A New Framework for Defensible Disposal

According to analyst firm Gartner, data governance is the way to mitigate ediscovery problems. In fact, they predict that companies without data governance strategy and technology in place will spend one third more on ediscovery than their peers (Cooperation is Key for Managing Ediscovery, March 2010). Gartner rightly identifies data volume and IT environmental complexity as the two sources of high cost and high risk in discovery.

In some companies, data growth started to spike at the same point that legal hold obligations and the Federal Rules of Civil Procedure were revised because “save everything” was the risk mitigation plan. During the last five years there has been a 50% year over year growth of data volume. IDC now predicts an even greater acceleration of this growth, forecasting an increase in data volume by a factor of 44 in the next ten years.

Historically, IDC consistently understates its growth projections. This far outpaces revenue growth so the tension between the “keep everything” risk mitigation plan and the company’s financial condition is rapidly mounting. New strategies and tactics to drive better data governance at more reasonable cost to the company are required.

Cooperation, collaboration and convergence

Data governance requires cooperation, collaboration and convergence of processes between legal, RIM (records and information management), IT and business groups. Collectively, these stakeholders can and must determine what legal duties apply to information, what value the information has and then manage accordingly. As individual or isolated functions, no one group can make the determination of what information to keep or when to dispose.

A recent survey conducted by EDRM and CGOC revealed, however, that while there is complete agreement between legal, RIM and IT that defensible disposal is the benefit of good data governance practice, there are many organizational and operational barriers today:

  • 100% of survey respondents agreed that defensible disposal was the purpose of data governance practice.

  • Most of IT and half of RIM respondents said their current responsibility model for data governance didn’t work.

  • 80% of respondents had little or very weak linkage between legal obligations for information and records management and data management.

  • Only 13% had a systematic process for linking holds to sources of data and records.

  • 80% had retention schedules that applied to electronic information, but only 38% said IT followed these schedules.

  • The single biggest pain point cited by legal, RIM and IT was lack of transparency and collaboration across stakeholders

What these results so clearly demonstrate is that companies are struggling to link legal obligations for information that arise in litigation and regulation and the business value of information to their actual information and data management practices. They lack structural connections of holds and retention schedules to data and they lack collaborative and transparent processes between the stakeholder organizations. This is a predictable result to “keep everything”, which results in massive and often mindless build up of more information without the corresponding reduction in risk initially sought.

IMRM – A catalyst for transparency and a responsibility model – The information management and reference model IMRM will be as important as EDRM as a catalyst for process improvement.

In many ways, it is more ambitious and constructive because it goes beyond the legal function to the enterprise. Unlike traditional information lifecycle and case lifecycle models (including EDRM), IMRM illuminates the multiple stakeholders in data governance, their responsibilities and inter-dependencies, and the critical importance of linking legal duties and business value to information sources to enable defensible disposal. More than 90% of survey respondents felt IMRM could help them organize cross-functional efforts and serve as a management catalyst — its primary purpose.

The “first generation” model is a responsibility model that helps to identify the stakeholders, define their respective “stake” in information and highlights the intersection and dependence across these stakeholders. IMRM can provide a framework for cross functional and executive dialogue and can serve as a catalyst for defining a unified governance approach to information that links value and duty to information assets.

Elements of IMRM – As you will see in the diagram above, the information basics are distilled out and at the center of the model (with the notable inclusion of “dispose” as the end state of information). Note the “information gates” in the middle, where information accumulates.

The business segment has an interest in information proportional to its value or the degree to which it helps drive the profit or purpose of the enterprise itself. Once that value expires, they quickly lose interest in managing it, cleaning it up, or paying for it to be stored. One of the things that the IMRM does is distinguish value from regulatory obligation or IT efficiency. The diagram defines the business group’s responsibility to define and declare the specific value of information; all data doesn’t have value and the value of data isn’t constant.

Legal and RIM on the left side are chartered typically to manage risk for the company. The diagram underscores that it is legal’s responsibility to define what to put on hold and what and when to collect data for discovery. Likewise, it is RIM’s responsibility to ensure that regulatory obligations for information are met including what to retain and archive for how long.

Together they both play an enormous role in how information is maintained by IT and when companies can dispose of it. As with the business segment, it calls on legal and RIM to be specific about the duties for information — what they are and when those duties end.

IT stores and secures information under their management. Of course, their focus is efficiency and they’re typically under huge pressure to increase efficiency and lower cost. One of the most valuable aspects of the diagram is that it highlights that, without collaboration and unified governance, IT doesn’t know and can’t speak to what information has value or what duties apply to specific information. Typical legal hold and retention practices don’t connect to IT data management practices.

For companies with hundreds or thousands of legal matters, hundreds of codes on their retention schedule and which operate in multiple countries that have thousands of file shares, SharePoint sites, ECM and business applications, this is an impossible situation for IT. There are more than a billion choices for what information in which systems is of value or subject to a legal duty. IMRM can help companies recognize that for IT to manage data efficiently, it is essential to link specific duties and business value to the information assets.

The inner ring of the diagram calls for that structural linkage of duty and value to information assets. This requires policies that can be articulated in departmental procedure and are executable by IT in practice; and specific rather than generic communication of legal holds and retention requirements that enables enterprise execution and disposal.

The outer rings of the diagram call for unified governance, which implies:

  1. Transparent cross-functional processes for legal holds, discovery, record retention, information value assessments, and information and data management.

  2. The end of a silo approach to legal holds and record retention practices — these are enterprise rather than departmental processes.

  3. Unified vocabulary across stakeholders which recognizes and reconciles their different interests in information

These enable stakeholders to understand true costs and to make better decisions, which reduce total cost through more precise determination of what to preserve and collect; optimal approaches for streamlining and even consolidating data management; and assessing true cost of information and discovery by business unit to enable practice improvements and behavior change.

The IMRM can help start the conversation in your company and the associated information governance process maturity model can help companies assess where they are today and set the course for improvement. The process maturity model offers a plan of action tied directly to process risk and cost, so stakeholders understand the implications of current practice and the benefits of change.

Lorrie Luellig is of counsel to, and a founding member of, the Ryley Carlock & Applewhite Document Control Group. Lorrie has extensive experience counseling clients about retention policies and procedures for both litigation related matters and overall company operations.

Deidre Paknad is CEO of PSS Systems, an IBM company, and is widely credited with having launched the first commercial applications for legal holds, collections and retention management in 2004. She founded the CGOC in 2004, a professional community on retention and preservation that IDC labeled a “think tank”. She has been a member of several Sedona working groups since 2005 and leads EDRM IMRM sub-group 6. Deidre has been inducted into the Smithsonian Institution for technology innovation twice.