Manage Learn to apply best practices and optimize your operations.

Bottom-line benefits of a risk stress test for information governance

In this tip, Jeffrey Ritter explains how stress testing information governance controls enables better business and can even boost the bottom line.

Under Dodd-Frank Act regulations, qualifying banking institutions are required to conduct periodic "stress tests" to evaluate whether they have adequate capital to continue operations during periods of economic and financial stress.

Jeffrey RitterJeffrey Ritter

Stress testing is an important component in effective risk management as well, enabling companies to evaluate different security scenarios and the complex interactions those scenarios may present. Simply stated, stress testing answers "what if" questions about key vulnerabilities.

Few companies, however, include funding or resources for stress testing information governance programs. Whether the program is characterized as records management, records and information management, enterprise content management or information governance, they all have similar goals. These include improving compliance with record-keeping requirements, increasing the accessibility of historic business data and reducing the risk of information being improperly accessed or altered.

But even these conventional objectives fade in significance when compared to the importance of being able to find and rely on designated, specific information assets to make quick business decisions. A company's success demands that data asset-pertinent information is readily available. Even with corporate leadership's renewed information governance focus, however, the inability to quickly locate information assets is almost always overlooked as a key risk indicator that may mark the failure of a particular business objective.

Stress testing your information governance program is a structured methodology for measuring the adequacy, availability, integrity and velocity of your vital data assets in scenarios that are essential to business success. The driving goal is to demonstrate, before those scenarios are played out in real-time, that you can deliver the information within defined metrics.

A strong information governance program should be capable of almost self-authenticating any information asset by showing the controls employed and their effectiveness.

Initiate any Google search and the results show the total number of responsive assets and the time required to generate those results. It's all done with amazing, blinding speed. But we know that a Google search will not always deliver exactly the information we are looking for, and more analysis is often required. Questions need to be asked and additional searches may be conducted until you have the right information.

Similarly, whether you are building a quarterly sales report, organizing information to support a major joint venture negotiation, preparing a required regulatory filing or finding potential evidence in civil litigation, the process freezes the more time spent time searching for the right information.

Any loss of velocity costs money, and potentially lots of it. In addition, that money is not routinely accounted for in any ledger outlining information governance expenses. According to International Data Corporation statistics, knowledge workers only complete successful searches 25% of the time. For all other searches, they are spinning their wheels (and costing the company money) while they analyze the information.

In some scenarios, stress testing can help measure this velocity of information governance:

Joint venture disclosures. Create a scenario in which your company is trying to close a joint venture that will produce $2.5 million per month in new revenues. The prospective partner has asked for extensive information about your company, which is typical in a deal of this size. Every so often, the request for information triggers extensive, high-intensity search no different than an e-discovery exercise except that it doesn't come with a judicial sanction if you are slow to respond. Instead, if you take more than 30 days to produce the information, you have cost your company $2.5 million.

That does not include the added time consumed by your potential partner's legal and business team to review and analyze the information, as well as ask questions about the data's adequacy, availability and integrity. If that interaction takes another month, another $2.5 million in revenue has been lost.

A strong information governance program should be capable of almost self-authenticating any information asset by showing the controls employed and their effectiveness.

Product validation. For many companies, the launch of a new product often involves building and preserving records that demonstrate the design, integrity, safety and soundness of the product. Whether it's planes, trains, automobiles, drugs, software applications or financial investment products, they all require this documentation.

More on information governance from Jeffrey Ritter

The business case for data governance

The keys to information management in the digital age

Astonishingly, the adequacy and completeness of the records that validate a product's qualities are often suspect. Informally, members of U.S. Food and Drug Administration staff once shared with me that, prior to the 1999 Part 11 rules to improve the integrity of digital information within new drug applications and related filings, up to 70% of FDA resources were devoted to testing the accuracy and integrity of the supporting laboratory records.

Software developers are under pressure to create and release new applications, and as a result notoriously ignore documentation rules. This increases the costs involved in investigating and correcting mistakes or, in Toyota's recent uncontrolled accelerator cases, creates manufacturer liability. Those costs are directly a result of poor information governance controls.

Unauthorized intrusion. If a malicious actor gains unauthorized access to your company's information assets, one of the biggest post-incident costs is investigating what damage has been done. What files were accessed? What records were deleted? What information was altered?

Strong information governance is more than maintaining 20th century retention schedules. Reducing the time required during investigations can significantly reduce their costs and the ensuing damages the malicious actor can cause until their actions are documented.

In your next annual budget, plan to include the resources, time and money required to do some stress testing of your information governance program. The preceding examples are just three compelling illustrations of the potential economic gains you will achieve for your company.

About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Dig Deeper on Content management software and compliance

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Does your organization include any stress testing of information governance programs? If so, how?