Information Governance: A “Must Have” Tool

Monday, December 22, 2014 - 14:57

The Editor interviews Jake Frazier, Senior Managing Director, FTI Consulting.

Editor: What are some of the common information governance challenges that your clients are talking about?

Frazier: Depending on which executive officer is speaking, there are two sets of challenges: cost and risk. A CIO, COO or CFO is focused on the cost of information and pressures resulting from the fact that data is growing between 40 and 60 percent per year. Some aspects of storage, like disk, are falling in price but not quickly enough to keep up with that data growth; therefore, most IT executives report that they are spending more and more on storage, which creates problems because this is not a strategic spend for the business. And even a CIO budget that increases 4 percent annually will not keep pace, so they have to do more with less and deal with the fact that storage is eating up a greater proportion of their budget. That's a huge problem on the cost side.

Data growth also is causing risk pressures. General counsel, chief compliance officers and chief information security officers, among others at their level, report that problems stem not only from data growth – certainly we see how increased e-discovery volumes and data breach fines relate on the cost side – but also from the risk created by complexities, such as the drive to move to the cloud (and associated data security concerns), that result from cost cutting.

Editor: Are certain industries more prone to these types of challenges?

Frazier: In my experience as an attorney, e‑discovery is an industry‑specific concern. Certain big industries, meaning financial services, energy, pharmaceutical and high-tech, were hit first and hit hard. They had to take action quickly, and their matters are the source of case law. In information governance, risk pressures are highest in those industries as well. What's interesting though is that cost-related pressures are the same across any industry, meaning they are horizontal and correlate with the data growth statistics I cited above. This means that there is always an opportunity for cost savings. Those industries that are less regulated and not a top target of plaintiffs or investigators – for instance, a manufacturing or holding company with low consumer exposure – simply will have fewer litigation holds. When we look at helping companies conduct defensible disposal, it’s more of a cost‑saving play for those less-regulated industries and more of a risk‑reduction play for the highly regulated industries.

Editor: What is the role of corporate counsel in this discussion?

Frazier: Corporate counsel are most concerned with litigation hold and preservation as key drivers in information governance. Let me refer your readers to the Information Governance Reference Model (IGRM), which essentially identifies the various stakeholders (legal, business, privacy/security, IT and risk) and how, ultimately, their interests are completely aligned. Legal is largely focused on preservation and e-discovery, with some attention to retention in the regulatory context.

Now, there are some exemplar companies where corporate counsel has taken a larger role and viewed these issues in the broader business context. They found themselves drowning in spreadsheets and emails and often having to spend money reactively, which depleted already stretched budgets. Software tools can automate e-discovery, legal hold notification and workflow tracking, which is a more productive use of legal spend as an investment in protecting the company’s business.  

This breed of in-house counsel is reaching out to the CIO or COO and saying, "Look, can we trade reduced e‑discovery costs for more capital expenditures to purchase proactive solutions that help us automate? Can we look at the business case and work something out?" And I've seen some go even further to say, "If we take a larger role in the defensive disposal of information, which saves the CIO money and helps our e‑discovery process, will you empower us with additional resources, such as for head count or budget?"

Editor: That's the proverbial win-win.

Frazier: Yes it is. I've acted as the bridge between legal and IT in meetings where both parties expected a negotiation and a zero-sum game but quickly realized that their interests were 100 percent aligned. IT often views legal as too risk-averse regarding the disposal of information, and legal often views IT as not providing the tools, infrastructure and other resources needed to gain visibility into data and make responsible determinations about what to cut. When I moderate, or essentially translate, this discussion for the parties, it comes out that legal really does want to engage in defensible disposal of information, but they need good tools.

Editor: Why is there a common perception that information governance is a "nice to have" rather than a "must do" project?

Frazier: It's an interesting psychological question, and a critical one. Let me start by defining information governance as an organization's obligations and opportunities with respect to how it creates, uses, stores, discovers, retains and disposes of information. The “nice to have” perception worked when CIOs were able to apply several standard tactics at the data layer ­– compression, tiering, offlining, deduplication and virtualization – which served the purpose of managing current data volumes. Those days are over, and with data volumes still increasing, CIOs “must” find a solution for the defensible disposal of information. We hit the economic tipping point for most organizations about a year and a half ago, with people realizing that less money spent on storage meant extra budget to invest in analytics and other tools that improve revenue and customer satisfaction. Given three- to five-year projections that make situations dire for some IT organizations, data disposal has become a C-level issue. The “must do” analysis also extends to the risk side, with email archives bursting at the seams and hindering search and production processes in connection with regulatory requirements, as well as affecting the legal side in the need for efficiency and automation of e-discovery.

Editor: How does FTI help clients address the challenges (and embrace the opportunities) of information governance?

Frazier: Companies face these challenges from different points of view, as software companies, services providers and so forth. If you take as a reactive example a high‑level government investigation with law enforcement involved, absent prior involvement, FTI's professionals can parachute into the organization and, with little or no assistance, not only understand unfamiliar data systems but actually access them, pull up the data in a forensically sound manner, and do so under very tight timelines. To continue the diving analogy, the degree of difficulty here is about as high as possible, but we can do that.

Take those same FTI professionals, bring them into proactive discussions, give them a little lead time, and they will provide amazing advice on optimizing systems. From a disposal standpoint, that's really where the opportunity is. Organizations looking to engage in defensible disposal have difficulty pulling the trigger because, while they have a policy in place and have identified what information to eliminate, there is no legal obligation attached to this process.

FTI’s experts are uniquely situated to help because of our experience with reactive matters; we understand what's reasonable and have served as expert witnesses and written affidavits on those very topics, all of which are tremendous assets to organizations that are experiencing analysis paralysis on decisions about the “defensible” piece. Often we do this work in concert with outside counsel. This is a key aspect of FTI's technology practice.

Across FTI's other practices, we have a robust bench of professionals who understand complex data models and can help with the difficult aspects of information governance projects, bringing in specific expertise in cybersecurity, investigations and economics, as needed.

Editor: FTI has a strong reputation within e-discovery. Tell us about the relationship between information governance and e‑discovery.

Frazier: Let me first give some background. I was a founding member of the Electronic Discovery Reference Model (EDRM), which gave rise to the IGRM, mentioned above. The IGRM is represented as a wheel that shows the interconnection of stakeholders within data processes, and often what's missing on the execution side is the hub of that wheel. FTI serves as the glue in the middle, both in providing expertise that translates the picture into actions and much-needed structure and in serving as a facilitator and catalyst for the organization’s plan of action. Once we provide this head start, organizations need us less and less as stakeholders start to see that their interests are aligned – that there is no loser in this process – and take matters into their own hands. This dynamic builds momentum very quickly.

To your question, the IGRM model shows that e‑discovery is an integrated aspect of information governance and comprises one set of obligations with regard to data. But this really is a lens issue. The director of e‑discovery at a law firm will want to focus on the EDRM, where information governance is just the beginning of a linear process. For corporations, e-discovery is a piece of the pie in the information governance wheel.

Editor: What are the signs that a company needs to examine its information governance program? How can FTI help?

Frazier: Some tactical indicia of a substandard information governance program include: using backup as a litigation hold device, storing data on tapes and being stuck in that cycle, and maintaining inefficient email archives that hold up search and extraction efforts. Resolving these issues is a very achievable goal and, if done properly, a “quick win” in a company’s initial efforts to improve information governance. Quick wins deliver success that can be demonstrated in dollars, gigabytes and hours and can provide the necessary motivation toward effecting a large transformation. The hallmarks of success are streamlined e‑discovery and proactive measures for locating, securing and defensively disposing of information – before a breach occurs.

Toward that goal, FTI can provide direct assistance, first by assessing the company’s current information governance program and then surgically achieving one or more of those results. Quickly, we help them get rid of backup tapes, establish a better email archive, defensively store information, and scan and secure critical data that carries cybersecurity risk. When we step in, nine times out of ten we'll find that projects, perhaps even funded projects, are already in place. Our job is to focus on particular issues, such as resolving an audit failure regarding the misplacement of sensitive data or providing advisory or maintenance services. In these cases, we not only help with the problem but we also achieve that all-important demonstrable return: risk reduction, satisfying the audit or finding dollars. The goal in these efforts is to come in, show how the puzzle pieces fit together to create a vision, identify low-hanging fruit and achieve a positive return on that, do it all without spending a lot of money and, finally, establish the groundwork for larger efforts.

Editor: What advice would you give to a company in developing an information governance program?

Frazier: First, organizations should contemplate the concept of the chief data officer. As with any corporate program, placing an accountable person at a high level and empowering him or her to make change will increase the likelihood of success. Appointing a chief data officer provides a home for the program and a hub for the wheel that will accelerate progress. Companies that don’t want to go from zero to sixty right away can name a manager or director of information governance to create the pathway for strong consideration of naming a chief data officer sometime in the future.

As with any problem that is getting worse over time and has a cumulative effect, resolving a company’s runaway data growth means achieving defensible disposal and bringing equilibrium back to its environment. We are seeing companies do amazing things: discarding hundreds of terabytes of junk per year or hundreds of thousands of backup tapes that have no value or obligation. Their efforts represent FTI’s best practices for getting started, and my advice is to start small, but start immediately. Remember, as you sit and analyze the situation, data is accumulating every second, and useless backup tapes are incurring storage costs. FTI is here to help, so don’t allow perfection to be the enemy of good.

Please email the interviewee at jake.frazier@fticonsulting.com with questions about this interview.