Practical Information Governance – A Heretic’s View
Patrick Cunningham, FAI
Sr. Director, Information Governance, Motorola Solutions, Inc.

Learning Objectives
Upon completion of this session, participants will be able to:
• Explain the differences between controls-based and customer-based risk
• Describe a strategy that shifts from RIM requiring actions to the customer determining what requirements can be met
• Guide the customer to appropriately accept risks
“Don’t shoot the messenger – records management, as we know it, is dead.”
-- Randy Kahn, “Are You Kidding Me?” blog, March 7, 2013
http://areyoukiddingme.kahnconsultinginc.com/2013/03/dont-shoot-messenger-records-management.html
Problems and Opportunities
• BYOD
• “Cloud”
• Social media
• Consumerization
• SOx
• HIPAA
• PCI DSS
• Data privacy and consumer protection
• Cyber security initiatives
Don’t these things dictate better – and more requiring – records management?
Cool, huh?
• How does it translate into action?
“Months, days, hours. Always face it forward.”
Forget most of what you have learned about records management.
Risk Management
• A discipline for living with the possibility that future events may cause harm
• Reduces risks by defining and controlling threats and vulnerabilities
(Definition from the International Information Systems Security Certification Consortium)
Business Risks
• In the big scheme of things, how large is records management as a business risk?
• Given the choice between filing email properly and selling to a customer, what do you think your sales person will do?
More from Randy Kahn
http://areyoukiddingme.kahnconsultinginc.com/2013/03/dont-shoot-messenger-records-management.html
• Is it practical to expect your employees to classify company information given today’s information volumes?
• Would your executives really want all employees to spend 10-20% of their day doing records management?
• Do records management procedures help the business be more agile and competitive?
• Should employees be expected to go through hundreds of millions of files from the past to determine if they still harness any ongoing business value?
More from Randy Kahn (continued)
http://areyoukiddingme.kahnconsultinginc.com/2013/03/dont-shoot-messenger-records-management.html
• Does your records program really apply those retention rules to all electronic records across the company—or to any of it for that matter?
• Does keeping everything just in case you get sued make sense given that your company already struggles to find needed business information?
• Can your records program claim millions in savings from its activities?
Truth is, most would answer each of the questions with a resounding NO.
The Risk Calculus
• Each of Randy’s questions comes with a calculus of risk versus reward for the organization
• Many organizations will find the rewards of good records management to be minimal
• Many organizations will also find the risks of poor records management to be minimal
• But is “do nothing” an effective strategy?
Risk Calculus
• Consider likelihood
• Consider impact
• Consider the value
• Outcomes:
  • Accept the risk
  • Mitigate the risk
  • Transfer the risk
Controls-Based Risk
• Risk derived from the organization’s ability to comply with a set of controls or policies
• Requires an understanding of how controls map to both internal and external policies and standards
• Generally somewhat aloof from internal and external customer requirements
• Often burdensome
• Actual risk is usually higher than the risk believed to be offset by controls
Customer-Based Risk
• Risk derived from an organization’s ability to comply with the customer’s willingness to accept controls and policies
• Aligned to customer expectations, but often not aligned to independent standards
• The customer’s appetite for risk may be higher than expected
• Actual risk may be lower than expected
Customer Requirements
• Understand customer priorities
• Understand customer risk appetite
• What is the customer willing to do?
• What won’t the customer do?
• Who will accept the risk?
• What can be done to mitigate the risk?
Guiding the Customer
• Align requirements to risk appetite
• Understand that the customer’s priorities may not include information governance
• Get the information governance requirements addressed in some fashion
• Try to find low-impact means of implementing controls
• Ensure that the customer understands the risk that will be accepted
Consider
• Records managers often behave as though every email was being dictated and carefully typed onto linen letterhead by a waiting steno pool
• What is reality?
Sarbanes-Oxley
• Think about what you know about SOx
• While SOx has some mandates for retention of records, does it ever mandate disposition of records?
• Do your SOx auditors ever ask you when you plan to dispose of relevant records?
File, Save As
• The ONLY opportunity you have to ensure proper disposition of a document
Do We Just Give Up?
• Align your thinking to business priorities
• Pick your battles
• Articulate risk effectively – don’t rely on FUD
• Your execs are unlikely to end up wearing handcuffs because they didn’t disposition records – and if they decide to do something unethical with records, your policies and processes are not going to stop them
Re-Engineer Your Program
• Limit retention periods (“big buckets”)
• Make it simple
• Leverage technology
• Make it happen in the background
• Find ways to make meaningful contributions to the bottom line
• Always consider proportionality – is the solution more expensive than the problem?
Opportunities
• Application decommissioning
  • Where is the data?
• Server decommissioning
  • Where is the data? Archiving. Migration. Retention. Legal holds.
• Non-functional requirements
  • Build controls into new systems
• Information attributes
  • Retention, security classification, vital records, data privacy flag, export controls, etc.
Do We Just Violate the Law?
• Of course not
• Companies that are highly regulated “get” the requirements imposed by law
• But most companies aren’t that highly regulated
• And most retention requirements are minimums, not maximums
Adapt or Die
• Feeling marginalized?
• Do you know why?
• Could your program, as designed, pass a proper audit of controls?
• Do you actually have a set of controls that could be audited?
• Do you listen to -- or dictate to -- your customers?
That Randy Guy, Again…
http://areyoukiddingme.kahnconsultinginc.com/2013/07/get-on-clue-bus-and-revisit-your-email.html
“Records retention, if managed at the message or document level, if it was ever possible, would take a good part of the employees’ day every day and would be a very bad business decision. After all, businesses are in the business of selling things, providing service, making money, and not having employees use precious time and resources to manage records.”