
From Compliance to Information Governance: Reducing Costs and Improving Security for Organisations

By Paul Hampton, Director of Product Marketing, Alfresco

Businesses are increasingly concerned about compliance with the myriad standards, agreements, regulations, legislation and mandates governing their industries.  But compliance is simply a ticking of a box.  Software standards met – check.  Licensing agreement honoured – check.  Records management mandate met – check.

Organisations should instead focus on information governance, a term frequently used interchangeably with compliance.  But information governance is more; it is the strategy, not only for compliance, but also for meeting your customers’ needs now and into the future.  In short, compliance is what you do and information governance is how you do it.  And information governance brings much greater value to organisations; it can uncover business opportunities and protect enterprises from security threats.

Information Overload

New technologies are facilitating profound changes in the way people and companies work together.  Pervasive mobility and cloud computing, to name just two, have affected our work habits and processes.  This is a good thing, of course.  These technologies allow people to work where, when and how they want, theoretically making us more productive and efficient.

The problem is that these technologies have created an information deluge.  Gone are the days when managing structured data, such as documents and spreadsheets, was the only requirement.  IDC is projecting a stunning 50x growth in digital content from 2010 to 2020, with 90 per cent of it in unstructured information such as emails, documents and video.  The rise of social media and collaboration tools has also created a new class of enterprise content, and its distribution spreads across the spectrum.

Often meeting compliance requirements, particularly records management mandates, requires the collection of all of this content.  As such, companies have collected, and continue to collect, massive amounts of digital content: reports, presentations, video files, spreadsheets, email and every other format you can think of.  At best, this information is stored in legacy records management or enterprise content management (ECM) systems with few controls and little ability to store, access and organise it, creating a potential nightmare for executives in the form of data breaches of sensitive and personal information across every industry.  In addition, these systems can’t help executives find those needles in a haystack that could help solve a business challenge, move a company to the next level, or solve a number of business challenges.

Unfortunately, a study conducted by the Association for Information and Image Management (AIIM) points to the fact that organisations aren’t taking information governance seriously enough.  While around two-thirds of organisations had some level of information governance policy in place, nearly one-third admitted that their inferior electronic records keeping caused problems with regulators and auditors.

The results point to one big reason; most respondents did not include dynamic or personal content in their information governance policies.  This includes all collaborative content, instant messaging and social media, just to name a few examples.  In contrast, 37 per cent of respondents agreed that there are important social interactions that are not being saved or archived, while less than 15 per cent of organisations included social postings in their information governance policies.

Grandma’s Attic

Poor information governance is the equivalent of someone who throws every receipt, newspaper, magazine, letter, bill, invoice, photograph and other scrap of paper into shoe boxes that fill the attic from floor to ceiling and are now spilling out into the main part of the house.  There’s no rhyme or reason about what needs to be saved, what should be locked up and what should be taken out with the trash.  And there is so much that none of it can be easily sorted or accessed.

The problem is that some of this information has real value—it needs to be preserved with the ability to find it, tag it, manage it and protect it.  Some of it should be accessible to executives who want to understand past opportunities and outcomes.  If properly cared for, it might help solve new challenges.  It might have historical importance.  Or it might deserve extra protection because its inadvertent release could put the company at risk.

The risk of poor information governance varies from the unfortunate to the catastrophic.  At best, a potential customer gets out-of-date pricing information and you are required to honour that.  At worst, hackers break in and get hold of intellectual property or sensitive information, holding it ransom or selling it to the highest bidder.  In between are the all-too-often incidents of information mismanagement.  This is what the US government faced when Edward Snowden decided to go rifling through sensitive government files, allowing WikiLeaks to get a hold of electronic files filled with secrets.  It’s what happened to Target when hackers were able to obtain the credit card records of millions of customers.  It’s what happened at Sony when employees started sharing information via email that they shouldn’t have shared.

This isn’t a new problem.  It first emerged with shared drives with petabytes of information piling up in a big heap to be dealt with sometime in the future.  Traditional ECM software jumped into the mess, addressing only a small fraction of the content by adding in some context and a few tools, but without solving the problem.  The mess was mostly just swept into thousands of little corners.  Fast forward, and now the problem has shifted from shared drives to the shared file services of the Internet—the Dropbox/Box/Evernotes of the digital age, creating a bigger mess to deal with.  And, if not properly addressed, it will only grow as the amount of information we deal with continues to grow exponentially.

Good Information Governance

Businesses have focused on putting compliance, management and security controls in place.  But what’s really needed is information governance. From a simplified perspective, information governance requires identifying the most important information and getting that under control. Organisations need to prioritise the processes and information in those processes that most affect risk – compliance risk, financial risk and reputational risk.  Then the information should be stored where it can be most effectively used to address both the business opportunities and the risks, especially in the cloud.  The end result is business agility, information hygiene and less detritus where it counts.


About the author:

Paul Hampton, Director of Product Marketing, Alfresco

Paul Hampton is Sr. Director of Product Marketing at Alfresco. He has over 25 years’ experience working within the Enterprise Content Management industry. Paul joined Alfresco in 2009 and over the past seven years has been responsible for all product marketing activities at Alfresco. Paul has held senior positions at a number of companies including Documentum, Ariba and SDL.

Prior to Hyland, David has worked as a market consultant and analyst at AIIM, and previously multiple IT consulting roles.

Twitter:     @PaulDHampton


To learn more about Governance Risk & Compliance and how it can help protect your organisation, view ZONE SE7EN’s GRC & Threat Intelligence event taking place on 16th November 2016, and register via ZONE SE7EN’s Insight Zone.
