Governing Governance: Controlling the Sometimes-Uncontrollable
I often think of “information governance” as one of those non sequiturs that George Carlin liked, such as “military intelligence,” and “jumbo shrimp.” It’s very difficult to have it both ways. Either you have information as a messy, unmanageable and often unruly mass of mess, or you clamp down and deny the information to emerge to help you. There are very few companies that have it both ways.
But there’s no questioning the fact that information governance is entirely vogue right now. As my guest this month, Ed Hallock, director of product marketing for RSD, made the point with underscore: “The vendors—and there’s a large variety of them—use the term ‘information governance’ because they see it as a way to capitalize on a market opportunity.” So he thinks it’s primarily vendor-driven and some of it is also analyst-driven (and probably media-driven, too, I am thinking silently and somewhat guiltily). “Corporations are becoming more cognizant, but they by and large still think of it as simply information management,” says Ed.
And he’s right. There are many corporations which still today don’t acknowledge “governance” as a business imperative. In fact, the term itself has underlying implications of over-control and big-brotherism.
“The term ‘governance’ still raises some trepidation and fear,” agrees Ed. “It’s all about internal controls, and that’s not readily accepted. But the vendors love it! There are all sort of vendors talking about e-discovery—file analysis and file mediation, policy and managing information based upon business practice, folks on the analytics side… everyone’s talking about information governance! All that noise makes it hard for businesses to get their minds around information governance,” he claims.
Acknowledging the current tension between practice and requirement, Ed confesses, “I know that businesses understand they need to be in compliance, and they need to manage their information, but I don’t think they apply the term ‘information governance’ to the process yet. It’s more widely used by the vendors and analysts than by the C-level management to describe the policies and practices.”
That could be the crux of it. Manager-level folks care about top-line issues… revenue growth, stakeholder concerns, investor relations, stuff like that. But the information management issues are usually conscribed to the IT guys or maybe an outsourcer. It’s rare that C-level people care very much about information. Or is that changing??
Ed leads off that little discussion: “We help corporations manage their information and stay compliant to laws and regulations, and ensure the privacy of information within their organization. We can manage a bank account, for example, that you log onto to see your account details, and then your wife logs on because it’s a joint account,” says Ed. That’s the basics of today’s information governance profile. But there can be much more.
We’ve discussed the security side. But there’s a value side, too. If you have bought something on eBay, and log on again next week, you start seeing ads for things similar to the ones you’ve already bought. Those businesses can target-market to you, and that’s how they get value.
“Compliance is just a subset of governance,” insists Ed. “But governance is a vehicle to ensure compliance. Governance is more than just compliance to regulation, but it also encompasses people and processes and technologies to support the best practices of the organization.”
Making it to the C-Suite
Information governance as a concept has risen up on the radar screens, “but I don’t think most organizations refer to it as information governance yet,” says Ed.
“They ARE talking about the issues that information governance could solve, and maybe that’s not a bad disconnect. At least they’re signing the checks that allow the right vendors to work on the problems underlying the issue. They’re aware of things like risk management, cost reduction, valuation of information… but I’m not sure they refer to it as information governance,” he adds. At least not yet.
“They have gotten stung, and they have reacted. And the reaction had been ‘let’s go get some e-discovery technology.’ And it has usually been after the fact. But after the fact, they have decided they need to get better about this. First of all, e-discovery costs too much. We should have a better handle on our information assets, so we can serve them up in a litigation if it happens again. And in the meanwhile, we might have risk exposure that could have been minimized. So, yeah, we are more proactive about managing information assets, and that’s how it’s being driven from the C-suite today. It was originally a reactive process, due to a risk or event, but now they’re saying ‘we’re going to get more disciplined,’” claims Ed.
I ask, are the events fully responsible? “In this country they are. In the United States, information governance is driven more by litigation than most other countries,” answers Ed. “For a while, companies were ducking their heads and hoping they wouldn’t get stung. If you look back, there were plenty of companies that chose to pay their fines and go through that process rather than protect against that fine. But in recent history—because it’s gotten more expensive and more costly—companies have gotten more cognizant and more proactive in terms of how they manage their information. I’m sure there are organizations out there that feel like ‘we’ll just deal with it when it happens. We’ll incur the cost when it arises.’ But there are some organizations which are subject to much heavier penalties, and they, in my opinion, are becoming much more proactive.” Which, to me, sounds like a good thing.
“The more heavily your industry is regulated, the more severely you will be penalized. That’s what makes them better candidates for information governance programs,” explains Ed. “And I call them ‘programs’ because it’s a combination of people, process and technologies. Just to underscore that, our successes are in biomedical and pharmaceutical verticals, financial services and regulated manufacturing. So it’s very clear that the heavily regulated industries are much more proactive in information governance,” than, say, the car mechanic shop down the street. “Let’s just say we’ve had many more opportunities in regulated industries than non-regulated industries. But we certainly don’t turn business away!” Ed says. Makes sense. After all, the company responsible for Tracy Morgan’s injuries probably had far less oversight than the company that makes your aspirin. It just is a fact of life—some businesses have to cover themselves a little more. “The trucker in question in that event certainly has some responsibility, but absolutely, that kind of company is not that regulated as, say, a pharmaceutical company,” agrees Ed. “But I think they’re getting a little more aware of the need to be regulated.” Recent news surrounding security breaches in the retail business has certainly shone the spotlight on unexpected businesses. “I do not think we’ve seen the last of that,” he adds.
“Recent news such as that calls into mind information governance practices in all new areas. I think that companies of all kinds are making sure they have their hands around this,” Ed believes.