I recently sat down with Mark Diamond, CEO of Contoural, to talk about the current state of Information Governance.
JM: What is the biggest challenge organizations face in getting rid of electronic information before it buries them?
MD: While there are a number of challenges, including compliance, classification, defensibility, I think the biggest challenge most organizations face is finding an owner for the problem. Everyone including, legal, RIM, IT, privacy, wants to see this problem addressed, but no one really wants to own it. Getting rid of unneeded electronic information requires agreement and joint ownership among multiple stakeholders. Without it, your initiative is likely to go nowhere.
JM: Why is it so difficult to stop organizations from being “hoarders” when it comes to electronic information?
MD: Too often, the focus of defensible disposition to combat hoarders promotes the benefits of compliance, lower eDiscovery costs, and other issues most employees don’t really care about. These programs don’t sell a win for employees, namely that if employees clean up what you don’t need or care about, it will be much easier for them to find the higher value information they do. These programs attempt to succeed by high-level mandates, which are often ignored. They require a smarter approach.
JM: Where do you think the Information Governance function should report in an organization?
MD: Working with hundreds of organizations, we have found that the most successful programs have a steering committee composed of legal, records, IT and other stakeholders, dividing responsibilities through a matrix approach, and often having the steering committee report up to an executive committee.
JM: What kinds of change management issues arise when an organization gets serious about information governance?
MD: A key component of information governance is behavior change management: changing older, entrenched, and less helpful employee behaviors such as “saving everything forever” into newer, compliant, and more productive behaviors of saving the right information in the right place. This is an explicit strategy that includes messaging, targeted stakeholder engagement (“selling the win” to the heads of business units), data placement strategies, training as well as audit strategies.
JM: What best practices can you suggest for email classification?
MD: There are three main approaches for email classification, including monolithic retention, trusted custodian, and auto-classification. Each approach has pluses and minuses, including effectiveness, cost to implement as well as compliance concerns. Probably these best approach is a hybrid approach, that both leverages technology as well as compliance risk. Unfortunately, there’s no silver bullet, but applying the right strategy can make this much, much easier.
JM: What is your take on the current email scandal at the IRS? Would a sound Information Governance program have made a difference?
MD: Just amazing. Saving emails – and making sure they are saved – is such a basic task for both litigation and investigations, one has to wonder why the IRS either didn’t have these processes in place or as alleged they were not followed. We’ve worked with a number of Federal Agencies that have sophisticated and proven legal hold processes in place. It’s just not clear. A good information governance program that included comprehensive, documented legal hold procedures would have allowed the IRS to avoid these issues.
JM: How do you see the current focus on Information Governance vs. the more traditional focus on Records Management? A step forward, or just marketing hype?
MD: There seems to be as many definitions of Information Governance as there are record types, but the need for information governance is real. For years records management has been bumping into eDiscovery, privacy, disposition, productivity, etc. All of these are different needs, yet solved by a common task – the control of information. Or simply put, all of these disciplines really seek to know what do you have, where is it, can you find it, save it, secure it, delete it consistently across the enterprise. Putting control of information under a single discipline, Information Governance, that serves multiple masters addresses a real need and is here to stay.