Data Lifecycle Management and Information Governance A DOCULABS WHITE PAPER

Transcription

1 Data Lifecycle Management and Information Governance A DOCULABS WHITE PAPER

2 How do you purge your data? Are your data management practices in compliance with recordkeeping conventions and with legal standards? This white paper reports some surprising findings about how organizations approach data lifecycle management, discusses its impact on information governance, and offers recommendations for how to improve. [Type here]

3 Survey Overview Doculabs recently partnered with Executive Functions Management, Inc. (EFM) to develop and issue a survey to the EFM membership, which is made up of IT leaders at organizations of all sizes, from across all industries. The goal of the survey was to investigate how firms are governing the lifecycle and disposal of the data they generate. The questions ranged from how IT leaders manage, pay for, and cost their applications and storage, to what policies are in place for domains such as information security and records management, to whether they currently tier or purge data and whether they charge back to the business for services. We received 480 responses to the survey, with the respondents representing 432 organizations across a wide range of industries and of all sizes (see Figures 1 and 2). Figure 1: Respondents by Industry 3

4 Figure 2: Respondents by Firm Size Although there were many interesting points in the responses, in this white paper we re going to drill down into one issue in particular: how firms reported that they purge (or don t purge) data. Doculabs believes that where firms stand on this issue has significant consequences for their ability to adhere to core corporate compliance requirements and also has a direct impact on a company s legal and compliance risk profile. How a company purges its data has implications for its ability to meet compliance requirements as well having an impact on the company s risk profile. 4

5 Data Management Is a Compliance Issue Among the questions we asked was how our respondents companies purge data after it has passed its legal or operational life (see Figure 3). Figure 3: How Do You Purge Data that Has Passed Its Legal or Operational Life? At first glance, the response to this question seems to paint a fairly rosy picture of how organizations are purging data: Fully 70 percent of respondents reported that they purge in some way, with 25 percent reporting that they don t purge at all (5 percent were not sure whether they do or not). For all the keep everything forever, digital landfill doom and gloom we hear out there, this sounds pretty good. That is, until you look at the nature of the purging that s going on. Only one-third of respondents reported doing regular purging, whether automated (21 percent) or manual (12 percent). The rest reported purging on an ad hoc basis, whether automated (10 percent) or manual (26 percent). Considered from the perspective of records management and e- discovery, these percentages should give us pause. If a firm is purging on anything other than a regular basis and according to published policies and procedures, they re not compliant either with recordkeeping conventions or with the ways judges have tended to interpret the Federal Rules of Civil Procedure (FRCP) to apply to corporations. Ad hoc purging is risky because the courts typically regard it as capricious in that it doesn t follow established policies and procedures that provide an audit trail. Even if ad hoc purging doesn t lead to spoliation in a given case, the point is that it could have, because the organization didn t have controls in place to protect against it. 5

6 So what these numbers from our survey question suggest is that twothirds of respondents are not compliant with either recordkeeping conventions or the FRCP a very big number. We decided to do a more detailed analysis of how the responses to this particular question correlate to other questions in the survey, to see whether we could infer anything about why firms approach purging data the way they do, and what factors might contribute positively or negatively to their ability to be compliant in how they manage their data. Fully two-thirds of respondents to our survey reported that their organizations are not purging data regularly and therefore are not in compliance with good recordkeeping practices or with the FRCP. 6

7 Technology Usage A potentially important factor in whether and how organizations purge is the technology capabilities they have in place i.e. do they have in place the tools that would facilitate regular purging of data? For this survey, we asked participants about six categories of technology: Enterprise Content Management (ECM) Records Management (RM) Data Archiving (Application Level) Data Archiving (Across All Applications) Structured Application Decommissioning Unstructured Application Decommissioning We then analyzed the data according to respondents reported approach to data purging, looking to see the extent to which respondents in each group also made use of any of these technologies. For ECM and RM, respondents in all categories reported high usage (see Figures 4 and 5), which suggests that there isn t a strong correlation between having these technology capabilities and whether and how organizations purge. Figure 4: ECM Technology Usage But what s worth remarking is that 67 percent of those who report that they don t purge also report that they use RM tools moderately to extensively. The main value of RM tools is to allow organizations to retain documents and data for the time required by laws and regulations, and then purge them after their legal and operational usefulness is past so it s hard to imagine what these organizations are doing when they use RM tools if they re not purging data, i.e. if they are in effect keeping everything forever. 7

8 Figure 5: RM Technology Usage For data archiving tools, we found more disparity in how firms were leveraging these capabilities. For data archiving by application (i.e. within a single application), most firms are doing well, with 62 percent to 86 percent of firms reporting that they archive by application (see Figure 6). The outliers were firms that reported that they don t purge: Only 49 percent of them are archiving data by application. Figure 6: Data Archiving by Application For data archiving across all applications, the picture is substantially the same, but at lower levels across the board: 55 percent to 73 percent for most firms and 39 percent for firms that reported that they didn t purge (see Figure 7). 8

9 Figure 7: Data Archiving Across Applications When we turn to application decommissioning, however, the discrepancy between those who don t purge and those who do becomes more pronounced (see Figures 8 and 9). For both structured and unstructured application decommissioning, 78 percent and 71 percent respectively of those who reported that their organizations don t purge data also don t leverage application decommissioning tools. But overall, the number of firms who report using structured application decommissioning tools is low. Organizations that are purging using automated tools (whether ad hoc or regularly) reported the highest use of structured application decommissioning tools (54 percent and 57 percent, respectively). Figure 8: Structured Application Decommissioning 9

10 For unstructured application decommissioning, the glaring standouts are firms that purge on an ad hoc basis using automated tools: 73 percent of them reported using unstructured application decommissioning tools moderately or extensively, compared to a range of 29 percent to 58 percent for the rest of the respondents. Figure 9: Unstructured Application Decommissioning 10

11 Governance Maturity Next we looked at what we could discern about the respondent firms maturity of governance structures. After all, the technology capabilities we just discussed are hard pressed to deliver value if the organization does not have the people/process controls in place to leverage those capabilities adequately. We asked respondents to tell us how strongly they had governance in place around four domains: Records Management Regulatory Compliance Information Security /Privacy Disaster Recovery/Business Continuity (DR/BC) Let s look at each of these in more detail. Records Management There was a significant correlation between those firms which reported having a moderate to strong Records Management (RM) function and those who purge, whether ad hoc or on a regular basis (see Figure 10). Not surprisingly, those firms who reported that they have no or weak RM were the same firms which reported that they don t purge data. After all, without clear guidance on what corporate data needs to be kept and for how long, purging is difficult, if not impossible. And left to their own devices without guidance from RM, IT will tend to keep everything forever to avoid the risk of either deleting something the business needs or spoliation of data on legal hold. Figure 10: Records Management Maturity But if we look more closely at the firms that report having moderate to strong RM, 38 percent of those firms also reported that they don t purge data. As with the high number of firms that reported having moderate to strong use of RM tools yet didn t purge data, there s a disconnect here between the aims and goals of an RM program (retaining data for the amount of time required by the law and then disposing of it) and on-the-ground practices (keeping everything forever). The responses showed no correlation, however, between those who had moderate to strong RM and regular versus ad hoc purging. It seems the kind of purging was less significant than that they purged. 11

12 Regulatory Compliance The reported rates of moderate to strong regulatory compliance were high across all categories, no matter how firms reported they purged data (see Figure 11). This isn t surprising, given the importance of regulatory compliance for firms of all sizes across industries. However, those who reported purging using automated tools (whether regularly or ad hoc) reported 91 percent to 95 percent moderate or strong regulatory compliance, versus 71 percent to 85 percent for firms that purged manually or didn t purge at all. This seems to suggest at least a mild correlation between moderate/strong regulatory compliance and automated purging not surprising, because purging corporate data requires policies and guidelines to provide the framework within which purging can be executed defensibly. Figure 11: Regulatory Compliance Maturity Information Security and Privacy Given the increasing scrutiny of information security and privacy in the aftermath of high-profile data breaches at organizations such as Target, The Home Depot, Premera, Anthem, and CHS, it s not surprising that the reported levels of maturity for information security and privacy are as high as the regulatory numbers we saw in the previous subsection. And, as with regulatory compliance, those firms that reported they didn t purge data had a higher incidence of no or weak information security and privacy compliance than other firms: 29 percent versus 8 percent to 22 percent. Similar to the discussion of regulatory compliance above, we believe the correlation likely has a similar basis: I.e. good information security and privacy policies and controls in place (1) enable IT to purge data without fear of doing something wrong and also (2) encourage IT to do so in order to comply with corporate policies and standards. 12

13 Figure 12: Information Security and Privacy Compliance Maturity Disaster Recovery and Business Continuity Disaster recovery and business continuity (DR/BC) is a critical business capability; without it, an organization is at risk for disruptions to operations from a range of potential threats: so-called acts of God, terrorism, hardware and software failure, criminal activity, etc. So it s not surprising that respondents in general reported having high levels of DR/BC controls in place. Again, the outliers were those firms that reported either that they didn t purge or that they purged manually on an ad hoc basis. These two categories reported that they had no or weak DR/BC in 41 percent and 47 percent of cases, respectively. Firms that regularly purge or that purge on an ad hoc basis but with automated tools reported moderate to strong DR/BC in 71 percent to 85 percent of cases. Figure 13: Disaster Recovery and Business Continuity Maturity 13

14 Potential Incentives to Purge Data Getting buy-in to purge data that s passed its legal or operational life sometimes requires incentives. And the incentives that get the most attention are the ones that have an impact on costs. Here, we look at two areas of potential opportunity to incent business units to regularly purge their data: chargeback models and data center models. Chargeback Models Chargeback refers to IT billing its internal corporate customers for the products and service it provides on a granular, service-based model (e.g. per gigabyte of storage, per user of an application, etc.). In addition to chargeback, there are two other approaches to billing internal customers for IT products and services: Fixed fee: charging each business unit a percentage of total IT spend; can be straight, i.e. divide IT spend by number of cost centers; or variable, i.e. based on number of FTEs within each cost center Percentage of budget: charging each business unit a percentage of total IT spend, based on what percentage of total corporate spend that unit s divisional budget represents Without getting into a detailed discussion of the pros and cons of IT costing models, suffice it to say that, as incentives for data purging, neither the fixed fee nor the percentage of budget model is effective at encouraging business units to take ownership of data and purge it once its legal and operational usefulness is done. This is because at most organizations the cost of IT storage is tied to the total number of business units, the total number of FTEs, or the total departmental spend, so purging data and thereby reducing the volume of data IT manages for an individual business unit doesn t lower the money that particular business unit spends on IT. In fact, it actually increases the unit cost per gigabyte: For example, if a business unit has 10 TB of data and spends $10,000 per year with IT for it, when they purge half of it (and still pay $10,000 per year), their unit cost has doubled; but if they double their volume of data, their unit cost drops by 50 percent. Despite the compelling reasons for using chargeback, very few firms surveyed reported using either approach. Across all firms, the range was 16 percent to 32 percent. However, when we dig in to the results, we see some significant differences. Those who do regular, automated purging top this list of chargeback, at 32 percent. Those doing regular manual purging placed second, with 22 percent reporting that they chargeback. The remaining firms reported levels of chargeback of less than 20 percent. 14

15 Figure 14: Chargeback Models in Use Data Center Operational Model Third-party hosting of a corporate data center can be a powerful incentive to purge data, because many contracts for data center hosting include volume pricing i.e. a price per gigabyte per month. So if IT reduces the volume of content, its monthly costs go down a direct line between purging and operational costs. However, the respondents to this survey overwhelmingly hosted their own data: a range of from 61 percent to 74 percent host it mostly in house, with 17 percent to 24 percent reporting a hybrid model. Those reporting mostly outsourced data centers fell between 8 percent and 15 percent. Given this, it s not possible to draw a correlation from the survey data about hosting and purging, although intuitively we would assume that per gigabyte pricing would encourage purging. Figure 15: Data Center Hosting 15

16 Conclusion and Recommendations We believe the results of this survey provide the basis for some important conclusions about managing corporate data. Good governance is strongly correlated with regular data purging. Those firms that reported that they didn t purge data also reported that they had weaker records management, information security and privacy, and disaster recovery/ business continuity functions. Purging is strongly correlated with data hygiene in general. Those firms that reported that they didn t purge data also reported significantly lower levels of storage tiering and application decommissioning, possibly as a result of a pervasive culture of corporate hoarding or to an overall lack of discipline in information lifecycle management. Many organizations are not getting the value they should from records management. The high percentage of firms that reported usage of RM tools or moderate to strong RM functions (or both) also reported that they didn t purge data a clear disconnect between the purpose and value of RM and what these firms are actually realizing. Application decommissioning is underutilized relative to its potential returns. Applications are expensive (hardware, software, and FTE to maintain), so the low number of firms overall reporting that they decommission applications suggests that this is an area of opportunity for IT to deliver value to the organization. Given these conclusions, Doculabs recommends the following to firms looking to improve how they manage structured applications and data: Focus on information governance rather than technology. The survey results indicated a much stronger correlation between good data hygiene and good governance than between good data hygiene and technology capabilities. Without clarity and structure around the rules of the road, organizations will struggle to effectively manage their data. Incent good data hygiene with chargeback. If there isn t a direct tie between what a business unit pays for IT and how much data they have (or worse, an inverse relation, as in fixed fee or percentage of budget models), it s going to be difficult to get them to agree to purge their outdated data. It s also difficult for IT to prove the value they add to the organization in managing applications and data. Pursue application decommissioning. Very few firms reported decommissioning applications, so this is a significant opportunity area that has not only big dollar savings, but a positive compliance impact i.e. less outdated data reduces the impact and severity of data breaches and lowers the effort and cost of e-discovery. 16

17 About Doculabs We are experts in social collaboration and content management. We help our clients by delivering highly actionable and comprehensive strategic plans and roadmaps, helping our clients achieve their business goals and create competitive advantage. Our consulting services also help our clients improve their records management and information governance approaches to facilitate compliance, reduce risk, and reduce the cost of e-discovery. Founded in 1993, Doculabs has an established track record in helping its clients bring content under control and improving the ways they collaborate. Our engagements focus on guiding our clients with our expertise, analysis, and in-depth market knowledge. And we re independent; we don t sell software or implementation services, so our clients can be sure that our recommendations are objective. Our consultants are highly experienced, averaging more than 20 years of relevant professional background and many years of working together as part of the Doculabs team. We re recognized thought leaders in the industry, frequent speakers at industry events and webinars, and active contributors to leading publications, social media sites, and organizations such as AIIM. Hundreds of Fortune 1000 organizations and agencies of state and local government have turned to Doculabs for assistance with their information management strategies. For more information about our services, visit the web site at or call (312) About EFM Executive Function Management, Inc. (EFM) was created with a goal of providing strategic-level events and peer networking groups for technology leaders throughout the U.S. EFM offers events for technology leaders that provide an opportunity for select leading-edge suppliers to forge new relationships with IT professionals. EFM s IT Symposium Conferences are annual gatherings that allow CIOs and their senior IT leaders to explore critical business, technology, and leadership strategies and to build a stronger professional peer network and attain real-world knowledge on business changing technology and management solutions. EFM IT Symposiums are currently held in 28 cities across the U.S.