In Search of Information Governance in the Enterprise

It’s an understatement to say companies are drowning in digital information. Since the death of the floppy disk and the rise of networked computing, barriers to creating and sharing information have steadily come down. Combined with increased digitization paper-laden business processes, most companies find themselves struggling to harness the volume and diversity of information on their networks for business benefit. What’s startling is just how little progress we've made in maximizing the value and minimizing risks associated with the digital content and data we collect. 

Any discussion of information governance always brings me back to this depressing little anecdote:
"Monday September 8, 2008, is a day that the executives at United Airlines will remember. The company’s stock fell 76 percent to $3 by 11:08 a.m. when trading was halted. The decline was not the result of a pending acquisition or recent financial results announced by the company. Instead, an article that said “UAL Declares Bankruptcy” appeared on the South Florida Sun Sentinel Web site that Sunday, got picked up by Google News, and then quickly summarized and republished to Bloomberg by a reporter tasked with summarizing stories about companies in distress. Then the trading began and the stock collapsed. The problem: the article was from 2002, not 2008."
Of course the incident led to a flurry of finger pointing: was it the Webmaster at the newspaper's site that let an old article get out? Was it the Google search bot that couldn't detect the article was old? Was it the reporter that failed to check facts? Or was it the traders that made trades on un-vetted information? Who knows, but the point is that all the goodness that has come with digital information  sharing has also brought its share of costs and risks.
This is as true on the Internet as it is on the networks of the worlds’ largest companies. Consider, for example, the amount of communications traffic generated by the 85% of US information workers that use email regularly at work. It's no surprise that Forrester clients report their storage capacity requirements are growing 20% to 40% each year. Storage costs have grown to 17% of the IT hardware budget, up from 10% in 2007. Beyond sheer data volumes, enterprises now face more diverse data formats including video, audio, micro-formats, instant messages, application data, document data, and more.
Yet storage costs pale in comparison to the risk of fines, fees, and reputation risk associated with compliance and eDiscovery.  Onerous regulations and recordkeeping requirements have led to significant investment in information management technologies. Yet still, only 28% of archiving decision-makers we surveyed are very confident they can demonstrate their digital information is accurate, accessible, and trustworthy.
Information Management pros are between a rock and a several hard places.
IT pros are rarely empowered to bulk delete information on networks. Businesspeople (we're told at least) are too busy to manage anything that leaves their own precious personal hard drives. Perhaps that's why network file shares (and more recently SharePoint sites) continue to grow into digital landfills with everything from useful collectibles to moldy toothbrushes no one wants to touch. Simultaneously, Moore's Law is giving enterprises denser storage capacity at ever-lower price points, keeping the financial pain of more storage capacity perpetually below the radar of senior-most bean-counters. And finally, increasing regulations and threats of lawsuits make digital information as much a liability as an asset.
So what's the answer?
While there are a slew of technology providers that stand ready to throw more software and hardware technology at this problem, my sense is a lot more is needed. Companies like Autonomy, IBM, EMC, and others are working feverishly to build more intelligence into suites of software to assist with information governance. In fact, entire software segments are thriving across archiving, records and retention management, legal discovery apps like legal hold and pre-case assessment, and more.
Software innovations like federation, intelligent indexers, and advanced information analytics will all help IT to better understand and take action on information that should and shouldn't reside on corporate networks. These tools will also help automate some portion of information governance processes and policy enforcement. For example, one defense contractor Forrester works with uses intelligent crawlers to perpetually scan, detect, and sequester top-secret documents that have mistakenly been removed from secured databases and stored on public file shares. 
But technology will do little to solve the core issue of accountability for enterprise information. Instead, accountability will require people, policy, and processes for managing the lifecyle of information more effectively.
Forrester is beginning to take a closer look at wholistic approaches to information governance. We'd like to hear how you think information governance will work in the future from a technology, people, policy and process perspective. Here are a few nutty and unconventional ideas to get the creativity going:
- An enterprise information "tax". Taxes on gas help control consumption. Taxes on cigarettes mean fewer smokers. Would a tax on storage consumption in the enterprise finally get people to think twice about what they save? I can think of hundreds of ways I'd reinvest those tax dollars in more innovative and differentiated business initiatives than perpetuating a digital landfill.
- Periodic "non-essential" information purges. Company sanctioned information destruction days have worked in the analog world. Many professional services firms already allocate a day here and there for employees to shred paper files that are no longer needed. Why hasn't this practice bled over into digital world? Or has it? Our research suggests only 40% of information workers in enterprises create documents weekly. So with the right leadership support, getting some of them to clean up their virtual playpens may not be as taboo as IT pros perceive.
Our thesis is changing behaviors, along with better defining policy and processes will play an important role in a holistic information governance strategy. Agree/disagree?


Making information governance work

My, my, I can't resist this one.

An information tax would be great if you could tell who is consuming storage. Few organizations can actually tax named individuals and who is to say when the consumption is or is not appropriate for the value generated? Unfortunately in my experience IT operations have difficulty accurately determining this. Try as I might the answer that always comes back is, "that's a very good question and unfortunately it's just too difficult to give you the figures". I know it can be done with proper planning at the outset but I have rarely seen this happen in practice. We deal today with a legacy of poor planning because "information" is not well understood.

What's "non-essential"? One should not get caught up in concepts such as digital or analog. Information is a data asset with meaning to a user regardless of medium. Certainly a regulated environment must take care to treat the value of these assets consistently regardless of format/media.

Changing behaviors is the great mantra of information managers, but we often forget that the behaviors causing the issues or not social or even cultural. These are deep-seeded personal behaviors that have been re-enforced through years of experience and frustration, and are the most difficult to change. IM initiatives have a high failure rate because they can not seem to change behaviors.

How about this one? Get our (IM professionals) acts together, challenge our own deep-seeded behaviors and biases, model and design the environment to make the required governance controls transparent, implement it (then we'll see who needs a behavior change) and then enable the user to get on with what they are paid to do - add value.

We should stop trying to change users into us. Spend some of our effort working for them, not just the organization and its need for the bottom line and risk minimization. By supporting users you also support the organization in its objectives.

I suggest we start looking at changing ourselves and develop a new understanding of how to achieve IM visions.

Your Information Governance Comments

Thanks for these comments Theresa. Your suggestion to make governance and controls transparent is a good one. A couple point on your other thoughts. I do expect over time transparency into storage, and information consumption overall will improve. Why? Content-centric middleware platforms from Microsoft, IBM, EMC, OpenText, Autonomy and others will continue to evolve, letting us better analyze what's inside our digital content stores, who created it, when it was used last, etc. I think cloud-based services will play a role here too because pricing and metering around email, storage consumption, and services uptime and utilization will continue to grow more transparent as the likes of Google, Microsoft, and IBM duke it out with cloud-based collaboration tools. But both of these trends will take time to unfold. To your "what is non-essential?" question. For me it starts with the low-hanging fruit: exact duplicates. Our anecdotal research with clients and vendors suggests anywhere from 20-40% of unstructured content on networks is exact duplicate. Then you get to near duplicates (you know, the slick PowerPoint deck with a single slide change). Fortunately, software can now help us reduce duplicates and near duplicates. Another category here is personal stuff. One IT pro recently told me about a 50 gig network drive an executive in his company uses to share his MP3s with colleagues. Yikes. That's a liability, not an asset. I agree that where things get dicey is in casting judgement on quality, usefulness, and value of clearly business content. We have seen some success here, but generally speaking, it's hard to do well.

The answer starts with policy definition

Your article well describes the coming collision between ECM and Discovery vendors on the issue of governance. If your hypothesis of "changing behaviors" includes clearer articulation of ownership for critical processes, then I'd agree. However, companies will continue to be hampered in their attempt to rationalize the conflicting vendor pitches unless they start by defining policy for three distinct use cases:
1. Everyday business information requirements
2. Regular, periodic regulatory and other GRC requirements (e.g. regulatory filings)
3. Non-standard process exceptions - e.g. discovery requests (non-standard from the standpoint of 'event' occurring at random, unpredictable intervals, and containing unique requests in terms of scope, scale, and nature)

Attempting to apply a one-size-fits-all approach to governance - and attempting to source technology with the goal of optimally addressing each unique use case - will leave many companies risk exposed and unable to fulfill the cost containment promises pitched by the vendors.

Your feedback on information governance

I do think a big part of changing behaviors involves more clearly articulating ownership for critical information governance processes. In your list of use cases it seems to me that #2 is the most well understood at this point. No? Items 1 and 3 seem to be the least well understood from a policy perspective. We surveyed companies last year about ad-hoc eDiscovery requests and were shocked to learn how rudimentary their procedures were ... in even some very large companies. Thanks for the feedback.