The Gamble: Risk Vs. Governance
And I quote: “Regulatory compliance is what you have to do. Information governance is what you should do. And risk avoidance is what you achieve when you do both of those correctly.”
That’s roughly what I wrote about a year ago, and it’s still pretty much true today. But a few things have changed in the records and risk-management business since then, so I set out to discover what those elements were.
To do so, I spoke at length with Miguel Rodriguez. Miguel is the senior product manager for ASG Software Solutions, and is as gentlemanly and poised as they come. He’s also got a sense of humor about his work, and we had a great talk a couple weeks back.
“For most business-side people, their contact with the reality of technology is limited. And for IT, their contact with the reality of the business is also very limited,” said Miguel. “Information governance is what brings the two sides together.”
I gave Miguel my two-cent definition (the first paragraph of this article) and he sort-of agreed. But he had a deeper—and more functional—definition of information governance than mine. “Information governance goes far beyond simply adhering to a regulation,” he said. “It has to do with how your employees are taught to manage files efficiently, to make them easier to locate in the future, and to conduct the business’ day-to-day activities properly.” These governance rules are communicated, known and hopefully adhered to by everyone within an organization, and lead to the smooth operation of the business, according to Miguel.
“Some companies, especially the larger ones, are beginning to recognize that information hasn’t been managed as well as it could be,” he said. “But it’s slowly happening. There’s still no such thing as a ‘C-level’ records manager, but there are executives out there who recognize they have too much unmanaged information, and acknowledge that records management is part of the solution to that problem. In fact,” he added, “we’ve seen examples where the CIO and the records management team have been mandated from the most top level to work together to accomplish better information management.” What’s driving that? I asked. “They are deeply motivated by fear!” he laughed.
Miguel said that it is becoming increasingly common for records and retention to be a topic of conversation at higher levels in the organization than in the old days. “It’s not all the way there yet,” he admitted, “but it’s growing more common. There are two trends in every company: one is the IT need to save money on storage costs and maintenance of storage devices and that kind of thing; and then there are the guys on the user side who want to keep everything ‘just in case.’ And in the middle is the legal department saying, ‘Keeping everything is not good, but deleting everything is not either.”’ So I asked: When these three groups get in the ring, who wins? “Probably the one who is closest to the pocket of the CEO,” answered Miguel. Amusing as this is, I said that would imply the CIO trumps the others, since he or she’s more senior than, say, records managers or even the legal people. “Yes, but in certain companies that have a long past history (with litigation), the legal department has a lot of weight in decisions.”
I wondered whether these groups ever formally sit down to discuss records management or retention policies? Miguel had some customer anecdotes of organizations that were pretty forward-thinking in this regard, but admitted, “more often than not, IT doesn’t have a clue about the retention needs of the records manager, and vice versa. It comes down to how they perceive their roles in light of the need to manage information. To the average IT guy, a business contract or a legal document only has value measured in bytes...that’s all. And records usually sees it in terms of how it’s ‘declared’ and how it’s ‘classified...’ and that’s all. But in a couple of cases, we’ve seen a new environment form that understands both the risk associated with information and its business value, too.”
The Power of Automation
We spent a while talking about the various responsibilities for records management and information governance in general.
As we all know, electronic information takes many forms—Word documents, PowerPoint presentations, spreadsheets, even transactional data coming from business applications, such as ERP systems. This led Miguel to a very interesting observation: “Where does all this information come from? The business side... the applications operated by line-of-business activities. So who should apply governance over that information?” he asked rhetorically. “Probably the people creating it—the business side.”
Yeah, but... “I know; it’s very difficult...a company with 50,000 employees creates payroll records every two weeks, and it’s usually output in one long string and stored as a single unit. But you may find a regulation in Germany that says upon termination of an employee ALL information related to that employee must be destroyed. Other countries have different regulations about employee records... in the US you have to keep them seven years. How do manage that level of complexity at those volumes? There is no way you could do that manually; you have to automate it. But many of the records management products are tuned to work on records created by humans, not by business applications such as PeopleSoft,” explained Miguel. “Many of the handoffs between the business side and the records side are still being managed manually. And in fact, many times the kind of application-generated information that comes out of large transactional systems never even SEES the records manager’s desk... those are considered IT issues, not records issues.” And therein lurks risk; Germany, for example, is very strict about what you keep and what you destroy, Miguel told me.
Recent and emerging regulations don’t make it any easier. The amendments to the FRCP and the upcoming changes to Federal sentencing guidelines (currently under review and due by the end of the year) have made a huge impact, because they don’t specify that only official “records” are subject to their coverage... they use terms like “electronically stored information” and “documents.” That’s a huge umbrella and opens the door to an enormous new amount of information that must be managed.
I know what you’re thinking. The investment may seem high at the outset. But it’s like an insurance policy—compared to the costs of NOT doing it, doing it is relatively inexpensive. And in addition, depending on the type of information you manage, you can also gain monetary benefits from information governance. So it’s not a wasted cost; information governance balances the cost with the benefit to achieve the highest possible advantage to the organization. It’s a win/win.
On the following pages are some more “win/win” scenarios to enjoy and employ. See if you can recognize yourself in any of these situations. My bet is—you will.