Information Governance Policy Development

CHAPTER 6

To develop an information governance (IG) policy, you must inform and frame the policy with internal and external frameworks, models, best practices, and standards—those that apply to your organization and the scope of its planned IG program. In this chapter, we first present and discuss major IG frameworks and models and then identify key standards for consideration.

A Brief Review of Generally Accepted Recordkeeping Principles®

In Chapter 3 we introduced and discussed ARMA International’s eight Generally Accepted Recordkeeping Principles®, known as The Principles1 (or sometimes GAR Principles). These Principles and associated metrics provide an IG framework that can support continuous improvement.

To review, the eight Principles are:

1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition2

The Principles establish benchmarks for how organizations of all types and sizes can build and sustain compliant, legally defensible records management (RM) programs. Using the maturity model (also presented in Chapter 3), organizations can assess where they are in terms of IG, identify gaps, and take steps to improve across the eight areas The Principles cover.


IG Reference Model

In late 2012, with the support and collaboration of ARMA International and the Compliance, Governance and Oversight Council (CGOC), the Electronic Discovery Reference Model (EDRM) Project released version 3.0 of its Information Governance Reference Model (IGRM), which added information privacy and security “as primary functions and stakeholders in the effective governance of information.”3 The model is depicted in Figure 6.1.

[Figure 6.1 Information Governance Reference Model. Source: EDRM.net (Information Governance Reference Model / © 2012 / v3.0 / edrm.net). The figure shows an outer ring of stakeholder groups and their drivers (Business: Profit; IT: Efficiency; Legal: Risk; RIM: Risk; Privacy and Security: Risk) joined under Unified Governance, with Process Transparency and Policy Integration around the ring. The center holds the information life cycle: Create, Use; Store, Secure; Hold, Discover; Retain, Archive; Dispose. Key: Duty = legal obligation for specific information; Value = utility or business purpose of specific information; Asset = specific container of information. Linking duty + value to information asset = efficient, effective management.]

The IGRM is aimed at fostering IG adoption by facilitating communication and collaboration between disparate (but overlapping) IG stakeholder functions, including information technology (IT), legal, RM, risk management, and business unit stakeholders.4 It also aims to provide a common, practical framework for IG that will foster adoption of IG in the face of new Big Data challenges and increased legal and regulatory demands. It is a clear snapshot of where IG touches and shows critical interrelationships and unified governance.5 It can help organizations forge policy in an orchestrated way and embed critical elements of IG policy across functional groups. Ultimately, implementation of IG helps organizations leverage information value, reduce risk, and address legal demands.

The growing CGOC community (2,000+ members and rising) has widely adopted the IGRM and developed a process maturity model that accompanies and leverages IGRM v3.0.6

Interpreting the IGRM Diagram *

Outer Ring

Starting from the outside of the diagram, successful information management is about conceiving a complex set of interoperable processes and implementing the procedures and structural elements to put them into practice. It requires:

■ An understanding of the business imperatives of the enterprise,
■ Knowledge of the appropriate tools and infrastructure for managing information, and
■ Sensitivity to the legal and regulatory obligations with which the enterprise must comply.

For any piece of information you hope to manage, the primary stakeholder is the business user of that information [emphasis added]. We use the term “business” broadly; the same ideas apply to end users of information in organizations whose ultimate goal might not be to generate a profit.

Once the business value is established, you must also understand the legal duty attached to a piece of information. The term “legal” should also be read broadly to refer to a wide range of legal and regulatory constraints and obligations, from e-discovery and government regulation to contractual obligations such as payment card industry requirements.

Finally, IT organizations must manage the information accordingly, ensuring privacy and security as well as appropriate retention as dictated by both business and legal or regulatory requirements.

* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed January 24, 2014).

You must inform and frame IG policy with internal and external frameworks, models, best practices, and standards.


Center

In the center of the diagram is a work-flow or life-cycle diagram. We include this component in the diagram to illustrate the fact that information management is important at all stages of the information life cycle—from its creation through its ultimate disposition. This part of the diagram, once further developed, along with other secondary-level diagrams, will outline concrete, actionable steps that organizations can take in implementing information management programs.

Even the most primitive business creates information in the course of daily operations, and IT departments spring up to manage the logistics; indeed, one of the biggest challenges in modern organizations is trying to stop individuals from excess storing and securing of information. Legal stakeholders can usually mandate the preservation of what is most critical, though often at great cost. However, it takes the coordinated effort of all three groups to defensibly dispose of a piece of information that has outlived its usefulness and retain what is useful in a way that enables accessibility and usability for the business user.

How the IGRM Complements the Generally Accepted Recordkeeping Principles *

The IGRM supports ARMA International’s “Principles” by identifying the cross-functional groups of key information governance stakeholders and by depicting their intersecting objectives for the organization. This illustration of the relationship among duty, value, and the information asset demonstrates cooperation among stakeholder groups to achieve the desired level of maturity of effective information governance.

Effective IG requires a continuous and comprehensive focus. The IGRM will be used by proactive organizations as an introspective lens to facilitate visualization and discussion about how best to apply The Principles. The IGRM puts into sharp focus The Principles and provides essential context for the maturity model.

* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed January 24, 2014).

The business user is the primary stakeholder of managed information.

Information management is important at all stages of the life cycle.

Legal stakeholders can usually mandate the preservation of what is most critical, though often at great cost.

Best Practices Considerations

IG best practices should also be considered in policy formulation. Best practices in IG are evolving and expanding, and those that apply to organizational scenarios may vary. A best practices review should be conducted, customized for each particular organization.

In Chapter 5, we provided a list of 25 IG best practices, with some detail. The IG world is maturing, and more best practices will evolve. The 25 best practices, summarized next, are fairly generic and widely applicable.

1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. Using an IG framework or maturity model is helpful in assessing and guiding IG programs.
4. Defensible deletion of data debris and information that no longer has value is critical in the era of Big Data.
5. IG policies must be developed before enabling technologies are added to assist in enforcement.
6. To provide comprehensive e-document security throughout a document’s life cycle, documents must be secured upon creation using highly sophisticated technologies, such as information rights management (IRM) technology.
7. A records retention schedule and legal hold notification process (LHN) are the two primary elements of a fundamental IG program.
8. A cross-functional team is required to implement IG.
9. The first step in information risk planning is to consider the applicable laws and regulations that apply to your organization in the jurisdictions in which it conducts business.
10. A risk profile is a basic building block in enterprise risk management, assisting executives in understanding the risks associated with stated business objectives and in allocating resources within a structured evaluation approach or framework.
11. An information risk mitigation plan is a critical part of the IG planning process. An information risk mitigation plan involves developing risk mitigation options and tasks to reduce the specified risks and improve the odds of achieving business objectives.7
12. Proper metrics are required to measure the conformance and performance of your IG program.
13. IG programs must be audited for effectiveness.
14. An enterprise-wide retention schedule is preferable because it eliminates the possibility that different business units will have different records retention periods.
15. Senior management must set the tone and lead sponsorship for vital records program governance and compliance.
16. Business processes must be redesigned to improve the management of electronic records or implement an electronic records management (ERM) system.
17. E-mail messages, both inbound and outbound, should be archived automatically and (preferably) in real time.
18. Personal archiving of e-mail messages should be disallowed.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records.
20. Take a practical approach and limit cloud use to documents that do not have long retention periods and carry a low litigation risk.
21. Manage social media content by IG policies and monitor it with controls that ensure protection of critical information assets and preservation of business records.
22. International and national standards provide effective guidance for implementing IG.
23. Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records.8
24. Some digital information assets must be preserved permanently as part of an organization’s documentary heritage.
25. Executive sponsorship is crucial.

The IGRM was developed by the EDRM Project to foster communication among stakeholders and adoption of IG. It complements ARMA’s Generally Accepted Recordkeeping Principles.

Standards Considerations

Standards must also be considered in policy development. There are two general types of standards: de jure and de facto. De jure (“the law”) standards are those published by recognized standards-setting bodies, such as the International Organization for Standardization (ISO), American National Standards Institute (ANSI), National Institute of Standards and Technology (NIST—this is how most people refer to it, as they do not know what the acronym stands for), British Standards Institute (BSI), Standards Council of Canada, and Standards Australia. Standards promulgated by authorities such as these have the formal status of standards.

De facto (“the fact”) standards are not formal standards but are regarded by many as if they were. They may arise through popular use (e.g., Windows at the business desktop in the 2001–2010 decade) or may be published by other bodies, such as the U.S. National Archives and Records Administration (NARA) or Department of Defense (DoD) for the U.S. military sector. They may also be published by formal standards-setting bodies without having the formal status of a “standard” (such as some technical reports published by ISO).9

Benefits and Risks of Standards

Some benefits of developing and promoting standards are:

■ Quality assurance support. If a product meets a standard, you can be confident of a certain level of quality.

■ Interoperability support. Some standards are detailed and mature enough to allow for system interoperability between different vendor platforms.

■ Implementation frameworks and certification checklists. These help to provide guides for projects and programs to ensure all necessary steps are taken.

■ Cost reduction, due to supporting uniformity of systems. Users have lower maintenance requirements and training and support costs when systems are more uniform.

■ International consensus. Standards can represent “best practice” recommendations based on global experiences.10

Some downside considerations are:

■ Possible decreased flexibility in development or implementation. Standards can, at times, act as a constraint when they are tied to older technologies or methods, which can reduce innovation.

■ “Standards confusion” from competing and overlapping standards. For instance, an ISO standard may be theory-based and use different terminology, whereas regional or national standards are more specific, applicable, and understandable than broad international ones.

■ Real-world shortcomings due to theoretical basis. Standards often are guides based on theory rather than practice.

■ Changing and updating requires cost and maintenance. There are costs to developing, maintaining, and publishing standards.11

Key Standards Relevant to IG Efforts

Below we introduce and discuss some established standards that should be researched and considered as a foundation for developing IG policy.

Risk Management

ISO 31000:2009 is a broad, industry-agnostic (not specific to vertical markets) risk management standard. It states “principles and generic guidelines” of risk management that can be applied to not only IG but also to a wide range of organizational activities and processes throughout the life of an organization.12 It provides a structured framework within which to develop and implement risk management strategies and programs.

ISO 31000 defines a risk management framework as a set of two basic components that “support and sustain risk management throughout an organization.”13 The stated components are: foundations, which are high level and include risk management policy, objectives, and executive edicts; and organizational arrangements, which are more specific and actionable, including strategic plans, roles and responsibilities, allocated budget, and business processes that are directed toward managing an organization’s risk.

Additional risk management standards may be relevant to your organization’s IG policy development efforts, depending on your focus, scope, corporate culture, and demands of your IG program executive sponsor.


Information Security and Governance

ISO/IEC 27001:2005 is an information security management system (ISMS) standard that provides guidance in the development of security controls to safeguard information assets. Like ISO 31000, the standard is applicable to all types of organizations, irrespective of vertical industry.14 It “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization’s overall business risks.”

ISO/IEC 27001 is flexible enough to be applied to a variety of activities and processes when evaluating and managing information security risks, requirements, and objectives, and compliance with applicable legal and regulatory requirements. This includes use of the standard’s guidance by internal and external auditors as well as internal and external stakeholders (including customers and potential customers).

ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code of Practice for Information Security,”15

establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization and is identical to the previous published standard, ISO 17799. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:

■ security policy;
■ organization of information security;
■ asset management;
■ human resources security;
■ physical and environmental security;
■ communications and operations management;
■ access control;
■ information systems acquisition, development, and maintenance;
■ information security incident management;
■ business continuity management; and
■ compliance.

The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

ISO 31000 is a broad risk management standard that applies to all types of businesses.

ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.16 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.

The ISO 38500 standard comprises three main sections:

1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT

It is largely derived from AS 8015, the guiding principles of which were:

■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors

The standard also has relationships with other major ISO standards, and embraces the same methods and approaches. It is certain to have a major impact upon the IT governance landscape.17

Records and E-Records Management

ISO 15489–1:2001 is the international standard for RM. It identifies the elements of RM and provides a framework and high-level overview of RM core principles. RM is defined as the “field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”18

ISO/IEC 27001 and ISO/IEC 27002 are information security management systems standards that provide guidance in the development of security controls.

ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.

The second part of the standard, ISO 15489–2:2001, contains the technical specifications and a methodology for implementing the standard, originally based on early standards work in Australia (Design and Implementation of Recordkeeping Systems—DIRKS). (Note: Although still actively used in Australian states, the National Archives of Australia has not recommended use of DIRKS by Australian national agencies since 2007 and has removed DIRKS from its Web site.)19

The ISO 15489 standard makes little mention of electronic records, as it is written to address all kinds of records; nonetheless it was widely viewed as the definitive framework of what RM means.

In 2008, the International Council on Archives (ICA) formed a multinational team of experts to develop “Principles and Functional Requirements for Records in Electronic Office Environments,” commonly referred to as ICA-Req.20 The project was cosponsored by the Australasian Digital Recordkeeping Initiative (ADRI), which was undertaken by the Council of Australasian Archives and Records Authorities, which “comprises the heads of the government archives authorities of the Commonwealth of Australia, New Zealand, and each of the Australian States and Territories.”21 The National Archives of Australia presented a training and guidance manual to assist in implementing the principles at the 2012 ICA Congress in Brisbane, Australia.

In Module 1 of ICA-Req, principles are presented in a high-level overview; Module 2 contains specifications for electronic document and records management systems (EDRMS) that are “globally harmonized”; and Module 3 contains a requirements set and “implementation advice for managing records in business systems.”22 Module 3 recognizes that digital recordkeeping does not have to be limited to the EDRMS paradigm—the insight that has now been picked up by “Modular Requirements for Records Systems” (MoReq2010, the European standard released in 2011).23

Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011 based on the ICA-Req standard. The standard may be purchased at www.ISO.org, and additional information on the Australian initiative may be found at www.adri.gov.au.

ISO 16175 is guidance, not a standard that can be tested and certified against. This is the criticism by advocates of testable, certifiable standards like U.S. DoD 5015.2 and the European standard, MoReq2010.

In November 2011, ISO issued new standards for ERM, the first two in the ISO 30300 series, which are based on a managerial point of view and targeted at a management-level audience rather than at records managers or technical staff:

■ ISO 30300:2011, “Information and Documentation—Management Systems for Records—Fundamentals and Vocabulary”

■ ISO 30301:2011, “Information and Documentation—Management Systems for Records—Requirements”

ISO 15489 is the international RM standard.

The ICA-Req standard was adopted as ISO 16175. It does not contain a testing regime for certification.

The standards apply to “management systems for records” (MSR), a term that, as of this printing, is not typically used to refer to ERM or RM application [RMA] software in the United States or Europe and is not commonly found in ERM research or literature.

The ISO 30300 series is a systematic approach to the creation and management of records that is “aligned with organizational objectives and strategies.” [italics added]24

“ISO 30300 MSR ‘Fundamentals and Vocabulary’ explains the rationale behind the creation of an MSR and the guiding principles for its successful implementation, and it provides the terminology that ensures that it is compatible with other management systems standards.

ISO 30301 MSR ‘Requirements’ specifies the requirements necessary to develop a records policy. It also sets objectives and targets for an organization to implement systemic improvements. This is achieved through designing records processes and systems; estimating the appropriate allocation of resources; and establishing benchmarks to monitor, measure, and evaluate outcomes. These steps help to ensure that corrective action can be taken and continuous improvements are built into the system in order to support an organization in achieving its mandate, mission, strategy, and goals.”25

Major National and Regional ERM Standards

For great detail on national and regional standards related to ERM, see the book Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley 2013) by Robert F. Smallwood. Below is a short summary:

United States E-Records Standard

The U.S. Department of Defense 5015.2 Design Criteria Standard for Electronic Records Management Software Applications standard was established in 1997 and is endorsed by the leading archival authority, the U.S. National Archives and Records Administration (NARA). There is a testing regime that certifies software vendors that is administered by JITC. JITC “builds test case procedures, writes detailed and summary final reports on 5015.2-certified products, and performs on-site inspection of software.”26 The DoD standard was built for the defense sector, and logically “reflects its government and archives roots.”

Since its endorsement by NARA, the standard has been the key requirement for ERM system vendors to meet, not only in U.S. public sector bids, but also in the commercial sector.

The 5015.2 standard has since been updated and expanded, in 2002 and 2007, to include requirements for metadata, e-signatures and Privacy and Freedom of Information Act requirements, and, as previously stated, was scheduled for update by 2013.

The U.S. DoD 5015.2-STD has been the most influential worldwide since it was first introduced in 1997. It best suits military applications.

Canadian Standards and Legal Considerations for Electronic Records Management *

The National Standards of Canada for electronic records management are: (1) Electronic Records as Documentary Evidence CAN/CGSB-72.34–2005 (“72.34”), published in December 2005; and, (2) Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11–93, first published in 1979 and updated to 2000 (“72.11”).27 72.34 incorporates all that 72.11 deals with and is therefore the more important of the two. Because of its age, 72.11 should not be relied upon for its “legal” content. However, 72.11 has remained the industry standard for “imaging” procedures—converting original paper records to electronic storage. The Canada Revenue Agency has adopted these standards as applicable to records concerning taxation.28

72.34 deals with these topics: (1) management authorization and accountability; (2) documentation of procedures used to manage records; (3) “reliability testing” of electronic records according to existing legal rules; (4) the procedures manual and the chief records officer; (5) readiness to produce (the “prime directive”); (6) records recorded and stored in accordance with “the usual and ordinary course of business” and “system integrity,” being key phrases from the Evidence Acts in Canada; (7) retention and disposal of electronic records; (8) backup and records system recovery; and, (9) security and protection. From these standards practitioners have derived many specific tests for auditing, establishing, and revising electronic records management systems.29

The “prime directive” of these standards states: “An organization shall always be prepared to produce its records as evidence.”30 The duty to establish the “prime directive” falls upon senior management:31

5.4.3 Senior management, the organization’s own internal law-making authority, proclaims throughout the organization the integrity of the organization’s records system (and, therefore, the integrity of its electronic records) by establishing and declaring:

a. the system’s role in the usual and ordinary course of business;
b. the circumstances under which its records are made; and
c. its prime directive for all RMS [records management system] purposes, i.e., an organization shall always be prepared to produce its records as evidence. This dominant principle applies to all of the organization’s business records, including electronic, optical, original paper source records, microfilm, and other records of equivalent form and content.

* This section was contributed by Ken Chasse J.D., LL.M., a records management attorney and consultant, and member of the Law Society of Upper Canada (Ontario) and of the Law Society of British Columbia, Canada.

The 5015.2 standard has been updated to include specifications such as those for e-signatures and FOI requirements.

Being the “dominant principle” of an organization’s electronic records management system, the duty to maintain compliance with the “prime directive” should fall upon its senior management.

Legal Considerations

Because an electronic record is completely dependent upon its ERM system for everything, compliance with these National Standards and their “prime directive” should be part of the determination of the “admissibility” (acceptability) of evidence and of electronic discovery in court proceedings (litigation) and in regulatory tribunal proceedings.32

There are 14 legal jurisdictions in Canada: 10 provinces, 3 territories, and the federal jurisdiction of the Government of Canada. Each has an Evidence Act (the Civil Code in the province of Quebec33), which applies to legal proceedings within its legislative jurisdiction. For example, criminal law and patents and copyrights are within federal legislative jurisdiction, and most civil litigation comes within provincial legislative jurisdiction.34

The admissibility of records as evidence is determined under the “business record” provisions of the Evidence Acts.35 They require proof that a record was made “in the usual and ordinary course of business,” and of “the circumstances of the making of the record.” In addition, to obtain admissibility for electronic records, most of the Evidence Acts contain electronic record provisions, which state that an electronic record is admissible as evidence on proof of the “integrity of the electronic record system in which the data was recorded or stored.”36 This is the “system integrity” test for the admissibility of electronic records. The word “integrity” has yet to be defined by the courts.37

However, by way of sections such as the following, the electronic record provisions of the Evidence Acts make reference to the use of standards such as the National Standards of Canada:

For the purpose of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavor that used, recorded, or stored the electronic record and the nature and purpose of the electronic record. 38

U.K. and European Standards

In the United Kingdom, The National Archives (TNA) (formerly the Public Record Offi ce, or PRO) “has published two sets of functional requirements to promote the development of the electronic records management software market (1999 and 2002).” It ran a program to evaluate products against the 2002 requirements.39 Initially these requirements were established in collaboration with the central government, and they later were utilized by the public sector in general, and also in other nations. The Na- tional Archives 2002 requirements remain somewhat relevant, although no additional development has been underway for years. It is clear that the second version of Model Requirements for Management of Electronic Records, MoReq2, largely supplanted the UK standard, and subsequently the newer MoReq2010 may further supplant the UK standard.

84 INFORMATION GOVERNANCE

MoReq2010 “unbundles” some of the core requirements in MoReq2, and sets out functional requirements in modules. The approach seeks to permit the later creation of e-records software standards in various vertical industries such as defense, health care, financial services, and legal services.

MoReq2010 is available free—all 525 pages of it (by comparison, the U.S. DoD 5015.2 standard is less than 120 pages long). For more information on MoReq2010, visit www.moreq2010.eu. The entire specification may be downloaded at: http://moreq2010.eu/pdf/moreq2010_vol1_v1_1_en.pdf.

MoReq2010

In November 2010, the DLM Forum, a European Commission–supported body, announced the availability of the final draft of the MoReq2010 specification for electronic records management systems (ERMS), following extensive public consultation. The final specification was published in mid-2011. 40

The DLM Forum explains that “With the growing demand for [electronic] records management, across a broad spectrum of commercial, not-for-profit, and government organizations, MoReq2010 provides the first practical specification against which all organizations can take control of their corporate information. IT software and services vendors are also able to have their products tested and certified that they meet the MoReq2010 specification.” 41

MoReq2010 supersedes its predecessor MoReq2 and has the continued support and backing of the European Commission.

Australian ERM and Records Management Standards

Australia has adopted all three parts of ISO 16175 as its e-records management standard. 42 (For more detail on this standard go to ISO.org.)

Australia has long led the introduction of highly automated electronic document management systems and records management standards. Following the approval and release of the AS 4390 standard in 1996, the international records management community began work on the development of an international standard. This work used AS 4390–1996 Records Management as its starting point.

Development of Australian Records Standards

In 2002 Standards Australia published a new Australian Standard on records management, AS ISO 15489, based on the ISO 15489 international records management standard. It differs only in its preface verbiage. 43 AS ISO 15489 carries through all the main components of AS 4390, but internationalizes the concepts and brings them up to date. The standards thereby codify Australian best practice but are also progressive in their recommendations.

Additional Relevant Australian Standards

The Australian Government Recordkeeping Metadata Standard Version 2.0 provides guidance on metadata elements and subelements for records management. It is a baseline tool that “describes information about records and the context in which they are captured and used in Australian Government agencies.” This standard is intended to help Australian agencies “meet business, accountability and archival requirements in a systematic and consistent way by maintaining reliable, meaningful and accessible records.” The standard is written in two parts, the first describing its purpose and features and the second outlining the specific metadata elements and subelements. 44

The Australian Government Locator Service, AGLS, is published as AS 5044–2010, the metadata standard to help find and exchange information online. It updates the 2002 version, and includes changes made by the Dublin Core Metadata Initiative (DCMI).

Another standard, AS 5090:2003, “Work Process Analysis for Recordkeeping,” complements AS ISO 15489 and provides guidance on understanding business processes and workflow so that recordkeeping requirements may be determined. 45

Long-Term Digital Preservation

Although many organizations shuffle dealing with digital preservation issues to the back burner, long-term digital preservation (LTDP) is a key area in which IG policy should be applied. LTDP methods, best practices, and standards should be applied to preserve an organization’s historical and vital records (those without which it cannot operate or restart operations) and to maintain its corporate or organizational memory. The key standards that apply to LTDP are listed next.

The official standard format for preserving electronic documents is PDF/A-1, based on PDF 1.4 originally developed by Adobe. ISO 19005–1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” is the published specification for using PDF 1.4 for LTDP, which is applicable to e-documents that may contain not only text characters but also graphics (either raster or vector). 46

ISO 14721:2012, “Space Data and Information Transfer Systems—Open Archival Information Systems—Reference Model (OAIS),” is applicable to LTDP. 47 ISO 14721 “specifies a reference model for an open archival information system (OAIS). The purpose of ISO 14721 is to establish a system for archiving information, both digitalized and physical, with an organizational scheme composed of people who accept the responsibility to preserve information and make it available to a designated community.” 48 The fragility of digital storage media combined with ongoing and sometimes rapid changes in computer software and hardware poses a fundamental challenge to ensuring access to trustworthy and reliable digital content over time. Eventually, every digital repository committed to long-term preservation of digital content must have a strategy to mitigate computer technology obsolescence. Toward this end, the Consultative Committee for Space Data Systems developed the OAIS reference model to support formal standards for the long-term preservation of space science data and information assets. OAIS was not designed as an implementation model.

OAIS is the lingua franca of digital preservation, as the international digital preservation community has embraced it as the framework for viable and technologically sustainable digital preservation repositories. An LTDP strategy that is OAIS compliant offers the best means available today for preserving the digital heritage of all organizations, private and public. (See Chapter 17.)

ISO TR 18492 (2005), “Long-Term Preservation of Electronic Document Based Information,” provides practical methodological guidance for the long-term preservation and retrieval of authentic electronic document-based information, when the retention period exceeds the expected life of the technology (hardware and software) used to create and maintain the information assets. ISO 18492 takes note of the role of ISO 15489 but does not cover processes for the capture, classification, and disposition of authentic electronic document-based information.

ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” “defines a recommended practice for assessing the trustworthiness of digital repositories. It is applicable to the entire range of digital repositories.” 49 It is an audit and certification standard organized into three broad categories: Organization Infrastructure, Digital Object Management, and Technical Infrastructure and Security Risk Management. ISO 16363 represents the gold standard of audit and certification for trustworthy digital repositories. (See Chapter 17.)

Business Continuity Management

ISO 22301:2012, “Societal Security—Business Continuity Management Systems—Requirements,” spells out the requirements for creating and implementing a standardized approach to business continuity management (BCM, also known as disaster recovery [DR]), in the event an organization is hit with a disaster or major business interruption. 50 The guidelines can be applied to any organization regardless of vertical industry or size. The specification includes the “requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”

The UK business continuity standard, BS25999-2, which heavily influenced the newer ISO standard, was withdrawn when ISO 22301 was released. 51 The business rationale is that, with the increasing globalization of business, ISO 22301 will allow and support more consistency worldwide not only in business continuity planning and practices but also will promote common terms and help to embed various ISO management systems standards within organizations. U.S.-based ANSI, Standards Australia, Standards Singapore, and other standards bodies also contributed to the development of ISO 22301.

Benefits of ISO 22301

■ Threat identification and assessment. Discover, name, and evaluate potential serious threats to the viability of the business.

■ Threat and recovery planning. Minimizes the impact, resultant downtime, and recovery effort from real threats that do become incidents.

■ Mission-critical process protection. Identifying key processes and taking steps to ensure they continue to operate even during a business interruption.

■ Stakeholder confidence. Shows prudent management planning and business resilience to internal and external stakeholders, including employees, business units, customers, and suppliers. 52

Making Your Best Practices and Standards Selections to Inform Your IG Framework

You must take into account your organization’s corporate culture, management style, and organizational goals when determining which best practices and standards should receive priority in your IG framework. However, you must step through your business rationale in discussions with your cross-functional IG team and fully document the reasons for your approach. Then you must present this approach and your draft IG framework to your key stakeholders and be able to defend your determinations while allowing for input and adjustments. Perhaps you have overlooked some key factors that your larger stakeholder group uncovers, and their input should be folded into a final draft of your IG framework.

Next, you are ready to begin developing IG policies that apply to various aspects of information use and management, in specific terms. You must detail the policies you expect employees to follow when handling information on various information delivery platforms (e.g., e-mail, blogs, social media, mobile computing, cloud computing). It is helpful at this stage to collect and review all your current policies that apply and to gather some examples of published IG policies, particularly from peer organizations and competitors (where possible). Of note: You should not just adopt another organization’s policies and believe that you are done with policy making. Rather, you must enter into a deliberative process, using your IG framework for guiding principles and considering the views and needs of your cross-functional IG team. Of paramount importance is to be sure to incorporate the alignment of your organizational goals and business objectives when crafting policy.

With each policy area, be sure that you have considered the input of your stakeholders, so that they will be more willing to buy into and comply with the new policies and so that the policies do not run counter to their business needs and required business processes. Otherwise, stakeholders will skirt, avoid, or halfheartedly follow the new IG policies, and the IG program risks failure.

Once you have finalized your policies, be sure to obtain necessary approvals from your executive sponsor and key senior managers.

Roles and Responsibilities

Policies will do nothing without people to advocate, support, and enforce them. So clear lines of authority and accountability must be drawn, and responsibilities must be assigned.

Overall IG program responsibility resides at the executive sponsor level, but beneath that, an IG program manager should drive team members toward milestones and business objectives and should shoulder the responsibility for day-to-day program activities, including implementing and monitoring key IG policy tasks. These tasks should be approved by executive stakeholders and assigned as appropriate to an employee’s functional area of expertise. For instance, the IG team member from legal may be assigned the responsibility for researching and determining legal requirements for retention of business records, perhaps working in conjunction with the IG team member from RM, who can provide additional input based on interviews with representatives from business units and additional RM research into best practices.


Program Communications and Training

Your IG program must contain a communications and training component, as a standard function. Your stakeholder audience must be made aware of the new policies and practices that are to be followed and how this new approach contributes toward the organization’s goals and business objectives.

The first step in your communications plan is to identify and segment your stakeholder audiences and to customize or modify your message to the degree that is necessary to be effective. Communications to your IT team can have a more technical slant, and communications to your legal team can have some legal jargon and emphasize legal issues. The more forethought you put into crafting your communications strategy, the more effective it will be.

That is not to say that all messages must have several versions: Some core concepts and goals should be emphasized in communications to all employees.

How should you communicate? The more ways you can get your IG message to your core stakeholder audiences, the more effective and lasting the message will be. So posters, newsletters, e-mail, text messages, internal blog or intranet posts, and company meetings should all be a part of the communications mix. Remember, the IG program requires not only training but retraining, and the aim should be to create a compliance culture that is so prominent and expected that employees adopt the new practices and policies and integrate them into their daily activities. Ideally, employees will provide valuable input to help fine-tune and improve the IG program.

Training should take multiple avenues as well. Some can be classroom instruction, some online learning, and you may want to create a series of training videos. But the training effort must be consistent and ongoing to maintain high levels of IG effectiveness. Certainly, this means you will need to add to your new hire training program for employees joining or transferring to your organization.

Program Controls, Monitoring, Auditing, and Enforcement

How do you know how well you are doing? You will need to develop metrics to determine the level of employee compliance, its impact on key operational areas, and progress made toward established business objectives.

Testing and auditing the program provides an opportunity to give feedback to employees on how well they are doing and to recommend changes they may make. But having objective feedback on key metrics also will allow for your executive sponsor to see where progress has been made and where improvements need to focus.

Clear penalties for policy violations must be communicated to employees so they know the seriousness of the IG program and how important it is in helping the organization pursue its business goals and accomplish stated business objectives.

CHAPTER SUMMARY: KEY POINTS

■ You must inform and frame IG policy with internal and external frameworks, models, best practices, and standards.

■ The business user is the primary stakeholder of managed information.

■ Information management is important at all stages of the life cycle.

■ Legal stakeholders usually can mandate the preservation of what is most critical, though often at great cost.

■ The IGRM was developed by the EDRM Project to foster communication among stakeholders and adoption of IG. It complements ARMA’s The Principles.

■ ISO 31000 is a broad risk management standard that applies to all types of businesses.

■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide guidance in the development of security controls.

■ ISO 15489 is the international RM standard.

■ The ICA-Req standard was adopted as ISO 16175. It does not contain a testing regime for certification.

■ The ISO 30300 series of e-records standards are written for a managerial audience and encourage ERM that is aligned to organizational objectives.

■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard is MoReq2010. Australia has adopted all three parts of ISO 16175 as its e-records management standard.

■ LTDP is a key area to which IG policy should be applied.

■ An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the best means available today for preserving the digital heritage of all organizations.

■ ISO 16363 represents the gold standard of audit and certification for trustworthy digital repositories.

■ ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.

■ ISO 22301 spells out requirements for creating and implementing a standardized approach to business continuity management.

■ You must take into account your organization’s corporate culture, management style, and organizational goals when determining which best practices and standards should be selected for your IG framework.

■ Lines of authority, accountability, and responsibility must be clearly drawn for the IG program to succeed.

■ Communications regarding your IG program should be consistent and clear and somewhat customized for various stakeholder groups.

■ IG program audits are an opportunity to improve training and compliance, not to punish employees.

Notes

1. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 25, 2013).

2. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics (accessed November 25, 2013).

3. Electronic Discovery, “IGRM v3.0 Update: Privacy & Security Officers As Stakeholders – Electronic Discovery,” http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/ (accessed April 24, 2013).

4. EDRM, “Information Governance Reference Model (IGRM),” www.edrm.net/projects/igrm (accessed October 9, 2013).

5. Ibid.

6. Ibid.

7. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA: Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.

8. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records (London: Facet, 2005), p. 34.

9. Marc Fresko, e-mail to author, May 13, 2012.

10. Hofman, “The Use of Standards and Models,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records (London: Facet, 2005), pp. 20–21.

11. Ibid.

12. International Organization for Standardization, “ISO 31000:2009 Risk Management—Principles and Guidelines,” www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 (accessed April 22, 2013).

13. Ibid.

14. International Organization for Standardization, ISO/IEC 27001:2005, “Information Technology—Security Techniques—Information Security Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=42103 (accessed April 22, 2013).

15. International Organization for Standardization, ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code of Practice for Information Security Management,” www.iso.org/iso/catalogue_detail?csnumber=50297 (accessed July 23, 2012).

16. International Organization for Standardization, ISO/IEC 38500:2008, www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed March 12, 2013).

17. ISO 38500 IT Governance Standard, www.38500.org/ (accessed March 12, 2013).

18. International Organization for Standardization, ISO 15489-1:2001 Information and Documentation—Records Management. Part 1: General (Geneva: ISO, 2001), section 3.16.

92 INFORMATION GOVERNANCE

19. National Archives of Australia, www.naa.gov.au/records-management/publications/DIRKS-manual.aspx (accessed October 15, 2012).

20. International Council on Archives, “ICA-Req: Principles and Functional Requirements for Records in Electronic Office Environments: Guidelines and Training Material,” November 29, 2011, www.ica.org/11696/activities-and-projects/icareq-principles-and-functional-requirements-for-records-in-electronic-office-environments-guidelines-and-training-material.html.

21. Council of Australasian Archives and Records Authorities, www.caara.org.au/ (accessed May 3, 2012).

22. Adrian Cunningham, blog post comment, May 11, 2011, http://thinkingrecords.co.uk/2011/05/06/how-moreq-2010-differs-from-previous-electronic-records-management-erm-system-specifications/.

23. Ibid.

24. “Relationship between the ISO 30300 Series of Standards and Other Products of ISO/TC 46/SC 11: Records Processes and Controls,” White Paper, ISO TC46/SC11 Archives/Records Management (March 2012), www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_relationship_30300_technical_standards12032012v6.pdf.

25. Ibid.

26. Julie Gable, Information Management Journal, November 1, 2002, www.thefreelibrary.com/Everything+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a…-a095630076.

27. These standards were developed by the CGSB (Canadian General Standards Board), which is a standards-writing agency within Public Works and Government Services Canada (a department of the federal government). It is accredited by the Standards Council of Canada as a standards development agency. The Council must certify that standards have been developed by the required procedures before it will designate them as being National Standards of Canada. 72.34 incorporates by reference as “normative references”: (1) many of the standards of the International Organization for Standardization (ISO) in Geneva, Switzerland (“ISO,” derived from the Greek word isos (equal) so as to provide a common acronym for all languages); and (2) several of the standards of the Canadian Standards Association (CSA). The “Normative references” section of 72.34 (p. 2) states that these “referenced documents are indispensable for the application of this document.” 72.11 cites (p. 2, “Applicable Publications”) several standards of the American National Standards Institute/Association for Information and Image Management (ANSI/AIIM) as publications “applicable to this standard.” The process by which the National Standards of Canada are created and maintained is described within the standards themselves (reverse side of the front cover), and on the CGSB’s Web site (see “Standards Development”), from which Web site these standards may be obtained; http://www.ongc-cgsb.gc.ca.

28. The Canada Revenue Agency (CRA) informs the public of its policies and procedures by means, among others, of its Information Circulars (ICs) and GST/HST Memoranda. (GST: goods and services tax; HST: harmonized sales tax, i.e., the harmonization of federal and provincial sales taxes into one retail sales tax.) In particular, see: IC05-1, dated June 2010, entitled Electronic Record Keeping, paragraphs 24, 26 and 28. Note that use of the National Standard cited in paragraph 26, Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93, is mandatory for, “Imaging and microfilm (including microfiche) reproductions of books of original entry and source documents . . .” Paragraph 24 recommends the use of the newer national standard, Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005, “To ensure the reliability, integrity and authenticity of electronic records.” However, if this newer standard is given the same treatment by CRA as the older standard, it will be made mandatory as well. And similar statements appear in the GST Memoranda, Computerized Records 500-1-2, Books and Records 500-1. IC05-1, Electronic Record Keeping, concludes with the note, “Most Canada Revenue Agency publications are available on the CRA Web site www.cra.gc.ca under the heading ‘Forms and Publications.’”

29. There are more than 200 specific compliance tests that can be applied to determine if the principles of 72.34 are being complied with. The analysts—a combined team of records management and legal expertise—analyze: (1) the nature of the business involved; (2) the uses and value of its records for its various functions; (3) the likelihood and risk of the various types of its records being the subject of legal proceedings, or of their being challenged by some regulating authority; and (4) the consequences of the unavailability of acceptable records—for example, the consequences of its records not being accepted in legal proceedings. Similarly, in regard to the older National Standard of Canada, 72.11, there is a comparable series of more than 50 tests that can be applied to determine the state of compliance with its principles.

30. Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005 (“72.34”), clause 5.4.3 c) at p. 17; and Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 (“72.11”), paragraph 4.1.2 at p. 2, supra note 49.

31. 72.34, Clause 5.4.3, ibid.

32. “Admissibility” refers to the procedure by which a presiding judge determines if a record or other proffered evidence is acceptable as evidence according to the rules of evidence. “Electronic discovery” is the compulsory exchange of relevant records by the parties to legal proceedings prior to trial. As to the admissibility of records as evidence see: Ken Chasse, “The Admissibility of Electronic Business Records” (2010), 8 Canadian Journal of Law and Technology 105; and Ken Chasse, “Electronic Records for Evidence and Disclosure and Discovery” (2011) 57 The Criminal Law Quarterly 284. For the electronic discovery of records see: Ken Chasse, “Electronic Discovery—Sedona Canada is Inadequate on Records Management—Here’s Sedona Canada in Amended Form,” Canadian Journal of Law and Technology 9 (2011): 135; and Ken Chasse, “Electronic Discovery in the Criminal Court System,” Canadian Criminal Law Review 14 (2010): 111. See also note 18 infra, and accompanying text.

33. For the province of Quebec, comparable provisions are contained in Articles 2831-2842, 2859-2862, 2869-2874 of Book 7 “Evidence” of the Civil Code of Quebec, S.Q. 1991, c. C-64, to be read in conjunction with, An Act to Establish a Legal Framework for Information Technology, R.S.Q. 2001, c. C-1.1, ss. 2, 5-8, and 68.

34. For the legislative jurisdiction of the federal and provincial governments in Canada, see The Constitution Act, 1867 (U.K.) 30 & 31 Victoria, c. 3, s. 91 (federal), and s. 92 (provincial), www.canlii.org/en/ca/laws/stat/30—31-vict-c-3/latest/30—31-vict-c-3.html.

35. The two provinces of Alberta and Newfoundland and Labrador do not have business record provisions in their Evidence Acts. Therefore “admissibility” would be determined in those jurisdictions by way of the court decisions that define the applicable common law rules; such decisions as, Ares v. Venner [1970] S.C.R. 608, 14 D.L.R. (3d) 4 (S.C.C.), and decisions that have applied it.

36. See for example, the Canada Evidence Act, R.S.C. 1985, c. C-5, ss. 31.1-31.8; Alberta Evidence Act, R.S.A. 2000, c. A-18, ss. 41.1-41.8; (Ontario) Evidence Act, R.S.O. 1990, c. E.23, s. 34.1; and the (Nova Scotia) Evidence Act, R.S.N.S. 1989, c. 154, ss. 23A-23G. The Evidence Acts of the two provinces of British Columbia and Newfoundland and Labrador do not contain electronic record provisions. However, because an electronic record is no better than the quality of the record system in which it is recorded or stored, its “integrity” (reliability, credibility) will have to be determined under the other provincial laws that determine the admissibility of records as evidence.

37. The electronic record provisions have been in the Evidence Acts in Canada since 2000. They have been applied to admit electronic records into evidence, but they have not yet received any detailed analysis by the courts.

38. This is the wording used in, for example, s. 41.6 of the Alberta Evidence Act, s. 34.1(8) of the (Ontario) Evidence Act; and s. 23F of the (Nova Scotia) Evidence Act, supra note 10. Section 31.5 of the Canada Evidence Act, supra note 58, uses the same wording, the only significant difference being that the word “document” is used instead of “record.” For the province of Quebec, see sections 12 and 68 of, An Act to Establish a Legal Framework for Information Technology, R.S.Q., chapter C-1.1.

39. “Giving Value: Funding Priorities for UK Archives 2005–2010, a key new report launched by the National Council on Archives (NCA) in November 2005,” www.nationalarchives.gov.uk/documents/standards_guidance.pdf (accessed October 15, 2012).

40. DLM Forum Foundation, MoReq2010®: Modular Requirements for Records Systems—Volume 1: Core Services & Plug-in Modules, 2011, http://moreq2010.eu/ (accessed May 7, 2012); published in paper form as ISBN 978-92-79-18519-9 by the Publications Office of the European Communities, Luxembourg.

41. DLM Forum, Information Governance across Europe, www.dlmforum.eu/ (accessed December 14, 2010).

42. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).

43. E-mail to author from Marc Fresko, May 13, 2012.

44. National Archives of Australia, “Australian Government Recordkeeping Metadata Standard,” 2012, www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx (accessed July 16, 2012).

45. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).

46. International Organization for Standardization, ISO 19005-1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” www.iso.org/iso/catalogue_detail?csnumber=38920 (accessed July 23, 2012).

47. International Organization for Standardization, ISO 14721:2012, “Space Data and Information Trans- fer Systems Open Archival Information System—Reference Model,” www.iso.org/iso/iso_catalogue/ catalogue_ics/catalogue_detail_ics.htm?csnumber=57284 (accessed November 25, 2013).

48. Ibid. 49. International Organization for Standardization, ISO 16363:2012, “Space Data and Information

Transfer Systems—Audit and Certifi cation of Trustworthy Digital Repositories,” www.iso.org/iso/ iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510 (accessed July 23, 2012).

94 INFORMATION GOVERNANCE

50. International Organization for Standardization, ISO 22301:2012 “Societal Security—Business Conti- nuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (ac- cessed April 21, 2013).

51. International Organization for Standardization, “ISO Business Continuity Standard 22301 to Replace BS 25999-2,” www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301- replace-bs-25999-2 (accessed April 21, 2013).

52. BSI, “ISO 22301 Business Continuity Management,” www.bsigroup.com/en-GB/iso-22301-business- continuity (accessed April 21, 2013).

PART THREE Information Governance Key Impact Areas Based on the IG Reference Model


Business Considerations for a Successful IG Program

C H A P T E R 7

By Barclay T. Blair

The business case for information governance (IG) programs has historically been difficult to justify. It is hard to apply a strict, short-term return on investment (ROI) calculation. A lot of time, effort, and expense is involved before true economic benefits can be realized. So a commitment to the long view and an understanding of the many areas where an organization will improve as a result of a successful IG program are needed. But the bottom line is that reducing exposure to business risk, improving the quality and security of data and e-documents, cutting out unneeded stored information, and streamlining information technology (IT) development while focusing on business results add up to better organizational health and viability and, ultimately, an improved bottom line.

Let us take a step back and examine the major issues affecting information costing and calculating the real cost of holding information, consider Big Data and e-discovery ramifications, and introduce some new concepts that may help frame information costing issues differently for business managers. Getting a good handle on the true cost of information is essential to governing it properly, shifting resources to higher-value information, and discarding information that has no discernible business value and carries inherent, avoidable risks.

Changing Information Environment

The information environment is changing. Data volumes are growing, but unstructured information (such as e-mail, word processing documents, social media posts) is growing faster than our ability to manage it. Some unstructured information has more structure than others, containing some identifiable metadata (e.g., e-mail messages all have a header, subject line, time/date stamp, and message body). This is often termed semistructured information, but for purposes of this book, we use the term “unstructured information” to include semistructured information as well.

The volume of unstructured information is growing dramatically. Analysts estimate that, over the next decade, the amount of data worldwide will grow by 44 times (from .8 zettabytes to 35 zettabytes: 1 zettabyte = 1 trillion gigabytes). 1 However, the volume of unstructured information will actually grow 50 percent faster than structured data. Analysts also estimate that fully 90 percent of unstructured information will require formal governance and management by 2020. In other words, the problem of unstructured IG is growing faster than the problem of data volume itself.

What makes unstructured information so challenging? There are several factors, including

■ Horizontal versus vertical. Unstructured information is typically not clearly attached to a department or a business function. Unlike the vertical focus of an enterprise resource planning (ERP) database, for example, an e-mail system serves multiple business functions—from employee communication to filing with regulators—for all parts of the business. Unstructured information is much more horizontal, making it difficult to develop and apply business rules.

■ Formality. The tools and applications used to create unstructured information often engender informality and the sharing of opinions that can be problematic in litigation, investigations, and audits—as has been repeatedly demonstrated in front-page stories over the past decade. This problem is not likely to get any easier as social media technologies and mobile devices become more common in the enterprise.

■ Management location. Unstructured information does not have a single, obvious home. Although e-mail systems rely on central messaging servers, e-mail is just as likely to be found on a file share, mobile device, or laptop hard drive. This makes the application of management rules more difficult than the application of the same rules in structured systems, where there is a close marriage between the application and the database.

■ “Ownership” issues. Employees do not think that they “own” data in an accounts receivable system like they “own” their e-mail or documents stored on their hard drive. Although such information generally has a single owner (i.e., the organization itself), this non-ownership mind-set can make the imposition of management rules for unstructured information more challenging than for structured data.

■ Classification. The business purpose of a database is generally determined prior to its design. Unlike structured information, the business purpose of unstructured information is difficult to infer from the application that created or stores the information. A word processing file stored in a collaboration environment could be a multimillion-dollar contract or a lunch menu. As such, classification of unstructured content is more complex and expensive than structured information.

Taken together, these factors reveal a simple truth: Managing unstructured information is a separate and distinct discipline from managing databases. It requires different methods and tools. Moreover, determining the costs and benefits of owning and managing unstructured information is a unique—but critical—challenge.

The governance of unstructured information creates enormous complexity and risk for business managers to consider while making it difficult for organizations to generate real value from all this information. Despite the looming crisis, most organizations have limited ability to quantify the real cost of owning and managing unstructured information. Determining the total cost of owning unstructured information is an essential precursor to managing and monetizing that information while cutting information costs—key steps in driving profit for the enterprise.

Storing things is cheap . . . I’ve tended to take the attitude, “Don’t throw electronic things away.”

—Data scientist quoted in Anne Eisenberg, “What 23 Years of E-Mail May Say About You,” New York Times, April 7, 2012

The company spent $900,000 to produce an amount of data that would consume less than one-quarter of the available capacity of an ordinary DVD.

—Nicholas M. Pace and Laura Zakaras, “Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery,” RAND Institute for Civil Justice, 2012

Calculating Information Costs

We are not very good at figuring out what information costs—truly costs. Many organizations act as if storage is an infinitely renewable resource and the only cost of information. But, somehow, enterprise storage spending rises each year and IT support costs rise, even as the root commodity (disk drives) grows ever cheaper and denser. Obviously, they are not considering labor and overhead costs incurred with managing information, and the additional knowledge worker time wasted sifting through mountains of information to find what they need.

Some of this myopic focus on disk storage cost is simple ignorance. The executive who concludes that a terabyte costs less than a nice meal at a restaurant after browsing storage drives on the shelves of a favorite big-box retailer on the weekend is of little help.

Rising information storage costs cannot be dismissed. Each year the billions that organizations worldwide spend on storage grows, even though the cost of a hard drive is less than 1 percent of what it was about a decade ago. We have treated storage as a resource that has no cost to the organization outside of the initial capital outlay and basic operational costs. This is shortsighted and outdated.

Some of the reason that managers and executives have difficulty comprehending the true cost of information is old-fashioned miscommunication. IT departments do not see (or pay for) the full cost of e-discovery and litigation. Even when IT “partners” with litigators, what IT learns rarely drives strategic IT decisions. Conversely, law departments (and outside firms) rarely own and pay for the IT consequences of their litigation strategies. It is as if when the litigation fire needs to be put out, nobody calculates the cost of gasoline and water for the fire trucks.


But calculating the cost of information—especially information that does not sit neatly in the rows and columns of enterprise database “systems of record”—is complex. It is more art than science. And it is more politics than art. There is no Aristotelian Golden Mean for information.

The true cost of mismanaging information is much more profound than simply calculating storage unit costs. It is the cost of opportunity lost—the lost benefit of information that is disorganized, created and then forgotten, cast aside and left to rot. It is the cost of information that cannot be brought to market. Organizations that realize this, and invest in managing and leveraging their unstructured information, will be the winners of the next decade.

Most organizations own vast pools of information that is effectively “dark”: They do not know what it is, where it is, who is responsible for managing it, or whether it is an asset or a liability. It is not classified, indexed, or managed according to the organization’s own policies. It sits in shared drives, mobile devices, abandoned content systems, single-purpose cloud repositories, legacy systems, and outdated archives.

And when the light is finally flicked on for the first time by an intensive hunt for information during e-discovery, this dark information can turn out to be a liability. An e-mail message about “paying off fat people who are a little afraid of some silly lung problem” might seem innocent—until it is placed in front of a jury as evidence that a drug company did not care that its diet drug was allegedly killing people. 2

The importance of understanding the total cost of owning unstructured information is growing. We are at the beginning of a “seismic economic shift” in the information landscape, one that promises not only to “reinvent society” (according to an MIT data scientist) but also to create “the new oil . . . a new asset class touching all aspects of society.” 3

Big Data Opportunities and Challenges

We are entering the epoch of Big Data—an era of Internet-scale enterprise infrastructure, powerful analytical tools, and massive data sets from which we can potentially wring profound new insights about business, society, and ourselves. It is an epoch that, according to the consulting firm McKinsey, promises to save the European Union public sector billions of euros, increase retailer margins by 60 percent, and reduce U.S. national health care spending by 8 percent, while creating hundreds of thousands of jobs. 4 Sounds great, right?

However, the early days of this epoch are unfolding in almost total ignorance of the true cost of information. In the near nirvana contemplated by some Big Data proponents, all data is good, and more data is better. Yet it would be an exaggeration to say that there is no awareness of potential Big Data downsides. A recent study by the Pew Research Center was positive overall but did note concerns about privacy, social control, misinformation, civil rights abuses, and the possibility of simply being overwhelmed by the deluge of information. 5

Smart leaders across industries will see using big data for what it is: a management revolution.

—Andrew McAfee and Erik Brynjolfsson, “Big Data: The Management Revolution,” Harvard Business Review (October 2012)

But the real-world burdens of managing, protecting, searching, classifying, retaining, producing, and migrating unstructured information are foreign to many Big Data cheerleaders. This may be because the Big Data hype cycle 6 is not yet in the “trough of disillusionment” where the reality of corporate culture and complex legal requirements sets in. But set in it will, and when it does, the demand for intelligent analysis of costs and benefits will be high.

IG professionals must be ready for these new challenges and opportunities—ready with new models for thinking about unstructured information. Models that calculate the risks of keeping too much of the wrong information as well as the benefits of clean, reliable, and accessible pools of the right information. Models that drive desirable behavior in the enterprise, and position organizations to succeed on the “next frontier for innovation, competition, and productivity.”7

Full Cost Accounting for Information

It is difficult for organizations to make educated decisions about unstructured information without knowing its full cost. Models like total cost of ownership (TCO) and ROI are designed for this purpose and have much in common with full cost accounting (FCA) models. FCA seeks to create a complete picture of costs that includes past, future, direct, and indirect costs rather than direct cash outlays alone.

FCA has been used for many purposes, including the decidedly earthbound task of determining what it costs to take out the garbage and the loftier task of calculating how much the International Space Station really costs. A closely related concept, often called triple bottom line, has gained traction in the world of environmental accounting, positing that organizations must take into account societal and environmental costs as well as monetary costs.

The U.S. Environmental Protection Agency promotes the use of FCA for municipal waste management, and several states have adopted laws requiring its use. It is fascinating—and no accident—that this accounting model has been widely used to calculate the full cost of managing an unwanted by-product of modern life. The analogy to outdated, duplicate, and unmanaged unstructured information is clear.

Applying the principles of FCA to information can increase cost transparency and drive better management decisions. In municipal garbage systems where citizens do not see a separate bill for taking out the garbage, it is more difficult to get new spending on waste management approved. 8 Without visibility into the true cost, how can citizens—or CEOs—make informed decisions?

IG professionals must be ready with new models that calculate the risks of storing too much of the wrong information and also the benefits of clean, reliable, accessible information.

Responsible, innovative managers and executives should investigate FCA models for calculating the total cost of owning unstructured information. Consider costs such as:

■ General and administrative costs, such as cost of IT operations and personnel, facilities, and technical support.

■ Productivity gains or losses related to the information.

■ Legal and e-discovery costs associated with the information and information systems.

■ Indirect costs, such as the accounting, billing, clerical support, contract management, insurance, payroll, purchasing, and so on.

■ Up-front costs, such as the acquisition of the system, integration and configuration, and training. This should include the depreciation of capital outlays.

■ Future costs, such as maintenance, migration, and decommissioning of information systems. Future outlays should be amortized.

Calculating the Cost of Owning Unstructured Information

Any system designed to calculate the cost or benefit of a business strategy is inherently political. That is, it is an argument designed to convince an audience. Well-known models like TCO and ROI are primarily decision tools designed to help organizations predict the economic consequences of a decision. While there are certainly objective truths about the information environment, human decision making is a complex and imperfect process. There are plenty of excellent guides on how to create a standard TCO or ROI. That is not our purpose here. Rather, we want to inspire creative thinking about how to calculate the cost of owning unstructured information and help organizations minimize the risk—and maximize the value—of unstructured information.

Any economic model for calculating the cost of unstructured information depends on reliable facts. But facts can be hard to come by. A client recently went in search of an accurate number for the annual cost per terabyte of Tier 1 storage in her company. The company’s storage environment was completely outsourced, leading her to believe that the number would be transparent and easy to find. However, after days spent poring over the massive contract, she was no closer to the truth. Although there was a line item for storage costs, the true costs were buried in “complexity fees” and other opaque terms.

Organizations need tools that help them establish facts about their unstructured information environment. The business case for better management depends on these facts. Look for tools that can help you:

■ Find unstructured information wherever it resides across the enterprise, including e-mail systems, shared network drives, legacy content management systems, and archives.

■ Enable fast and intuitive access to basic metrics, such as size, date of last access, and file type.

■ Provide sophisticated analysis of the nature of the content itself to drive classification and information life cycle decisions.

■ Deliver visibility into the environment through dashboards that are easy for nonspecialists to configure and use.

Organizations can learn from accounting models used by cities to calculate the total cost of managing municipal waste and apply them to the IG problem.

Sources of Cost

Unstructured information is ubiquitous. It is typically not the product of a single-purpose business application. It often has no clearly defined owner. It is endlessly duplicated and transmitted across the organization. Determining where and how unstructured information generates cost is difficult.

However, doing so is possible. Our research shows that at least 10 key factors drive the total cost of owning unstructured information. These 10 factors identify where organizations typically spend money throughout the life cycle of managing unstructured information. These factors are listed in Figure 7.1, along with examples of elements that typically increase cost (“Cost Drivers,” on the left side) and elements that typically reduce costs (“Cost Reducers,” on the right side).

1. E-discovery: finding, processing, and producing information to support lawsuits, investigations, and audits. Unstructured information is typically the most common target in e-discovery, and a poorly managed information environment can add millions of dollars in cost to large lawsuits. Simply reviewing a gigabyte of information for litigation can cost $14,000 or more. 9

2. Disposition: getting rid of information that no longer has value because it is duplicate, out of date, or has no value to the business. In poorly managed information environments, separating the wheat from the chaff can cost large organizations millions of dollars. For enterprises with frequent litigation, the risk of throwing away the wrong piece of information only increases risk and cost. Better management and smart IG tools drive costs down.

3. Classification and organization: keeping unstructured information organized so that employees can use it. It also is necessary so management rules supporting privacy, privilege, confidentiality, retention, and other requirements can be applied.

4. Digitization and automation. Many business processes continue to be a combination of digital, automated steps and paper-based, manual steps. Automating and digitizing these processes requires investment but also can drive significant returns. For example, studies have shown that automating accounts payable “can reduce invoice processing costs by 90 percent.”10

Identifying and building consensus on the sources of cost for unstructured information is critical to any TCO or ROI calculation. It is critical that all stakeholders agree on these sources, or they will not incorporate the output of the calculation in their strategy and planning.

5. Storage and network infrastructure: the cost of the devices, networks, software, and labor required to store unstructured information. Although the cost of the baseline commodity (i.e., a gigabyte of storage space) continues to fall, for most organizations overall volume growth and complexity mean that storage budgets go up each year. For example, between 2000 and 2010, organizations more than doubled the amount they spent on storage-related software even though the cost of raw hard drive space dropped by almost 100 times. 11

6. Information search, access, and collaboration: the cost of hardware, software, and services designed to ensure that information is available to those who need it, when they need it. This typically includes enterprise content management systems, enterprise search, case management, and the infrastructure necessary to support employee access and use of these systems.

7. Migration: the cost of moving unstructured information from outdated systems to current systems. In poorly managed information environments, the cost of migration can be very high—so high that some organizations maintain legacy systems long after they are no longer supported by the vendor just to avoid (more likely, simply to defer) the migration cost and complexity.

8. Policy management and compliance: the cost of developing, implementing, enforcing, and maintaining IG policies on unstructured information. Good policies, consistently enforced, will drive down the total cost of owning unstructured information.

9. Discovering and structuring business processes: the cost of identifying, improving, and systematizing or “routinizing” business processes that are currently ad hoc and disorganized. Typical examples include contract management and accounts receivable as well as revenue-related activities, such as sales and customer support. Moving from informal e-mail and document-based processes to fixed workflows drives down cost.

[Figure 7.1 Key Factors Driving Cost. Source: Barclay T. Blair. The figure lists the ten key factors (1. E-Discovery; 2. Disposition; 3. Classification and Organization; 4. Digitization and Automation; 5. Storage and Network Infrastructure; 6. Information Search, Access, Collaboration; 7. Migration; 8. Policy Management and Compliance; 9. Discovering and Structuring Business Processes; 10. Knowledge Capture and Transfer) between two columns of examples. Cost Drivers: outdated, unenforced policies; poorly defined information ownership and governance; open loop, reactive e-discovery processes; uncontrolled information repositories; modernist, paper-focused information rules; ad hoc, unstructured business processes; disconnected governance programs. Cost Reducers: formal, communicated, and enforced policies; automated classification and organization; defensible deletion and selective content migration; data maps; proactive, repeatable e-discovery procedures; clear corporate governance; managed and structured repositories.]

10. Knowledge capture and transfer: the cost of capturing critical business knowledge held at the department and employee level and putting that information in a form that enables other employees and parts of the organization to benefit from it. Examples include intranets and their more contemporary cousins such as wikis, blogs, and enterprise social media platforms.

The Path to Information Value

At its peak during World War II, the Brooklyn Navy Yard had 70,000 people coming to work every day. The site was once America’s premier shipbuilding facility, building the steam-powered Ohio in 1820 and the aircraft carrier USS Independence in the 1950s. But the site fell apart after it was decommissioned in the 1960s. Today, an “Admiral’s Row” of Second Empire–style mansions once occupied by naval officers is an extraordinary sight, with gnarled oak trees pushing through the rotting mansard roofs. 12

Seventy percent of managers and executives say data are “extremely important” for creating competitive advantage. “The key, of course, is knowing which data matter, who within a company needs them, and finding ways to get that data into users’ hands.”

— The Economist Intelligence Unit, “Levelling the Playing Field: How Companies Use Data to Create Advantage” (January 2011)

However, after decades of decay, the Navy Yard is being reborn as the home of hundreds of businesses—from major movie studios to artisanal whisky makers—taking advantage of abundant space and a desirable location. There were three phases in the yard’s rebirth:

1. Clean. Survey the site to determine what had value and what did not. Dispose of toxic waste and rotting buildings, and modernize the infrastructure.

2. Build and maintain. Implement a plan to continuously improve, upgrade, and maintain the facility.

3. Monetize. Lease the space.

Most organizations face a similar problem. However, our Navy Yards are the vast piles of unstructured information that were created with little thought to how and when the pile might go away. They are records management programs built for a different era—like an automobile with a metal dashboard, six ashtrays, and no seat belts. Our Navy Yards are information environments no longer fit for purpose in the Big Data era, overwhelmed by volume and complexity.

We are doing a bad job at managing information. McKinsey estimates that in some circumstances, companies are using up to 80 percent of their infrastructure to store duplicate data.13 Nearly half of respondents in a survey ViaLumina recently conducted said that at least 50 percent of the information in their organization is duplicate, outdated, or unnecessary. 14 We can do better.

1. Clean

We should put the Navy Yard’s blueprint to work, first by identifying our piles of rotting unstructured information. Duplicate information. Information that has not been accessed in years. Information that no longer supports a business process and has little value. Information that we have no legal obligation to keep. The economics of such “defensible deletion” projects can be compelling simply on the basis of recovering the storage space and thus reallocating capital that would have been spent on the annual storage purchase.
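The inventory tools described earlier (find the information, report size, date of last access, and file type) and the “Clean” step here both start from the same basic facts about each file: how big it is, when it was last touched, what kind of file it is, and whether its content is an exact duplicate of something else. The following Python script is an added example, not code from the book or its author, showing how those facts can be gathered from a file share and rolled up into the figures a defensible-deletion business case needs: bytes by file type, duplicate groups, bytes reclaimable by keeping one copy of each, and files not accessed in years. The directory tree it scans is constructed in a temporary folder purely for demonstration, and the three-year staleness threshold (STALE_DAYS) is an assumption, not a figure from the text.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass

STALE_DAYS = 365 * 3  # assumption: "not accessed in years" means more than three years


@dataclass
class FileFact:
    path: str
    size: int
    last_access: float  # POSIX timestamp
    extension: str
    digest: str         # SHA-256 of the content, used to find exact duplicates


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> list[FileFact]:
    """Walk a tree and record the basic facts about every regular file."""
    facts = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)  # stat BEFORE reading, so hashing does not refresh atime
            except OSError:
                continue  # unreadable or vanished files are skipped, not fatal
            facts.append(FileFact(path, st.st_size, st.st_atime,
                                  os.path.splitext(name)[1].lower(), sha256_of(path)))
    return facts


def duplicate_groups(facts: list[FileFact]) -> dict[str, list[FileFact]]:
    by_digest = defaultdict(list)
    for f in facts:
        by_digest[f.digest].append(f)
    return {d: fs for d, fs in by_digest.items() if len(fs) > 1}


def reclaimable_bytes(facts: list[FileFact]) -> int:
    """Bytes freed if exactly one copy of each duplicated content is retained."""
    return sum(f.size for fs in duplicate_groups(facts).values() for f in fs[1:])


def stale_files(facts: list[FileFact], now: float | None = None,
                stale_days: int = STALE_DAYS) -> list[FileFact]:
    now = time.time() if now is None else now
    cutoff = now - stale_days * 86400
    return [f for f in facts if f.last_access < cutoff]


def summarize(facts: list[FileFact], now: float | None = None) -> dict:
    by_ext: dict[str, int] = defaultdict(int)
    for f in facts:
        by_ext[f.extension] += f.size
    return {
        "files": len(facts),
        "total_bytes": sum(f.size for f in facts),
        "bytes_by_extension": dict(by_ext),
        "duplicate_groups": len(duplicate_groups(facts)),
        "reclaimable_bytes": reclaimable_bytes(facts),
        "stale_files": len(stale_files(facts, now)),
    }


def build_sample_tree() -> str:
    """Construct a small sample share (made-up content, not real data) to scan."""
    root = tempfile.mkdtemp(prefix="ig_inventory_")
    os.makedirs(os.path.join(root, "legal"))
    os.makedirs(os.path.join(root, "sales", "old"))
    contract = b"MASTER SERVICES AGREEMENT v3 " * 40  # 1,160 bytes
    menu = b"Tuesday lunch: soup, sandwich\n"          # 30 bytes
    files = {
        "legal/contract.docx": contract,
        "sales/contract (copy).docx": contract,     # exact duplicate
        "sales/old/contract_final.docx": contract,  # another exact duplicate
        "sales/lunch.txt": menu,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # mark the copy under sales/old as untouched for five years
    five_years_ago = time.time() - 5 * 365 * 86400
    old = os.path.join(root, "sales", "old", "contract_final.docx")
    os.utime(old, (five_years_ago, five_years_ago))
    return root


if __name__ == "__main__":
    print(summarize(inventory(build_sample_tree())))
```

Two design points matter in practice. The stat call is taken before the file is hashed so that the scan itself does not refresh the last-access time it is trying to measure. On volumes mounted with noatime, last-access times are never updated on reads, so a file can look stale even though it was opened yesterday; treat that metric as a prompt for a records-retention check, not as proof of disuse. Exact-hash matching only finds byte-identical copies; near-duplicates (an edited draft, a re-saved attachment) need the content analysis the text describes.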

2. Build and Maintain

Cleaning up the Navy Yard is only the first step. We cannot repeat the past mistakes. We avoid this by building and maintaining an IG program that establishes our information constitution (why), laws (what), and regulations (how). We need a corporate governance, compliance, and audit plan that gives the program teeth, and a technology infrastructure that makes it real. It must be a defensible program to ensure we comply with the law and manage regulatory risk.

3. Monetize

IG is a means to an end, and that end is value creation. IG also mitigates risk and drives down cost. But extracting value is the key. Although monetization and value creation often are associated with structured data, new tools and techniques create exciting new opportunities for value creation from unstructured information.

For example, what if an organization could use sophisticated analytics on the e-mail account of their top salesperson (the more years of e-mail the better), look for markers of success, then train and hire salespeople based on that template? What is the pattern of a salesperson’s communications with customers and prospects in her territory? What is the substance of the communications? What is the tone? When do successful salespeople communicate? How are the patterns different between successful deals and failed deals? What knowledge and insight resides in the thousands of messages and gigabytes of content? The tools and techniques of Big Data applied to e-mail can bring powerful business insights. However, we have to know what questions to ask. According to Computerworld, “the hardest part of using big data is trying to get business people to sit down and define what they want out of the huge amount of unstructured and semi-structured data that is available to enterprises these days.”15

Key steps in driving information value are: (1) clean; (2) build and maintain; and (3) monetize.


The analytics challenges of Big Data create opportunities. For example, McKinsey predicts that demand for “deep analytical talent in the United States could be 50 to 60 percent greater than its projected supply by 2018.” A chief reason for this gap is that “this type of talent is difficult to produce, taking years of training in the case of someone with intrinsic mathematical abilities.” However, the more profound opportunity is for the “1.5 million extra additional managers and analysts in the United States who can ask the right questions and consume the results of the analysis of big data effectively.” 16

Some companies are using analytics to set prices. For example, the largest distributor of heating oil in the United States sets prices on the fly, based on commodity prices and customer retention risks. 17 In a case that caught the attention of morning news shows, with breathless headlines like “Are Mac Users Paying More?” an online travel company revealed that “Mac users are 40 percent more likely to book four- or five-star hotels . . . compared to PC users.”18 Despite the headlines, the company was not charging Mac users more. Rather, computer brand was a variable used to determine which products were highlighted.

The path to information value is not necessarily linear. Different parts of your business may achieve maturity at different rates, driven by the unique risks and opportunities of the information they possess.

Challenging the Culture

The best models for calculating the total cost of owning unstructured information are those that information professionals can use to challenge and change organizational culture. Much of the unstructured information that represents the greatest cost and risk to organizations is created, communicated, and managed directly by employees—that is, by human beings. As such, better IG relies in part on improving the way those human beings use and manage information.

New Information Models

The “information calorie” and “information cap-and-trade,” explored next, are two new models designed to help with the challenge of governing information.

Table 7.1 Key Steps in the IG Process

1. Clean: Information inventory; Defensible deletion; Records retention and legal hold

2. Build and Maintain: IG policies and procedures; Corporate governance, compliance and audit; Technology

3. Monetize: Create value through information, e.g., drive sales and improve customer satisfaction; Business insights; Increase margins

Source: Barclay T. Blair


Information Calorie

The Western world is suffering from an embarrassment of riches when it comes to calories. The calorie has been weaponized in the form of tasty, cheap, and fast food loaded with sugar and fat. Even a cup of “coffee” can contain as much as 800 calories.19 We have gotten very, very good at maximizing available calories, at a staggering cost: $190 billion per year in additional medical spending as a result of obesity in the United States, greater than the cost of smoking. 20

Governments are taking action. A new national health care law in the United States requires restaurant chains to disclose calorie counts for the food they sell by 2013, building on similar state laws. 21 Calories are not inherently bad. We would literally die without them. But too many calories make us sick.

The analogy to information is clear. Information is the “lifeblood” of our organizations and is central to our survival. But too much unmanaged unstructured information leaves us fat, slow, and coughing and wheezing at the back of the pack.

In 2012, New York City initially passed a controversial law limiting the size of soft drinks that can be sold at movie theaters and convenience stores (later challenged in court). The “Bloomberg soda ban” was based on the premise that humans need help making good choices. There is some basis for this approach, with studies showing that, for example, the size of the candy scoop determines how much free candy we eat. 22 Under the new law, it was still possible in New York to buy two smaller cups of soda, but it was hoped that inconvenience (and cost) would reduce overconsumption.

A new study . . . examined consumer behavior before and after calorie counts were posted, and determined that when restaurants post calories on menu boards, there is a reduction in calories per transaction.

—Bryan Bollinger, Phillip Leslie, Alan Sorensen, “Calorie Posting in Chain Restaurants,” Stanford University, January 2010

Thinking about information as calories at your organization can improve awareness of its costs and drive change. The goal is not to add friction to desirable behaviors, like collaboration and mobile work, but rather to make it more difficult to create and consume empty information calories.

Here are some tips to get started:

■ Educate executives and employees about the cost of information mismanagement through anecdotes, case studies, and facts.

■ Show employees their information footprint by regularly exposing them to the amount of data storage they are using in e-mail, shared drives, content management systems, and other environments they work with. With a little creative programming, you can post “information calories” on your menus.

■ Design systems to minimize information calories. Examples include: preventing employees from exporting e-mail to .pst files; turning off the ability to store documents on desktop hard drives to encourage the use of a managed collaboration environment; and requiring employees to send links to shared content rather than creating yet another e-mail attachment. Clever technology and social engineering, like the soda ban, can drive healthy information behavior.


Information Cap-and-Trade

Originally designed as a regulatory approach for fighting acid rain in the 1980s, cap-and-trade has gained new attention as a method of curbing carbon emissions. Cap-and-trade systems differ from command-and-control regulatory approaches that mandate, rather than economically encourage, a course of action. In other words, rather than forcing companies to install scrubbers on power plant exhausts (command and control), cap-and-trade provides companies with an emissions quota, which they can hit as they see fit, and even profit from. Companies with unused room on their quota can sell those “credits” on specialized markets.

Consider a cap-and-trade system for information. Do not limit the creation and storage of useful information—that defeats the purpose of investing in IT in the first place. Rather, design a cap-and-trade system that controls the amount of information pollution and rewards innovation and management discipline.

While there is no objective “right amount” of information for every organization or department, we can certainly do better than “as much as you want, junk or not.” After all, “nearly all sectors in the US economy had at least an average of 200 terabytes of stored data . . . and many sectors had more than 1 petabyte in mean stored data per company.” 23 Moreover, up to 50 percent of that information is easily identifiable as data pollution. 24 So, we have a reasonable starting point.

Here are some tips for creating an information cap-and-trade system:

■ Baseline the desired amount of information per system, department, and/or type of user. How much information do you currently have? How much has value? How much should you have? These are not easy questions to answer, but even rough calculations can make a big difference.

■ Create information volume targets or quotas, and allocate them by business unit, system, or user. This is the “cap” part of the system.

■ Calculate the fully loaded cost of a unit of information, and adopt it as a baseline metric for the “trade” part of the system. Consider whether annual e-discovery costs can be allocated to this unit in a reasonable way.

■ Create an internal accounting system for tracking and trading information units, or credits, within the organization. Innovative departments will be rewarded, laggards will be motivated.

■ Get creative in what the credits can purchase. New revenue-generating software? Headcount?

“There’s not a person in a business anywhere who gets up in the morning and says, ‘Gee, I want to race into the office to follow some regulation.’ On the other hand, if you say, ‘There’s an upside potential here, you’re going to make money,’ people do get up early and do drive hard around the possibility of finding themselves winners on this.”

—Dan Esty, environmental policy professor at Yale University, quoted in Richard Conniff, “The Political History of Cap and Trade,” Smithsonian Magazine (August 2009)


Future State: What Will the IG-Enabled Organization Look Like?

When an organization is IG enabled, or “IG mature”—meaning IG is infused into operations throughout the enterprise and coordinated on an organization-wide level—it will look significantly different from most organizations today. Not only will the organization have a solid handle on the total cost of information; not only will it have shifted resources to capitalize on the opportunities of Big Data; not only will it be managing the deluge in a systematic, business-oriented way by cutting out data debris and leveraging information value; it will also look significantly different in key operational areas including legal, records and information management (RIM), and IT.

In legal matters, the mature IG-enabled organization will be better suited to address litigation in a more efficient way through a standardized legal hold notification (LHN) process. Legal risk is reduced through improved IG, which will manage information privacy in accordance with applicable laws and regulations. During litigation, your legal team will be able to sort through information more rapidly and efficiently, improving your legal posture, cutting e-discovery costs, and allowing for attorney time to be focused on strategy and to zero in on key issues. This means attorneys should have the technology tools to be more effective. Adherence to retention schedules means that records and documents can be discarded at the earliest possible time, which reduces the chances that some information could pose a legal risk. Hard costs can be saved by eliminating that approximately 69 percent of stored information that no longer has business value. That cost savings may be the primary rationale for the initial IG program effort. By leveraging advanced technologies such as predictive coding, the organization can reduce the costs of e-discovery and better utilize attorney time.

Your RIM functions will operate with more efficiency and in compliance with laws and regulations. Appropriate retention periods will be applied and enforced, and authentic, original copies of business records will be easily identifiable, so that managers are using current and accurate information on which to base their decisions. Over the long term, valuable information from projects, product development, marketing programs, and strategic initiatives will be retained in corporate memory, reducing the impact of turnover and providing distilled information and knowledge to contribute to a knowledge management (KM) program. KM programs can facilitate innovation in organizations, as a knowledge base is built, retained, expanded, and leveraged.

In your IT operations, a focus on how IT can contribute to business objectives will bring about a new perspective. Using more of a business lens to view IT projects will help IT to contribute toward the achievement of business objectives. IT will be working more closely with legal, RIM, risk, and other business units, which should help these groups to have their needs and issues better addressed by IT solutions. Having a standardized data governance program in place means cleaning up corrupted or duplicated data and providing users with clean, accurate data as a basis for line-of-business software applications and for decision support analytics in business intelligence (BI) applications. Better data is the basis for improved insights, which can be gained by leveraging BI and will improve management decision-making capabilities and help to provide better customer service, which can impact customer retention. It costs a lot more to gain a new customer than to retain an existing one, and with better data quality, the opportunities to cross-sell and upsell customers are improved. This can provide a sustainable competitive advantage. Standardizing the use of business terms will facilitate improved communications between IT and other business units, which should lead to improved software applications that address user needs. Adhering to information life cycle management principles will help the organization to apply the proper level of IT resources to its high-value information while decreasing costs by managing information of declining value appropriately. IT effectiveness and efficiency will be improved by using IT frameworks and standards, such as CobiT 5 and ISO/IEC 38500:2008, the international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient governance of IT. 25 Implementing a master data management program will help larger organizations with complex IT operations to ensure that they are working with consistent data from a single source. Improved database security through data masking, database activity monitoring, database auditing, and other tools will help guard the organization’s critical databases against the risk of rogue attacks by hackers. Deploying document life cycle security tools such as data loss prevention and information rights management will help secure your confidential information assets and keep them from prying eyes. This helps to secure the organization’s competitive position and protect its valuable intellectual property.

By securing your electronic documents and data, not only within the organization but also for mobile use, and by monitoring and complying with applicable privacy laws, your confidential information assets will be safeguarded, your brand will be better protected, and your employees will be able to be productive without sacrificing the security of your information assets.

Moving Forward

We are not very good at figuring out what unstructured information costs. The Big Data deluge is upon us. If we hope to manage—and, more important, to monetize—this deluge, we must form cross-functional teams and challenge the way our organizations think about unstructured information. The first and most important step is developing the ability to convincingly calculate what unstructured information really costs and then to discover ways we can reduce those costs and drive value. These are foundational skills for information professionals in the new era of Big Data. In this era, information is currency—but a currency that has value only when IG professionals drive innovation and management rigor in the unstructured information environment.

CHAPTER SUMMARY: KEY POINTS

■ The business case for IG programs has historically been difficult to justify.

■ It takes a commitment to the long view to develop a successful IG program.

■ The problem of unstructured IG is growing faster than the problem of data volume itself.

■ IG professionals must be ready with new models that calculate the risks of storing too much of the wrong information and also the benefits of clean, reliable, accessible information.

(continued)

■ Key steps in driving information value are: (1) clean; (2) build and maintain; and (3) monetize.

■ The information calorie approach and information cap-and-trade are two new models for assisting in IG.

■ Legal risk is reduced through improved IG, and legal costs are reduced.

■ Leveraging newer technologies like predictive coding can improve the efficiency of legal teams.

■ Adherence to retention schedules means that records and documents can be discarded at the earliest possible time, which reduces costs by eliminating unneeded information that no longer has business value.

■ RIM functions will operate with more efficiency and in compliance with laws and regulations under a successful IG program.

■ A compliant RIM program helps to build the organization’s corporate memory of essential “lessons learned,” which can foster a KM program.

■ KM programs can facilitate innovation in organizations.

■ Focusing on business impact and customizing your IG approach to meet business objectives are key best practices for IG in the IT department.

■ Effective data governance can yield bottom-line benefits derived from new insights, especially with the use of business intelligence software.

■ IT governance seeks to align business objectives with IT strategy to deliver business value.

■ Using IT frameworks like CobiT 5 can improve the ability of senior management to monitor IT value and processes.

■ Identifying sensitive information in your databases and implementing database security best practices help reduce organizational risk and the cost of compliance.

■ By securing your electronic documents and data, your information assets will be safeguarded and your organization can more easily comply with privacy laws and regulations.

■ We are not very good at figuring out what unstructured information costs. To thrive in the era of Big Data requires challenging the way we think about the cost of managing unstructured information.

