introduction to imrm information governance survey & scenarios · 2020. 9. 4. · introduction...

Introduction to IMRMInformation GovernanceSurvey & Scenarios

May 5, 2010 Web MeetingLorrie Luellig Of Counsel, Ryley Carlock

Deidre Paknad, Founder of CGOC

Harry Pugh, former EVP Citigroup

PLEASE SITE CGOC AS THE SOURCE WHEN ANY OF THIS MATERIAL IS USED.

Agenda

Introduction to the Model Deidre Paknad

Preview of Information Governance Survey Results Lorrie Luellig

Information Governance Benchmark Kit Deidre Paknad

Global Operational Model for Information Governance Harry Pugh

2

Session Speakers

3

Deidre is widely credited with having launched the first commercial applications for legal holds, collections andretention management and is a recognized thought leader in legal and information governance. In 2004, shefounded the CGOC, a professional community on retention and preservation that IDC labeled a "think tank". Shehas been a member of several Sedona working groups since 2005 and leads EDRM IMRM sub-group 6.

Deidre is a seasoned entrepreneur and executive with 20 years' experience applying technology to inefficientbusiness processes to reduce cost and risk. Deidre has been inducted into the Smithsonian Institution forinnovation in 1999 and again in 2000.

Lorrie is Of Counsel to, and a founding member of, the Ryley Carlock & Applewhite Document Control Group. Lorriehas extensive experience counseling clients about retention policies and procedures for both litigation relatedmatters and overall company operations. She has helped to create and implement strategies for both Fortune 100companies and smaller privately and publicly held companies in the areas of legal and regulatory compliance,litigation holds, privacy and security issues as well as information handling and disposition. Lorrie also providedexpert testimony relating to disposition of records and other issues relating to records and informationmanagement. Lorrie received her LL.M. from Harvard Law School in Cambridge, Massachusetts.

Lorrie co-chairs the CGOC RIM Working Group and has been a faculty member since 2007. She is on the IMRMcorporate sub-group (6).

Harry Before retiring, Harry was the Managing Director of Reengineering for Operations and Technology atCitigroup where he led the development and implementation of a number of corporate policies. Prior to this role,he was Chief of Staff at Citigroup Mortgages. His long, successful tenure at Citigroup also included Director ofRecoveries US Card Products and Controller for Global Bank Cards. Harry holds a BA and a Masters degree fromHarvard University and is currently consulting with F50 clients in their information governance initiatives.

Harry co-chairs the CGOC RIM Working Group and has been a faculty member since 2006.

Deidre Paknad, CEO of PSS Systems , Founder of CGOC

Lorrie Luellig, of Counsel, Ryley Carlock & Applewhite

Harry Pugh, Former Executive Vice President, Citigroup

Agenda





4

5

A Counterpart to EDRM, not a SubsetThe IMRM will help bridge the gap between IT, Legal,Compliance, RM, and other stakeholder groups withinorganizations. The IMRM does NOT aim to produce a modelthat is prescriptive in nature; rather, it seeks to provide areference that will promote cross-functional dialogue andcollaboration.

www.edrm.net

Narrative:1> the “information management” box on EDRM is a completelyinadequate expression

2> and that despite the various lifecycle models available over theyears – including EDRM itself and those from AIIM and ARMA –companies still have too much risk and too much information. Asyou’ll see in the survey results Lorrie previews, the stakeholders ininformation governance don’t collaborate well or have enoughcross-functional transparency today.

3> the model is more of a responsibility model rather than adocument or case lifecycle model. It helps to identify thestakeholders, define their respective “stake” and to highlight theintersection and dependence across these stakeholders.

4> IMRM can provide a framework for cross functional andexecutive dialogue and can serve as a catalyst for defining aunified governance approach to information that links value andduty to information assets.

Information is at the center

6

Narrative:The information basics are distilled out and at the center –with the notable inclusion of “dispose” as the end state ofinformation. And the “information gates” in the middle.

It Starts with the Business & Value

7

Narrative:The line of business has an interest in informationproportional to its value – the degree to which it helps drivethe profit or purpose of the enterprise itself. Once thatvalue expires, they quickly lose interest in managing it,cleaning it up, or paying for it to be stored. One of thethings that the IMRM does is distinguish value fromregulatory obligation or IT efficiency.

Legal & RIM Have Responsibility for Legal Duties& Obligations for Information

8

Narrative:Their charter is typically to manage risk for the company. Itunderscores that it is the legal department’s responsibility todefine what to put on hold and what and when to collectdata for discovery; and RIM’s responsibility to ensure thatregulatory obligations for information are met including whatto retain archive for how long.

Together they both have an enormous role in how and whencompanies can dispose of data. As with the businesssegment, it calls on legal and RIM to be specific about theduties for information – what they are and when those dutiesend.

IT is Chartered with Efficiently Managing

Information

9

Narration:IT stores and secures information under their management.Of course their focus is efficiency and they’re typically underhuge pressure to increase efficiency and lower cost.

What these reliefs of this diagram show is that withoutcollaboration and unified governance, IT doesn’t know andcan’t speak to what information has value or what dutiesapply to specific information. One of the things IMRM canhelp companies address is that for IT to manage dataefficiently, it is essential to link specific duties and businessvalue to the information assets.

Framework for Progress

10

Unified governance• Transparent processes across functions• End of silo approach• Unified vocabulary, different interests

Structural linkage of duty + value to asset• Policies > procedure > execution• Specific rather than generic guidance

enables enterprise execution and disposal

Agenda





11

Joint CGOC & IMRM Survey

Assess perspectives of Legal, RIMand IT on:• Perception of the importance and value of

defensible disposal

• Current information management practices

• Perceived challenges in informationmanagement and governance

• Differences in perception across stakeholdersregarding opportunities and challenges toimprovement

12

Joint effort of CGOC and members of IMRM working group 6 spearheaded by Lorrie Luellig and Deidre Paknad

Consensus on Purpose

Said the purpose of information governance practice isDefensible Disposal

But IG Practices Don’t Work Well Today

gave themselves a C grade or lower

2/3 of IT

1/3 of Legal

1/2 of RIMrespondents said the current responsibility

model doesn’t work

Not Surprising

Because legal holds are still hand-stitched:

What linkage, if any, exists today between the company's legal obligations withrespect to information, the management of business records, IT assets and ITprocesses for managing data, and the business groups who need data for revenuegeneration?

People Glue

Very LittleLinkage

It’sSystematic13%

Narrative:80% of companies had weak or strainedlinkage between legal obligations forinformation, records management and ITdata management.And we all know that without a rigorousholds process, we can’t defensiblydispose of data …

Not Surprising

And retention management is unstitched

RIM Involved in EnablingDisposal

IT Uses Retention Scheduleto Migrate/Dispose

Schedule EncompassesElectronic Information

YES

NO YES

NO

DON’TKNOW

YES

NO

Narrative:Nearly half of RIM teams aren’t involved in enabling disposalDespite the fact that all of respondents were discovery-savvy, 1/3didn’t know whether IT used the retention schedule to managedata! Another third said they didn’t use it yet 80% said the retentionschedule included electronic data – which begs the question whatdo they use?

The Perceived Barriers

What Holds Us Back:

OperationalBlocks

Lack ofExecutiveSupport

Interesting Contrast

RIM & IT Point of View

Operational Blocks Lack of Executive Support

Legal Point of View

Operational Blocks Lack of Executive Support

Narrative:The perceived barriers varied by point of view.Both RIM and IT understood the issue as “Operational Blocks”.Legal felt it was due to lack of executive support.

Of perceived operational barriers, the singlemost challenging aspects of informationgovernance

Transparency

Ability to Dispose of Data

Federation of Holds andSchedules

Information Inventory byBusiness

Knowledgeable Delegateswithin Business Groups

Narrative:38% said lack of transparency was the most substantial challenge.The (in)ability to dispose of data came in second at 25%.

Greatest Perceived Value of GoodInformation Governance Practice

RIM

1. Transparency toobligations,collaboration withlegal and RIM

2. Ability to dispose

1. Transparency toobligations,collaboration withlegal and IT

2. Tie for ability todispose and ability tofederate schedulesand holds

1. Transparency andcollaboration with ITand RIM

2. Inventory of datasources andinformation inventoryby business group

Perceived Elements of Value from GoodInformation Governance Practice

0% 10% 20% 30% 40% 50%

True Inventory of All Legal Holds

Data Source Map & Departmental Information Inventory

Ability to Dispose of Data

Transparency & Collaboration across Legal, RIM, IT

Perceived Value of New IMRM

ManagementCatalystHelp Organize

Efforts

No Value

Provides VendorSelection Framework

Narrative:The real value is the ability of IMRM to enable the cross functionaldiscussion around responsibility and transparency, somethingrespondents recognized.

Agenda





23

Typical Information Governance Environment

24PSS SYSTEMSCONFIDENTIAL

Business

Records

2,000 matters, 300+ new/year

Custodian-focused holds

Records, repositories and theirstewards not captured

Holds and custodiansinfrequently communicated to IT

Triple-documentation oncollection process

12-page form to initiatecollection; a 2-page form iscompleted for each custodian

80,000 IT tickets a year

5.4 PB of data – 850% growth in 5 years

Continuous capacity allocation on 7000 servers

Dispose of C drives, remove H drive access withouthold determination

Imposing quotas on employee data

0% budget growth

Collection work broadly delegated, 100 pg manual

9 year old corporate master with 38business unit schedules for 200 countries

Legal codes obscure actual reason forretention

230 yearly change requests with 30 personreview board

Everything is a record

No link between records and IT

Can’t audit

Routing all paper to legal for dispositionreview – opposite of holds

Dispute over schedule and taxonomyrelevance

Raging at quotas

• Spending $3B on IT

Tool Kit for Benchmarking & Progressing

Information governance improvements and IMRM can

address 3 major pain points:• Dependency without transparency

• Discovery spend too high and legal risk still mounting

• Data growth 50% but IT budget growth is 0%

Assessing the maturity of your processes can• Identify the dependencies for all stakeholders

• Highlight the savings opportunities for all stakeholders

• Show you how to link duty and value to data

25

PROCESS Level 1: AD HOC, MANUAL,UNSTRUCTURED

Level 2: MANUAL,STRUCTURED

Level 3: SEMI-AUTOMATED Level 4: AUTOMATED AND INTEGRATEDACROSS FUNCTIONs

Your Level

ALegal Hold -ScopeCustodians

Multiple custodianspreadsheets.

Centralized custodianspreadsheet.

Scope by organization, people;systematically track all custodians inall holds including multiple holds percustodian; scopeterminated/transferred employees inreal time.

Continuous update of custodian roles,responsibilities, automatic employeetransition alerts; systematically use existingcustodian lists for similar matters.

BHold - ScopeInformation

Limited collection from datasources, custodian-based ratherthan information based;spreadsheet tracking/lists.

Identify data sources byorganization; understand backup procedures.

Have linked legacy tapes and datasources to organizations, and openholds/collections.

Automatically scope people, systems andtapes, information and records in holds;Scope terminated employee data andlegacy data/tapes where applicable.

CPublishHold

Manual notices, confirmations,no escalations Ad-hocdescription of record orinformation subject to holdrequires interpretation andmanual effort to comply.

Centralize reply email box forconfirmations, Process wellcommunicated, all holds onintranet.

Systematically send notices andreminders, require and trackconfirmations, ability to manageexceptions, employees can look uptheir holds at any time.Communications tailored to recipientrole (IT, RIM, employee).

Publish to system, propagate hold,automate hold enforcement. IT Staff havecontinuous visibility to current discoveryduties, holds during routine datamanagement activities; automatically flagrecords in appropriate systems.

DInterviewCustodians

Ad-hoc manual interviews andfollow up.

Questionnaire mailed tocustodians, responsescompiled manually forcollection and counsel followup.

Online/auto interviews with systemfollow-up, view individual andaggregated responses, auto non-response escalations, alerts forspecific answers, export for O/C.

Individual responses propagated tocollections, custodian-specific collectionsinstructions, interview results shared withoutside counsel to interview by exception.

ECollectionWorkflow

Detailed and duplicatespreadsheets of custodians andinformation between IT andLegal; multiple copies of thecollected data.

Centralized, version controlledspreadsheets of custodians andinformation; evidence serverwithout inventory.

IT can efficiently collect by custodianand content, avoid recollecting, autologging of files collected, source, chainof custody. IT self-service look up.

From their browsers, Attorney’s collectdirectly from custodians or any system.

FReviewVolume

Image drives or over-collectfrom custodians, over scopecustodians; high quantity of datafor review

Image drives or over-collectfrom custodians, over scopecustodians; high quantity ofdata for review.

Quantity of data reviewed fromtightly scoped custodians, leveragingprior scoping histories, accurateenterprise map.

Quantity of data reviewed from tightlyscoped custodians, leveraging prior scopinghistories, accurate enterprise map, detailedinstructions to IT.

GCost Control

Image drives or over-collectfrom custodians, over scopecustodians; high quantity of datafor review.

Estimate costs on the “bigmatters” in spreadsheets or byoutside counsel.

Discovery cost forecasts areautomatically generated as soon asthe hold is scoped, costs are calculatedcontinuously for matters.

Consistently make cost shifting argumentsto limit scope of collection and review;earliest/optimized matter resolution;manage cost at portfolio level.

HMonitoring,Compliance

Each attorney tracks their ownmatters, status.

Formal, but manual reportingof open holds; no summaryreporting on interviews,collections, response.

Automated reminders and escalations,online audit trail, managementreporting on discovery status, visibilitywithin legal dept across custodians,

Consistently make cost shifting argumentsto limit scope of collection and review;earliest/optimized matter resolution;manage cost at portfolio level.

KEY DISCOVERY PROCESSES

PROCESS Level 1: AD HOC, MANUAL,UNSTRUCTURED

Level 2: MANUAL,STRUCTURED

Level 3 : SEMI AUTOMATED Level 4 : AUTOMATED, FULLYINTEGRATED ACROSS FUNCTIONS

Your Level

IEstablishRetentionProgram, CatalogApplicable Laws

Define retention periods onlyfor physical records.

Updated retention schedulefor physical and electronicrecords.

Established retention period for allinformation, definecountry/jurisdiction specificschedules (without over- or under-retention of records).

Value-based retention appropriate forbusiness, country operations. Library ofcountry protocols for discovery, privacy,retention. Alert program, debt staff whenlaws change, schedules are impacted.

JManageDepartmentalInformationManagementProcedures

No knowledge of actualprocedures, information,location, use, value.

Conduct inventory ofdepartmental practice andinformation.

Define retention schedules andstores for departmentalinformation based on value andregulatory requirements; enablechange request workflow tomaster schedule anddepartment/country schedules.

Alerts IT and department delegates whensystems, business objectives change. Legal,IT and department delegates continuouslyaccess accurate retention schedules, legalholds , privacy procedures. Federateschedules to information repositoriesenabling routine disposition.

KRoutine Disposal

IT ‘keeps everything’ because ithas no systematic way todetermine obligations or value.

IT receives email whenevents require IT action,such as when an employee ison hold.

IT performs routine disposal withself-service awareness ofpreservation or retentionobligations; looks up any asset oremployee to determine value,current legal requirements.

Holds and retention schedules are appliedto data in place and data disposition isconsistent and automatic. IT analyzes,identifies redundant applications,consolidates instances, retires data,reduces data volume and overhead.

KDisposition LegacyData

No hold release notification,no lookup ability.

eMail hold releasecommunication from Legalto IT.

Closed loop between Legal, ITclearly defines legacy data subjectto hold. Systematic disposition - oflegacy tapes by cross referencingby org, time, and employees withopen matters - of terminatedemployee data by cross referencewith legal matters.

Legacy data is dispositioned and noadditional legacy data is accumulated.Routine disposition process on terminatingemployees; tape recycling process isconsistent and defensible.

LInformation PolicyAudit

We hope no one audits – we’dnever pass.

Audit of records limited tophysical records.

Annual audit of retention programacross electronic and physicalrecords.

Audit of retention, privacy, data protectionand discovery processes across physicaland electronic information.

KEY INFORMATION MANAGEMENT PROCESSES

Each Process Impacts Risk

A Good but Isolated Process Doesn’tMeaningfully Alter Risk or Cost Profile

At maturity level 2 and 3:• Majority of risk remains• No defensible disposal• Costs of discovery and data management continue to rise

The Greatest Proponent May Be the CIO

30

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Ideal

Investing Volume Hit Operating

0

10

20

30

40

50

60

2010 2011 2012 2013 2015

Unconstrained Growth Routine Disposal

Actual 2011 2012

Unmanageable growth adds unnecessary cost and risk.

Flat budget can’t absorb rising volume and sustainstrategic IT investments – failure scenario.

50% YoY Data Growth Cannibalizes Strategic IT Investment Capacity in Flat Budget Environment

Defensible DisposalOpportunity

Target

PB

Bu

dge

tA

lloca

tio

n

Defensible disposal enabled by rigorous discovery andvalue-based retention program frees resources andcapital for strategic investment and greater profit.

Agenda





31

Operational Models for Global GovernancePractice

32

Information Governance Group (IGG)

Business, Legal & IT ProvideInformation Governance DelegatesManaged Centrally by IGG

Narrative:Although we didn’t call it the Information Governance Group, at CitiI ran our program with a model very similar to this: wherebusiness, legal and IT are recognized stakeholders and have to berepresented; there is a network of persons, I call informationgovernance delegates here who have responsibility to reflect theinformation practices within their department in a framework thatprovided visibility to legal, IT and the centrally managed RIMprogram.To get the business on board, demonstrate the cost savings whichwe were certainly able to do.

introduction to imrm information governance survey & scenarios · 2020. 9. 4. · introduction...

Documents