Financial services firms are already struggling to manage their vast and ever-growing data stores in a way that satisfies existing privacy and regulatory requirements, but in the wake of the Dodd-Frank Act, this task will get exponentially more complex. As firms look to achieve greater transparency and seek to determine and expose actual risks, the challenge of wading through information detritus to find the handful of valuable nuggets will make finding a needle in a haystack seem a relatively painless task.
In the end, successfully adhering to the letter and spirit of the Dodd-Frank Act requires financial services firms to do a far better job of knowing what information they have and where it is. The only way to do this is to develop a practical strategy for disposing of the mountains of information that carry no legal obligation, regulatory requirement or business value. But how is this possible? Isn't disposing of information by definition taking a risk of compliance failure?
Disposing of information is dangerous if a firm does not implement solid information governance policies and procedures. In fact, by implementing a robust program, firms can dramatically increase transparency and simplify the regulatory compliance process. Even better, they can significantly reduce information technology (IT) costs and the risks associated with information security (IS) and privacy issues.
A belief that storing data is cheap and protects companies from compliance violations has fueled a "save everything" mentality. But storing data isn't cheap. According to a 2010 Gartner report, IT shops already spend between 2 percent and 3 percent of revenues on data management, which can add up to millions or even hundreds of millions of dollars each year. Corporate data volume grew by about 50 percent in 2009, and research firm IDC predicts that data will grow by a factor of 44 in the next 10 years. Many firms have found that more than half of all the data currently being stored, archived, secured or otherwise managed has no legal, compliance or business value.
The True Cost of Data
Keeping this data not only results in unnecessary costs related to data storage and management, but also makes it far more difficult to comply with regulations, respond to requests for legal holds and use high-value business information effectively. Determining what information can be disposed of may seem like an insurmountable challenge. Simply indexing and searching all this data won't reveal what's subject to regulatory obligation, what's of business value or what may be subject to a legal hold.
Obligation and value must be determined by business people making systematic, informed decisions -- the "governance" in "information governance." Presenting them with an index of petabytes of data and asking them to make retrospective business decisions simply doesn't work. However, provided you have an overall plan, a global program based on key building blocks can be implemented in stages based on the way your businesses are organized; the jurisdictions where they operate; the perceived business, legal or regulatory risk levels of the information; or where your firm has expertise.
Studies by the Compliance, Governance and Oversight Council (CGOC) confirm the burden that this mountain of information places on organizations. Established in 2004, the CGOC is a community of information governance experts providing corporate litigation, discovery, IT and records management leaders and practitioners with the insight, interaction and information they need to develop a best practices approach to information governance. According to the CGOC, a key obstacle to disposing of unnecessary information -- creating a "defensible disposal" strategy -- is that most companies aren't able to give IT practical methods to determine what can be safely eliminated.
Even at a small firm, to dispose of data defensibly, IT would need to know which of 100 or more legal holds and 300-plus record categories apply to which employees working in which departments, whose data is located in 1,000 or more servers or apps. That's as many as 1 billion potential combinations of legal obligation or business value applicable to any one person and information source!
Even worse, many companies lack any systematic linkage and transparency between IT and the people who determine the legal obligations and business value. In a recent CGOC Benchmark Report on Information Governance, 85 percent of legal, records management and IT staff surveyed viewed this lack of consistent collaboration as the single biggest barrier to defensible data disposal and as a source of risk.