Published: November 25 2008, 04:32 AM | no comments
by Reed Irvin

[caption id="" align="alignleft" width="350" caption="Over 6,000 attendees came to CA World this year!"]

[/caption]

It's good to be back from CA World--what a great show this year! This year's attendees were enlightened on a range of topics from the "greening" of IT for greater sustainability to the impact and pain of our current economic chaos. A prevailing message that we all heard was that at the end of the day, all roads lead to the serious need for proactive information governance. Session presenters wove a cautionary tale that acknowledged even though your company may be feverishly scrambling to remain solvent, it is highly imprudent to ignore your obligations to remain compliant with legal regulations and laws. Both sides of the story must be honored to keep things on track and headed in the right direction.

On Monday night, Jack Welch, former CEO of General Electric, elaborated on these themes when he took the stage before a rapt audience. In his keynote, Mr. Welch encouraged us to consider the opportunities of this turbulent economy (yes, opportunities!); essentially that it is most definitely the time to buy if you have the resources. He echoed the prevailing message of "change" that has swept the country both during the presidential election and as we have watched our economy unravel. His message was this: embrace change with a fierce commitment to learning and innovation because if you do not the consequences could be dire.

There were many great Information Governance sessions, but one of the most interesting was a session given by Vivian Tero, who is Program Manager of Compliance Infrastructure at leading analyst firm, IDC. Based on recent quantitative research and in-depth interviews, Vivian presented on trends in Information Management. The growth to date of enterprise information is astounding, and the numbers projected forward are even more daunting. By 2011, IDC estimates an average of 32 exabytes of disk storage alone (an exabyte=one quintillion bytes!). Faced with that, more enterprises are tackling strategic decisions about information risk management"¦knowing what is essential for retention and applying scheduled deletion for what is not. While email gets the lion's share of attention in the media, Vivian's research shows that shared files (in collaboration systems, etc) are the most frequent files searched in eDiscovery. eMail in fact was number 3"¦which, she concluded, could simply be because lawyers setting the agenda for litigation today assume that email is already controlled and relatively "discoverable."

On Wednesday, Galina Datskovsky, senior VP and GM of the Information Governance team gave an amazing presentation (in the spirit of full disclosure, I report to Galina, but I would have thought that her session was amazing regardless!). Her IG Vision and Future Session, covered the intriguing new trend and critical need for companies to govern social networking content created by employees. Now, companies are not only responsible for applying governance practices to content created for the company. They are also feeling the pull to govern personal content created on social networking sites such as facebook, MySpace, Twitter, or even LinkedIn. This trend has clear implications that can impact both a company's reputation as well as the employees' standing in the company "“ depending on what they choose to post (or their choice in avatar pics!).

In summary, we know that while there are challenges and opportunities in the market and in technology, the greatest concentration of power to make technology succeed or fail still lies at our fingertips: the human beings designing the strategies and using the solutions.

Published: November 24 2008, 03:30 AM | 3 Comment(s)
by Christopher Fox

We are at just the beginning of challenging times ahead. Risk management is becoming of increasing importance.

For example, according to a Towers Perrin survey of finance executives at major U.S. corporations, CFOs consider "improved risk management" as the top priority right now given the current financial crisis -- even more important than access to capital.

Towers Perrin commissioned the survey by CFO Research Services, an affiliate of The Economist and CFO, to gain insights on how companies view the seriousness of the financial crisis for their businesses. According to the summary of the report:

• Approximately 72% of respondents expressed concern about their own companies' risk management practices and ability to meet strategic plans. (Towers Perrin notes this suggests that finance executives, regardless of industry, perceive a need to invest in more effective risk identification, measurement and management procedures.)




• More than half (55%) of the CFOs agree that they plan to put their risk management practices under a microscope and that this investigation will in many instances reach all levels of the organization, from the board down and from the shop floor up.

There is a risk that management will focus on specific risk associated with the financial crisis. We believe that risk management encompasses an entire company and the potential impact of external events on the company.

At CA we are developing a risk management library that addresses risk throughout a company. At the highest level this structure includes the following risk elements:

• Governance




• Operational




• Technological




• Compliance




• Financial




• Financial Reporting




• Economic




• Environment Regulation




• Stakeholders




• International




• Market




• Social Trends

In the coming weeks on this blog, we will look at risk management holistically and discuss risk management considerations that businesses should be addressing over the next twelve months.

We begin with the following elements of Governance risk:

• 
  Governance Structure: The risk of loss through legislative action or loss of reputation because an organization cannot demonstrate that it has an effective corporate governance structure
  




• 
  Organizational Structure: The risk of loss through legislative action or loss of reputation because an organization does not have an appropriate culture, including ethical culture, to support the corporate governance objectives
  

The ability to demonstrate that risk is being effectively managed at the board and senior management level is beginning to be raised as an issue in the media.



On November 10, 2008, Tobin Harshaw of the New York Times compiled some interesting insights regarding the A.I.G. bailout in an "Opinionator" blog post:

"Executives there are handsomely paid, yet senior management cast a blind eye as one unit earned outsized profits while taking risks that would have driven A.I.G. into bankruptcy were it not for the Fed's rescue.

"¦the biggest single job of senior management in a financial institution ought to be to assure the health and survival of the entity, which means risk management and control is top of the list. "¦ Anytime a unit starts reporting very large profits, managers should be all over it like a cheap suit to make sure the earnings are not the product of massive risk taking."


(From the Naked Capitalism blog
.)

In the NY Daily News on November 9, 2008, Carl Icahn focused on Lehman in an opinion column. He wrote:

"But behind the success or failure of every corporation is a board of directors which is supposed to monitor the CEO, set salaries and, importantly, weigh risks and business strategies.

So we must ask: Where were the directors of these companies? Were they qualified to assess the risks their companies were taking? Or were they off playing golf at Augusta or jetting to the Super Bowl aboard company aircraft?

Consider the Lehman board. Of the ten non-management directors, only three "¦ has financial industry background"¦. Moreover, its five member finance and risk committee included a theater producer, a retired naval officer, a retired computer executive and a retired television CEO. Only the chairman had a finance background. He was eighty years old.

Even if these people were qualified to evaluate the bank's risks, the committee met just twice a year in 2006 and 2007, according to the Corporate Library, a research group. Its editor, Nell Minow, told a House committee last month: "˜A company that had $7 billion in losses after becoming embroiled in the global credit crisis had a risk management committee that did not understand or manage its risk.'"

What should the board and senior management do to address these risks proactively?

The first step could be to specifically have someone monitor developments in the governance and risk management area and to raise issues proactively and suggest potential management actions. This would be especially important for potential Government regulations, but of equal importance would be the monitoring of potential law suits. This could be performed by a risk manager in conjunction with general counsel and the regulatory compliance group.

The second step could be to assess the current state of governance, risk and compliance. Future blogs in this series will address factors to be considered in this review; however the first steps could be taken quickly. As part of this review, consideration could be given to the timeliness of risk management reporting "" including escalation of important issues. I suggest that the automation of GRC could address the timeliness issue and the review should include the reporting of significant issues to board members between board meetings.

Watch our blog in coming weeks to learn more about our thoughts on managing risk across the enterprise.

Published: November 23 2008, 05:50 AM | no comments
by Bill Manago

It's good to be back from the show, but I have to say, overall, we had a great time meeting customers, sharing ideas and talking about eDiscovery. In fact, the E-Discovery Summits were among the key Information Governance sessions at CA World 2008. Topics included:

"¢ eDiscovery Case Law Update - What are the latest cases affecting your eDiscovery
"¢ In-House Concerns- What About eDiscovery is Specific to Corporate Lawyers
"¢ The Infrastructure Approach to Preservation
"¢ Mock Deposition - IT Takes the Stand
"¢ Privacy et. al.- eDiscovery for Transnational Organizations
"¢ Hot Topics - What is the Worry of the Month in eDiscovery?
"¢ Assets Feed You, Liabilities Eat You-Making Reactive eDiscovery Efforts Pay Off

The sessions emphasized the roles of legal, IT, and records managers in the collaborative effort to search, find, produce, manage, and protect content, especially electronically stored information (ESI) that is deemed responsive to a discovery order or to anticipated litigation. The tools, policies, and procedures needed for effective, cost efficient, and repeatable discovery were discussed from every angle

To me, as a records manager, all of the collective knowledge and experiences of the gifted speakers could be summed into one word "“ consistency!

While the value of well thought out polices and procedures is clear, the summit underscored the fact that policies, procedures, and processes are of little value if they are not practiced consistently across the enterprise. Organizations must ensure that every employee who may be potentially involved in a discovery are well versed on the policies and procedures and, just as importantly, that they consistently apply and adhere to those procedures.

In the Mock Deposition session, we learned just how critical it is to be able to:

"¢ Clearly describe the organization's records and information program, policies, and procedures
"¢ Provide proof that the policies and procedures are updated periodically
"¢ Provide evidence that destruction of data is performed as a normal course of business and in accordance with an established records retention schedule
"¢ Provide evidence of employee training and compliance with retention and legal hold policies and procedures
"¢ Provide evidence that all of the above, is consistently practiced throughout the enterprise

Organizations with a mature records management program, also have a vital records programs and disaster recovery programs. Organizations that may find themselves involved in litigation should also have programs designed to prepare and practice for discovery depositions. We learned that if you are being deposed, on behalf of your company, you need to be prepared to explain and defend the organization's information governance policies and procedures. You may not be able to successfully defend those polices and procedures that are not consistently applied and practiced throughout the enterprise.

If you were to be deposed today, can you articulate polices and procedures as they are practiced throughout your company today? Can you convince a judge that your company has operated in "good faith" when it comes to safeguarding and producing information required for discovery? Are your Information Governance policies and procedures practiced consistently throughout the enterprise? If you cannot assure a court that Information Governance is consistently applied, the consequences could be costly. Consistency is key.

Published: November 20 2008, 12:48 PM | no comments
by CA GRC Blog Admin

Published: November 20 2008, 12:44 PM | no comments
by CA IG Blog Admin

Earlier this week we posted about Allan Peterson, who is part of an awareness campaign about CA governance solutions. Well, Allan was a huge hit at CA World this year, showing up all over the exhibit hall and sharing five very special buttons with attendees. Attendees who collected all five buttons were eligible for prizes and believe me, the collecting frenzy was in full swing. The hardest button to collect was the green, True View, button and was so coveted that the joke was that we could sell them on eBay starting at $10 and we'd make a killing! Each day at noon when the redemption booth opened the lines were long...longer than even we anticipated. Attendees wore the buttons on their lanyards, pinned them to suit jackets and the straps of CA World backpacks.

Our governance counterparts on the Governance, Risk and Compliance (GRC) team sponsored tours of the Venetian's IT department and the tour guide was especially interested in the button that read "I ♥ AP" The guide's name was Alan Pritchard and he was very happy to receive one of our team member's extra buttons.

But the real winner, it turns out, was Allan Peterson himself. Check out some of the great photos of his tour of CA World!

The Information Governance team is now on their way back from another successful CA World. Over the next few days we'll be posting CA World findings from the team, session reviews and more great trend discussions.