Simple questions can have complex answers, e.g. "daddy, why is the sky blue?" which leads to a discussion of Rayleigh scattering and other topics a bit too daunting for most seven-year-olds.
And in that category, we've got the simple question above -- when does IT (or anyone else) get to stop storing, protecting, managing a piece of information, and consign it to the dustbin of history?
The answer seems to lead towards a few of the themes I've written about before, and -- I now have met my first customer who has worked out a semi-practical way to decide when something gets deleted.
It's a tortuous journey, and not for everyone, but it's an interesting story.
The Simple Truth
No one wants to delete anything these days. The perception of risks associated with that act seem to outweigh the costs.
No one really knows what the consequences of consigning a piece of information to eternal oblivion might be. It's the worst form of risk -- it's perceived to be unbounded in its consequences. You just don't know what *might* happen down the road.
We might need it as part of some future business initiative. Or we're not really sure what our regulatory responsibility might be.
And, usually, the risk is perceived in one part of the organization, and the costs show up in another part (usually IT).
Some business function created it -- we can't delete *their* information, can we?
So information piles up. Costs escalate. More IT budget is spent here rather than value generation areas.
On one level, it's the classic information governance problem -- how do we balance cost, value and risk -- and how do we pay for our decisions?
A Recap on Information Governance
Forgive me if I give you the synopsis again, but ... if information is going to be as important (or more important!) than money, it's going to need governance.
I've written about this before, as well as talked about the increasing stable of customers who have set up information governance functions, and bringing non-IT voices to the table to discuss how best to balance cost, value and risk for the ever-growing pile of information we're all accumulating.
Last week, I was privileged to meet a customer who had not only done the information governance thing, but actually had used the construct to arrive at a potentially workable solution to this simple question above.
What They Did
After the information governance board had met for a while, and wrestled with getting a baseline understanding of the issues and forces at work, IT was able to get "information retention policy" on the agenda.
Sounds simple enough, doesn't it?
What do we keep, for how long, and why?
And -- more importantly -- how do we pay for our decisions here?
IT started to present the cost side of the equation. How much information was being stored, for how long, and what it was costing the business. They did some nice trending as well, demonstrating that in a few short years, it was conceivable that the majority of IT spend would be on simply saving stuff.
A black hole, voraciously consuming everything around it.
The legal guys presented a view that basically said "look, the requirements here are unclear, we're biasing towards keeping stuff, simply because we're not clear of the consequences if we start aggressively deleting stuff".
Which, of course, erupted into a debate around the pros and cons of discovery.
The business guys checked in two ways -- "look, at some point, we may want to go back and look at these historical records. We're not sure if we'll want to do this, but deletion takes that option on the table" and, in the same breath "how come IT isn't being more responsive to our needs?".
Stalemate? Not really.
IT's New Responsibility
The IT guys hadn't created a service level catalog for data retention. They hadn't created multiple retention offerings in terms of cost, service level, and risk of loss.
It became that some information needed to be accessed relatively quickly and couldn't be accidently lost, other information might cost more time and money to retrieve, and some loss was acceptable, and yet even another class of information where they could say "we have a copy somewhere", but there was no reasonable expectation of timely retrieval, and losing stuff was a definite possibility.
IT agreed that it was their job to (1) create a service level catalog of different archiving options at different costs, and (2) work with vendors and service providers to continually reduce retention costs over time.
Both pieces were important. Business people can make decisions when presented alternatives in costs, value and risk. IT hadn't really exposed the tradeoffs so that decisions could logically be made.
And, of course, everyone knew that technology and the industry kept focusing costs downward, so IT had to step up to making some of these cost saving available over time.
The Business Units' Responsibility
It turns out that the business units really hadn't done a good job of figuring out what was important to keep, and what wasn't so important.
If IT exposed costs and tradeoffs, they said, they could do a better job of making decisions. And it was pretty clear, given the magnitude of the costs involved, that excessive information retention requirements on behalf of a business unit ought to be accompianied by a cost center to charge things to.
The business units weren't absolutely clear how they were going to do this, but it was clear there were significant costs involved, and that -- to the extent that business value was generated for a business unit through data retention -- it was fair and reasonable that their should be some cost-covering.
Legal's Responsibility
Legal now was beginning to grasp that their "keep everything just in case" policy was pretty expensive. It also turned out that the legal budget included some line items for other forms of risk mitigation.
The consensus was that there was a corporate interest in risk mitigation in terms of information retention.
And no one really owned the balancing of cost vs. risks in this category.
Going forward, the legal group owned two key functions: determining what was cost-effective risk mitigation with information retention, and helping IT out with corporate-level funding to cover the costs associated.
On Paper, We Have A Winner
From my perspective, these folks have taken a major step forward in information governance.
They've identified an information management problem that's really big, and won't go away all by itself.
They've addressed the "everyone has a role in this" problem -- it's not just an IT problem, although IT has to do a few new things they weren't doing before.
Now, I don't know if this is going to work a year or so down the road, but it feels like the right type of solution for a very broad set of circumstances.
It's funny how simple questions can lead to very interesting outcomes. I wish them success in their new endeavor.
And I wonder how many similar stories I'll be hearing like this in the coming years.
Comments