In the second entry of our “The Risks of Archiving Everything” series, Info-Tech highlighted how poor information governance, specifically, information retention, and disposition practices, can pose significant risk on a variety of fronts. Organizations often overlook these risks and instead adopt an “archive everything” approach as a catch-all to regulatory compliance, ignoring (or being unaware of) the value that proactive information lifecycle management can have. As it stands today, according to the Association for Information and Image Management, over 57% of organizations admit to having no formally accepted information governance policies, with over 23% indicating chaotic information governance where users manage and store their own information. Chaotic information governance and excessive content archiving often result in overall reductions in business productivity, ballooning storage and resourcing costs, sensitivities around content security, increased probability of regulatory non-compliance, and significant eDiscovery costs (penalties or expenses) in the event of a legal litigation.
If my archiving strategy is chaotic or focused on “archiving everything”, how do I mitigate the risks that threaten my business?
Ultimately, the best strategy to mitigate risks associated with chaotic or excessive archiving is to proactively create, institute, and enforce controlled information classification and policies that are aligned to regulatory, industry and organizational standards. Proper information classification schemes and policies, collectively referred to as the Information Lifecycle Management (ILM) strategy, ensure effective and accurate content creation, capture, and retention/disposition activities for all pieces of organizational content.
The creation of an ILM strategy is a strategic, complex, long-term approach to improving information governance and architecture. In our upcoming whitepaper, Info-Tech will discuss practical methods to assist with the creation of a customized ILM strategy that pre-emptively mitigates chaotic archiving risks before they manifest. However, below we will highlight how, self-diagnosed, risk-prone organizations can employ tactical initiatives in the short-term to help prioritize and mitigate risks before they have detrimental consequences.
How can I build tactical initiatives to reduce the severity of chaotic archiving risks that threaten my business?
Of course, the biggest factor to consider here is the “risk appetite” of your organization. Risk appetite refers to the levels of risk you are willing to accept in order to pursue your objectives, and what levels of risk are deemed unacceptable.
To quantify your risk appetite, you must articulate an actual, finite dollar-value that reflects your business’ ability and willingness to absorb financial losses. Typically, risk tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks. Risk-averse organizations prefer consistent, gradual growth and goal-attainment by embracing a more cautious stance towards risk. If your organization has an Enterprise Risk Management function, adopt the existing acceptability threshold and align the mitigation strategies pertaining to content management and archiving accordingly.
How do I quantify the severity of each archiving risk?
To calculate the financial repercussions of a single risk event, every risk must be assessed to determine if the threat level of that risk (i.e. severity) surpasses your businesses the risk appetite (threshold). To calculate risk severity multiply the risk’s probable impact (a monetary value representing the financial impact if the risk event were to occur) by the probability of occurrence (the percentage of how likely the risk event is to occur).
Finitely calculating both of these metrics can be challenging, so Info-Tech recommends using investigational activities (through expert-consultation and research) for quantification. For example, to calculate the probable impact of excessive content/data storage (as discussed in blog two), investigate the process and methods to uncover the amount of resources required to store and manage the content (hardware, software, staffing, and energy). With this information in hand you can accurately estimate the actual cost of managing a defined quantity of data (GB, TB, PB, etc.). We can also consider the probable impact of excessive archiving on business productivity as outlined in blog two. In this scenario you could estimate the average salary of an employee and the average length of time they spend looking for content to calculate a financial value. To finalize the quantifiable severity for each of these archiving risks, you must determine probability of occurrence, which, in both of these scenarios is relatively difficult. If excessive archiving does occur within your organization, the degree to which it does, impacts the probability of that risk event’s occurrence. For example, business productivity risks are less probable in an organization with only 10% duplicated content, versus an organization with 50% of its content duplicated. Therefore, you must estimate the amount of “Redundant, Obsolete, or Trivial” to quantify the absolute probability of occurrence.
On the other hand, with more complex risks, where many variables impact probability and impact – such as security, regulatory, compliance or litigation risks – it can be more difficult to quantify risk severity through intuitive methods. Info-Tech recommends examining these threats though case studies – Have you or your competitors been impacted by the risk under investigation in the past? How frequently does this risk present itself? And what was the financial damage associated with a specific event? If this information is not readily available, the next best approach is an internal consensus building exercise augmented by internal checks. For example, if the probability of a risk event is deemed to be 10%, then consider: if ten organizations existed that were near identical, is it likely that one out of those ten would experience that risk within the next year?
I have assessed the severity of risks, how do I mitigate them?
By calculating the risk severity of each risk, you now have an understanding of which risks can cause severe financial repercussions (beyond your acceptable level) and therefore must be mitigated. Two key considerations at this point include:
- More than one risk surpasses the risk threshold
- A proposed mitigation initiative reduces the severity of one risk but increases severity of another
If more than one risk surpasses the risk threshold, you must determine which risks take precedence by considering: your industry, your regulatory requirements, your strategic objectives, and overall attitude towards risk. For example, healthcare organizations, particularly hospitals, are required to maintain confidential and secure patient records, as mandated by HIPAA. Any breach in confidentiality often results in legal action and penalties enforced by the Office for Civil Rights, with settlement fines reaching well into the millions. Healthcare organizations therefore experience amplified severity with regards to privacy and security threats and for most, any breach would threaten the integrity of the hospital and should be immediately prioritized.
When building tactical mitigation initiatives, the best action to mitigate chaotic archiving risks is to build a comprehensive ILM strategy as this is the true root-cause!; however, there are many short-term mitigation tactics that can help you reduce their immediate severity. When designing these tactics, it is critical to consider industry and organizational standards, as well as the dependencies that exist between mitigation actions. For example, a tactic designed to educate business stakeholders on how and when content should be created will likely have positive reductions on the severity of all chaotic archiving risks whereas a tactic mandating that business stakeholders search through all archived content before creating a new piece of content will likely have positive implications on storage risks but significant negative implications on business productivity. It is important to remember that you may even have a head start with certain tools or systems already in place (archives, content repositories, etc.) and it is a matter of building regulatory/industry-aligned disposition processes into these existing assets to ensure records disposition in a compliant manner.
By using the risks that we have outlined, and your tolerance for each, as a foundation of an archiving and broader ILM strategy, you can build a well-balanced strategy that aligns to the organization’s key mandates. While not all risks and mitigations are created equal, the measurement and calculation against each will ensure that content is created, managed, archived, and disposed of in accordance with the organization’s risk profile, and not a default position that amounts to archiving everything!
Other posts in this Series
Be sure to check out the other two posts in this series:
- Archiving EVERYTHING Adds More Risks Than Benefits
- The consequences of an “ARCHIVE EVERYTHING” approach to ECM
About the Author
Ryan Smith is an Associate Research Director in Info-Tech’s Enterprise Content Management (ECM) Advisory Practice specializing in the development, establishment, and governance of ECM strategies. Ryan regularly provides IT and business leaders with guidance, analysis, and tools required to optimize their ECM operations and unlock the true power of content as a business enabler. His client work includes developing strategic visions and roadmaps, requirements gathering and vendor evaluation, and the establishment of governance bodies including ECM centers of excellence. He is the author of Info-Tech’s ECM Strategy Development Framework which outlines the seven sub-disciplines of ECM and serves as the foundational methodology of Info-Tech’s ECM Practice. For more information, be sure to check-out Info-Tech’s Library of ECM Methodologies and Toolkits.
About Retain by Micro Focus
Micro Focus Retain provides archiving of email, social media, and mobile communication data. Retain archives all of this data into on central archive. Retain includes built-in eDiscovery tools, including browse, search, litigation holds, export, print, forward, and redaction archived data. Policy-based archiving ensures that you only keep what you need to keep, based on age of a message, mailbox, or post office. Once a message reaches the specified age for deletion, it is automatically removed from the archive. Retain allows you to manage and have oversight on your email, social media, and mobile communication data.
