Information Governance: Who's In Charge?
"Information governance" has become front-of-mind for many people who are involved in information management. I know because I get the press releases.
Just kidding. Partly. It's true that, as is often the case, trends in information management can be "vendor-driven" as they say in the comic books. Meaning, "we want to sell you something, and we're calling it (blank)." But this growing emphasis on governance got me wondering what the driving forces really are, and whether there's anything more than a simple hype cycle behind it.
So I convened a good old-fashioned roundtable-style conference call recently with the best people I can think of to address this issue. I met with David Gould, director of information governance software at HP; Theresa Kollath, vice president of ASG's information management line of business; Mary Leigh Mackie, vice president of product marketing for AvePoint; and Tamir Sigal, vice president of marketing at RSD.
We had a wide-ranging discussion around the subjects of governance, and compliance and records management and... other stuff. What follows below is a pretty accurate transcript of the conversation. I will not try to be fancy; I will simply let their words speak for themselves, which they do very well.
I started with a simple question.
Andy Moore: Let's get our language straight. What's the difference between governance and compliance?
David Gould: started. Information governance is defined very simply, with three words: compliance, cost and control. It has to do with having control over information that has business relevance, and determining which information doesn't have business relevance. There's certainly no need from a compliance standpoint to keep information you don't need, but more importantly (we'll get to that 'more' later) from a cost standpoint as well. Why pay to store information you don't need? We've seen a tremendous emergence of this cost factor recently.
Compliance, on the other hand, is what you HAVE to do, obviously. But I consider it a subset of the greater governance message—controlling, managing, retaining and disposing of information. They're all interrelated. But very few users have full control strategies in place. They have compliance strategies, but I don't see a lot of emphasis on automation to solve the many compliance and governance challenges. For example, I don't see a lot of alignment between what the compliance people need to do and what IT people need to do. So the common element now is this 'cost and control' idea: if you control information, you can lower the cost. And that gets the attention of everybody.
Theresa Kollath: Cost is a significant factor, indeed. I met with a customer last week whose archive strategy is to keep absolutely everything for seven years. There are no other guidelines, there's no granularity. They just do it because it's easy to do; set the same policy for everything. Well, there are obvious cost savings to be found by doing that better! And there are risks in that strategy, too, because they're not dealing with the 'what-if' factor of the business. They think they can manage that, but they're not proactively doing it. And that can be a costly problem.
Mary Leigh Mackie: It depends on the company you're talking about. Some companies have more stringent guidelines around the type of content they're managing. One of the 'funny' conversations we get into around records management and compliance is: unless the fines and penalties cost more than the solution to avoid them, then companies make the decision to ignore governance. It's a cost-benefit analysis. But we are seeing more companies—regardless of the system they use—becoming more proactive. More often now, the compliance discussion defines the information management policies. The conversation around governance happens much sooner than it did a few years ago.
The trend toward mobile devices, BYOD (bring your own device), etc., is allowing a lot more power for the business side to drive IT solutions much more than before. They are taking a stronger stand in choosing the solutions they want to work with. The CEO is even saying, 'I want to use my iPad. Make it happen.' Versus the IT department delivering solutions and requiring the use of them.
Tamir Sigal: It's absolutely business-driven. If the policy is to keep information for seven to 10 years, who do you think is making that decision? It's not IT. It's not legal. Business is driving that discussion.
And with the low cost of cloud—whether it's Amazon, Google or Dropbox or whatever, it's very easy to bypass the governance and compliance requirements mandated by the company. Take, for example, I'm a VP of marketing. I probably don't know what the rules and regulations are for my industry. So I need advice from the legal officer, and the compliance officer, to understand where the risks are to the business.
Compliance and governance are not the same thing. Compliance is simply one of the drivers for the governance program. But there are others: another driver might be reducing cost. Another driver—believe it or not—might be mergers and acquisitions. Because in an M&A situation, the company has to have all its documentation in order, and it needs to have all the Is dotted and the Ts crossed to make sure they comply with SEC and other regulations.
AM: So I pursued this line of questioning. I still wasn't clear on who's in charge. Business or IT?
TK: There is a growing awareness that collaboration among all departments needs to take place. Considering the fairly significant penalties that could take place if you DON'T do it right, and that the C-level is aware of that, folks realize they need to work together more synergistically than they have in the past. No part of the organization can be an island any longer. If you try to avoid a collaboration between IT and the business side, you're in for a costly surprise.
DG: This is the core issue—alignment among all the various organizations with the basic goal of governance. When Tamir said compliance is a subset of a larger governance story, I couldn't be in more violent agreement!