
Data Retention: It ain't what it used to be


By Bill Lyons, CEO, AXS-One

Face it: It's a different world out there. Some differences are obvious, of course. The staggering volume of data can confound even the best business forecaster: 36.2 billion e-mails a day? That's the number researchers are estimating for 2006, and it keeps climbing.

The data also originates and arrives in a host of formats that didn't even exist a few years ago. Then there's the abundance of new regulations that seek to bring transparency to business-as-usual operations (including a few that would be more effective if they didn't keep evolving).

Some regulations cover every aspect of compliance, others delve deep into one industry or another, and some matter greatly in one geographic region but don't affect another. On the flip side, storage has become very economical, which can make it one less thing to worry about.

But to the more experienced eye, the changes go much further. More than the data itself, all of the issues related to electronic content (regulatory compliance, corporate governance, legal discovery) have not only become top of mind, they've rapidly climbed up the ladder of management priorities. There's definitely a new urgency in the air, and it can be felt all the way to the boardroom.

It's most visible in the headlines. Once confined to the back of the business section, data compliance-related issues seem to be a weekly if not daily occurrence. Either directly or indirectly, they've caused companies to be levied huge financial penalties, been the grounds for executive turnover (sometimes for operational reasons, at other times through prosecution and conviction), led companies to actively enforce policies that no one took seriously, been the beneficiary of significant budgetary upgrades and, perhaps most importantly, become a companywide priority rather than one relegated to the IT department.

Still, the coverage is often negative. One financial services conglomerate was hit with a huge fine in part because it couldn't guarantee that it had turned over every e-mail related to a particular transaction. (In its own defense, the company clearly tried to track down all the relevant e-mails, yet backup tapes kept turning up in closets, yielding more e-mails that had to be combed through. Eventually, the judge lost patience.) Only a few months earlier, in another case involving a major financial services firm, it was found that despite counsel's instructions, employees had deleted some relevant e-mails while the defendant had withheld others. The judge subsequently instructed jurors to presume that the withheld information was prejudicial.

These companies, by the way, were hardly novices: They had billions in reserve, sophisticated executives in the boardroom, high-priced counsel on the payroll, stringent data retention policies in place and an expensive technology infrastructure. It could almost be argued that these companies were doing everything right.

The judgments, and several others like them, sent shock waves down the spine of many executives involved with these issues: compliance, IT, finance, legal, etc. They've surely wondered what would happen if their own enterprises were suddenly asked to retrieve every bit of data related to a long-past transaction. And just to drive the point home, there's now a slew of high-profile cases where core data (e-mails, reports, memos) will be at the heart of the legal discovery process.

Bottom line: With rising volumes of data and falling prices for storage, corporate America's IT infrastructure has become a data landfill. With basic backup procedures, the vast majority of content that's supposed to be stored is usually stored. However, backup and restore procedures were never designed to provide a 100% complete and accurate record of what happened, but rather a method to restore operations if some catastrophe occurred. The result is that the right data can't be identified, retrieved and reproduced with any speed or accuracy. When data needs to be pulled up for routine business reasons, this is a definite handicap; when there's a legal discovery order, it's a definite nightmare.

In other words, all the data that's backed up is about as useful as a winning lottery ticket buried under mountains of trash at a landfill site. And by the way, here's an argument that always goes over well: There's a huge upside. Do it right, and your company will see major benefits: enhanced business procedures, better organization, lower costs. In fact, the General Counsel Roundtable has estimated that each additional dollar spent on compliance saves corporations $5.21 in avoidance of legal liabilities and lost productivity.

So how can this be done with the greatest efficiency?

Corporations need a global, hierarchical data archival and retention management system that governs both the technologies and the users involved. It should be driven strictly by regulatory requirements, risk measures and other corporate mandates, so that the organization can build policies that meet every regulatory requirement and set standards of operation that are consistent, auditable and enforceable across the firm, and that can be modified when the rules or policies change.

Let's acknowledge that in the real world it's never quite so neat. Just as government regulations continue to evolve and litigation tries to zero in on the "smoking gun," corporations will have to work to implement policies and technologies that make sense, protect the corporation while maintaining investor confidence and manage it all without overwhelming those responsible for compliance, legal issues and information technology. This in turn involves some other complications.

First, sort through the intricacies of what exactly constitutes "data." In addition to e-mail (now the backbone of virtually all business communication, so basic that users forget the complexity at the back end), there are other media to worry about, such as Instant Messaging. There's an entire generation now in the workplace that interacts through IM, yet most corporations don't capture this data, let alone archive and retain it.

In this context, remember that the most mundane Microsoft Excel and Word documents count as business-critical content. There are an estimated 150 million Excel users, many of them using the application for reporting and analysis of corporate data. Just imagine the detail that purchasing departments compile and organize: hundreds of contracts with different renewal dates, and more than one person checking a centrally held spreadsheet. Organizations are required to retain and archive these live, dynamic documents, a hair-raising compliance issue by any standard.

Next, remember that no two industries are exactly alike. What do the regulations governing your particular business require relative to your corporation's information? That's not an easy question to answer, since many corporations have found a competitive advantage in developing complexity across their diverse systems: more integration, more customized applications, etc. Yet, with respect to compliance, this very complexity creates challenges in auditability and controls. Bottom line: Simpler is better.

Finally, since technology is the foundation of many of these processes, don't forget what these systems can and can't do. Many of the technologies that now make up the IT infrastructure in corporate America were developed when compliance issues were not a top priority, and when content didn't come in as many formats as it does now.

Volume is a huge factor. Today, an organization with 15,000 e-mail boxes will generate more than 100 gigabytes a day in e-mail alone, which is the equivalent of between 1 million and 1.5 million e-mails a day with their attachments. After one year of retention and factoring in index data and compression, that's easily 40-50 terabytes of data: equivalent to the total amount of other records a similar-sized company might expect to generate in 10 years or more. Looking ahead, an organization with 45,000 e-mail users that retains all messages will need to store up to 1 petabyte (that's a billion megabytes) in just three years. And that's just in e-mail! Now add instant messages to the mix.

Given the massive numbers involved, even with smaller organizations, an enterprise archive solution, through elimination of duplicate data and compression of offline data, delivers significant cost savings on storage, servers and data management. It dramatically eases the burden on IT administrators: less time is needed to complete backups and to restore data from backup tapes when lost or deleted items must be retrieved. At the same time, primary applications run better because the primary servers are not overloaded, and they suffer less from unexpected downtime. This makes the IT department's service-level agreements (SLAs) easier to achieve. As backup and maintenance windows shrink and staff spend considerably less time searching for historical data, their productivity rises, since they have continual access to archived data.

Of course, it's not just about the technology. Despite the very different terrain, many best practices haven't changed much. Maybe it's because compliance is like old-fashioned investing: It's all about the fundamentals.

Exhibit real leadership: A failure to ensure true and effective data retention with regulatory compliance represents a failure of management. Even the best policies and technologies won't work without companywide adoption and buy-in, and it is management's job to get it.

Make compliance and governance a no-brainer: Wise companies will build and support a high-visibility compliance competency training program that has the authority and resources needed to develop, implement and enforce participation across all levels. Roles, responsibilities and accountability must be clearly defined.

Keep it transparent: Make it as easy as possible for employees to retain, preserve and archive all the necessary data, but also ensure that your company has the ability to detect policy violations and do what is legally required if and when that happens. Otherwise, the problem won't go away.

Prioritize the data, not the data type: The medium doesn't matter; the fact that one relevant piece of data was in e-mail form while another was in an SAP report makes no difference in the final analysis.

Put the right tools in place: Conduct a thorough needs analysis to ensure that the technology can do the job. The infrastructure must be scalable; it must have the ability to handle multiple content types; and it must have the capacity to meet the records management and regulatory compliance tasks that come down the pike today, such as global risk and e-mail search-and-retrieve.

Stay ahead of the curve: Accept that we are in the midst of ongoing paradigm shifts in the way we perceive our technological infrastructures, as well as the applications and data they are designed to deliver. Technology evaluation is routine in most corporations, but balancing it with compliance needs is a new twist. Perhaps that's why many companies believe their backup processes are sufficient. Measured against compliance directives, they're usually not. For example, a compliance and archival strategy with data expiration policies is a huge waste of time if the expired data continues to exist on multiple backup tapes, as well as at disaster recovery sites.

These processes have to be reviewed with an eye toward managing both the regulatory requirements and the risk associated with the data. Similarly, the underlying operating systems might allow security breaches that, in addition to other problems, violate compliance policies. Bottom line: The entire technology infrastructure, from the smallest applet to the largest server, needs to be assessed along strict compliance metrics.
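The expiration point above is easy to state and hard to verify: a record is only truly expired when every copy of it is gone, and a legal hold must override expiration regardless of age. The following is an added example, not code from the article or from AXS-One, of how a retention review might check an inventory for that failure mode. The record model, the location names (primary, archive, backup tapes, DR site) and the sample inventory are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical record inventory model (constructed for this example): one entry
# per retained item, listing every location where a copy is known to exist.
@dataclass
class Record:
    record_id: str
    created: date
    retention_days: int          # retention period assigned by policy
    legal_hold: bool = False     # a hold suspends expiration entirely
    copies: set = field(default_factory=set)

def expiry_date(rec: Record) -> date:
    """The first day on which policy allows the record to be destroyed."""
    return rec.created + timedelta(days=rec.retention_days)

def disposition(rec: Record, today: date) -> str:
    """'hold' overrides everything; otherwise compare today with the expiry date."""
    if rec.legal_hold:
        return "hold"
    if today < expiry_date(rec):
        return "retain"
    return "expire"

def lingering_copies(records, today):
    """Records whose disposition is 'expire' but which still exist somewhere.
    Returns {record_id: sorted list of locations} so each copy can be purged."""
    out = {}
    for rec in records:
        if disposition(rec, today) == "expire" and rec.copies:
            out[rec.record_id] = sorted(rec.copies)
    return out

def copies_by_location(records, today):
    """Invert the report: which locations still hold expired data, and how many items each."""
    counts = {}
    for locs in lingering_copies(records, today).values():
        for loc in locs:
            counts[loc] = counts.get(loc, 0) + 1
    return counts

# Constructed sample inventory. Two expired messages survive only on a backup
# tape and at the DR site, one expired record is on legal hold, one is still
# inside its retention period, and one has been fully purged.
SAMPLE = [
    Record("msg-0001", date(2001, 3, 15), 3 * 365, copies={"backup-tape-2001-Q1", "dr-site"}),
    Record("msg-0002", date(2002, 6, 1), 3 * 365, legal_hold=True, copies={"archive"}),
    Record("msg-0003", date(2005, 9, 30), 3 * 365, copies={"primary", "archive"}),
    Record("msg-0004", date(2001, 1, 5), 3 * 365, copies=set()),
    Record("msg-0005", date(2002, 2, 2), 3 * 365, copies={"dr-site"}),
    Record("xls-0007", date(2000, 11, 20), 7 * 365, copies={"archive", "backup-tape-2000-Q4"}),
]
TODAY = date(2006, 1, 1)  # constructed review date

if __name__ == "__main__":
    for rid, locs in lingering_copies(SAMPLE, TODAY).items():
        print(f"{rid}: expired but still present at {', '.join(locs)}")
    print(copies_by_location(SAMPLE, TODAY))
```

The second report is the one the article's point calls for: it tells you which backup tapes and recovery sites are quietly defeating the expiration policy, which is where a remediation effort has to go. In practice the inventory would be fed from the archive's index and from the backup catalogue; the check itself does not change.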

At the same time, it's vital that companies implement both continual process improvement and reliable audit capabilities. We're long past the point where silos can continue to grow virtually unchecked, each with its own domain. Build a single platform that can be expanded, then evolve when necessary. This will allow technologies, processes and business needs to keep pace with incoming regulations and changing market conditions.

Above all, it's critical to remember that data retention cannot be seen as a pedestrian, IT-specific, low-level function; it's nothing short of a top-line management priority. Any company that sees it differently does so at its own peril.


© 2019 Simplex Knowledge Company. All Rights Reserved.