As long as the trouble seemed limited to managing storage, then it was a problem the corporation was content to live with. No one was particularly concerned about what was contained within all of that digital storage, and over time even the original owners of this electronic content forgot about it or moved on. So IT made do with additional storage devices and long-term tape-based retention. But then the eDiscovery process blew up in corporate faces, and the problem of unstructured data management blew up right along with it. eDiscovery morphed from a cost-of-doing-business process – and a great way for outside law firms to make a lot of money – into a quagmire of missed deadlines, sanctions, and multi-million dollar review costs.

Then the financial meltdown came along to complete the disaster, turning the regulatory atmosphere from complacent to threatening. The first change threatened the General Counsel’s office (GC); the second change threatened the Governance, Risk, and Compliance officers (GRC). These groups are starting to look to IT to fix the problem, but IT cannot do it alone. What this difficult situation needs is a technology that cost-effectively manages enterprise-wide unstructured data, and then customizes data delivery and actions for specific business processes. Its primary driver is the eDiscovery process, but the common platform enables effective management for GRC and storage management as well. In this Technology in Brief, we will share our take on the promise of these platforms, and how StoredIQ is fulfilling that promise.

Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is the focus on historical precedence rather than forward looking investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects such as external hackers. This leads to heavy investments in systems infrastructure and many times overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as the weakest link. Over investment in one area without the others is understood as not a good use of resources.

Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.

ChoicePoint is the largest data broker that assembles personal information records on all of us. ChoicePoint, like so many corporations, make assurances on data security. They probably truly believes that they are aware of all risks facing them as they claim and also believe that their organizations are effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation may rely on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close” for years, ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”

However in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency's history, for security and record-handling procedures that violated the rights of consumers. The ChoicePoint operations process for approving business partners was vulnerable. Fraudsters were officially becoming business partners by exploiting ChoicePoint's business process and practices. That kind of vulnerability can best be uncovered by using risk assessments conducted by the operations team which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.

Lessons learned from this story:

1) Roll-out your Enterprise Risk Management charter to your line managers

2) Use root cause as part of self-assessments to understand the source of risk

3) Use best practice risk indicators that are forward looking in nature to uncover risks

4) Develop clear measures of the penetration of your Enterprise Risk Management program

5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.

Review lesson number one or your successor may be doing that for you.