, the words "information governance" may have a different meaning. Therefore, let's review a few definitions to ensure we're on the same page.

• Information: The communication or reception of knowledge or intelligence. In the corporate world, that communication tends to take the form of emails, documents (created or scanned), graphics, system-generated reports, application data, etc., and is stored on hard drives (USB drives, personal laptops, corporate servers, data centers), databases and offline storage.
• Governance: Risk oversight and business processes by which organizations manage, avoid and mitigate risk.
• Risk management: The concept of evaluating business and regulatory threats and establishing controls to monitor and mitigate exposure, thereby reducing corporate risk and loss.
• Compliance: The act of following business rules, whether they are corporate policies, industry mandates or government regulations.

If we agree that information governance should also encompass GRC (governance, risk and compliance), then one could argue that information governance is a holistic approach to manage the creation, valuation, use, storage, archival and deletion of corporate information as specified by a framework of policies and business procedures. This holds employees accountable, provides controls to monitor effective and efficient use of corporate information and ensures organizations can mitigate risk to reduce corporate loss and achieve organizational goals.

Ultimately, from an information management perspective, information governance gives organizations the ability to know what information is retained, where it is retained, how it is retained, why it is being retained and for how long, as well as who has access to the information, who has accessed it, when they accessed it and what they did with it. The policies and procedures for handling information arise from the information governance framework, which is a comprehensive set of documentation all companies should have, maintain, and use when auditing information and systems.

Managing information effectively is complex and represents a significant challenge for most organizations. As we have seen from the surveys noted herein and numerous reports on the subject of information/content management, the rising tide of enterprise content is scattered across the globe in disparate repositories, on different platforms and in many different formats. This situation is compounded by mergers and acquisitions, the deployment of business units, creation of new departmental solutions and the development of home-grown applications. To further illustrate this point, in Forrester's "Strategic Benchmarks 2013: IT Infrastructure report," "Forrester found that, on average, enterprises maintain upward of 3,200 TB of storage companywide, indicating about a 45% growth over the past two years, up from 2,200 TB in 2010." Much of this information is stored in disparate repositories that are associated with specific systems and applications. This in itself creates an information governance nightmare, because information in one repository likely has a relationship with information in another repository. For example, a CRM system has critical information pertaining to a customer, a content or document management system has another set of information about that customer, and an ERP system has its own set of information about the customer-but most companies haven't successfully integrated or aggregated this information so that employees can access it quickly and easily. According to AIIM's 2013 "Industry Watch: ECM at the Crossroads"—key strategy and choices for universal content management, approximately 40% of the respondents indicated that 70%-90% of their content stored in other systems is not accessible through their content management or document management system. This creates another set of issues: in the same report, for content stored in other enterprise systems, approximately 65% of respondents found it difficult to search for that information, and 55% reported that this information is not under records management retention rules.