Your SlideShare is downloading. ×
Information Governance-a programmatic perspective on driving value through RIMPractical Goals and Directions for managing information assets
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Information Governance-a programmatic perspective on driving value through RIMPractical Goals and Directions for managing information assets

1,164
views

Published on

Published in: Business, Economy & Finance

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,164
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Information Governance- a programmatic perspective on driving value through RIM Practical Goals and Directions for managing information assets.. Richard Gomes Citigroup- Director of Information Governance Richard R Gomes February 2010
  • 2. Information Management Services from Citi Global RIM RETENTION, DISPOSITION, AND ARCHIVING ARE CONSIDERED A SUPER-JURISDICTIONAL RISK It isn’t always clear what we are obliged to keep or how long it should be kept. INFORMATION MANAGEMENT SERVICES MITIGATE Though many Citi employees realize that RISK AND SAVE COST Questions about physical and they may be dealing with Records in the electronic files come in via a call or email course of their daily activities, only a Clients Records Management Officer (RMO) Internal can tell for certain. The query goes to the Employees The type of Record it turns out to be, the RMO responsible for the Sector, Global Function, jurisdiction it belongs to, and the type of Region, and Country • Record Status data it contains are just some of the many associated with the files • Jurisdiction of Record factors an RMO must take into account Identify • IS/Privacy flags to ensure we comply with our Legal and The RMO compiles the • Record Class/Code Regulatory obligations to compliantly retention, disposal, • Retention Schedule archive, and retrieval retain and dispose of Citi’s information. Classify • Deviation if required requirements. Contact your RMO before you act- • Assign RM-Unit The issue is tracked and • Update Inventory <link> Inventory • Declare Datasource managed by RIM until a The mishandling of Citi information is a compliant BAU retention big risk that can damage our reputation, and disposition process is in place Manage and Facilitate and cost us a lot of money. Retention, Disposal Active Matter Policy and Collection and After all, only Records Management Backup, and Eligibility and (e)Discovery Preservation Governance Custody Archiving Approval Holds Officers are trained and authorized to classify records, set retention periods, and process deviations. Richard R Gomes February 2010
  • 3. Records and Information Management (RIM) is a key competency that drives down the cost of protecting our information assets. The less information we retain, the lest costly it is to securely maintain. RIM Assets and Deliverables  POLICY DRIVEN DISPOSAL.  ‘Retain only what we are obliged to retain’  IAI (Information Asset Inventory) targeted protection  Worldwide golden source of the Information Citi has, where it is, and who is responsible for it.  DEFENSE-IN-DEPTH against Super Jurisdictional- Risk  Preventive Control- Information Asset Inventory (IAI) identifies IS and Privacy control gaps  Detective Control – Disposition Scheduling identifies IS and Privacy operational gaps  Corrective Control- GOC aligned RIM-organization coordinates and facilitates CAP responses  Service Delivery Model driven cost savings  Legal Matter Response – ‘eDiscovery’  Storage Demand  Data Privacy  Data Protection  Information Classification  Data Classification Richard R Gomes February 2010 3 Citi Internal
  • 4. Program History at a Glance “a packaged service that focuses on direct and timely benefits” CMM Level Global Program Evolution 1 – Ad Hoc 2005 – Policy and Governance standards • Policy and Control Process • Five Important Control elements developed- Master Record Catalog, Spans of Authority, Country Retention, Inventory Manifest, Custody Map 2– Repeatable 2006 – Organization and Control Processes • Platform Development and Deployment • Rev 1 of the IAI (Information Asset Inventory) with integrating the 5 important controls implemented, Physical Information BAU disposition (‘IC ‘)Project delivered 3– Defined 2007 – Enterprise Data Map and Global Process Control • Improved Process Fidelity • Continuous Data Disposition (CDD) of Structured and unstructured electronically stored information (ESI) initiated in NA, eMail disposition rules introduced • Broadened Scope and Effectiveness 2008 – CDD Process Development and Regionalization • Expanded CDD for structured ESI Globally, Prototype CDD for some unstructured ESI, Legal Hold process reengineering begun 2009 – CDD as BAU, Deploy RIM as a Service • Embedded RIM into the Data Centers • BAU Tape backup disposition and extended Archiving deployed, SharePoint and First Archive automated disposition process delivered (BAU eMail disposition in test in First Archive NA) 4– Managed 2010 – RIM Services Global Rollout and Regionalization • Major Gap in Reporting to be closed • Close Metrics and Reporting GAP, Improve Financial Reporting of Green and Blue $ saves, deploy automated classification and tagging for unstructured ESI 2011 – Push to CMM Level 4 RIM • Full benefit Capture • Deploy integrated dashboard to track effectiveness of savings, risk, and strategy enablement (Divestiture, M&A, Storage Reduction, etc) Richard R Gomes February 2010 4
  • 5. RIM is an effective way to manage the growth rate of retained Information volume because its about empowering people to act. RIM leads to less information in a form that is easier to manage Strategic 1. Minimally Intrusive to the business- Basis of advisory services that help business clients optimize their approach to compliance 2. Consistent in the eyes of auditors, regulators and the courts- Policy and Control Processes based on legal and regulatory requirements as interpreted by case law and regulatory findings 3. Straightforward and well documented – RIM is supported by job-aids and guidance and delivered through advisory teams composed of RMs, ISOs, and CoB personal Tactical 1. Policy aligned framework and methodology- Operational processes based on RM Policy which is risk based and integrated with RCSA, and ARR’s SAP 2. Enterprise-wide consistent, defensible, and actionable Global rules for Local application. 3. Serves all constituencies Addresses core Information Retention and Handling requirements that apply equally to the Business, Legal, Compliance and O&T, Actionable 1. Clearinghouse / CoE for process development and technology enablement initiatives 2. Cost saving identification and capture program 3. Knowledge exchange for collaborative sharing of locally developed practices Richard R Gomes February 2010 5
  • 6. Service Focus Cost Containment Over-retention creates a large drag on performance and is relatively easy to fix. Retention Driven Cost and Risk Factors Primary and secondary information handling costs  Electronically Stored Information (ESI) costs about $1.88 / GB-Year – (All in estimate of ESI on-line storage and administration costs this translates to at least $MM of savings in North America alone)  Back-up and Archive costs  System Back-up Times- (the need for more costly high throughput solutions and increased tape volumes)  Offline ESI-Archive Inventory Overhead- (indexing, retrieval, sampling, and restore overhead drive incremental storage requirements)  eDiscovery costs-  Collection, Culling, and 3rd Party review cost many large companies $10s of Millions annually Legal and Regulatory Exposure.  Matter Scope – (Out of context eMail, EUCs, logs, etc. widen investigation scope and drive up costs)  Missed/Overlooked information – (Untimely disclosure [e.g. Merrill $1.4B], Inaccurate Data Map [e.g. Qualcomm $200MM] resulting in large financial penalties and judicial prejudice)  Disposition Framework – (Retention inconsistency (e.g.. Intel, Arthur Andersen) resulting in serious and costly threats to the Franchise.. Richard R Gomes February 2010 6
  • 7. Internal Clients are a broad and diverse population Client Organization Expected Service Benefit Risk facing activities (e.g. Data Privacy, Data Protection, IDEM) derive direct expense and O&T/ Risk Organizations FTE benefits from volume reduction and efficiency benefits from a common Data Map- Case: IDEM u-ESI initiative Enterprise Data Map and Retention Schedules enable large scale economies O&T/ Technology Organizations associated with Info-centric architectures Enterprise Data Map provides baseline for Data Classification and forms the basis of a ISO Organization comprehensive Enterprise-Security Data Dictionary governing the risk based handling of Information in transit and at rest Right-sizing and cost management of the Information Infrastructure build-out based on Technology Infrastructure Organizations rules based predictive growth and volume information derived from well defined retention scheduling In aggregate, direct capital and expense savings are in the $.5B range with realization Financial Control within 12-24 months As a principle user of the Data Map and the Retention Processes associated with Legal Services / eDiscovery CDD, the direct benefit is in significant FTE / external resource reduction associated with the preservation, collection, culling, review, and production activities. Based on the effectiveness of the CDD methodology and the consistency of its Legal / Litigation implementation (e.g. SLAs) attorneys responsible for litigation can confidently delegate eDiscovery oversight to lower levels within their organization and improving skills alignment Framework for the development of Info-Centric applications that are aware of the Business / Application Development information they handle, can look up the rules for handling it, and can systematically enforce the information lifecycle Richard R Gomes February 2010 7
  • 8. Information Management Services from Citi Global RIM RETENTION, DISPOSITION, AND ARCHIVING ARE CONSIDERED A SUPER-JURISDICTIONAL RISK It isn’t always clear what we are obliged to keep or how long it should be kept. INFORMATION MANAGEMENT SERVICES MITIGATE Though many Citi employees realize that RISK AND SAVE COST Questions about physical and they may be dealing with Records in the electronic files come in via a call or email course of their daily activities, only a Clients Records Management Officer (RMO) Internal can tell for certain. The query goes to the Employees The type of Record it turns out to be, the RMO responsible for the Sector, Global Function, jurisdiction it belongs to, and the type of Region, and Country • Record Status data it contains are just some of the many associated with the files • Jurisdiction of Record factors an RMO must take into account Identify • IS/Privacy flags to ensure we comply with our Legal and The RMO compiles the • Record Class/Code Regulatory obligations to compliantly retention, disposal, • Retention Schedule archive, and retrieval retain and dispose of Citi’s information. Classify • Deviation if required requirements. Contact your RMO before you act- • Assign RM-Unit The issue is tracked and • Update Inventory <link> Inventory • Declare Datasource managed by RIM until a The mishandling of Citi information is a compliant BAU retention big risk that can damage our reputation, and disposition process is in place Manage and Facilitate and cost us a lot of money. Retention, Disposal Active Matter Policy and Collection and After all, only Records Management Backup, and Eligibility and (e)Discovery Preservation Governance Custody Archiving Approval Holds Officers are trained and authorized to classify records, set retention periods, and process deviations. Richard R Gomes February 2010
  • 9. Questions Richard R Gomes February 2010 9