11 Key Reasons To Develop a Governance Plan

For much of the Information Age, allowing information (even after its business function is fulfilled and there is no other obligation to keep it) to accumulate was relatively risk-free since storage devices were so cheap. But recently, three important developments have changed all this:

  1. Aggregate storage costs are now rising because information is created electronically in staggering volumes.
  2. Large quantities of data inhibit an organization’s ability to retrieve valuable information efficiently, resulting in a loss of strategic opportunities.
  3. Information retained past its useful life increasingly poses significant legal risk, including expensive discovery requests arising from litigation or governmental investigations.[1]

As organizations have tried to cope with this complex and ever-changing information landscape, they are finding the traditional strategies for addressing information compliance, risk and value to be inadequate. Particularly problematic has been the tendency of organizations to have their information-related actions driven by siloed disciplines (such as records and information management, privacy and data security, or litigation preservation), creating inefficiencies and risks for the organization as a whole. When departments or groups within an organization make autonomous decisions about information, inconsistencies and problems can result. What is needed is a more comprehensive and holistic approach to governing the organization’s information.

Equally problematic has been the tendency of most executives who manage information to view it from a cost and actuarial perspective. But information governance is more than just cost reduction and risk mitigation. It is actually a value proposition, challenging organizations to focus on the untapped value of information before making decisions based simply on cost and/or risk. This is an important distinction because capitalizing on the value of information requires a nuanced move away from mere information management to information governance.

What is information governance?

Part of the “buy in” to such a program includes understanding what information governance is. The Sedona Conference, a nonprofit research and educational institute that brings together jurists, lawyers, experts and academics to discuss how the law should go forward on cutting-edge issues, provides a good definition:

“an information governance program is an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”[2]

What I like about this definition is that it identifies the three key aspects of an organization’s relationship to information. First, it acknowledges the importance of compliance and the fact that organizations are subject to legal, regulatory and contractual requirements. Second, it recognizes organizations face information-related risks that need to be managed, i.e. risk management. And third, an organization’s information and related practices have an economic impact that can be enhanced by controlling information costs, improving processes, and maximizing the inherent value of the information itself, i.e. value delivery.[3] A discussion of each one of these aspects underscores why having an information governance program in place is critical. For those of you who would rather skip the “why discussion” and get to the point of this post, just scroll down to the last section, The Takeaways (11 Benefits of an Information Governance Program).

Why an organization needs an Information Governance Program.

Compliance.

Because there are so many federal and state compliance laws regulating information, governing it is really not optional. For instance, record retention requirements mandate that records be kept for an explicit time period, usually measured from a triggering event. State data security laws require reasonable safeguards, breach notifications and consents when it comes to Personally Identifiable Information (“PII”) of state residents. The law of intellectual property requires certain measures to maintain and protect trade secrets, patented inventions, trademarks, and copyrighted works. And organizations have a duty to preserve documents and other information that they know or reasonably should know may be relevant to imminent or pending litigation (i.e., they need to put a “litigation hold” on the materials).

An information governance program helps organizations navigate this extensive and convoluted legal landscape. Instead of confronting these issues on an individual basis, a governance program recognizes that such legal requirements interrelate and interact across their respective disciplines’ boundaries. For instance, when information is kept longer than required by record retention laws, the chance of a security breach, or of a disclosure jeopardizing trade secret status, increases. Over-retention also adds to the amount of information subject to legal holds, which in turn puts pressure back onto retention and records compliance. The circular nature of these obligations can be paralyzing without integrated governance.

And if this is not enough to convince even the most cynical of skeptics, certain legal requirements actually mandate that organizations establish what can be considered the foundational elements of an information governance program anyway. For instance, entities governed by the Gramm-Leach-Bliley Act and subject to the Safeguards Rule are required to “develop, implement and maintain a comprehensive information security program.”[4] Entities subject to the FTC’s Red Flags Rule must “develop and implement a written Identity Theft Prevention Program” designed to detect, prevent and mitigate identity theft.[5] In other words, organizations in certain sectors (e.g., the financial sector) must establish a working information governance program if they hope to stay on the right side of the law.

Risk Management.

In Part 1, I outlined several diverse information-related risks. Without repeating that discussion, suffice it to say that a functioning information governance program can assess these various risks and chart a course that aligns decisions with the organization’s overall strategy and risk tolerance.

One of the most important characteristics of an information governance program is its risk-based approach to information and its commitment to a multi-disciplinary forum with cross-discipline discussions. In many business situations, opportunity will trump risk, but with the proper forum in place for considering risks, the organization can at least take appropriate steps to mitigate them. For instance, IT may decide to move data to the cloud as part of a larger migration of services away from internal networks, for any number of reasons. But if legal, privacy, records, and other specialists are not brought into the evaluation, there is a much greater chance that key risks will go unaddressed, particularly in negotiations with the cloud provider. For example, how quickly will data be available for discovery requests? Will the cloud provider be able to dispose of the information when it is no longer needed? On each of these issues, a considered collective evaluation is more likely to reach a conclusion in line with the organization’s strategy as a whole and its risk profile.

Organizations should also understand that information governance is not only the smart thing to do but also something that cannot be ignored in light of the expanding fiduciary duty of loyalty.[6] Boards and Senior Management now have the obligation to take reasonable measures to protect stakeholders from known risks to data security, and to oversee those measures regularly. Though this is not a new argument in support of information governance, it has not been a central focus of the conversation. Given the recent developments in the expansion of the fiduciary duties of an organization’s leadership, it should be.

Value Delivery.

a. Cost Optimization.

Considerations for managing “non-value” information should be a key part of an information governance program. Indeed, when organizations analyze how much it costs to store and manage information, they will identify huge potential savings. Keep in mind that IT has traditionally lived in fear of being criticized for not maintaining certain information. In fact, IT is often used as a scapegoat for the loss of information when a litigation hold is not properly communicated and enforced.

Moreover, though IT is tasked with storing and maintaining information, it usually understands neither the content nor its value to the organization. Business, meanwhile, may know the value of the information, but rarely understands the total cost of owning it. This is why the associated risk managers (e.g., legal, records and privacy) in an information governance program are so important. They may have little understanding of the business value of information or of the alternative storage techniques available, but they can assess the risks associated with the different categories of information.

Therefore, when it comes to cost optimization, an information governance program can help on a number of fronts. For example, it can identify valueless information that must nonetheless be kept because it is subject to a legal hold, and move it to cheaper storage. Similarly, it can identify information that still has value but can be moved to cheaper storage with slower retrieval times. And lastly, such a program can provide an incentive for organizations to review legal holds placed long ago, lift those that are no longer required, and dispose of data whose shelf life has expired.

b. Maximizing Inherent Value of Information.

To optimize the value of information, the first step of an information governance program is to understand “what information exists, where it exists, how it is being used, how it is not being used, and – most importantly – how it might be additionally used to be of benefit.”[7] Referred to as finding the “Hidden ROI” (Return on Investment), such an analysis calls for the participation of, and interplay between, the necessary constituent departments, specifically legal, records, IT and business. It involves an assessment of how each discipline can “give” and “get” something of value from the other disciplines.

There are several benefits that can be realized from such an exercise. First, it can help identify situations in which information created for one function can be repurposed at limited additional cost and reused by another function to meet different business objectives and enhance revenue. For example, activity data on a website may provide clues to other services of interest to potential clients. Second, existing technologies can be put to alternative uses to improve efficiencies. A recent survey of CIOs found that technology is only used to 43 percent of its potential.[8] Optimizing an organization’s existing technology could provide a significant boost to its performance. And lastly, a comprehensive cross-disciplinary analysis of the organization’s various information-related policies and procedures can determine whether an organization can reasonably expect employees to understand and comply with the ones in place. Employees tend to ignore a hodgepodge of written policies. And since companies now face the potential for increased regulatory scrutiny, ensuring that their information policies are comprehensive and clear should be a priority. When an organization has a set of policies that align with its business strategies, employees are more likely not only to understand and comply with the policies, but also to understand the mission of the organization and move forward as a unified team.[9]

c. Improving Business Processes.

Value is not just money. There are intangible things that cannot be easily quantified but still deliver value. For instance, some business processes bring a product to market on time and within budget better than others. Improved process performance can enhance organizational reputation, customer trust and stakeholder satisfaction. The fact that some of this value may lie in perception does not mean it does not exist. Rather, the challenge is to find a way to illustrate its value to those who are skeptical. And there are several methodologies out there to do so. For example, some organizations use a measuring tool called the Balanced Scorecard (“BSC”), in which an entity achieves better performance results when it achieves certain objectives (e.g., training or educating its workforce to master a proficiency or skill). Other organizations use benchmarking (i.e., imitating the “best in class” to learn from them and improve). That value exists is self-evident simply from the desire to imitate.

Remember, you cannot improve a business process if you have no way to measure its performance. An information governance program helps measure performance. For example, its assessment function can determine whether the integrity of data in a records retention process is maintained and whether users are able to identify and retrieve valuable information efficiently. If they are not, the organization may choose to enhance its record-keeping systems. Likewise, the organization may establish a comprehensive data map, or matrix, that can be used to respond quickly to litigation or investigation requests. This kind of business process mapping and performance measurement is a linchpin in many modern information governance programs and can improve an organization’s ability to govern information.

The Takeaways (11 Benefits of an Information Governance Program)

In short, an organization should establish an Information Governance Program for the following reasons:

  1. Find the “Hidden ROI” of latent information.
  2. Ensure that valuable information is readily accessible and reliable with appropriate reporting and retention systems.
  3. Navigate an ever-changing information landscape with an integrated program rather than a disjointed one formed through accretion.
  4. Protect confidential and proprietary information in accordance with the organization’s policies and legal duties.
  5. Develop a cohesive legal strategy to address conflicting rights and duties.
  6. Retain PII only as long as necessary and guard against unlawful access.
  7. Align risk decision making with the organization’s overall strategy and risk appetite.
  8. Optimize costs by keeping information only as long as necessary for legal or business purposes, and at storage costs appropriate to its use and needs.
  9. Maximize the inherent value of information by repurposing and reusing it for functions for which it was not initially intended.
  10. Align policies and procedures with an organization’s business goals and strategies so that employees are more likely to understand and comply with them.
  11. Measure the performance of business processes so that they can be improved.

How to build such a program will be addressed in Part 3.

[1] Charles R. Ragan, Information Governance: It’s a Duty and It’s Smart Business, 19 RICH. J.L. & TECH. 12, at 2.

[2] See The Sedona Conference, The Sedona Conference Commentary on Information Governance 5 (Conor R. Crowley ed., 2013), at 2.

[3] Note that this definition mirrors the three principles of governance: value delivery, risk management and resource optimization.

[4] 16 C.F.R. § 314.3(a)-(b) (2012).

[5] 16 C.F.R. § 681.1(d)(1).

[6] See In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) and its progeny.

[7] See The Sedona Conference, The Sedona Conference Commentary on Finding the Hidden ROI in Information Assets, (February 2011 Version), at page 2.

[8] Evan Koblentz, Gartner Finds Corporate IT in “Crisis Mode”, LAW TECH. NEWS (Feb. 5, 2013).

[9] Charles R. Ragan, Information Governance: It’s a Duty and It’s Smart Business, 19 RICH. J.L. & TECH. 12, at 13, citing Bruce W. Dearstyne, Groundbreaking Trends: The Foundation for Meeting Information Challenges and Opportunities, INFO. MGMT. MAG. 28 (Mar.-Apr. 2010).