Are You Saving Money With A Defensible Records Disposal Strategy?

February 2011, Vol. 238 No. 2

Deidre Paknad, Mountain View, CA; and Lorrie Luellig, Phoenix, AZ

Corporate data volume grew by about 50% last year and the budgets for that function grew by 0%, according to industry analysts. The explosion in data volume and diversity, including pipeline inspection documentation, is putting tremendous cost and control pressures on corporate information technology (IT) organizations.

When 40% or more of corporate data is not subject to a specific legal duty and has no business value – the capability to quickly identify this “digital waste” provides a compelling opportunity for IT groups to dramatically reduce costs and free up strategic IT investment dollars.

With flat budgets – and data volume growth estimated by one research firm to grow by a factor of 44 in the next 10 years1 – how will your organization invest in real-time information technologies that streamline planning, delivery and shipment?

How will you fund innovation with the latest 3-D pipeline inspection technologies?

How will you afford content management or data warehouse solutions needed to manage the 10,000+ pieces of preserved data mandated by the EPA?

Further – the revenue-generating business units likely need more storage and search tools so they can weed through the excess and find the right data to manage the business. All these projects are at risk if the budget is being consumed by excess data storage and information management expenditures.

Companies that can and do dispose of unnecessary information are able to return more profit to shareholders and use their IT budgets for strategic investments rather than managing digital waste.

Without a systematic, reliable way to determine the applicable legal obligations and value of data, to defensibly dispose of excess data, corporate IT departments typically adopt an extremely costly “keep everything” policy. Now more than ever, companies must invest in significant cost-reducing information governance “defensible disposal” processes.

Information Governance Defined
Information governance is the discipline of managing information according to its attendant legal obligations and its business value, enabling the defensible disposal of data and lowering the cost of legal compliance. Best practice has emerged that can guide corporate IT departments to a strategy of storing less and making more efficient use of IT resources.

A new study commissioned by the Compliance, Governance, and Oversight Council (CGOC) in concert with electronic discovery reference model (EDRM) and the new Information Management Reference Model project, assesses the challenges and how companies are addressing the problem.

CGOC members include executives from companies such as ExxonMobil, ConocoPhillips and Devon Energy. This first-of-its-kind survey includes legal group, records group and IT group stakeholders from oil, gas and energy companies, as well as other industries such as life sciences, insurance, consumer goods and chemicals.

CGOC asked participants what they perceived as the benefits and barriers to better information governance and how well the traditional tools and processes worked. The study (available at www.cgoc.com) captures the essence of painful compliance and governance disconnects, and in particular, the disconnects among legal, records and IT practitioners within the same company. Given the data explosion that continues to occur in oil, gas and energy companies, its lessons are germane today for the pipeline industry.

The Price of “Keep Everything”
Data storage is not cheap. Oil and gas IT shops already spend an estimated 3% of revenues on data management2, which can add up to hundreds of millions of dollars each year. And these amounts will only increase.

Some may argue that keeping everything is, in fact, a valid approach, as long as all the data is properly indexed and therefore searchable. But unfortunately, searching and indexing 5 petabytes of data will not tell you what is on hold, what is of value and what is subject to regulatory obligation. The obligation and value of information are not determined by their searchable text content but rather by business people making systematic, informed business decisions.

So what happens, for example, when the EPA comes knocking with an information request? As it is, most legal departments do not fully understand all the EPA’s regulations and how they apply across their lines of business and various departments, and even if they do, they have no mechanism for communicating this information to the IT group. These companies are already challenged to identify and communicate what parts of their enormous data volume is needed for regulatory, legal, environmental, and strategic market requirements. And, as the amount of data increases, the risk of compliance violations will continue to increase.

Are not legal holds and records management enough? The CGOC Benchmark Report on Information Governance found that across all industries, too many organizations lack systematic linkage and transparency among the people who determine the legal obligations, the people who determine value and the people who manage the information. In fact, 85% of legal, records management and IT staff surveyed viewed this lack of consistent collaboration as the single biggest barrier to defensible disposal and a source of risk.

In addition to the lack of connectivity and transparency, the form of legal hold and form of retention schedule are often part of the problem as well. Legal holds refer to the custodians and not to data sources. Retention schedules refer to business functions and record classes – again, not to data sources. Therefore the IT group has no legal obligations tied to the information sources in which the data resides.

Virtually 100% of the IT organizations surveyed in the CGOC Benchmark Report imposed capacity quotas to contain data growth, yet 77% said the retention schedule was not used or actionable by the IT organization for retiring data or applications.

Often, the form of retention schedule was never modernized from its application to paper records in a single location, and it was so generalized that it could not be reliably applied by people who manage electronic information in multiple sources (which may or may not be records but nonetheless need to be disposed of).

In fact, most large companies today operate multiple divisions or business units with very disparate products in many different countries – the actual value of specific information is determined by the business teams that generate it in the course of their business and the regulatory requirements are determined by the country or jurisdiction in which they operate and the information resides. The form of schedule or the absence of efficient schedule, information inventory, and taxonomy tools often leads companies to over-distill business value and legal requirements and results in schedules that are imprecise, unusable by general employees or IT specialists or are very difficult to maintain.

Some legal departments choose to manage legal holds as simple email notification to general employees and one or two IT staff members, ignoring the thousands of employees in IT involved in managing the data (and the risk this represents) and the dynamic employee base and information environment.

In many companies, no one in the legal department knows definitively who is on legal hold, so it is impossible for the IT group to know. Even where the legal department manages a master list of legal holds, few provide an accurate, real-time list of legal holds with the scope of people and information involved to the IT organization. For IT there is not enough specificity of instruction to guide consistent and confident execution, so they must keep everything. Occasionally legal staff recognizes that the lack of 1) transparency and 2) process controls prevents disposition of data, but they may justify this inefficiency because they believe the cost of information storage and management is cheap, the cost of precision process management systems are too high, or that saving more data reduces legal risk.

Ironically, quite the opposite is true. Information management costs companies on average 3.4% of revenues (2) (and almost twice that in financial services companies) and the most dramatic ediscovery failure cases resulted from the IT group’s inability to preserve or find data in their possession! When the legal department assumes that keeping all information forever reduces risk, they shift legal risk and an unspoken compliance standard –and related costs — to the IT group.

A comprehensive information governance (IG) plan that enables a pipeline company, for example, to demonstrate the defensible disposal of data that has no associated regulatory requirements, legal obligations or business value is mandatory.

Many pipeline companies have put programs in place to eliminate excess data. Their goals are to significantly reduce storage and other information management costs while improving their ability to comply with regulations, respond to requests for legal holds, and use high-value business information effectively.

Don’t Reinvent The Wheel
There are three resources that can help a manager define a vision and roadmap for his or her corporation, develop the processes and skills necessary, and enable change management for rigorous compliance in concert with defensible disposal:

1. CGOC – a corporate practitioners’ community with 800 members in legal, records management and IT functions from global companies. CGOC holds meetings throughout the year, publishes benchmark reports, papers, and an online reference library, and provides a professional network. The “CGOC Benchmark Report on Information Governance” is important reading for anyone focused on unifying processes across legal, records and IT functions to lower risk and cost. www.cgoc.com.

2. Information Management Reference Model (IMRM) – The model is promulgated by the electronic discovery reference model (EDRM) organization in recognition that the vast majority of ediscovery costs and risks arises from a company’s inability to dispose of data in the routine course of business. www.edrm.net.

3. Information Governance Process Maturity Model – this process maturity model helps companies to assess their current governance process maturity and determine the levels of risk and costs associated with current practices and process improvement. www.pss-systems.com/IGPMM.


What Is The Path For A Pipeline Company To Achieve Rigorous Data Discovery, Value-Based Retention And Defensible Disposal?

Leaders of change and operational excellence recognize that achieving the substantial reduction in cost and risk from information governance and defensible disposal requires a change in processes, including investments to:

1. Systematically link the business processes in the salient departments. Provide structural collaboration and transparency with automated workflow and collaboration wherever possible. Eliminate manual ties among thousands of data sources, thousands of regulations that dictate retention or privacy requirements and hundreds or thousands of legal holds across a diverse business.

2. Modernize the records management program to provide reliable, actionable information procedures to IT for execution. The diversity of business units requires capturing unique business value, local terminology and the many disparate locations where information is stored. Overlay schedules and procedures on this inventory in a shared application so IT can manage data by its value, legal can rapidly discover information, and the retention program can be systematically audited.

3. Treat legal holds as an enterprise process rather than a legal department task. Ensure that legal can initiate holds so that people, records, information categories and data sources subject to a hold are properly identified and precisely communicated to all information stakeholders so they can have accurate information as they perform their jobs. Consider systems that can automatically propagate holds in high volume data sources such as email archives, content management systems, and transaction applications so that routine disposition can also be automated.

4. Ensure that the IT group can determine, in their terms and with little or no interpretation, 1) who and what is on hold, 2) what is of value and 3) what is subject to regulatory obligation. In other words, enable IT to determine in real time how to more precisely and efficiently manage data for the enterprise. One of the biggest changes in records management and legal holds is that 98% of information is electronic under the stewardship of IT. As a result, IT must be viewed as the target “consumer” of legal hold communications and retention schedules and this requires changing the form of traditional tools to suit their purpose today – rigorous compliance, defensible disposal.

Authors
Deidre Paknad – founder of the Compliance, Governance, and Oversight Council (CGOC) – is president and CEO of PSS Systems, an IBM Company. Paknad is widely credited with having conceived of and launched the first commercial applications for legal holds, collections and retention management. She founded the CGOC, a professional community on retention and preservation that analyst firm IDC has labeled a “think tank.” She has been a member of several Sedona working groups and leads the EDRM IMRM working group 6. Her blog on information governance can be found at http://www.pss-systems.com/blog.

Lorrie Luellig serves as Of Counsel to – and is a founding member of – the Ryley Carlock & Applewhite Document Control Group. Luellig has extensive experience counseling clients about retention policies and procedures for both litigation-related matters and overall company operations. She has helped to create and implement strategies for Fortune 100 companies in the areas of legal and regulatory compliance, litigation holds, privacy and security issues. She leads the Electronic Discovery Reference Model’s (EDRM) Information Management Reference Model (IMRM) Corporations Subgroup and the CGOC Records and Information Management (RIM) Working Group and was instrumental in designing the recent CGOC study on information governance. She received her LL.M. from Harvard Law School, Cambridge, MA.

References
1. IDC Digital Universe Study, May 2010
2. Gartner IT Metrics: IT Spending and Staffing Report, 2010