The recent revelations about Wikileaks and its release of 250,000 confidential State Department diplomatic cables shines a new light on the challenges faced by the financial services industry in controlling information risks. Growth in digital universe is already well documented, and recentreseach and analysis that I’ve participated in one form or another suggest the potential problems are getting more difficult to solve, not less. For instance…
The not-so-recent focus on information governance has generated a renewed interest in records management, the records management profession, and the value of records management to the organization. The role is being redefined in business to be a strategic resource to the CEO as organizations look to better understand, measure, and manage the unprecedented growth in electronic information and the complexities inherent in determining what information to trust, to keep, to secure, to connect, and of course, to discard.
The recognition of the records manager as key component of information governance, and the focus of information governance as a business enabler, are long overdue. Today, one of the most critical asset to any organization is its business information and records. Organizations are struggling to use huge volumes of information to produce better business outcomes. At the same time, the number of high-profile examples of data mismanagement is growing (the Wikileaks leak just one of the most recent), making the need for proper oversight and use of information key to success. A few data points:
- Over the last 10 years, as electronic information has grown to represent 90% of all information, information management strategies have been in reactive mode, responding to gaps in principles and infrastructure exposed by legal or regulatory imperatives.
- Most information management technology investments have also been reactive, stopgap measures designed to address a specific problem, such as electronic discovery.
- Massive adoption of collaboration tools including Sharepoint, the web, and social media has blurred the distinction between content and records and increased risks associated with over retention, information loss, legal and regulatory compliance.
- End-to-end information management automation across electronic and physical records does not exist. If it did, it would allow the enterprise to address record keeping principles intelligently and declare, classify, store, secure, retain, discover, and ultimately dispose of content based on policy and automated, defensible enforcement.
- Poorly architected solutions have turned information assets into liabilities – systems that once satisfied basic requirements laid out decades ago buckle under the increased pressure for interoperability, scalability, end-to-end security, and discoverability. This predicament has fielded unsustainable solutions along with upward spiraling integration costs.
- Progress on establishing an information management strategy, which is essential for mid-size to large enterprises, has been extreme slow. For example, just in the financial industry, the FSTC reports that over 50% of data is over-retained, and data duplication/copy ratios run as high as 20:1. And according to the AMA only 1% of all healthcare providers have an electronic records management strategy, and 94% have yet to start planning for the information management requirements of HITECH.
- Records managers cannot get the e-discovery monkey off their backs. Even in 2010, records managers have been consumed with managing e-discovery risk leaving little time for strategic information management programs and activities.
- The effectiveness of DLP to prevent data leakage is in question, as most end-users report these implementations to be configured in monitor or warning modes only.
In the era of Wikileaks, it’s clear that poor information management practices in the public and private sectors presents a significant global risk to organizations, particularly in those industries that get alot of attention – financial services, government, health. It really is only a matter of time before the next corpus of sensitive information is put into the market unexpectedly. In financial services, it’s a “back to basics” issue for the CIO, CRO, and information/records managers. It’s time to do the homework to understand the value of information management programs built on tried-and-true principles and leading technologies, and to use these principles as the discipline for effective information risk management (IRM).