Whatever you think of US National Security Agency leaker Edward Snowden, you have to concede he has done a lot for information governance (IG). He didn't build the ultimate IG technology.

But his behavior over the past 12 months has forced a large number of organizations to sit down and ask themselves, "What if?"

What if your information is not governed properly?

New research from AIIM shows only 10 percent of organizations have an effective IG policy in place, while 21 percent have policies that are mostly ignored. Most of the rest consider IG a work in progress.

Governance is a Challenge

In its recent Industry Watch report, Automating Information Governance assuring compliance (free after registration), AIIM discovered many organizations are struggling to cope with information governance.

The research was based on 531 responses to a questionnaire sent to AIIM members between March 15 and April 8, excluding organizations with fewer than 10 employees and suppliers of enterprise content management (ECM) products and services.

Traditionally, there has been a great deal of apathy towards IG by the leadership in many enterprises. But recent security breaches coupled with Snowden's revelations about cyber spying have pushed the topic into the limelight.

Metadata became a household word after Snowden revealed the NSA has been systematically tracking it on a global scale.

Add into the mix the data explosion and the realization that data and the customer insights it can offer mean money, along with the regular use of electronic data in the courtroom coupled with increasingly stringent, rigid compliance regimes. You can see how IG has turned into a real devil's brew.

Data Protection

The report covers just about all the bases when it comes to IG. But there are some figures that really stand out, particularly now that data protection and privacy rules are under the microscope everywhere.
If there was any doubt as to the need for an IG strategy, one of the most striking figures relates to how companies believe they would perform if they were audited under current legislation.

According to AIIM, 18 percent admitted that if they were audited today, they would probably fail it, while a further 7 percent admitted that they had suffered data or privacy breaches or even lost data. On top of that, 26 percent said they were unable to comment on the likelihood of failing an audit, while 22 percent said they felt they were operating at the very minimum of requirements.

The overall impression is that about half of organizations are incurring considerable risks — and this is based only on what organizations are prepared to admit. It is possible, if not probable, that the risk level is, generally speaking, a lot higher.

Small Improvements

The situation appears to be getting slowly better. The research shows that the amount of paper being used in the organization is beginning to stabilize.

This has seen the number of organizations using electronic records jumping to 68 percent while those actually reporting a decrease in the use of paper records rose to 32 percent.

In the next 12 months, another 40 percent plan to move from traditional records management to a wider, all-encompassing IG strategy.

This corresponds with commonly held views of the risks of not implementing an IG strategy as well as the potential benefits.

The responses show that the three biggest perceived risks of failing to introduce IG are loss of intellectual property, damage to reputation and the inevitable litigation costs, with 24 percent reporting compliance issues around litigation and discovery over the past two years.

However, for those that do have a coherent IG strategy, the rewards are potentially great. According to the research, the three principal benefits from good information governance are a reduction in storage costs, exploiting and sharing knowledge resources, and faster response to events and inquiries. Digging deeper into the figures, there are some other notable points:

IG and Records Management Policies

The research shows that only 15 percent of respondents felt that they had “robust” IG policies in place, although this rose to 22 percent for larger organizations.

This means that only one in five organizations feel that their policies are adequate, although this varies across departments.

This translates into 28 percent who said they have departmental or geographical variations, 38 percent that feel they are still some way from maturity and 21 percent that say they have no policies in place at all. For large organizations, a shocking 12 percent say they don’t even have an agreed records management policy.

Records management

The records management landscape itself is quite diverse. It appears that many organizations have moved beyond the traditional electronic document and records management systems (EDRMS) that combine content management, document management, and records management.

Even so, 27 percent of those that have records management capabilities in their enterprise content management (ECM) or document management (DM) systems don’t use them, although a lot of them say they will start using them in the coming 18 months.

Another 25 percent have separate systems for records management, with this often involving the use of SharePoint as the document management system with records management layered underneath it. Again, there is another shocking statistic here, in that 26 percent have no records management capabilities whatsoever.


Even with all the recent headlines about data breaches and data loss, it seems that many organizations have yet to take heed of the risks inherent in not securing organization data.

Overall, the research shows, 52 percent have started IG projects, but a third of those have been unreferenced and unaudited, making it a rather pointless exercise. In fact, only 8 percent of them feel that they have achieved anything or that the policies are working.

This opens the organization up to all kinds of legal problems on top of the obvious problems that compromised or lost data poses.

To highlight that, the research also found that 84% do not delete emails and electronic records in a formal way (compared to 45% for paper records, which itself is still not good).

While the deletion of paper records is normally a manual process, for many enterprises the destruction of emails and electronic records is also done manually, a situation which also puts the organization at risk.

Email Archives

Email is still creating enormous problems for enterprises. In a normal work scenario, only a small number of emails need to be kept, tagged and declared as records.

However, with email used now as a way of communicating with the world beyond the firewalls as well as one of the principal ways of collaborating in the enterprise, the volume of emails is overwhelming many users.

There are also storage and space issues with emails, along with problems of clutter and duplication. While there are many tools that can automate that process, most organizations appear to have bypassed them. Although 14% of respondents send email records to ECM, only 3 percent use automation.

Although 13 percent have tackled this problem with a dedicated archive for emails, the solution for the rest is less than satisfactory. According to the research 17 percent are keeping everything, 16 percent delete everything after a fixed period, and 22 percent have no policy or strategy at all.

Multiple Repositories and Cloud

One final issue that needs to be considered is a relatively recent problem, aggravated by the rise of cloud computing. If organizations are using different repositories for different kinds of content and there is no connection between those repositories, as is the case in many organizations, then developing IG is not enough.

Where there are multiple repositories, IG will need to be applied to each one, and furthermore, when laws or regulatory rules change, each set of repository rules will need to be updated. Search capabilities will also have to be applied across each repository, as will hold and destruction processes.

In addition, e-discovery searches will need to be repeated across each repository, and hold processes applied in multiple places. The research shows that 30% have a single ECM/RM system as a strategic objective, 18 percent are planning around manage-in-place, and only a third are adopting CMIS-compatible connectors.

These are only a small number of the findings in this comprehensive research which shows that if some progress has been made in the past year in IG, there is still a lot more to be done.

While the headline-grabbing exploits of hackers who hit Target before Christmas, or more recently eBay, draw the attention, the everyday problems with data breaches and loss are just as important.

With many organizations now becoming aware of the inherent value in their information in respect of customer experience, for example, it is surprising to see so many treating their data in such a cavalier way.

While it is unclear why this is the case, at least some of it must be because of the failure to connect the dots between governance, customer experience and relationship management and business success.