Organisations not only need to safely store information (email, documents etc.) and make sure it is securely accessible, but they must also guarantee that all relevant information, irrespective of its origin or storage location, can be easily found for records management and regulatory compliance purposes. Craig Carpenter, VP & General Counsel at Recommind, discusses tackling information risk in a recession.
Compliance requirements, in particular, have become much stricter at the exact time the recession is making IT projects more difficult to fund; the result is enormous information risk, which will require organisations to take concrete steps to prepare for this ‘perfect storm’ - or risk damaging consequences.
Changes in the regulatory environment
The increasingly stringent regulatory environment, coupled with an ever-expanding wealth of data, is making compliance more complex and costly than ever before for UK businesses.
For example, companies must ensure they fully understand and remain compliant with the Companies Act 2006, which is due to be fully enforced by October this year, while also keeping up-to-date with existing regulations such as Sarbanes-Oxley and the Data Protection Act.
Falling foul of these regulations can leave businesses highly vulnerable to information risk and the associated consequences including breach of compliance, brand damage, and loss of stakeholder and customer confidence.
Furthermore, as the number and scope of regulatory inquiries from bodies such as the European Commission and the FSA increases, companies of all sizes will need to be in a position to quickly and accurately respond to any inquiry or investigation.
A key component of this is being able to respond to eDisclosure requests for the identification, collection, analysis and production of all relevant data. In the UK, 41 per cent of businesses* are already witnessing an increase in activity around eDisclosure compared to last year.
Yet, these organisations still do not seem to fully understand the need to prepare for these events, rating eDisclosure as their lowest priority below information security, email archiving and rolling out productivity-related tools.
However, with investigations, prosecutions and fines already here - and more on the way - those organisations which are not prepared will be the hardest hit. Not only will responding to these investigations cost such ill-prepared firms a hefty sum in terms of time spent finding all relevant information, but any delays will also increase the likelihood of a significant fine and the ultimate penalty could be even more extreme.
The financial meltdown is in part responsible for this emerging hyper-regulatory environment, but the recession has also seen information risk grow in a number of other ways. Firstly, the large number of layoffs has increased the likelihood of individuals misusing data or committing data theft for financial gain.
Secondly, increased mergers and acquisitions activity presents added challenges, as mergers frequently lead to difficulties in combining two disparate IT systems and ensuring the security of data when the transition is in process.
Similarly, as more companies are falling into insolvency, problems such as how to maintain control over the IT system, and give stakeholders the ability to quickly lock down data accessibility are surfacing. Falling victim to any of these scenarios can be severely damaging for an organisation and, in an already tough economic climate, the consequences could prove fatal to a business.
Taking control of the explosion of data
While most businesses are aware of these dangers, many may downplay their importance as actually taking control of all data within an organisation, making it searchable and discoverable and enforcing security policies is a massive undertaking. In addition, with budget restrictions tighter than ever before, it can be difficult to justify such investments to the board.
However, companies can actually minimise costs and upheaval by taking advantage of their existing enterprise search solutions to help them mitigate risk and ensure compliance. Where businesses have implemented or are in the process of evaluating enterprise search solutions, they should view these systems in the larger context of regulatory compliance and information risk.
Since compliance and records management issues present prototypical information risk challenges - namely the automated organisation, categorisation, security and accessibility of information - the same technology can also be used to help enterprises conduct risk assessments, comply with document retention policies and other regulations, and provide an audit of employee activities.
This can save significant money in the long run as it reduces the need to rely on expensive, external third parties when faced with regulatory and compliance investigations and eDisclosure requests.
Furthermore, automated concept search technology, used to dramatically improve enterprise search, can not only empower employees by providing them with all the information they need for their business roles, it can also solve many of the challenges of compliance investigations.
When faced with a disclosure demand, for example, concept search greatly increases the ability of early case assessment (ECA) and document review to hone in on the most relevant documents instantly.
Rather than relying solely on keyword search - which will both miss relevant data and scoop up a sea of clearly irrelevant documents containing a particular search term - concept search will locate, categorise and prioritise all relevant information, significantly speeding up and improving the accuracy of the regulatory compliance and eDisclosure processes.
Challenges for the future
Concept search will only become more important as the unprecedented growth in data shows no signs of abating, and in fact may be accelerating with the popularity and increasing use of blogs, wikis and social networking sites such as Facebook, LinkedIn and Twitter at work.
With a large proportion of the workforce now regularly using these tools, businesses cannot afford to ignore them. In fact, web 2.0 tools can actually help companies take control of their data reserves and can be used to locate knowledge within a firm, but they need to be effectively incorporated into existing information management systems.
For example, valuable ideas and thought processes that demonstrate specific experience can appear in the form of informal, IM conversations between workers, but these can be easily lost if not managed properly.
Equally, blogs and wikis can provide organisations with an opportunity to share and store ‘knowledge about knowledge’ in institutional memory, and features such as the ability to tag, rate and comment on documents can conveniently capture some of the thoughts and discussions associated with certain data, and preserve this knowledge for other workers to build on.
However, the use of web 2.0 tools also raises new issues and challenges for businesses in terms of information management. While these applications can offer a powerful means to fully capture all latent knowledge and experience within an organisation, businesses must enforce the appropriate usage policies to ensure the security and confidentiality of all information for regulatory compliance and records management purposes.
By using a single source for information - such as a unified search platform - to harness these data-producing technologies, organisations will be able to better tap into the collective wisdom of their resources (both people and content) while providing the security, control and focus that central administration enables. This will allow companies to embed web 2.0 tools directly into the business, without adding extra distractions or potential problems.
At a time when information reserves are growing almost uncontrollably and IT budgets are being squeezed, companies should be looking at the wider picture - specifically with a view to maximise their existing technologies now and in the future.
As information risk continues to grow, because of both the sheer volume and variety of data being created, combined with increased regulatory scrutiny, businesses must ensure they are fully prepared to combat the issue.
*Survey of CIOs and IT directors at 150 UK organisations with more than 1,000 employees conducted by Vanson Bourne in April 2009.
