Focus on CA
Optimizing Performance and Mitigating Risk
The changing business, political and social landscape is making it increasingly important for organizations to carefully manage information to avoid legal or regulatory problems. Historically, attention has been placed on the handling of structured data, such as personnel records and accounting data. Now, unstructured information such as emails, spreadsheets and instant messages are coming under intense scrutiny. Businesses must balance the often-conflicting demands of information availability with the compliance requirements defined by laws, statutes and regulations.
Balancing the needs of the business with corporate obligation can be a daunting challenge, but there are controls organizations can institute to achieve harmony between these demands. An example of this is a strategic information governance approach, which proactively manages documents—regardless of media and form—by applying process, product, policy and procedure to diverse and inconsistent business systems. This approach offers an efficient method to meet both business and compliance needs...without adversely affecting the infrastructure currently in place.
By applying processes and procedures across the enterprise, a well-tailored information governance approach helps:
- Mitigate potential compliance and legal risk;
- Decrease the costs associated with maintaining, managing and addressing discovery needs;
- Reduce "stale" content across the enterprise;
- Centrally manage document lifecycles; and
- Simplify business-specific access to information.
Balancing Availability and Compliance
More than ever before, organizations must carefully manage data to ensure they don’t place themselves in legal or regulatory jeopardy. This is especially the case with unstructured information, such as emails, spreadsheets, word processing documents and instant messages. Enterprises must harmonize the sometimes divergent demands of information availability with the compliance requirements defined by laws, statutes and regulations. Every organization should be capable of effectively managing information to meet its own needs—and without replacing existing infrastructure and investments—in accordance with legal and regulatory imperatives. These abilities are critical to meeting business obligations for optimizing performance and mitigating risk.
From a compliance perspective, there are two critical aspects to consider when managing information:
1. Lifecycle: Information must be stored for a specific time as defined by legal, regulatory and business requirements, managed correctly and then disposed of appropriately. And, the provenance and provability that the information has not been inappropriately or incorrectly changed must be maintained for the retention period.
2. Discovery: Information must be consistently maintained based on security and access standards and must be discoverable as required. The ability to search is insufficient alone. Information must be easily obtainable during the time that it is retained. For example, data preserved on backup tapes that are no longer accessible could pose a legal risk and may require substantial and expensive data recovery services.
Lifecycle management should enable organizations and individuals to access information when appropriate. Discovery, a more reactive process related to documents, is often on the flipside of lifecycle management. A discovery request needs to include all unstructured information, and a "hold" would be placed on those documents responsive to the discovery request, independent of media, form or location (for example, across all document repositories, file shares and email archiving systems).
The combination of lifecycle and discovery is defined as "information governance"—the alignment of business needs with corporate obligations. Information governance differs from the more generic area of "information management," which is generally driven by storage requirements, and is based on policies for maintaining, finding and, when appropriate, destroying documents.
Determining What to Manage
Organizations historically have exhausted substantial resources managing structured information, such as accounting data and personnel records, which reside within database applications. Structured information is well defined and controlled due to its format and its creation and management through specialized applications.
Unstructured information, on the other hand, has typically been managed only by allocating storage space, with little thought to information governance. The process and procedure for the creation, modification and access of unstructured data is less controlled and less organized than that for structured information. The result: most organizations are starting to think about applying information governance principles to unstructured information—especially with the increase in regulations and litigation in this area.
Even though the information governance requirements of lifecycle management and discovery need to be applied to unstructured data, organizations will gain substantial uniformity and value from consistently applying both to all information.
How does information governance align with the inconsistent business needs relating to unstructured information? Users must be able to easily access data to perform their jobs, but the organization must ensure that the retention lifecycle of, and access to, the relevant information—as well as discovery capabilities—are in place.
For electronic and physical documents, managing these diverse needs can be daunting. Numerous applications are used to create and edit information and documents. Rather than being stored in monolithic, application-specific databases, these items are often stored on numerous file shares, email and email archiving systems and other document storage locations. This results in numerous inconsistent and unmanaged repositories.
Avoiding Disruption to the Infrastructure
The problem can be resolved simply by creating a single repository for all documents. However, related departmental requirements differ, and documents—such as emails—may require specific capabilities as compared to images. Organizations have recognized that the "one-size-fits-all" approach cannot work; regardless of the implemented processes, users will still use network and local hard drives to store documents. Therefore, information governance should adapt to the current infrastructure without requiring replacement of existing software or processes.
The application of process and policies to these diverse and inconsistent systems is core to information governance. By supplying a centralized policy engine to all information independent of media, form and location (physical or electronic), an organization is able to enforce a single set of policies that directly map to each legal, regulatory or business requirement.