Corporate attitudes to information governance are changing. The exponential growth of information that is created and cultivated within a business has in many ways become as much a liability as an asset.
Regulatory fines, internal fraud, class action lawsuits, and unexpected personal data leaks and loss can cost a business millions and hit the corporate brand with a backlash of public opinion that can devastate a company for years. In some cases, such as that of Arthur Andersen, the damage can be irreversible.
In the corporate world these days the smoking gun is often found on a server and that is where the regulator has learned to look.
The two extreme policies of keeping everything, or alternatively keeping nothing, are in most industries now illegal and certainly out of date. While we may long for the days when a midnight e-mail from IT could kindly ask employees to clean up their network folders, stop using personal hard drives, or refrain from deleting germane files needed in a legal case, organisations are recognising that the potential damage from rogue (or uninformed) employees is too great to rely on principle alone.
These risks are driving organisations to implement strict information policies for accessing, holding and disposing of data in a timely manner to ensure compliance and avoid hefty fines or, in the worst cases, criminal prosecution.
Gone are the days when compliance used to be determined by a filing cabinet. Today more than 80 per cent of data in the enterprise is not neatly organised on shelves; it resides outside the scope of structured databases, on laptops, servers, and mobile devices across corporate divisions, languages and geographic boundaries.
With documents, e-mails, instant messages, blogs, and audio files being created at uncontrollable levels, and a huge influx of rich media into the business, this content has become particularly hard to retrieve, systematise and certainly govern.
Traditional approaches where companies simply preserve everything cannot be sustained. The cost of storage is far more than hardware alone, and organisations struggle to use basic search technologies to find relevant information when needed. Data protection laws may not allow retention and in any case unnecessarily retained information can cause cost and unexpected liability, for example during e-discovery for lawsuits.
The sheer volume of this unstructured data and the raw number of governing policies that can affect content have long nourished the misconception that an organisation needs an army of professionals stationed at every digital intersection to decide the appropriate course of action: a model as unappealing as it is impractical.
True information governance goes beyond merely alerting a compliance officer to a potential set of policy violations or counting the number of privacy breaches. It includes broad control and action and does not leave enforcement to individuals who are unable to keep up with the volume and speed of modern business. This should happen in real time, with visibility into the process to foster collaboration among compliance officers, legal, and IT.
Unfortunately these challenges have led many executives to operate under the misguided notion that true information governance can only exist as a guiding force and not a proposed reality.
They fail to realise that a fundamental shift in the way computers operate enables intelligence and automation within governance. Meaning-based computing allows computers to ingest information in its native human-friendly format, form a conceptual understanding of the content, its inherent rules and security entitlements, and take action upon it.
This ability of computers to understand the meaning of data – the who, when, where and how of content – enables a fundamental shift from manual to automated, consistent, and secure governance.
Technology can now read an e-mail as it is sent, realise it is a compliance issue and prevent it being sent out. It can analyse the files on a laptop and lock down those relevant to a legal case. It can take a message, realise it concerns a national of a country that does not allow information on its citizens to be held outside its borders, and route it to the right server for storage. It can take a message, read it, understand it and decide that it must be archived for seven years, while another message need be kept for only 30 days. Then, after the allotted time, it can automatically delete them.
By gaining a conceptual understanding of all corporate data, one is able to utilise a policy-based approach effectively to execute all processes associated with the retention, supervision and ultimate disposition of electronic information. Organisations are able to define and apply policies at the point of data creation, automating information classification based on its content, flagging any non-compliant documents, preserving data in archives and integrating disposition management systems that can honour any legal holds.
Just as we saw Sarbanes-Oxley as a response to the Enron era, it is likely we will see a further acceleration of information governance regulations as a response to the events of the sub-prime crisis.
These new rules, along with the consequences of the recent changes in the US Federal Rules of Civil Procedure (FRCP), data protection legislation, compliance regulations and many countries’ new geographic storage rules, will drive the need for companies to take a pan-enterprise view of information governance.
By automating information governance to reduce business risk, we ultimately safeguard the guiding principles that drive the vast majority of employees and officers to protect the integrity of the corporate brand, while not impeding the creativity and flexibility that drive value in modern business.