In 2002, the Nobel Prize in economics was awarded not to an economist, but to psychologist Daniel Kahneman for his work on the psychology behind judgment and decision-making. One thing Kahneman’s work showed was how quantifiably bad humans are at judging risk. We wildly overestimate some risks, like being bitten by a shark or dying in a plane crash, while consistently underestimating less horrific risks, such as being injured in a car accident.
Perhaps unsurprisingly, our inability to accurately judge risk also extends to business decision-making. This is especially true when it comes to how organizations manage information. Earlier this year, the Information Governance Initiative (IGI) and Guidance Software partnered to release a report exploring the idea of “quantified information governance.” IGI and Guidance Software investigated the philosophy and discipline of data-driven information governance, especially as it relates to decisions regarding data remediation—the decision to keep, delete or migrate information.
The report attempted to understand why so many businesses are seemingly terrified to remediate data. It found that most organizations that struggle with remediation share the same three dysfunctions:
Lack of insight into the information environment. Simply put, many organizations do not know much about their data. IGI research estimates that as much as 75% of stored information is data that an organization has no legal requirement or business need to keep. Further, much of this data is “dark,” meaning that organizations have little or no insight into its contents. This lack of insight is a huge source of risk.
Breakdowns in corporate governance. Organizations need a clear understanding and agreement on who actually has the mandate and authority to make remediation decisions (such as IT and legal). Uncertainty about where the buck actually stops often fuels stagnation and inaction.
Fear. Businesses are almost universally afraid to delete anything. This fear only fuels the problem of dark data and poor governance that drives up cost and risk.
While the report addresses each issue, the findings related to the fear of deleting data are perhaps the most interesting. Research and experience showed that decision-makers across various sectors make fear-based decisions about information governance. There is widespread fear that remediating any data will result in sanctions, fines, or even prosecution and potentially incarceration.
But are these fears strongly rooted in evidence or data? Overwhelmingly, the answer is no.
First, studies indicate that, in the United States, less than 2% of all federal civil cases even go to trial. Only a tiny fraction of those cases would involve data remediation issues. A 30-year study of U.S. federal civil cases found only 230 instances of any kind of sanction related to electronic discovery.
What’s more, cases where the wrong thing was thrown away are so infrequent that experts in the field can practically name them all (though the risk increases very steeply if an organization is actually doing something illegal, like attempting to destroy incriminating evidence).
The data on what is actually happing in courtrooms is clear. In addition, experts presume that recent changes to the relevant court rules will only make it less likely that organizations managing their information in good faith will be sanctioned. In other words, the fears that many executives seem to have that they will be hauled into a courtroom over data remediation decisions have little basis in fact. This perception, however, is common—and the fear around it is driving poor business decisions.
So what can risk managers do? In a seeming contradiction, the answer to this data problem lies in collecting more information. Most organizations have a relatively poor understanding of what data they store electronically, what data is most valuable, and who has access to it. This lack of information serves to reinforce fear, stall decision-making regarding data remediation, and ultimately create risk. What organizations really need is more data about their data.
Today, new technologies make it possible for organizations to gather comprehensive information about their data. Armed with the right information, businesses can make data-driven decisions about information governance, as they would with any other business issue. Starting an information governance project can be daunting, but there are simple steps organizations can follow. Furthermore, applying quantified information governance can show immediate returns on investment by reducing risk.
To start, businesses need to gain insight into their data. Sophisticated technologies can find and map data stored both inside an organization’s firewall and by service providers. Once mapped, organizations make better decisions on how that data is governed. Mapping data can also significantly reduce an organization’s data—and risk—footprint. For example, even with training and a strong security culture, sensitive information can leave an organization simply by accident, such as data stored in hidden rows in spreadsheets or included in notes within employee presentations or long email threads. Scanning the enterprise for sensitive data at rest and then removing any data stored where it does not belong greatly reduces the risk of an accidental loss of sensitive data.
The next step is analysis. Risk professionals need information governance tools that can assist with the analysis of data gathered and the presentation of insights to empower decision-making. Information governance strategies should happen at the most senior levels of an organization and have a major business impact. That said, new tools exist to allow risk management professionals to gather and analyze data to present compelling insights and reasons for change.
Finally, organizations need to take action. After collecting and organizing data, risk management professionals should create an actionable strategy. More often than not, organizations will find that, in many cases, digital risk will be reduced by deleting appropriate data.