Introduction to IMRM Information Governance Survey & Scenarios
May 5, 2010 Web Meeting
Lorrie Luellig, Of Counsel, Ryley Carlock
Deidre Paknad, Founder of CGOC
Harry Pugh, former EVP Citigroup
PLEASE CITE CGOC AS THE SOURCE WHEN ANY OF THIS MATERIAL IS USED.
Agenda
Introduction to the Model Deidre Paknad
Preview of Information Governance Survey Results Lorrie Luellig
Information Governance Benchmark Kit Deidre Paknad
Global Operational Model for Information Governance Harry Pugh
Session Speakers
Deidre is widely credited with having launched the first commercial applications for legal holds, collections and retention management and is a recognized thought leader in legal and information governance. In 2004, she founded the CGOC, a professional community on retention and preservation that IDC labeled a "think tank". She has been a member of several Sedona working groups since 2005 and leads EDRM IMRM sub-group 6.
Deidre is a seasoned entrepreneur and executive with 20 years' experience applying technology to inefficient business processes to reduce cost and risk. Deidre was inducted into the Smithsonian Institution for innovation in 1999 and again in 2000.
Lorrie is Of Counsel to, and a founding member of, the Ryley Carlock & Applewhite Document Control Group. Lorrie has extensive experience counseling clients about retention policies and procedures for both litigation-related matters and overall company operations. She has helped to create and implement strategies for both Fortune 100 companies and smaller privately and publicly held companies in the areas of legal and regulatory compliance, litigation holds, privacy and security issues as well as information handling and disposition. Lorrie also provided expert testimony relating to disposition of records and other issues relating to records and information management. Lorrie received her LL.M. from Harvard Law School in Cambridge, Massachusetts.
Lorrie co-chairs the CGOC RIM Working Group and has been a faculty member since 2007. She is on the IMRM corporate sub-group (6).
Before retiring, Harry was the Managing Director of Reengineering for Operations and Technology at Citigroup where he led the development and implementation of a number of corporate policies. Prior to this role, he was Chief of Staff at Citigroup Mortgages. His long, successful tenure at Citigroup also included Director of Recoveries US Card Products and Controller for Global Bank Cards. Harry holds a BA and a Master's degree from Harvard University and is currently consulting with F50 clients in their information governance initiatives.
Harry co-chairs the CGOC RIM Working Group and has been a faculty member since 2006.
Deidre Paknad, CEO of PSS Systems, Founder of CGOC
Lorrie Luellig, Of Counsel, Ryley Carlock & Applewhite
Harry Pugh, Former Executive Vice President, Citigroup
A Counterpart to EDRM, not a Subset
The IMRM will help bridge the gap between IT, Legal, Compliance, RM, and other stakeholder groups within organizations. The IMRM does NOT aim to produce a model that is prescriptive in nature; rather, it seeks to provide a reference that will promote cross-functional dialogue and collaboration.
www.edrm.net
Narrative:
1> the “information management” box on EDRM is a completely inadequate expression
2> and that despite the various lifecycle models available over the years – including EDRM itself and those from AIIM and ARMA – companies still have too much risk and too much information. As you’ll see in the survey results Lorrie previews, the stakeholders in information governance don’t collaborate well or have enough cross-functional transparency today.
3> the model is more of a responsibility model rather than a document or case lifecycle model. It helps to identify the stakeholders, define their respective “stake” and to highlight the intersection and dependence across these stakeholders.
4> IMRM can provide a framework for cross functional and executive dialogue and can serve as a catalyst for defining a unified governance approach to information that links value and duty to information assets.
Information is at the center
Narrative: The information basics are distilled out and at the center – with the notable inclusion of “dispose” as the end state of information. And the “information gates” in the middle.
It Starts with the Business & Value
Narrative: The line of business has an interest in information proportional to its value – the degree to which it helps drive the profit or purpose of the enterprise itself. Once that value expires, they quickly lose interest in managing it, cleaning it up, or paying for it to be stored. One of the things that the IMRM does is distinguish value from regulatory obligation or IT efficiency.
Legal & RIM Have Responsibility for Legal Duties & Obligations for Information
Narrative: Their charter is typically to manage risk for the company. It underscores that it is the legal department’s responsibility to define what to put on hold and what and when to collect data for discovery; and RIM’s responsibility to ensure that regulatory obligations for information are met including what to retain or archive, and for how long.
Together they both have an enormous role in how and when companies can dispose of data. As with the business segment, it calls on legal and RIM to be specific about the duties for information – what they are and when those duties end.
IT is Chartered with Efficiently Managing Information
Narration: IT stores and secures information under their management. Of course their focus is efficiency and they’re typically under huge pressure to increase efficiency and lower cost.
What these reliefs of this diagram show is that without collaboration and unified governance, IT doesn’t know and can’t speak to what information has value or what duties apply to specific information. One of the things IMRM can help companies address is that for IT to manage data efficiently, it is essential to link specific duties and business value to the information assets.
Framework for Progress
Unified governance
• Transparent processes across functions
• End of silo approach
• Unified vocabulary, different interests
Structural linkage of duty + value to asset
• Policies > procedure > execution
• Specific rather than generic guidance
enables enterprise execution and disposal
Joint CGOC & IMRM Survey
Assess perspectives of Legal, RIM and IT on:
• Perception of the importance and value of defensible disposal
• Current information management practices
• Perceived challenges in information management and governance
• Differences in perception across stakeholders regarding opportunities and challenges to improvement
Joint effort of CGOC and members of IMRM working group 6 spearheaded by Lorrie Luellig and Deidre Paknad
Consensus on Purpose
Said the purpose of information governance practice is Defensible Disposal
But IG Practices Don’t Work Well Today
gave themselves a C grade or lower
2/3 of IT
1/3 of Legal
1/2 of RIM
respondents said the current responsibility model doesn’t work
Not Surprising
Because legal holds are still hand-stitched:
What linkage, if any, exists today between the company's legal obligations with respect to information, the management of business records, IT assets and IT processes for managing data, and the business groups who need data for revenue generation?
People Glue
Very Little Linkage
It’s Systematic 13%
Narrative: 80% of companies had weak or strained linkage between legal obligations for information, records management and IT data management. And we all know that without a rigorous holds process, we can’t defensibly dispose of data …
Not Surprising
And retention management is unstitched
[Charts: RIM Involved in Enabling Disposal; IT Uses Retention Schedule to Migrate/Dispose; Schedule Encompasses Electronic Information. Response categories: Yes, No, Don’t Know]
Narrative: Nearly half of RIM teams aren’t involved in enabling disposal. Despite the fact that all of the respondents were discovery-savvy, 1/3 didn’t know whether IT used the retention schedule to manage data! Another third said they didn’t use it yet 80% said the retention schedule included electronic data – which begs the question what do they use?
The Perceived Barriers
What Holds Us Back:
Operational Blocks
Lack of Executive Support
Interesting Contrast
RIM & IT Point of View
Operational Blocks Lack of Executive Support
Legal Point of View
Operational Blocks Lack of Executive Support
Narrative: The perceived barriers varied by point of view. Both RIM and IT understood the issue as “Operational Blocks”. Legal felt it was due to lack of executive support.
Of perceived operational barriers, the single most challenging aspects of information governance
Transparency
Ability to Dispose of Data
Federation of Holds and Schedules
Information Inventory by Business
Knowledgeable Delegates within Business Groups
Narrative: 38% said lack of transparency was the most substantial challenge. The (in)ability to dispose of data came in second at 25%.
Greatest Perceived Value of Good Information Governance Practice
RIM
1. Transparency to obligations, collaboration with legal and RIM
2. Ability to dispose
1. Transparency to obligations, collaboration with legal and IT
2. Tie for ability to dispose and ability to federate schedules and holds
1. Transparency and collaboration with IT and RIM
2. Inventory of data sources and information inventory by business group
Perceived Elements of Value from Good Information Governance Practice
True Inventory of All Legal Holds
Data Source Map & Departmental Information Inventory
Ability to Dispose of Data
Transparency & Collaboration across Legal, RIM, IT
Perceived Value of New IMRM
Management Catalyst
Help Organize Efforts
No Value
Provides Vendor Selection Framework
Narrative: The real value is the ability of IMRM to enable the cross functional discussion around responsibility and transparency, something respondents recognized.
Typical Information Governance Environment
Business
Records
2,000 matters, 300+ new/year
Custodian-focused holds
Records, repositories and their stewards not captured
Holds and custodians infrequently communicated to IT
Triple-documentation on collection process
12-page form to initiate collection; a 2-page form is completed for each custodian
80,000 IT tickets a year
5.4 PB of data – 850% growth in 5 years
Continuous capacity allocation on 7000 servers
Dispose of C drives, remove H drive access without hold determination
Imposing quotas on employee data
0% budget growth
Collection work broadly delegated, 100 pg manual
9 year old corporate master with 38 business unit schedules for 200 countries
Legal codes obscure actual reason for retention
230 yearly change requests with 30 person review board
Everything is a record
No link between records and IT
Can’t audit
Routing all paper to legal for disposition review – opposite of holds
Dispute over schedule and taxonomy relevance
Raging at quotas
• Spending $3B on IT
Tool Kit for Benchmarking & Progressing
Information governance improvements and IMRM can address 3 major pain points:
• Dependency without transparency
• Discovery spend too high and legal risk still mounting
• Data growth 50% but IT budget growth is 0%
Assessing the maturity of your processes can
• Identify the dependencies for all stakeholders
• Highlight the savings opportunities for all stakeholders
• Show you how to link duty and value to data
KEY DISCOVERY PROCESSES
Columns: PROCESS | Level 1: AD HOC, MANUAL, UNSTRUCTURED | Level 2: MANUAL, STRUCTURED | Level 3: SEMI-AUTOMATED | Level 4: AUTOMATED AND INTEGRATED ACROSS FUNCTIONS | Your Level

A. Legal Hold - Scope Custodians
Level 1: Multiple custodian spreadsheets.
Level 2: Centralized custodian spreadsheet.
Level 3: Scope by organization, people; systematically track all custodians in all holds including multiple holds per custodian; scope terminated/transferred employees in real time.
Level 4: Continuous update of custodian roles, responsibilities, automatic employee transition alerts; systematically use existing custodian lists for similar matters.

B. Hold - Scope Information
Level 1: Limited collection from data sources, custodian-based rather than information based; spreadsheet tracking/lists.
Level 2: Identify data sources by organization; understand backup procedures.
Level 3: Have linked legacy tapes and data sources to organizations, and open holds/collections.
Level 4: Automatically scope people, systems and tapes, information and records in holds; Scope terminated employee data and legacy data/tapes where applicable.

C. Publish Hold
Level 1: Manual notices, confirmations, no escalations. Ad-hoc description of record or information subject to hold requires interpretation and manual effort to comply.
Level 2: Centralize reply email box for confirmations, Process well communicated, all holds on intranet.
Level 3: Systematically send notices and reminders, require and track confirmations, ability to manage exceptions, employees can look up their holds at any time. Communications tailored to recipient role (IT, RIM, employee).
Level 4: Publish to system, propagate hold, automate hold enforcement. IT Staff have continuous visibility to current discovery duties, holds during routine data management activities; automatically flag records in appropriate systems.

D. Interview Custodians
Level 1: Ad-hoc manual interviews and follow up.
Level 2: Questionnaire mailed to custodians, responses compiled manually for collection and counsel follow up.
Level 3: Online/auto interviews with system follow-up, view individual and aggregated responses, auto non-response escalations, alerts for specific answers, export for O/C.
Level 4: Individual responses propagated to collections, custodian-specific collections instructions, interview results shared with outside counsel to interview by exception.

E. Collection Workflow
Level 1: Detailed and duplicate spreadsheets of custodians and information between IT and Legal; multiple copies of the collected data.
Level 2: Centralized, version controlled spreadsheets of custodians and information; evidence server without inventory.
Level 3: IT can efficiently collect by custodian and content, avoid recollecting, auto logging of files collected, source, chain of custody. IT self-service look up.
Level 4: From their browsers, attorneys collect directly from custodians or any system.

F. Review Volume
Level 1: Image drives or over-collect from custodians, over scope custodians; high quantity of data for review.
Level 2: Image drives or over-collect from custodians, over scope custodians; high quantity of data for review.
Level 3: Quantity of data reviewed from tightly scoped custodians, leveraging prior scoping histories, accurate enterprise map.
Level 4: Quantity of data reviewed from tightly scoped custodians, leveraging prior scoping histories, accurate enterprise map, detailed instructions to IT.

G. Cost Control
Level 1: Image drives or over-collect from custodians, over scope custodians; high quantity of data for review.
Level 2: Estimate costs on the “big matters” in spreadsheets or by outside counsel.
Level 3: Discovery cost forecasts are automatically generated as soon as the hold is scoped, costs are calculated continuously for matters.
Level 4: Consistently make cost shifting arguments to limit scope of collection and review; earliest/optimized matter resolution; manage cost at portfolio level.

H. Monitoring, Compliance
Level 1: Each attorney tracks their own matters, status.
Level 2: Formal, but manual reporting of open holds; no summary reporting on interviews, collections, response.
Level 3: Automated reminders and escalations, online audit trail, management reporting on discovery status, visibility within legal dept across custodians,
Level 4: Consistently make cost shifting arguments to limit scope of collection and review; earliest/optimized matter resolution; manage cost at portfolio level.
KEY INFORMATION MANAGEMENT PROCESSES
Columns: PROCESS | Level 1: AD HOC, MANUAL, UNSTRUCTURED | Level 2: MANUAL, STRUCTURED | Level 3: SEMI AUTOMATED | Level 4: AUTOMATED, FULLY INTEGRATED ACROSS FUNCTIONS | Your Level

I. Establish Retention Program, Catalog Applicable Laws
Level 1: Define retention periods only for physical records.
Level 2: Updated retention schedule for physical and electronic records.
Level 3: Established retention period for all information, define country/jurisdiction specific schedules (without over- or under-retention of records).
Level 4: Value-based retention appropriate for business, country operations. Library of country protocols for discovery, privacy, retention. Alert program, dept staff when laws change, schedules are impacted.

J. Manage Departmental Information Management Procedures
Level 1: No knowledge of actual procedures, information, location, use, value.
Level 2: Conduct inventory of departmental practice and information.
Level 3: Define retention schedules and stores for departmental information based on value and regulatory requirements; enable change request workflow to master schedule and department/country schedules.
Level 4: Alerts IT and department delegates when systems, business objectives change. Legal, IT and department delegates continuously access accurate retention schedules, legal holds, privacy procedures. Federate schedules to information repositories enabling routine disposition.

K. Routine Disposal
Level 1: IT ‘keeps everything’ because it has no systematic way to determine obligations or value.
Level 2: IT receives email when events require IT action, such as when an employee is on hold.
Level 3: IT performs routine disposal with self-service awareness of preservation or retention obligations; looks up any asset or employee to determine value, current legal requirements.
Level 4: Holds and retention schedules are applied to data in place and data disposition is consistent and automatic. IT analyzes, identifies redundant applications, consolidates instances, retires data, reduces data volume and overhead.

K. Disposition Legacy Data
Level 1: No hold release notification, no lookup ability.
Level 2: Email hold release communication from Legal to IT.
Level 3: Closed loop between Legal, IT clearly defines legacy data subject to hold. Systematic disposition - of legacy tapes by cross referencing by org, time, and employees with open matters - of terminated employee data by cross reference with legal matters.
Level 4: Legacy data is dispositioned and no additional legacy data is accumulated. Routine disposition process on terminating employees; tape recycling process is consistent and defensible.

L. Information Policy Audit
Level 1: We hope no one audits – we’d never pass.
Level 2: Audit of records limited to physical records.
Level 3: Annual audit of retention program across electronic and physical records.
Level 4: Audit of retention, privacy, data protection and discovery processes across physical and electronic information.
Each Process Impacts Risk
A Good but Isolated Process Doesn’t Meaningfully Alter Risk or Cost Profile
At maturity level 2 and 3:
• Majority of risk remains
• No defensible disposal
• Costs of discovery and data management continue to rise
The Greatest Proponent May Be the CIO
[Figure: two charts. Axis labels: Budget Allocation (0% to 100%), PB (0 to 60), years 2010 to 2015. Legend and category labels: Investing, Volume Hit, Operating; Unconstrained Growth, Routine Disposal; Actual, 2011, 2012, Ideal; Target; Defensible Disposal Opportunity.]
Unmanageable growth adds unnecessary cost and risk.
Flat budget can’t absorb rising volume and sustain strategic IT investments – failure scenario.
50% YoY Data Growth Cannibalizes Strategic IT Investment Capacity in Flat Budget Environment
Defensible disposal enabled by rigorous discovery and value-based retention program frees resources and capital for strategic investment and greater profit.
Operational Models for Global Governance Practice
Information Governance Group (IGG)
Business, Legal & IT Provide Information Governance Delegates Managed Centrally by IGG
Narrative: Although we didn’t call it the Information Governance Group, at Citi I ran our program with a model very similar to this: where business, legal and IT are recognized stakeholders and have to be represented; there is a network of persons, I call information governance delegates here who have responsibility to reflect the information practices within their department in a framework that provided visibility to legal, IT and the centrally managed RIM program.
To get the business on board, demonstrate the cost savings which we were certainly able to do.