A Conversation with ... Dr. Galina Datskovsky, CA
When Risk Isn’t Risky
The Fine Lines Between Many Rights and Many Wrongs
There’s a temptation to equate risk management with risk avoidance. But they are not the same thing. In fact, one of the career-making skills that risk managers possess is the ability to determine when some amount of risk is an acceptable consequence of doing business.
One of the (relatively few) people in the world who understand that difference is on the phone with me right now. Galina Datskovsky is senior vice president and general manager for information governance at CA. I asked her to help me parse out this brave new acronym—GRC, or "governance, risk and compliance," that CA has embraced with gusto in recent months.
First: What’s the difference between governance and compliance? "That’s an excellent question, because they go hand in hand, but they are not one and the same," Galina begins. "Governance is the overall control of corporate information for whatever reason—policy, procedure, legal compliance...any and all of those. Governance can apply to anything; it’s a very broad term covering how to run a business day-to-day.
"Compliance," she continues, "is one of the reasons why you want to govern certain things. Rules and regulations, corporate policy, Sarbanes-Oxley...in order to achieve compliance, you need some form of governance. But sometimes, you have to decide whether the risk is acceptable. If you’re not in compliance within a certain parameter, it’s part of risk management to decide whether or not to do something about it," states Galina. "Sometimes you don’t."
Second: Does information governance also involve the ethics and values of the corporation? Does it literally mean "doing the right thing?" "Sure, that’s another excellent question." (I like Galina because she says that a lot.) "And once again, that’s where compliance with regulations and risk management go hand in hand. If the governance oversight has done its job—for example, with discriminatory policies or email behavior policies—then compliance with HR regulations will be naturally taken care of. So corporate governance has a great deal to do with coping with potential risk.
"We often talk about the heavily regulated industries, such as pharmaceutical or financial services, as though they’re the only ones which are under scrutiny. But every company in the world has restrictions of some kind. Take human resource policies, for an example. HR policies are very clear on how to handle confidential records. There’s no such thing as an unregulated company."
The true meaning of "risk management" can be illustrated this way, says Galina: "Let’s say I have a document that, according to the records policy, has expired. In the strict governance sense, that document should be disposed of in the normal process.
"But suppose I ask for an extension," she continues, "and I give a business case for why I need to keep this record longer. Now my legal or risk officer has to make a decision as to whether it’s an acceptable risk to keep that particular document." Apparently, like most things in life, risk management is a balancing act that is never carved in stone nor easily codified. "The decision is something like: ‘Yes, we’re technically out of compliance, but we’re within the framework of our corporate governance in a conscious manner.’"
I know what you’re thinking. It sounds like Galina is advocating breaking the rules. But that’s too simplistic; Galina is advocating the intelligent application of risk management to achieve business goals without exposing the corporation to danger. It’s a delicate and beautiful distinction.
So...Why Do They Do It?
Now: Is governance thought of, by your customers, as primarily a matter of self-preservation, and avoiding the fines, litigation and PR damage that can follow a breach in governance?
"I personally do not think it’s only a matter of self-preservation," Galina answers. "Clearly, many companies are driven to purchase solutions because of litigation or what have you," she says, "BUT the larger consideration overall is the time- and cost-savings when proper governance is applied. If records management is properly applied, then finding the correct business record and being able to definitively and confidently say, ‘Yep, this is it’ is a tremendous cost saver. And if you can save on storage because you have a governance policy that deletes records that have no value, you are experiencing cost savings, and streamlining organizational and operational changes WHILE you’re also implementing good governance."
Next: But you would agree that a company that’s financially strapped (get in that long line) might make the conscious decision to skip the cost of compliance and governance? "That’s true, and that will always be the case," says Galina. "It depends on their regulatory landscape; whether they’re financially strapped or not, they might have no choice whatsoever," she says. Some industries simply must comply. "But as part of good governance, if they are not under the shadow of litigation or regulation, and they have no immediate concern, they may weigh that as an acceptable or unacceptable risk."
Finally: When you’re talking about corporate organizational decisions such as this, the question inevitably arises: Who’s in charge? Should the IT department own it? Should it be a matter for the legal or compliance officer? What about the line-of-business managers...haven’t we determined that they also have a say in the decision?
"Actually," says Galina, "I don’t think IT should own it. IT might be the custodian, but it’s the legal or compliance officers who are in charge of governance overall." And for CA, I think (Andy speaking here) that is a bold statement. CA has long been known as a company that helps organizations manage IT. But Galina’s efforts in "information governance" underscore a new direction for the company, and an effort to escape its identification with the "IT mold," as some of its representatives would put it.
And that’s smart. If information governance is a four-way pie chart, with one part risk management; one part compliance; one part cost savings; and one part business-driving, I would put my money on the "business driving" part every time. Which is the message that CA is delivering to the marketplace right now.