CA Community







February 2009 - Posts

Video Blog: Information Security and eDiscovery

Published: February 27 2009, 10:19 AM | no comments
by Pete Pepiton


CA's Pete Pepiton talks with Ron Hedges at Nixon Peabody about the importance of combining an information security and eDiscovery strategy.
























By: Pete Pepiton
Pete Pepiton is the eDiscovery Solutions Director, inside the Information Governance group at CA. Pete has 15 years of experience in delivering professional services, both as a practicing attorney and the owner of several document management companies, helping large corporate clients address, process...

Now is the Time to Manage Email Chaos

Published: February 26 2009, 12:19 PM | no comments
by Mark MacDonald


We all see the numbers concerning the exponential growth of Electronically Stored Information (ESI). A recent report by Michael Knight of content manager.com states that unstructured content will see an annual growth of between 65% and 200%. At rates like these, organizations will shortly become overwhelmed with stored content. At the same time, legal and regulatory obligations make it critical that the right content is accessible in the event of litigation or audit.


Since a large percentage of unstructured content is email and other messaging data, there is bound to be a lot of extraneous content. This can range from messages with absolutely no business value ("I'll meet you in front of the building for lunch") to critically important business decisions ("Make sure that all safety procedures are followed to the letter"). So how do you go about saving what matters and discarding the rest?






The best way to handle this situation is through a consistent and disciplined retention and disposition policy. There is no formal standard outlining what content to save and how long to save it. In fact the amended Federal Rules of Civil Procedure (FRCP) only state that organizations implement or update document retention policies to include Electronically Stored Information (ESI). What the courts want is a documented retention and disposition policy and proof that it is followed consistently.



So if your policy is to keep email for five years, and you have vast amounts of email that is older than that, it is acceptable to gather up and delete the old content. If you wait and are hit with a Discovery obligation tomorrow, it's not as simple, because you're obligated to save anything that might be relevant to impending litigation, and there could be something in that old email.



So for email, as well as other content, now is the best time to get your house in order, while there is nothing to require you to keep the content. You'll spend less time and money keeping content you have no business reason to keep, and in the event of litigation or a compliance audit, you'll have far less content to search through and review.



By: Mark MacDonald
Mark MacDonald is a senior product marketing manager at CA’s Information Governance Division. Mark has over 16 years in the software security industry, having been in roles ranging from product manager to field marketing in Asia/Pac, for Bay Networks, Nortel, and Enterasys Networks. Mark has a...

Using Risk Management as a Starting Point for GRC

Published: February 26 2009, 08:15 AM | no comments
by CA GRC Blog Admin


In the February issue of the CA Advisor: Governance Edition, I've covered an important issue we hear from many of our customers - where should you start with your GRC program?

There are many potential answers to that question, and what makes the most sense for your business directly correlates to your specific priorities and what you have for short-term needs and long-term goals. But, there is one thing that generally applies to most companies embarking on a GRC initiative, which is that it's OK to take a phased approach - you don't have to implement the G, the R and the C all at the same time.

When talking with our customers, this insight usually comes as good news! We know it can feel overwhelming at first - particularly if you're really looking under the covers at the people, process and technology to help ensure your GRC solution best matches your needs - but most of the time, slicing off one piece will set you on the right path.

In my latest Advisor article, I specifically point out some of the advantages of starting with risk management - the R in GRC. Take a look at the complete article for the full detail, but here's a quick overview of why risk management is a logical starting place:



  1. Effective risk management is top of mind given the recent financial crisis and fall-out




  2. Improved risk management can have important financial benefits, now that Standard & Poor's includes it as part of their overall corporate evaluations (see a past post on this topic here)



  3. Visibility into overall risks can help you make more informed business decisions - helping to sort out which risks to avoid and which ones to take



  4. Visibility also gives you insight into downstream effects of various decisions



  5. By properly identifying, managing and mitigating risk you can earn competitive advantage for your company




Even if you choose to pick one area as a starting place, like risk management, I always advise companies to have a clearly defined vision showing how GRC will deliver short- to mid-term value to your organization. The long-term benefits can be profound, but given our economic climate today, most projects need to have demonstrable short-term benefits to get approval.

Another important tip - developing a common GRC lexicon is a must. You want to be sure all stakeholders speak and understand the same language - helping to spare a lot of pain once you get further along in your implementation. The next logical step is to have common practices and procedures for the key elements of risk management - risk identification, assessment, and mitigation. If each organization has different processes for doing risk management, it will be much harder to gain visibility into the total enterprise risk profile. Common terminology, processes, and procedures imply a common risk management platform across the enterprise. This is a whole topic unto itself, but it is the foundation of improved enterprise risk management.

By focusing on one area - such as risk - when implementing GRC, it will be easier to show the rewards of the initiative and get buy-in for the entire project. The end goal should be a unified and centralized GRC management platform. But in many cases addressing one element at a time can set your team on the best path for success and help the group see the true benefits of the GRC program.

Check out my article in the February issue of CA Advisor: Governance Edition, and feel free to share your thoughts in the comments to this post.

By: CA GRC Blog Admin
The CA GRC Blog Admin helps keep content fresh on the site when the bloggers are on the road and disconnected from their laptops. The Blog Admin also makes sure subscribers receive their email updates, information about comments and that blog features and widgets are working properly day and night.

Bill Manago Wins Infonomics "Life in ECM" Contest

Published: February 24 2009, 10:50 AM | 2 Comment(s)
by Reed Irvin


The team here is pretty excited about our own Bill Manago, the director of our records management practice, for penning the winning entry of a recent Infonomics Weekly contest about "Life in ECM." Here is the entry, which was chosen for the top spot by Infonomics readers:
I was at a store purchasing 25 small plastic buckets for a class I teach on the "Big Bucket vs. Small Buckets" theory of retention management. A little girl, about 5 years old, sat in her mother's shopping cart in an adjacent line. She pointed at the buckets and asked if I had that many kids. I laughed, said no and that I was buying them for a class I was teaching at work. She turned to her mommy and said "that man works at the playground and he gets paid to play in the sand. Can daddy get a job like that?"

For his efforts, Bill will receive an Infonomics hoodie and "the adulation of the masses." Congrats Bill!

By: Reed Irvin
Reed Irvin is VP of product management for Information Governance at CA, responsible for CA’s records management and discovery solutions. Reed has nearly 20 years of experience in various aspects of records management and information governance. He founded On-Line Records Storage, one of the first commercial...

Video Blog: What Happens to Risk Management in a Challenging Economy?

Published: February 24 2009, 03:10 AM | no comments
by Allan Gajadhar


In the latest in our video blog series, Allan Gajadhar shares his thoughts on how the challenging economic conditions are impacting, or could impact, risk management and GRC efforts.




By: Allan Gajadhar
Allan Gajadhar is a specialist in governance, with over 15 years of technical management experience. Allan is currently Director of Technical Sales for GRC Manager, with responsibility for Governance solutions across multiple industries, with a particular focus on the Public Sector. Allan has significant...