Drawing a new battle plan for conquering key information risks.

• Author: Gatewood, Brent

Today's information governance environment--with decentralized and sometimes ad hoc information creation and storage across multiple internally and externally controlled information systems--defy the traditional notion of records as discrete data objects that can be controlled in the way current regulations and laws expect. Taking an actuarial approach to managing risks associated with this reality may be the best plan.

Today's information governance environment has, increasingly, little correspondence with the traditional concepts of records management, which assume discrete, well-bounded data objects that live in well-defined locations and can be controlled. Though the objects being managed today most likely are not paper records, they are incorrectly assumed to look and behave very much like paper records.

The legal and regulatory environment makes the same general set of assumptions: records are known, quantified, identifiable objects that can be accessed and treated as discreet objects, as needed. However, these assumptions also have become dated as technologies used for creating and storing records electronically have become quite sophisticated, and the density of data storage has increased exponentially.

[ILLUSTRATION OMITTED]

Decentralizing data Control

An additional, highly complicating factor is the increasingly distributed nature of an organization's data systems. Thirty years ago, data resided in the electronic equivalent of a box stored in a warehouse or a centralized data store in a mainframe computer, which was typically on the organization's property.

Now, data resides in multiple, and often redundant, server farms that are commonly located around the world, increasingly in spaces the organization doesn't own and over which it has lit. tie, if any, control. Examples include cloud-based storage solutions from commercial providers, collaborative sites on space operated by third parties, and social media sites.

Additionally, users create their own networks, storing data on desktops, laptops, and a plethora of other portable devices, such as smartphones and flash drives. And, they create their own repositories on SharePoint[R] sites, shared drives, or other collaborative spaces they may have secured outside of the organization because that is easier and faster than working with internal resources.

Because of the decentralized nature of this sort of data system, the ad hoc way in which most of the repositories are created and used, and the sheer number of nodes on the system, centralized control is nearly impossible. To complicate matters even more, good search tools used to locate information within an organization are hard to find.

Managing Shadows

The current regulations and legal practices that assume records are discrete, bounded, stand-alone objects also require an organization to know where all its records are. And, if it is called upon to do so, the organization must be able to identify the ones that may be relevant to some matter or inquiry and put its hands on them.

However, even the ubiquitous word processing document complicates this process with its hidden formatting data, ability to recover deleted and prior versions of text, and all the other things that hide in the background and schema of what looks like a typed document when it's on screen. In fact, many of the documents or objects created today are actually containers for many fries and parts that make up the document--full of data shadows and wormholes.

It only gets more complicated from there. For example, information viewed within an enterprise resource planning system looks like a single record, but it's not. It's a temporary aggregation of numbers and other data pulled from other sources. Log off, and the thing once viewed on the screen vanishes, but the data still resides some place, or places, ready to be assembled the next time someone wants to view it.

In the interim, some of the data may change, so the record--even 10 seconds later--may not be the same as the...