Tip

Bottom-line benefits of a risk stress test for information governance

Under Dodd-Frank Act regulations, qualifying banking institutions are required to conduct periodic "stress tests" to evaluate whether they have adequate capital to continue operations during periods of economic and financial stress.

Jeffrey Ritter

Stress testing is an important component in effective risk management as well, enabling companies to evaluate different security scenarios and the complex interactions those scenarios may present. Simply stated, stress testing answers "what if" questions about key vulnerabilities.

Few companies, however, include funding or resources for stress testing information governance programs. Whether the program is characterized as records management, records and information management, enterprise content management or information governance, they all have similar goals. These include improving compliance with record-keeping requirements, increasing the accessibility of historic business data and reducing the risk of information being improperly accessed or altered.

But even these conventional objectives fade in significance when compared to the importance of being able to find and rely on designated, specific information assets to make quick business decisions. A company's success demands that data asset-pertinent information is readily available. Even with corporate leadership's renewed information governance focus, however, the inability to quickly locate information assets is almost always overlooked as a key risk indicator that may mark the failure of a particular business objective.

Stress testing your information governance program is a structured methodology for measuring the adequacy, availability, integrity and velocity of your vital data assets in scenarios that are essential to business success. The driving goal is to demonstrate, before those scenarios are played out in real-time, that you can deliver the information within defined metrics.

Initiate any Google search and the results show the total number of responsive assets and the time required to generate those results. It's all done with amazing, blinding speed. But we know that a Google search will not always deliver exactly the information we are looking for, and more analysis is often required. Questions need to be asked and additional searches may be conducted until you have the right information.

Similarly, whether you are building a quarterly sales report, organizing information to support a major joint venture negotiation, preparing a required regulatory filing or finding potential evidence in civil litigation, the process freezes the more time is spent searching for the right information.

Any loss of velocity costs money, and potentially lots of it. In addition, that money is not routinely accounted for in any ledger outlining information governance expenses. According to International Data Corporation statistics, knowledge workers only complete successful searches 25% of the time. For all other searches, they are spinning their wheels (and costing the company money) while they analyze the information.

In some scenarios, stress testing can help measure this velocity of information governance:

Joint venture disclosures. Create a scenario in which your company is trying to close a joint venture that will produce $2.5 million per month in new revenues. The prospective partner has asked for extensive information about your company, which is typical in a deal of this size. Every so often, the request for information triggers an extensive, high-intensity search no different than an e-discovery exercise, except that it doesn't come with a judicial sanction if you are slow to respond. Instead, if you take more than 30 days to produce the information, you have cost your company $2.5 million.

That does not include the added time consumed by your potential partner's legal and business team to review and analyze the information, as well as ask questions about the data's adequacy, availability and integrity. If that interaction takes another month, another $2.5 million in revenue has been lost.

A strong information governance program should be capable of almost self-authenticating any information asset by showing the controls employed and their effectiveness.

Product validation. For many companies, the launch of a new product often involves building and preserving records that demonstrate the design, integrity, safety and soundness of the product. Whether it's planes, trains, automobiles, drugs, software applications or financial investment products, they all require this documentation.

Astonishingly, the adequacy and completeness of the records that validate a product's qualities are often suspect. Informally, members of U.S. Food and Drug Administration staff once shared with me that, prior to the 1999 Part 11 rules to improve the integrity of digital information within new drug applications and related filings, up to 70% of FDA resources were devoted to testing the accuracy and integrity of the supporting laboratory records.

Software developers are under pressure to create and release new applications, and as a result notoriously ignore documentation rules. This increases the costs involved in investigating and correcting mistakes or, in Toyota's recent uncontrolled accelerator cases, creates manufacturer liability. Those costs are a direct result of poor information governance controls.

Unauthorized intrusion. If a malicious actor gains unauthorized access to your company's information assets, one of the biggest post-incident costs is investigating what damage has been done. What files were accessed? What records were deleted? What information was altered?

Strong information governance is more than maintaining 20th century retention schedules. Reducing the time required during investigations can significantly reduce their costs and the ensuing damages the malicious actor can cause until their actions are documented.

In your next annual budget, plan to include the resources, time and money required to do some stress testing of your information governance program. The preceding examples are just three compelling illustrations of the potential economic gains you will achieve for your company.

About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.

This was first published in January 2014
