Information Governance and Data Challenges

Friday, July 1, 2011 - 08:20

With modern technology, it's important for organisations to be managing risk when it comes to their data. By Eddie Sheehy

When it comes to risk management in the digital age we all know that information is power.

In spite of the huge rise of digital documents and communication within the corporate sector, Australian executives all too often find themselves in the embarrassing (and unacceptable) position of needing to admit 'I didn't know' when faced with high-profile evidence of corporate fraud or inappropriate behaviour.

Increasingly, boards are realising that their company's key executives and directors have more data, but no more information. This has increased the focus on information governance, including the drive to increase visibility across risk and improve corporate decision-making.

Data challenges

One of the biggest culprits when it comes to creating excessive amounts of data is the vast quantities of email being created and sent at work. People also save, reply to and forward original communications to multiple persons. Email use is growing exponentially, at a rate of 60 per cent annually.

This problem is compounded by backup and archiving processes that make it more complicated to undertake a meaningful and comprehensive search for specific information when it needs to be found. Backups were created for disaster recovery purposes, while archives were created to store large volumes of email and data. Neither was designed for search.

With so little control of what is created, sent and stored in email systems by potentially hundreds of thousands of individuals, this has become an expensive storage and management issue.

However, technology does exist to gain control over the massive amounts of unstructured information and communication within every business division and, in the case of multinational corporations, every office. Every piece of communication, and all the relevant attachments, can be automatically, and regularly, indexed so as to be available for instant search when required for litigation, compliance or internal investigative purposes, for example.

In terms of processes that can help support governance, programs can also be used to identify suspicious content and bring it to the attention of relevant executives for follow-up. Email-monitoring technologies have been around for years, but new information-governance technology provides an opportunity for companies to dig deeper.

This technology can identify anomalies, perform sophisticated searches and escalate examples of communication to the appropriate levels when information may pose a risk to an organisation's reputation and authority.

The risks

Every organisation is at some risk of inappropriate activity from their staff. All cases of such behaviour come at a significant cost to security, reputation and internal processes. An example of the damage that such behaviour can cause to a company and its brand was illustrated through the high-profile case that enveloped David Jones only last year.

As a result of an incident in which the CEO himself later admitted he behaved "in a manner unbecoming of a chief executive to a female staff member", the retailer made an out-of-court settlement of $850,000.

More importantly, the incident harmed the company's reputation in the minds of its employees, customers and shareholders. It is likely that warning signs existed in company information and communication stores but went unnoticed by directors and other key executives because of poor information-governance practices.

Many corporations are putting themselves at unnecessary risk of finding out too late that there is bullying, the dissemination of pornography, or fraud occurring in their workplace. It's perhaps an unacceptable position for such practices not to be known to company executives when the technology exists to identify it.

The ability to search for and find critical evidence quickly to unequivocally prove or disprove allegations when they arise is a crucial element of risk management in the corporate sector.

It is important to plan proactively for risk situations, rather than simply react to circumstances or rely completely on a project management view of dealing with events in a time of crisis. It is also essential that these kinds of investigations are completed efficiently, accurately, with minimal disruption to the business, and with adequate security.

Fraud threat

Despite the attention of regulators and internal controls, fraud remains a problematic issue for companies in Australia. One key way to reduce the risk of fraud is to be able to identify when a 'hint of fraud' is occurring. Once there is a hint of something, it is possible to follow up. The strength of modern information governance solutions - which can index massive volumes of email and attachments quickly and easily - is that the technology can be set up to scan an entire company's email servers automatically, looking for that hint of fraud.

Another key to successful information governance in the private sector is to establish policies for information accountability, retention, archiving, review and destruction, and have a capable technology solution that enables the policy to be implemented. Companies should be better at managing the information they store, especially when it comes to preventing it from spiralling into potentially harmful time bombs.

As with many business issues, many corporations view the problem of managing legacy data as too big. With data stores so large and diverse it is easier to buy more storage and turn a blind eye than to investigate, invest in and create an information governance culture and program.

However, businesses are increasingly being held to account. With the shortening of the media news cycle and the hunger of news agencies to feed that cycle, the potential is huge for corporations to damage their reputation and endure unwarranted negative media attention due to their inability to retrieve important information and deal with relevant risks.

Telling the media, shareholders, customers and business partners that 'I just didn't know' only serves to make the company and its executives look incompetent as well as guilty. Spending the next few years in and out of court proving innocence is a high price for something that could be prevented.