From Compliance to Information Governance: Reducing Costs and Improving Security for Organizations

Businesses are increasingly concerned about compliance due to the myriad standards, agreements, regulations, legislation and mandates governing their industries. But compliance is simply a ticking of a box. Software standards met – check. Licensing agreement honored – check. Records management mandate met – check.

Organizations should instead focus on information governance, a term frequently used interchangeably with compliance. But information governance is more; it is the strategy, not only for compliance, but also for meeting your customers’ needs now and into the future. In short, compliance is what you do and information governance is how you do it. And information governance brings much greater value to organizations; it can uncover business opportunities and protect enterprises from security threats.

Information Overload

New technologies are facilitating profound changes in the way people and companies work together. Pervasive mobility and cloud computing, to name just two, have affected our work habits and processes. This is a good thing, of course. These technologies allow people to work where, when and how they want, theoretically making us more productive and efficient.

The problem is that these technologies have created an information deluge. Gone are the days when managing structured data, such as documents and spreadsheets, was the only requirement. IDC is projecting a stunning 50 times growth in digital content from 2010 to 2020, with 90 percent of it in unstructured information such as emails, documents and video. The rise of social media and collaboration tools has also created a new class of enterprise content, and its distribution spreads across the spectrum.

Often, meeting compliance requirements, particularly records management mandates, requires the collection of all of this content. As such, companies have collected, and continue to collect, massive amounts of digital content: reports, presentations, video files, spreadsheets, email and every other format you can think of. At best, this information is stored in legacy records management or enterprise content management (ECM) systems with few controls and little ability to store, access and organize it, creating a potential nightmare for executives in the form of data breaches of sensitive and personal information across every industry. In addition, these systems can’t help executives find those needles in a haystack that could help solve a business challenge or move a company to the next level.

Unfortunately, a study conducted by the Association for Information and Image Management (AIIM) points to the fact that organizations aren’t taking information governance seriously enough. While around two-thirds of organizations had some level of information governance policy in place, nearly one-third admitted that their inferior electronic records keeping caused problems with regulators and auditors.

The results point to one big reason: most respondents did not include dynamic or personal content in their information governance policies. This includes all collaborative content, instant messaging and social media, just to name a few examples. In contrast, 37 percent of respondents agreed that there are important social interactions that are not being saved or archived, while fewer than 15 percent of organizations included social postings in their information governance policies.

Grandma’s Attic

Poor information governance is the equivalent of someone who throws every receipt, newspaper, magazine, letter, bill, invoice, photograph and other scrap of paper into shoeboxes that fill the attic from floor to ceiling and are now spilling out into the main part of the house. There’s no rhyme or reason about what needs to be saved, what should be locked up and what should be taken out with the trash. And there is so much that none of it can be easily sorted or accessed.

The problem is that some of this information has real value — it needs to be preserved with the ability to find it, tag it, manage it and protect it. Some of it should be accessible to executives who want to understand past opportunities and outcomes. If properly cared for, it might help solve new challenges. It might have historical importance. Or it might deserve extra protection because its inadvertent release could put the company at risk.

The risk of poor information governance varies from the unfortunate to the catastrophic. At best, a potential customer gets out-of-date pricing information and you are required to honor that. At worst, hackers break in and get hold of intellectual property or sensitive information, holding it ransom or selling to the highest bidder. In between are the all-too-common incidents of information mismanagement. This is what the U.S. government faced when Edward Snowden decided to go rifling through sensitive government files, allowing WikiLeaks to get hold of electronic files filled with secrets. It’s what happened to Target when hackers were able to obtain the credit card records of millions of customers. It’s what happened at Sony when employees started sharing information via email that they shouldn’t have shared.

This isn’t a new problem. It first emerged with shared drives with petabytes of information piling up in a big heap to be dealt with sometime in the future. Traditional ECM software jumped into the mess, addressing only a small fraction of the content by adding in some context and a few tools, but without solving the problem. The mess was mostly just swept into thousands of little corners. Fast forward, and now the problem has shifted from shared drives to the shared file services of the Internet — the Dropbox/Box/Evernotes of the digital age, creating a bigger mess to deal with. And, if not properly addressed, it will only grow as the amount of information we deal with continues to grow exponentially.

Good Information Governance

Businesses have focused on putting compliance, management and security controls in place. But what’s really needed is information governance. From a simplified perspective, information governance requires identifying the most important information and getting that under control. Organizations need to prioritize the processes and information in those processes that most affect risk — compliance risk, financial risk and reputational risk. Then the information should be stored where it can be most effectively used to address both the business opportunities and the risks, especially in the cloud. The end result is business agility, information hygiene and less detritus where it counts.

Information governance provides the practical benefit of being able to take information in any format, analyze what needs to be preserved and protected, and what can be permanently discarded, sort and inventory it, and provide management, access and monitoring controls. But what’s not as obvious are the cost savings information governance can provide. Information governance helps organizations manage information better. In some cases, enterprises will be able to prune old data, reducing the costs required to store it. In addition, knowing what information you have and being able to quickly access it can reduce the potential costs of discovery. Finally, information governance can help organizations protect their information from accidental or targeted information leaks. The average cost of a data breach is $6.5 million. And this doesn’t include the incalculable loss of trust and damage to your reputation.

Companies can take a few steps toward good information governance.
  1. Understand where all corporate information is currently being stored. Rationalize this to a minimum number of systems to make management easier.
  2. Audit what is being managed and define retention policies – what needs to be kept, for what purpose, who needs access and for how long. Delete content once it has outlived its useful life.
  3. Restrict access to non-approved tools. Stop the uncontrolled copying of content as employees save files to personal file sync services.

Information is an organization’s most important asset. But, right now, it is also its greatest threat. The $6.5 million question is, how can organizations protect this information from harm and better manage it to actually do good? Information governance is the answer, as it guides what enterprises should be doing with the deluge of information that they are, in some cases, required to collect.

Compliance can mean printing emails and keeping them in boxes in the basement, which obviously provides no benefit to your business and no protection of your information. Having full control over that information, knowing what is where and quickly being able to find it is information governance, and something most organizations are failing to do today. Better information governance can better position enterprises for success, save organizations money and, more importantly, protect them from the increasing threats caused by information loss.

This article originally appeared in the December 2015 issue of Workflow.

Paul Hampton is director of product marketing, Alfresco.