Who Owns the Data?
Getting control over information can easily become a game
of shifting responsibility to someone else. By adopting
information governance, CIOs can reduce risk, prepare for
discovery and create agile business models.
By Lane F. Cooper
CIOs are looking for better control over their information as it is created, shared,
acted upon, stored and ultimately retired. Enter information governance. This
combination of people, processes and technology has been designed to help
companies effectively manage their growing volumes of business information
and data — whether in paper or electronic form — in accordance with
internal corporate policies and external legal, regulatory and market requirements.
Such a practice will help companies
proactively reduce risk, be better prepared
for discovery and audits, and create a more
agile, information-driven business model
that's ready for any competitive or legal
challenge. "You're trying to govern the
use and retention of information and vital
business records," says David Hurwitz, VP
for product marketing at CA.
Although a relatively new term, information
governance is not a new concept.
In many ways, it is an extension and integration
of three technologies: information
life cycle management, records management
and electronic discovery. (The latter,
sometimes known as eDiscovery, is the
process by which electronic data is located,
secured, searched and produced in connection
with legal proceedings.)
More specifically, information governance
deals with the proactive reduction
of risk, while at the same time increasing
preparedness for discovery and audit. All of
this has to be accomplished while reducing
costs, improving returns and promoting
business agility.
One organization well-versed in the
practice of information governance is
Vedder, Price, Kaufman & Kammholz,
P.C. The Chicago-based law firm — with
offices also in New York, Washington and
Roseland, N.J. — must maintain and protect
the records and information it creates
and collects about the clients it represents:
"work product," in the parlance of attorneys.
"We're obligated to maintain documents
and related client records so that we
have case information and a record of
what work was performed," says Maureen
Durack, director of management information
systems at Vedder Price. "We have
very precise policies and procedures on
what we retain, how long we retain it, and
what we do when the time comes to stop
retaining it."
Vedder Price must also retain its clients'
records where required — and manage
those records per a client's specific policies
and procedures. This can get tricky. "At any
given time, we could have a number of different
policies pertaining to how we keep
information," Durack explains. "If we are
holding corporate documents, then we're
beholden to each of our clients' policies and
procedures."
In the past, record retention applied
only to paper documents, and there were
few rules, regulations or other factors to
consider. By contrast, today's regulatory
environment is far more complex, and
record retention now includes a large volume
of electronic files.
This changing environment prompted
Vedder Price to search for a solution. The
goal: a system that could help the law firm
govern a large volume of sensitive information
in a way that would comply with both
its own internal policies and those developed
by its clients, as well as all applicable laws.
Defensive Measures
To start, Durack worked with her colleagues
at Vedder Price to identify all pertinent policies
and procedures. They took into account
emerging standards in the records management
industry. Ultimately, the firm
turned to a set of U.S. Department of
Defense guidelines, known as DOD 5015,
which recommend how an electronic
records management system should be
designed, and to what standards such a
system should adhere. (For more on DOD
5015, see defenselink.mil/webmasters/policy/dodd50152p.pdf.)
Next, Vedder Price found a
software product, CA Records
Manager (part of the CA
Information Governance solution),
that met the technical
certification requirements.
But this was only a critical
first step in meeting full compliance.
The law firm also had
to identify its business processes
and other legal conventions,
and then codify them into
guidelines for treating different
types of information
appropriately. For this reason,
information governance efforts
are best led by teams of business,
legal and technology executives,
Durack argues. In fact,
after Vedder Price selected the
technology on which to build the system,
the firm's next step was to assemble a
multidisciplinary team that could create a
game plan for the information governance
implementation.
Selecting a point-person to oversee
information governance can be a delicate
process. The issue can easily become a
game of hot potato, a race to see how
quickly responsibility can be passed to
someone else's area of the business. Some
industry experts argue that corporate legal
counsel should take the lead. That's because
executives can be fined, or even imprisoned,
for either failing to preserve and/or
produce the appropriate information in a
legal action, or failing to demonstrate that
a systematically enforced procedure is in
place to manage records.
Other experts, however, insist that
information governance should reside with
business unit leaders. That's because until
there is a legal issue, the documents in
question are an integral part of how a
business unit operates. Therefore, these
experts add, the documents should be
owned by those with the greatest stake in
the business process.
Still others contend that the duty should
be taken up by the IT department. They
base their argument on the fact that IT
"owns" all the data that flows over the organization's
networks and resides on its
servers. Since the data is managed and
administered by IT, they say, so should
information governance.
The correct answer, of course, is "all of
the above." From this group of peers, a leader
must be selected who will be accountable
for the group's decisions. Increasingly, organizations
are naming chief compliance officers
to oversee the effort. But the immediate
need is to pursue a three-way alignment
strategy in which business needs, technology
requirements and legal imperatives are
coordinated and reconciled.
Hardest First Step
The challenges associated with establishing
an enterprisewide information governance
program should not be underestimated.
"It is probably the
hardest first step," says Galina
Datskovsky, CA's senior VP of
development.
It's also the most important.
Datskovsky recently visited a
company where the officials
said, "This company is 150
years old; how could we possibly
get the information we have
under control?" Her reply:
"Well, if you wait another five
years, you'll be 155 years old,
and you'll still have no information
under control." In other
words, the first thing to do is to
start and, in Datskovsky's
words, "get something going."
When embarking on any
information governance initiative,
a CIO must understand
the company's risks. Then,
since companies cannot address
all aspects of an information
governance initiative at one
time, a best practice is to focus
on the greatest risk areas
first. In addition, CIOs need
to determine what their corporate
information is, and
where it resides. For example,
Datskovsky says, a CIO should
determine what constitutes a
business record as opposed to a
convenience copy. Then CIOs
need to establish governance
policies and enforce them
across all the different information pathways
used by the company. These rules can
hold the organization in compliance with
applicable laws, help mitigate risks and
make the organization more agile. Of
course, the company also needs to comply
with its own governance policies.
CIOs need to centrally manage policies
and implement controls for distributed
content. A solution that combines software
and services to address enterprise
records management, archiving and discovery
can help.
One important area is e-mail. In fact,
Reed Irvin, director of product management
for CA, says e-mail must be part of any solid
information governance initiative. The
volume may not be as bad as many CIOs
fear. Although an estimated 70 percent of
all business communication now occurs via
e-mail, probably less than 10 percent of any
organization's e-mail would need to be
retained in some type of records repository,
experts say. Nonetheless, much of the
e-mail archive still needs to be retained for
certain periods of time.
Information governance should also
pertain to up-and-coming collaboration
systems that companies use to spur communications,
creativity, innovation and
idea-sharing among employees. For example,
Microsoft's SharePoint is a suite of tools
for creating collaborative Web
sites that groups can use to
communicate, share information
and keep tabs on projects.
SharePoint includes built-in
mechanisms for controlling
and managing information,
and Microsoft is partnering
with information governance
experts like CA to enable even
more-comprehensive information
governance for such collaborative
systems.
"You need a structure that
supports ad hoc collaborative
environments where people
can communicate easily and
the IT organization can add
controls for quotas, branding, workflow
and other provisions," says Joel Oleson,
senior technical product manager for
Microsoft's SharePoint products and technology
team. "That way, things don't feel
out of control. Companies can manage
things in a way that lets business users still
feel empowered."
For CIOs seeking better control over
their vital data, information governance
could be just the ticket.
Lane F. Cooper is an editor and analyst covering the impact
of technology on business operations. He has written for InformationWeek, Optimize, Enterprise Systems Journal and
other publications.
A Federated Approach to Information Governance
CA has developed
what it calls a "federated"
approach to
information governance.
Federation
creates a centralized
enterprise policy console
that manages content in
place in various content repositories
spread across the enterprise,
explains Kristi Perdue,
CA's director of product marketing
for information governance.
"Our focus is about providing
a governance platform that
ensures an enterprise is prepared
to manage all of its
important information and provide
corporate governance that
proactively reduces risk in a
cost-effective manner."
Being proactive is key. That
way, CIOs will be prepared for
eDiscovery and audits. Having
the technology, processes and
trained people in place to
quickly identify, preserve and
produce documents during the
discovery phase of a legal
matter can save hard, cold cash.
That's exactly what recently
happened with one client of
Vedder, Price, Kaufman &
Kammholz, P.C., a Chicago-based
law firm. Because the
client had implemented an
effective information governance
program, Vedder Price was able
to examine e-mail records for the
client early in the process,
explains Maureen Durack, the
firm's director of management
information systems. As a result
of that review, the attorneys
determined that a large volume
of e-mail records would be
irrelevant to the case.
"As a result of the client
doing this work up front — by
having a strong information
management and information
governance strategy in place —
the attorneys were able to
effectively argue that nobody
needed to spend the money to
produce the e-mail," Durack
says. The result, she adds:
Vedder Price likely saved the
client hundreds of thousands of
dollars. —L.C.