Information Governance: Trust is Good; Control is Better

Ashley Smith, MD, Navigant

Speaking to corporate officers about Information Governance is similar to cautioning my toddler to hold on to the railing when she descends the staircase–I remind her every time, and she knows she should, but she usually doesn’t, which in turn results in her falling face first down the stairs. Crying and screaming follow, and inevitably the process repeats itself the next day. In the same way, corporate stakeholders understand and agree with the value created by Information Governance, and yet, it is often aban­doned in the face of time constraints, budget pressures, and shifting priorities. The neglect of Information Governance policies has a direct correlation to rising business, infrastructure, and legal costs as well as creating the greatest risk to corporate assets. If you want to have a real impact on your business, make Information Governance the directive that coordinates all aspects of your organization.

Risk versus Cost

“Information Governance” has become a marketing buzzword, and there are many definitions that attempt to clarify its scope and purpose. In its 2014 annual report, the Information Governance Initiative provided a clear and concise definition:

Information Governance is defined as the activities and technologies that organizations employ to maximize the value to their information while mini­mizing associated risks and costs.

This is the core objective of Information Governance–maximize business value, minimize legal risk. The benefits of successful Information Govern­ance programs are well documented: reduction in storage, IT, legal and eDis­covery costs; increase in efficiency, information value, and corporate assets. Information Governance saves money. So why is it that so many corporations are failing to implement Information Governance programs and policies? It comes down to perceived risk versus cost.

Time and time again, corporate officers are faced with difficult budg­et choices. Many still identify company-wide Information Governance policies as a luxury; why should they spend additional time, money and resources on a universal policy when individual departments already have it in their budget and charter to do the same? Information Technology, Human Resources, Legal, Management–each of these business functions have a specific charter; however, these siloes create the biggest risk because they inherent­ly obfuscate the overall corpo­ rate objective: maximize value, minimize risk.

“The core objective of Information Governance– maximize business value, minimize legal risk”

In the 2014 IGI Annual Report, 19 separate facets of Information Governance were identified, including Records and Information Management, Compliance, Information Security, eDiscovery, Data Storage, Finance and Business Operations. These facets exist within and across company functions, and demonstrate how Information Gov­ernance should be employed as the coordinating policy across departments. Consider the prolif­eration of personal mobile devices, social media, and cloud storage– the potential business risks of these technologies do not sit within one depart­ment, they straddle several–IT, Human Resources, Legal, to name only a few. In order to manage this risk, Information Governance must be taken out of the individual department silos, and owned by the organization as a whole.

“Money's going to be spent….you can spend it now, or you can spend it later, but it's cheaper to spend it now.”

The holistic approach to Information Governance is not a new concept, and yet, corporations con­tinue to gamble on existing programs rather than proactively overhaul their information manage­ment systems. Recent court decisions underpin how failures in Information Governance policies can impact legal proceedings.

In Pradaxa, the court imposed sanctions against defendants for various discovery abuses, most notably failure to preserve potentially rele­vant information from key custodians. Ultimately, the court concluded the defendants’ actions were in “bad faith” and imposed nearly $1 million in sanctions. In Ethicon, the court imposed sanctions against the defendant largely due to the failure to implement a sufficient and timely litigation hold notice. In Brown, the court addressed, among other things, the failure of defendants and counsel to up­hold their discovery obligations. Most significant were defendants’ and counsel’s failure to address the preservation, and collection of a web-based ap­plication used by defendant’s sales force. In all of these cases, observance of a holistic and informed Information Governance policy would have pro­actively addressed these failures, and saved the companies tens of millions of dollars in legal fees and fines.

Next Steps

The first step to any Information Governance as­sessment is completing a full and complete net­work and information data map. Where does your information reside? Who controls it? What regu­lations govern it? Remember, the core objective for Information Governance is to manage all of your information (i.e., your assets), not just your records. To do this, you must connect your legal, privacy and regulatory obligations to your relevant information. Is your company regulated by fed­eral guidelines such as Sarbanes-Oxley or Dodd- Frank? Do you operate in international locations, which require special handling of personal and private information? Having this information will inform your next steps on data retention, transmit­tal, and disposal.

Perhaps the most important, and often over­looked, imperative for Information Governance is the need for it to fit your particular organizations culture, structure, and strategy. Remember, gov­ernance policies are meant to maximize value, and minimize risk–if in reality they restrict an employ­ee’s ability to satisfy their job requirements, they are more likely to be broken.

Next, evaluate your company’s information, and score its risk, value, and manageability. Some information scores high on all three dimensions, some scores low. The rating will define where the information should live in within your Information Governance framework.

Finally, ARMA International reminds us that “effective information govern­ance requires a continuous focus.” It’s not enough to put Information Gov­ernance policies in place. They must be regularly reviewed, and updated, in order to address changes in cor­porate need, and regulatory require­ments.

“Trust is good; Control, is better”

A client once said to me, “Trust is good; Control, is better.” I am constantly reminded of this sentiment when faced with Information Governance objections. It’s not flashy, but it is the number one way corporate offic­ers can maximize business value, and minimize legal risk.

As I remind my daughter, you can hold on to the railing and con­trol your descent, or you cannot, and trust that you won’t fall. You decide.