Guest post written by Deidre Paknad
Deidre Paknad is founder of the Compliance, Governance and Oversight Counsel and Director of Information Lifecycle Governance Solutions at IBM.
Consider this: 90% of the data in the world today was created in the last two years, and data volumes are rising faster than storage prices are declining and technology is improving. A data growth rate of 40 percent can mean that 15 petabytes in 2011 will become 39 petabytes by the end of 2014. Even with a 20 percent decline in storage unit costs, the per petabyte cost of tier one storage for most large enterprises will likely range between $1.5 million and $5 million and will rise to consume close to 20 percent of the typical IT budget.
Most CIOs and all General Counsels know intuitively that half or more of stored data is debris, and the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit validated this, finding that typically 1 percent of corporate information is on litigation hold, 5 percent is in a records category, and 25 percent has current business value. This means that 69 percent of information in most companies has no business, legal or regulatory value. Companies that are able to dispose of this debris return more profit to shareholders, can use more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response.
The challenge for IT is that most storage cost-cutting programs simply don’t deal with the root cause of data debris, which is the disconnect between supply and demand. To determine what the business and legal team really need and what they no longer need, IT typically has to make a billion choices! Most companies I work with have:
- 100 to 15,000 matters and legal holds
- 300 to 3,000 record classes
- 1,000 to 15,000 regulations that mandate specific record keeping
- 1,000 to 50,000 file shares, SharePoint sites, ECM systems and applications
- 2,000 to 40,000 departments of people working on specific business functions
- 10,000 to 1 million employees
- 3 to 130 countries in which they operate
Taking the low end of each range, to defensibly dispose of data, IT needs to know which of 100 legal holds and 300 record categories apply to which of 10,000 people working in which of 2,000 departments whose data is located in which of 1,000 servers or apps. That’s a billion potential combinations of legal obligation or business value applicable to any one person and information source – and none of them are safe choices in a dynamic environment.
Developing a Defensible Disposal Program
To make defensible disposal possible, organizations like the CGOC are bringing together legal, compliance, records, business and IT stakeholders from top global organizations to establish standards and improve supply-and-demand practices and mature lifecycle processes. This effort is already helping companies curb storage growth and cut costs, increase e-discovery efficiency, and ensure that regulatory obligations for information are satisfied.
Program Leadership
Resources such as the “Information Lifecycle Governance Leader Reference Guide” details the drivers, benefits, strategies and core processes that information leaders need to lead this change in their organizations. But it is critical to get the right people to the table. The Executive Committee should include the CIO, CFO, General Counsel and other officers. A senior advisory group composed of line of business leaders ensures business responsiveness. A program office drives and measures progress toward goals and directs the efforts of a working group that matures and instruments the relevant processes.
Processes Required
The next step is developing a strategy for improving and unifying siloed processes and practices across legal, records, business and IT. The “Information Governance Reference Model” provides a framework for linking information duties and value to the data assets that IT stores and manages to more effectively tie information demand to infrastructure supply. In addition, the CGOC’s “Information Lifecycle Governance Leader Reference Guide” provides a maturity model for the 16 specific processes required to lower cost and risk and to institutionalize defensible disposal, value-based archiving and retention, and rigorous e-discovery. Finally, it is essential to have clear connections between the business objectives, the processes and actions required to achieve them, the capacity to execute those actions, and the measurement needed for accountability.
Supporting Technology
Today, companies must go beyond publishing policy to instrumenting those policies on data itself. Policies that require intensive manual labor from either IT or the business have a low success rate. Maintaining a defensible disposal program at the desired maturity and capacity requires the right technology and tools. Technology should automate legal holds, retention of records, de-duplication and proper tiering and disposing of data that no longer have business, legal or regulatory value. Storage virtualization should automate the continuous allocation of capacity freed from routine disposal and legacy data cleanup. There must also be a shared data source catalog across the policy makers in legal, records, the business and compliance and the organization that must execute them.
Capacity planning and monitoring are also critical because resource issues and allocations can undermine the results - especially in cross-functional projects. As the Information Lifecycle Governance Leader Reference Guide points out, make sure the people on the Executive Committee and Senior Advisory Group are fully aligned with those in operations who will actually carry out the agenda. Once processes are enhanced and defensible disposal is institutionalized, Internal Audit is an important partner in ensuring “business as usual” reflects policy and savings objectives. Audit criteria should be designed into the program as a core part of the strategy.
CIOs, GCs and CEOs challenged to drive financial performance today often must do so through cost reduction, and risk tolerance is dropping. A defensible disposal program with a joint-stakeholder model across legal, compliance, records, business and IT is one of the few options that help CIOs and other executives lower both cost and risk and support their innovation and revenue agendas.
