Information management at the crossroads: Is it time for Corporate Information Responsibility?

Exponential data growth, new media formats, emerging technologies, increasingly stringent regulation and changing business needs are transforming the information landscape beyond recognition. At the same time, our ability to derive value from information and transform raw data into knowledge is opening up new market opportunities that businesses cannot afford to ignore.

The statistics are breath-taking. We now create as much information every two days as we did from the dawn of civilisation to 2003. In 2011, there were more than 788 million corporate email accounts worldwide – a fifth of them in Europe– generating and disseminating information. Social media is chalking up the numbers fast, both in terms of accounts and content that runs into the billions. Every month, 30 billion pieces of content are shared on Facebook and 25 billion tweets are posted on Twitter.

As with any fast-moving field, contradictions and inconsistencies abound. Consumers willingly share personal details, but are passionate about protecting their privacy. Companies want to engage with customers using social media but are terrified of losing control, not to mention the legal, regulatory and record-keeping requirements that these new channels present. Organisations want to extract maximum value and insight from their information. Yet they fail to impose order on a landscape that includes structured and unstructured information that exists in physical and digital formats (often both) – all located in different parts of the organisation and subject to different rules and processes. All too often, a business tries to minimise risk by building a digital fortress around its data, only to witness sensitive information walking out of the door on paper or left by the printer for anyone to see.

These challenges and opportunities can significantly increase information risk. Research[iii]undertaken across Europe by Iron Mountain and PwC reveals that many European businesses are woefully unprepared to address such risk.

The study shows that just half of mid-market businesses in France, Germany, Hungary, the Netherlands, Spain and the UK consider information risk to be one of their top three business risks. There is also considerable inconsistency around who is or should be responsible for information risk. Only 13 per cent consider information risk to be a boardroom issue, while around a third (35 per cent) view all information risk – whether related to paper or digital information – as the responsibility of the IT department. Just one per cent of businesses consider information risk to be the responsibility of every employee.

Such overwhelming evidence of a lack of internal measures to adequately address external pressures should be sounding alarm bells across Europe. We could be losing control of the information tsunami at the time we can least afford to do so. This is not good news at a time when new EU data protection legislation, announced in January, is set to add an additional burden of accountability and obligation to all businesses.

The need for professional information management within business has never been greater. Corporate Social Responsibility, ‘CSR’, grew out of a growing demand for organisations to be held to account for their environmental and social values, actions and impact. We believe the time has now come for organisations to hold themselves to account for the way they handle and manage information. Organisations of all sizes need to demonstrate a formal commitment to safeguarding information assets including confidential customer, employee and business data. We call this commitment “Corporate Information Responsibility” (CIR).

CIR is about establishing a company-wide culture of respect for and protection of information, maximising its value and minimising the risk of data loss, security breaches and non-compliance.

CIR is about visibility and control. You need to know what information you are creating, collecting, processing and storing; where it is at any moment in time; who is accountable for it and what the plans are for secure storage and legally compliant destruction at the end of its journey. The back-up of digital information, archiving of paper documents, scanning, shredding, day-to-day storage – on or off site, with or without a third-party provider – as well as search, retrieval and access restrictions are all vital elements that should form part of a robust, company-wide information management plan.

CIR is about understanding and being prepared for risk. Unexpected things will happen. Fire, flood, conflict, crime, an accidental data breach or the failure of the IT infrastructure are all potential disasters that could strike your business suddenly and with serious consequences for your information assets. CIR is about acknowledging the threats and preparing for the worst, in order to ensure fast recovery, business survival and the protection of corporate reputation, customers and staff.

Whether or not your plan succeeds will depend on people. Managing information is not simply an IT or business process issue; it’s about culture and people. People produce most of your information, and it’s usually people who are going to lose or misuse it. It is essential that you get every employee on board.

Achieving a culture of information responsibility requires training and support. Most of all it requires backing of senior-level executives. The drive and direction for responsible information handling must come from the very top of the business and be backed up by example. How information is managed has become a Board Room issue, not just in terms of developing and disseminating company-wide policies, but as an example of best practice in information handling and accountability that sets the tone for the whole business.

In today’s increasingly knowledge-based global economy, the success or failure for your business could depend on how you manage your information. Imagine the impact on your company of having instant access to all the value and intelligence stored in your information. Now imagine what would happen – to your competition, your data-dependant business processes, your customer service and brand reputation – if that information were damaged, exposed, lost or destroyed.

Corporate Information Responsibility is about fostering a culture of care for information, underpinned by reliable business processes that treat information as an asset not a liability. We call on European businesses to make this commitment.