Much is made of big data and its potential to solve big business problems. The huge increase in data that is created every year by firms and their employees also creates big challenges, due to both the cost of maintaining large volumes of data and the operational risks associated with the retention and deletion of that data. Here we look at how the problem manifests itself and what some banks are doing to address the issue.
To put the cost issue into context, over 90% of the world’s data was created in the last two years. Most experts in this area believe that for most organizations, the volume of data will double every two years. Now of course the unit costs of storing data have seen some significant declines due to technology and business process advancements in recent years. But even with that decline, the cost of storing data consumed about 10% of the typical IT budget in 2011.
As well as the cost problem, there is also significant operational risk associated with this increase in data. Banks have faced increases in litigation from investors and state and federal regulators over the past decade. That has been coupled with a general increase in regulatory curiosity, as evidenced by the increase in examinations visited upon banks on a routine and extraordinary basis: mortgages, LIBOR, and FX, to name a few of the more recent examples. Careful risk management is needed to address two related aspects of the parallel increase in data and litigation. First, banks have to carefully manage the process by which data and evidence required by litigants and regulators are retained and collected. Second, banks have to review their stored data in relation to legal and business criticality retention requirements.
Any data that does not need to be retained should, as a general rule, be considered for deletion, and banks can save money and reduce risk accordingly. Most, however, have failed to dispose of unnecessary data accumulated over the last decade and have excess applications, data, back-ups, and tapes that no longer have any utility, but which will add cost and risk. The deletion of old data must be legitimate, of course, and it can be if it is managed within a published archive and deletion schedule. Email deleted within the context of a broader policy framework can be legitimately defended. Without such a framework, deletion of email can appear suspicious and be difficult to defend.
Data retention, litigation, and e-discovery
When lawyers set out on the process of litigating a case only a few decades ago, before email was invented, the process was very different than today. Then the process of identifying and collecting evidence was a matter of combing through physical documents. Today, while the volume of documents to review has gone up considerably, the process of mining documents for relevant information is far easier. This is due to technology and computer keyword search techniques used to identify the relevant data and information. There are, however, still many obstacles to making the process efficient and fail-safe.
First, once a new case has been brought, there needs to be a process for ensuring that all related information and data is put on hold (i.e., not deleted), requiring individuals who are involved to, for example, retain email and any relevant data. The process also requires that such individuals confirm receipt of the hold request and that they comply with its requirements. For a large and complex company, this can be challenging, because it is not always clear who is a party to an action.
People leave. New people arrive and computer hardware gets replaced. It becomes hard to keep track. Second, relevant data needs to be identified and then retained until the case is closed, which, again, is a fact that needs to be tracked and then acted upon at the appropriate time. That is far from straightforward and, furthermore, continued retention of the data can pose additional risk by making it subject to litigation where it need not have been (for banks that have retained data that could have been deleted from a legal and business perspective).
What should banks be doing to address the costs and risks associated with storing data? To start, deploying and managing a document management system effectively enables companies to keep track of, and control over, different versions of a document. Knowing which is the final executed version of, say, an investment banking engagement letter achieves two things: First, it enables the firm to discard redundant versions of documents and to save on time spent trying to find the final document. Second, it enables the firm to fight any claims against it more effectively.
In addition, banks need to build discipline around the information lifecycle and the process of deleting data that is no longer required from a legal and business standpoint. This is more complex than it sounds, since different types of documents are subject to different legal and regulatory retention requirements. Given this complexity, it behooves banks to ensure they have access to an authoritative source of laws and regulations for each country they do business in and to link their retention schedules to that legal and regulatory framework. Such a link should be clearly documented and traceable within a database that is internal to the bank. This process, known as “defensible disposal,” can help to ensure that banks can justify their data deletions to regulators, judges, litigants, etc.
Lastly, banks should consider tools to support the e-discovery process and its associated workflows, for example, by: automating the process of notifying the custodians of the data that is subject to legal hold, automating their confirmations that they will abide by the request, and automating the process of identifying and retaining the data that is associated with the case.
Deploying these various tools and techniques linked to information lifecycle governance will help reduce both costs and operational risk exposure. Like the adoption of any tools and processes that involve change, this is hard to do, but in the long run it should pay off for the far-seeing leaders in the industry.
Andrew Waxman writes on operational risk in capital markets and financial services. Andrew is a consultant in IBM's US financial risk services and compliance group. The views expressed here are his own. As an operational risk manager, Andrew has worked at some of the ...