Every major organization is involved in several ediscovery requests at any
given time. Industry statistics on costs and time requirements are startling.
Organizations routinely spend millions of dollars on a single ediscovery
request. Sometimes an organization feels compelled to settle a case purely to
avoid excessive legal expenses necessary to adequately comply with current laws,
regulations, and the increasingly strict requirements from courts. According to
the 2008 Socha-Gelbmann Survey, commercial expenditures on electronic data
discovery topped $2.7 billion in 2007, up 43 percent from 2006.

The Goat Rodeo
Goat rodeo: An especially chaotic
situation, typically in a corporate or bureaucratic setting. (Source: Wikipedia.
Special thanks to our former boss, Marcel Bryar, for introducing us
to the term.) Anyone who has managed or responded to an ediscovery request knows
the challenges—and that those challenges are not going away.
- Companies don't know where their information lives. Information in a large organization is
not just siloed. It is also duplicated, often with multiple versions of the
same information existing in several locations. Documents rarely contain
metadata and often lack controls around ownership. Many organizations simply
do not have the motivation, resources, and expertise to even begin to get
their arms around the information management problem.
- The amount of data is skyrocketing! Searching, processing and producing information is a
very expensive process. As computing costs come down, especially costs for
data storage – adhering, more or less, to Moore’s law – the explosion of
electronically stored information (ESI) rages. The amount of information
produced by the average information worker keeps rising while the number of
newer information channels such as instant messaging, SharePoint and related
collaboration tools, and Web 2.0 tools continues to grow. And, likewise, the
percentage of unmanaged data sources continues to grow in many organizations.
Putting the brakes on the cycle of cost increases is not easy.
- Panic mode—let the goat rodeo begin!!! When a subpoena hits, IT, legal, compliance, and
business leaders assemble task forces and SWAT teams to gather and catalog
potential responsive documents (paper and electronic). The focus is on meeting
the deadlines and getting the response package out quickly. Minimal repeatable
processes are leveraged and most requests end up taking time away from current
business tasks and claiming organizational resources. For example, if a
subpoena requires the production of emails for a set time period, IT and legal
spend a significant amount of time searching for certain keywords, combing
through and coming up with the right set of emails. The next time a subpoena
hits, IT and legal may again spend a similar amount of time combing through
the same emails looking for a different set of keywords.
- IT and legal departments speak different languages. Another challenging aspect of ediscovery
is that IT and legal are rarely on the same page when it comes to information
management. Searching for and processing information has traditionally been a
business function. Now with ediscovery, legal often requires IT to come up
with all relevant ESI (emails, network files, desktop documents, applications)
irrespective of where it resides. The truth is that IT really does not have
the skill set or the business focus to collaboratively support ediscovery. In
some cases, IT is simply helping with ediscovery because there is management
pressure to do so. At the same time, IT complains that legal does not provide
sufficient guidance to personnel regarding policies and procedures, which
results in an inefficient ediscovery process.
- Information is everywhere. Information in an organization resides
everywhere. Both
structured and unstructured repositories continue to grow and in some cases
data is retained indefinitely. Even when records management systems are in
place and retention policies call for disposal of records, employees continue
to maintain copies of these records “just-in-case-something-happens.” Thus
organizations are exposed to the double-edged sword of claiming records are
being destroyed based on established policies while records continue to be
retained on laptops, CDs, thumb drives, external drives, desktops, and backup
devices. To make matters worse, many organizations continue to create paper
copies of electronic records. In a large organization, 90 percent of records
that were traditionally maintained in hard copy are now produced
electronically. In short, most of us have not gotten rid of paper; we’ve just
added terabytes of data to the mix. Having a current data
map of all sources of ESI is critical to the process.
- The ediscovery marketplace is rapidly maturing ... Ediscovery vendors are
capitalizing on the opportunities to sell solutions to refine the process. Many of
these tools can process data and search, classify, categorize, and produce
relevant information. Some tools claim “full automation,” whereby search
crawlers relying on heuristics and logic come up with all documents that may
pertain to one or more keywords. Even the traditional information and content
management vendors now provide “native” ediscovery support for their
repositories. Consultants are also providing a lot of the governance and
production support required for ediscovery. Outside counsel continue to
participate in the ediscovery process or represent their clients in the
courts.
- ... but organizations continue to struggle. In spite of
the amount of money and resources being pumped into the ediscovery space, the
problem of information management continues to haunt organizations. Legal,
compliance, and IT functions are trying to establish controls in their
respective spaces but these efforts are sometimes uncoordinated and do not
produce the desired results.
7-Step Strategy to Win the Goat Rodeo
So what is the solution? What can
organizations do to reduce the cost and time spent on ediscovery? Or help
mitigate the enormous risks involved in not producing the correct set of
documentation in response to a subpoena?
Step 1: Take Stock of What You’ve Got
First things
first: Take stock of what you’ve got by executing an information asset audit. An
information audit identifies all unstructured and structured systems and data
repositories. It provides leadership with valuable data to make business
decisions on what systems are serving their customers and employees. This
information provides IT with architecture and infrastructure planning data,
identifies legal information that may be required during an ediscovery request
and, more importantly, helps record managers think about how to build policies,
procedures, and retention schedules to capture all records that reside in these
systems. Be sure to include external data sources such as Web 2.0-hosted
applications in the audit. Typically these applications include shared
repositories, human resource and financial systems, and customer relationship
management (CRM) apps.
You can normally compile the information through a quick, online survey
(typically a four- to six-week process). Assign a dedicated project manager who
understands information management, build a short business case for the project
to obtain executive sponsorship, assemble a team of business, IT, legal, and
records management representatives, and conduct the survey. You’ll be surprised
what you find!
Step 2: Prioritize Your Information
Given the massive
amounts of information, it is critical to identify, categorize, and classify
organizational information based on some prioritization. This process helps to
identify the higher risk areas within an organization that should be addressed
immediately. For example, professional services companies may determine that
client data is the number one priority, while a government agency may decide
that compliance-related information is key.
Prioritization of information is rarely straightforward and care must be
taken to develop the right set of parameters. These parameters can range from
analyzing what would happen if a particular set of information was missing or
compromised (e.g. personally identifiable information), to value to the
organization (e.g. vital records of the company), to criticality of completing
business processes (e.g. a master data table with daily rates), to frequency of
use (e.g. information about organizational roles and responsibilities) and so
on.
Each organization must evaluate these parameters for their unique
circumstances, business lines, geographies, and tolerance for risk. Once all of
the parameters have been identified, information managers must meet with
business, operations, legal, and compliance to determine and assign relative
weights to each of the parameters. A model for grading the importance of
information can thus be developed. This model can now be mapped to the various
information sources within the organization and a list of information types with
their “grade” can be developed.
Keep in mind that there are always exceptions that need to be made in certain
circumstances. If a piece of information got a lower grading number, it may
still qualify as critical information depending on factors that may not have
been addressed through the model. The importance of involving the business in this
exercise cannot be overestimated. Simply relying on legal or compliance to
develop such a model is not recommended. It has to be a joint effort among the
various information stakeholders.
Step 3: Understand the Systems and Their Role in the Business
Using IT as a partner, conduct a detailed analysis of the
systems to understand how they work, the business processes that are executed on
them, how they interact with each other, the flows of information, the key areas
of dependency, and the various roles and responsibilities of the people who work
on these systems. Dividing the list into structured/unstructured and
internal/external (Web 2.0, for example) is a logical first step. Next, strive to
understand how these systems are secured, what the various access controls are,
security features, protection of confidential information controls, and so on.
The analysis team should also have a good idea of the impact of this system on
organizational processes, stakeholders, and the organization’s bottom line.
During ediscovery a key aspect of information search and production is centered
on key financial, operational, and compliance systems. Therefore, it is
important to figure out what controls are in place and what controls or
processes need to be in place for these systems.
Step 4: Identify Risk Areas within Systems and Conduct Gap Analysis
Working with the business, understand the various risk
factors impacting the organization, its people, partners, and customers.
Typically one can start with reviewing business, legal, and financial risks
within the organization. Business risk can arise from inadequate or failed
internal processes, people or systems, and from internal and external events.
Legal risk arises from pending or potential legal action. Drivers include legal
retention requirements; a history of litigation holds; subpoenas; previous fines
or legal actions; ediscovery requests; and violation of privacy and non-public
information laws. Financial risk includes the impact to financial well-being of
the company, such as loss or damage to assets or an indirect loss such as staff
time or market share.
The location of information also plays a role in risk. Ediscovery often
requires organizations to quickly access and lock down information. Server
locations such as Web 2.0 applications can often complicate this process,
creating a higher level of risk.
Gap analysis should also help identify the record retention gaps that may
exist in these systems. Develop retention policies to snapshot the data to the
records archival solution and dispose of historical data if there is no business
or legal value.
Step 5: Develop a Remediation Plan
Most organizations do
a reasonable job of identifying the risks and the cause-and-effect of these
risks. The key here is to work out a realistic remediation plan that can work
for the business, meet legal compliance requirements, and be cost-effective. At
the end of the day, if a remediation plan costs more than the impact of a risk, then
it may simply not be worth it.
As part of the remediation plan try to focus the effort on some key tasks.
First establish a task force comprised of key stakeholders from IT, legal,
operations, business, and compliance. The task force should be focused only on
remediating the gaps and issues. Next, engage an audit or quality organization.
This can be either an internal organization (if it has the right level of
maturity and is not a conflict of interest) or an external audit team that is
engaged for a short period of time to conduct, evaluate, and report back on the
results. It is important to continuously track and monitor progress to see how
well the remediation plan is working. It is recommended that a single individual
be asked to play the oversight and accountability role across the business and IT
sides. This person would also be the one to build a business case, provide
funding, monitor remediation activity, and articulate any significant risk
factors to senior leadership.
Another aspect of the remediation process is that IT can sometimes feel
threatened with all this talk of information management, controls and audits.
But in order to be successful, IT must be made into an ally. It is simply
impossible for information programs to proceed without the support and
participation of IT.
Step 6: Execute Quick Wins
Demonstrating a quick return
on investment is critical to gaining credibility among leadership, business
lines, legal, and IT teams. A quick win can be accomplished by identifying areas
within the organization where information management challenges can be
remediated with relatively low pain, time, and cost. Establish the right set of
goals and milestones; manage execution; and work and communicate with
constituents of these business units to realize quick wins. These essential
stepping stones will demonstrate value and win buy-in from each team and the
entire organization. Choose your quick win candidates carefully, however: A
system or business area that has historically had significant information
governance challenges is probably not a good candidate for a quick win. Make
sure the area’s business owner and sponsor are 100 percent committed to the
success of the program. Throughout this process, be sure to track metrics-based
milestones so you can demonstrate your success.
Step 7: Establish a Formal Records and Information Management Program
Now that you’ve earned credibility with leadership by achieving
“quick wins,” good planning, and sound management, it’s time to build a business
case for better management of information within the entire organization. A
strong information management program will establish policies and controls for
managed and unmanaged repositories and make sure key players such as legal,
compliance, and records management are stakeholders in system design and
operational decisions. And, most importantly, an information management program
is the key to avoiding ediscovery goat rodeos in the future.
The Bottom-Line: Crawl-Walk-Run
Being proactive about
getting your data and systems in order can help you avoid lots of goat rodeos.
But remember: the existing chaos took a long time to evolve and getting your
information management house in order will not happen overnight and requires a
step-by-step process. Tackling all issues and risks at once is likely to fail;
instead, take a crawl-walk-run approach that considers the following points:
- Secure executive buy-in for the project.
- Establish a collaborative team—IT, legal, records
management, and the business.
- Make sure that Web 2.0 applications are part of your plan.
If your organization does not currently have a
comprehensive records and information management program, please refer to our
three-part series, “Lessons from the Trenches: A Practical Approach to
Enterprise Records Management.” This series, which appeared in the
November/December 2007, January/February 2008, and July/August 2008 issues of
AIIM E-Doc Magazine, the predecessor to Infonomics,
is available online.
The public report of the 2008 Socha-Gelbmann Electronic Discovery Survey can be
found here.
Ganesh Vednere is a content
and records management practitioner with expertise in implementing
enterprise-wide content and records management programs including program
strategy and setup, policies and procedure development, record retention
research, and technology implementation. He has over 15 years of relevant
industry experience in various business and technology verticals. Ganesh is a
2009 recipient of AIIM’s Distinguished Service Award.
Nishan DeSilva is the global director of the records management program at a leading
international human capital consulting firm. Nishan has a proven track record of
implementing and leading global content and records management programs,
including compliance, ediscovery, risk mitigation, policy, and technology. He is
currently leading the enterprise-wide development and deployment of an
electronic content and records management solution. He is an experienced records
management expert with more than 17 years of business and technology
leadership.