
Good Information Governance

The sheer volume of information is increasing and the problem will get worse in the future. Organizations must properly manage their data to satisfy legal and regulatory obligations, improve employee productivity, and reduce risks. Information governance helps address these challenges by establishing practices to properly store, retain, find, and delete information. This reduces costs and improves compliance, security, and user productivity.

Uploaded by

David Gulua

Osterman Research

WHITE PAPER

White Paper by Osterman Research


Published July 2019
Sponsored by Netwrix

Practical Steps to Establishing Good Information Governance

Executive Summary
Most organizations struggle with how to manage the enormous volumes of
information they have today, but the problem is going to become much more difficult
in the future as both the number of new data types and the volume of data increase.
To get a handle on these problems, decision makers should implement an information
governance program that will help to properly manage their data; enable their
organizations to satisfy their legal, regulatory and best practice obligations; enable
improved employee productivity; and reduce the overall corporate risk associated
with improper information management.

KEY TAKEAWAYS
• Information volumes are increasing
The sheer volume of information is increasing and managing it will get worse in
the future because of the growing volume of data types that organizations retain
today, because they will need to retain new data types in the future, and
because good information governance practices are lacking in many
organizations.

• Information is stored in many systems


Corporate data is distributed across a wide and growing range of platforms,
including email, secure file transfer systems, file shares, desktops, laptops,
mobile devices, employee-managed data repositories, collaboration platforms like
SharePoint and Slack, and many other venues. Some of this data is under the
control of corporate IT, but not all of it.

• The obligations to manage information properly are difficult to satisfy
Organizations must retain, find and produce information for a variety of reasons,
including early case assessments, eDiscovery, regulatory compliance and to
increase employee productivity. However, new obligations, such as the ability to
satisfy privacy regulations, are adding to organizations’ obligations to retain,
produce and delete data, putting additional strain on current information
management practices.

• Most corporate data is not necessary
One study found that 60 percent of corporate data has no “business, legal or
regulatory value,” but is being retained anyway[i]. This adds to storage costs;
makes eDiscovery more difficult, time-consuming, and expensive; and makes it
more difficult to find the information that is actually necessary.

• There are four key metrics to consider
The metrics to consider in the context of information governance are storage
costs, defensible deletion, end-user productivity, and litigation support and
eDiscovery.

• Information governance reduces costs


A properly established information governance program will significantly reduce
costs and can provide a significant return-on-investment (ROI). Even if “soft”
costs like improvements in employee productivity are not considered, information
governance still provides a good ROI.

ABOUT THIS WHITE PAPER


This white paper was sponsored by Netwrix; information about the company is
provided at the end of this paper.

©2019 Osterman Research, Inc. 1



The Challenges
Information is the lifeblood of most organizations and it is becoming more important
over time. This section addresses some of the many challenges in dealing with
information.

ADDRESSING THE GROWING FLOOD OF INFORMATION


Organizations are flooded with information. Just how much of a flood
this has become is illustrated by Domo’s “Data Never Sleeps” infographic[ii]. The 2018
version shows that every 60 seconds 12.9 million text messages are sent, 473,400
tweets are sent, and Skype users make 176,220 calls. Moreover, Statista published
data showing that in 2018 more than 280 billion emails were sent worldwide[iii]. In all,
more than 2.5 quintillion bytes (2.5 exabytes) of data are created every day[iv].

In short, we create, store and transfer lots of information and the volume of data
continues to grow, the vast majority of it unstructured. Moreover, organizations are
creating and storing a variety of new information types in addition to the traditional
sources like emails and files, such as social media posts, text messages, videos,
voicemails, data from Operational Technology (OT) devices and sensors, etc.

ADDRESSING REGULATORY COMPLIANCE


The majority of nations require the retention of various types of records, dictating the
type of information to be retained, for how long, and sometimes the form of this
information. The retained information has to be treated carefully to avoid
consequences not unlike those experienced in legal cases in which spoliation of
evidence can occur. Regulatory obligations are stricter for certain types of
organizations, such as those that participate in the financial services industry,
healthcare, or government, but all organizations in all industries have some level of
regulatory obligation that they must satisfy.

It’s important to note, however, that there is a flip-side to retention – namely, the
ability to find and delete information when needed. For example, the European
Union’s General Data Protection Regulation (GDPR) contains provisions that enable
citizens or residents of the European Union to request from a company a copy of any
and all information that the company might have on them (a Subject Access
Request), and to have this information deleted if the company has no legal or
regulatory obligation to retain it (the “right to be forgotten”). While organizations
have obligations to retain data, they also have obligations to delete it.

ADDRESSING THE SECURITY OF INFORMATION
Every organization must protect its sensitive and confidential data assets, most
notably its intellectual property, personally identifiable information (PII), and
protected health information (PHI) at rest and when it is transferred. These
requirements have become significantly more important in recent years as data
breaches have become much more common, and as privacy regulations have been
implemented that carry with them often draconian penalties for breaching sensitive
data. As just one example, the GDPR can impose a penalty of up to four percent of
an offending organization’s annual revenue for a breach of sensitive information.

The intellectual property of an organization represents a potentially enormous
investment by the organization. Leaks of this information through theft or accidental
disclosure can cost an organization millions of dollars in lost revenue, loss of
shareholder equity, loss of market share, loss of ownership of the breached data, and
ongoing damage to its reputation.

ADDRESSING USER PRODUCTIVITY


Information governance is also essential to maintain user productivity. Organizations
that do not provide robust search capabilities for their users can find themselves in a
situation in which their users spend inordinate amounts of time searching for
information that could otherwise be readily available. For example, one study found
that the typical employee spends 1.8 hours per day searching for and gathering
information[v]. If we assume a fully burdened salary for the typical information worker
of $60,000 annually, then $12,981 of that salary is paid simply for that worker to find
information. Moreover, additional productivity can be squandered from inefficient
search practices and the re-creation of data when retained information cannot be
found.

ADDRESSING STORAGE BLOAT


Storage bloat is another issue that good information governance can address by
minimizing duplicate data and eliminating information that no longer needs to be
retained. While storage itself is relatively inexpensive and its cost continues to fall,
the implications of increased storage are not so inexpensive: higher IT labor costs to
manage storage, longer backup and recovery times, higher legal costs for attorneys
and paralegals to pore through irrelevant information, greater difficulties in satisfying
regulators’ demands for timely production of information, and so forth.

DEFENSIBLY DISPOSING OF INFORMATION


The Compliance, Governance and Oversight Council published results of its
benchmark survey comparing results in 2010 and 2018 and found that 60 percent of
corporate data has no “business, legal or regulatory value”[vi]. While this result is
better than the 2010 result of 69 percent, it means that only four in ten of the bits
currently retained by organizations actually have value to them. Moreover, the survey
found that while the percentage of organizations with a consistent, defensible
deletion program grew from 22 percent in 2010 to 33 percent in 2018, fully two-thirds
of organizations do not yet have a mechanism in place to reliably delete data
that they no longer require.

The research we conducted for this white paper found that 77 percent of
organizations regularly dispose of information from their file shares and 74 percent
do so from their email archives, but defensible deletion is much less common for
other types of data.

These results have important implications: they mean that most of the information
retained by organizations is unnecessary, but many organizations aren’t addressing
the problem. Retaining this data adds needlessly to storage costs, and it makes
searching for the remaining information that actually is valuable that much more
difficult.

ADDRESSING eDISCOVERY AND LITIGATION SUPPORT


Being able to search for, find, secure, and produce information when requested by a
court as part of an eDiscovery order is an essential capability. If not addressed
properly, with the right processes and technologies, it can cost an organization
enormous sums in higher legal costs, adverse judgements, lost revenue, and damage
to its reputation. At its core, an effective eDiscovery process is dependent on good
information governance. The costs and risks associated with eDiscovery increase when
an organization does not have control of its data and cannot find all of the requested
information for a lawsuit within the timeframe permitted by the court, or if it finds too
much data and must pay to process useless information, or cannot find all relevant
information.

The tendency is for organizations to over-collect information as a mitigation against
under-collection, but this drives up legal costs because of the need to review
irrelevant information. In larger cases, over-collection can add millions of dollars to
each case, while under-collection can result in cases being lost because of spoliation
or hiding of evidence. Good information governance is essential to prevent both
situations and to produce the right amount of relevant information in a timely
manner.


The Key Metrics


There are a number of important metrics to consider in the context of establishing
and maintaining a robust information governance program:

• Storage costs
Storing information that is not necessary obviously drives up storage costs, but it
also makes it more difficult and more costly to find the minority of information
that is necessary to produce for legal, regulatory, employee productivity, and
other considerations. A good information governance program can significantly
reduce the cost of storage in the short term and can result in slower growth in
storage costs over the longer term.

• Defensible deletion
Key to the ability to reduce data volumes is a defensible deletion program that
will allow decision makers to safely delete unnecessary information. It will not
only reduce storage costs, but also reduce costs through fewer documents being
identified as potentially responsive during eDiscovery and litigation review.

• End-user productivity
As noted earlier, employees spend a significant amount of their day searching for
old information for reuse and reference. When they cannot find the data they
need, they often will recreate the data they couldn’t find, wasting their time on
duplicating information that is “somewhere” in the organization. A good
information governance program can ensure that data can be found quickly,
eliminating the need to recreate lost information.

• Litigation support and eDiscovery
The growing volume of electronically stored information makes it very difficult for
end users to find and properly categorize all of this information, and so poor
information governance practices will drive up the cost of data collection in
response to an eDiscovery request. As noted above, the problem is exacerbated
by the tendency to over-collect information for fear of spoliation and the
significant consequences that can result. That drives up the cost of the data
review process and makes it more difficult to meet production demands in a
timely manner.

The process of eDiscovery review involves reviewing all of the potentially
responsive documents to determine if they are actually responsive to the case, or
are privileged or confidential and, therefore, not subject to production. Because
data preparation for document review costs roughly $150 per gigabyte,
document review hosting costs $20 per gigabyte per month, and document
review is about $1.00 per document[vii], a good information governance program
that culls out unnecessary data can dramatically reduce the cost of the
eDiscovery process.

In the next section, we will examine the costs for each of these areas without good
information governance in place, and in the section after that focus on how
information governance can reduce these costs significantly.

The Cost of Poor Information Governance
In this section, we will consider the costs of various aspects of information
management in the absence of good information governance practices.


MEASURING THE COST OF STORAGE BEFORE INFORMATION GOVERNANCE
Storage is cheap, but storage management is not. While enterprise storage systems
can be procured for as little as $100 per terabyte or less, consider that the actual
storage cost is several multiples of the procurement price:

• Redundancy and high availability will require at least 30 percent overhead, and
so 50 terabytes of usable storage will require the purchase of at least 65
terabytes of total storage.

• Add in the cost of labor to evaluate, purchase, deploy, configure and maintain
these systems.

• Add in the cost of space to house these systems and their power and cooling
requirements. For example, a Dell EMC Isilon X210 chassis consumes 400 watts.
At 12 cents per kilowatt-hour, that translates to about $420 per year in electricity
costs.

• The replacement cost of storage systems must also be considered, since a
spinning disk does not run indefinitely.

The result is that the actual cost of storage is many multiples higher than its initial
procurement cost. As shown in Figure 1, the estimated storage usage and savings
over a five-year period can be calculated based on these assumptions.

Figure 1
Assumptions for Calculating Email, File System and SharePoint Storage

| Description | Value |
|---|---|
| Total employees in year 1 | 2,500 |
| Average size of an email | 50Kb |
| Average number of emails sent and received daily per employee | 100 |
| Expected rate of increase or decrease in the number of employees per year | 5% |
| Annual growth rate in the average size of email messages (including attachments) | 15% |
| Annual growth rate in the average number of emails sent and received daily per employee | 5% |
| Estimated annual change in the cost of storage | -20% |
| Expected annual growth rate of file system storage requirements | 15% |
| Expected annual growth rate of total SharePoint storage requirements | 10% |
| Fully burdened Tier 1 storage cost per gigabyte | $15.00 |
| Fully burdened Tier 2 storage cost per gigabyte | $12.50 |
| Average number of workdays per year | 250 |

Source: Osterman Research, Inc.

Based on these assumptions, the five-year cost of email storage is shown in Figure 2.


Figure 2
Email Storage Calculations Over Five Years

| Costs | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Total number of email boxes | 2,500 | 2,625 | 2,756 | 2,894 | 3,039 |
| Average size of emails (Kb) | 50 | 58 | 66 | 76 | 87 |
| Average number of emails sent and received daily per employee | 100 | 105 | 110 | 116 | 122 |
| Total estimated disk storage for email per year (Tb) | 2.91 | 3.72 | 4.66 | 5.94 | 7.51 |
| Total estimated disk storage for email per year | $81,956 | $83,851 | $83,959 | $85,647 | $86,625 |
| Cumulative cost of email disk storage | $81,956 | $165,808 | $249,767 | $335,414 | $422,039 |

Source: Osterman Research, Inc.

In order to determine the total cost of resources used for file system storage, we
multiply the amount of storage consumed by the file system by the fully loaded cost
per gigabyte of the storage tier used. It’s important to note that file system storage
includes a range of solutions, including traditional file shares, secure file transfer
systems, cloud-based file storage and the like.

In this example, we are assuming 30 terabytes of Tier 1 storage, and so the cost
calculation for Year 1 would be:

30 terabytes x $15.00/Gb x 1,024 = $460,800

Figure 3 shows file storage costs for a five-year period.

Figure 3
File System Storage Calculations Over Five Years

| Costs | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Total file share storage requirements (Tb) | 30.0 | 34.5 | 39.7 | 45.6 | 52.5 |
| Total file share storage requirements (Tb, cumulative) | 30.0 | 64.5 | 104.2 | 149.8 | 202.3 |
| Total annual cost of file share storage ($ millions) | $0.461 | $0.424 | $0.390 | $0.359 | $0.330 |
| Cumulative cost of file share storage ($ millions) | $0.461 | $0.885 | $1.275 | $1.634 | $1.964 |

Source: Osterman Research, Inc.


As a next step, we estimate the amount and cost of storage consumed by the various
SharePoint repositories. First, we determine the total number of SharePoint
installations, the average volume of storage used for each SharePoint instance, and
the storage tier used. In this example, there are 13 SharePoint repositories with an
average of 400 gigabytes in each Tier 2 storage repository. The SharePoint storage
calculations are:

400 gigabytes x 13 repositories = 5.2 terabytes in Year 1

Consequently, the cost of that storage would be 5.2 terabytes multiplied by $12.50
per gigabyte, or $66,560 in Year 1. Figure 4 below shows the calculations for both
the storage in use and its cost over a five-year period.

Figure 4
SharePoint Storage Calculations Over Five Years

| Costs | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Total SharePoint storage requirement (Tb) | 5.2 | 5.7 | 6.3 | 6.9 | 7.6 |
| Total SharePoint storage (Tb, cumulative) | 5.2 | 10.9 | 17.2 | 24.1 | 31.7 |
| Total annual cost of SharePoint storage | $66,560 | $58,573 | $51,544 | $45,359 | $39,916 |
| Cumulative cost of SharePoint storage | $66,560 | $125,133 | $176,677 | $222,036 | $261,951 |

Source: Osterman Research, Inc.

The combined storage costs of email, file systems and SharePoint are shown in
Figure 5.

Figure 5
Total Storage Costs by Year
Millions of Dollars

Source: Osterman Research, Inc.


Please note that the assumption we have made in the analysis above is that no data
is deleted over the five-year period, and there are no limits on the consumption of
storage.

MEASURING THE COSTS OF EMPLOYEE PRODUCTIVITY BEFORE INFORMATION GOVERNANCE
Employees spend lots of time managing information, which includes reading,
forwarding, copying, filing and deleting emails and attachments; managing
information in SharePoint, Slack and other collaboration solutions; managing data on
file shares and in various cloud-based repositories and the like. Employees can expect
to spend up to eight hours per week in these types of information management
activities.

As noted earlier, employees also spend significant amounts of time searching for
information. Since most organizations don’t actively manage their employees’ data,
individual employees are typically left to decide how best to store the information
they decide to keep. The survey conducted for this white paper found that 87 percent
of organizations rely on employees to categorize and file their own digital
information, but only 53 percent of organizations provide guidelines to their
employees on how to do this. Over time, many employees forget where they stored a
particular file and so will conduct a hit-and-miss keyword search. These searches do
not normally produce the desired content right away because of the use of weak
search applications available to the employee, the use of incorrect search terms, and
forgotten data repositories. These searches can negatively impact employee
productivity, particularly if the average employee searches for old information on a
regular basis.

We have made the assumptions shown in Figure 6 for a pre-information governance
environment, showing the amount of time that employees search for information and
their success in doing so.

Figure 6
End User Productivity Assumptions

| Description | Variables |
|---|---|
| Average number of hours per week spent managing email/files/SharePoint records | 2.0 |
| Number of times per year the average employee searches for old email/files/records | 16 |
| Average minutes spent searching for old email/files/records, per search | 30 |
| Average percentage of success in finding old email/files/records | 60% |
| Average time spent per email/file/record (in hours) recreating the content the search did not turn up | 1.0 |
| Average annual fully burdened employee salary | $60,000 |
| Average annual salary growth | 3.5% |
| Work weeks per year per employee | 50 |

Source: Osterman Research, Inc.

Based on these assumptions, we calculate that the cumulative investments in time
and cost for employee efforts to manage and search for information will be as shown
in Figure 7.


Figure 7
Per-User Productivity Loss Calculations by Year Without Information
Governance

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Productivity loss per year per employee in hours managing files (cumulative) | 100 | 200 | 300 | 400 | 500 |
| Productivity cost per employee in hours per year searching for old email and files (cumulative) | 8.0 | 16.0 | 24.0 | 32.0 | 40.0 |
| Productivity cost per employee in hours per year recreating old data not found (cumulative) | 6.4 | 12.8 | 19.2 | 25.6 | 32.0 |
| Total employee productivity loss (hours) | 114.4 | 228.8 | 343.2 | 457.6 | 572.0 |
| Cumulative employee productivity loss in dollars | $3,300 | $6,716 | $10,251 | $13,909 | $17,696 |

Source: Osterman Research, Inc.

SUMMARY OF COSTS BEFORE INFORMATION GOVERNANCE
Figure 8 summarizes the costs of eDiscovery and litigation support, storage, and
employee productivity before the implementation of an information governance
program.

Figure 8
Cumulative Costs Without Good Information Governance in a 2,500-User
Organization
Millions of Dollars

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| eDiscovery review | $3.60 | $7.39 | $11.36 | $15.53 | $19.91 |
| Email storage | $0.08 | $0.17 | $0.25 | $0.34 | $0.42 |
| File system storage | $0.46 | $0.89 | $1.28 | $1.63 | $1.96 |
| SharePoint storage | $0.07 | $0.13 | $0.18 | $0.22 | $0.26 |
| Employee productivity | $8.25 | $16.79 | $25.63 | $34.77 | $44.24 |
| TOTALS | $12.46 | $25.35 | $38.69 | $52.50 | $66.80 |

Source: Osterman Research, Inc.

MEASURING THE COST OF LITIGATION SUPPORT AND eDISCOVERY BEFORE INFORMATION GOVERNANCE
Successful and cost-efficient eDiscovery depends on the collection of all potentially
responsive content, regardless of its location, so that it can be reviewed for privilege
and relevancy prior to being turned over to opposing counsel. That means that for
most organizations the document review process is the most time-consuming and
expensive part of eDiscovery, making it important to avoid over-collecting data.


However, because of poor indexing and management of data, those charged with
eDiscovery typically will collect too much information and then later cull out the
irrelevant data or that which cannot be produced as part of the eDiscovery order.

A typical eDiscovery effort includes conducting a keyword search of the various data
repositories for relevant content within a target date range. The average for initial
data collection is roughly three to five gigabytes of data per custodian.

The cost of eDiscovery collection and review is relatively high in most cases because
of the large volume of data that must be culled, processed and reviewed. To
determine if an information governance program would reduce an organization’s
eDiscovery costs, it must first understand the details of its current eDiscovery
processes. To better show the details of eDiscovery costs, Figure 9 details some
assumptions and costs for eDiscovery.

Figure 9
eDiscovery Cost Assumptions

| Description | Value |
|---|---|
| Assumptions | |
| Number of discovery requests per year | 6 |
| Number of custodians per discovery request | 20 |
| Gigabytes of data per custodian | 3.5 |
| Average number of document pages per gigabyte | 12,000 |
| Average culling percentage (cull rate) | 45% |
| Number of documents that a reviewer can process per hour | 50 |
| Hourly billing rate for a legal reviewer (average of attorney and paralegal) | $65.00 |
| Annual salary increase for legal reviewers | 5% |
| Calculations | |
| Total gigabytes of data per eDiscovery event (pre-culling) | 70.0 |
| Total gigabytes of data per eDiscovery event (post-culling) | 38.5 |
| Total documents per eDiscovery event (post-culling) | 462,000 |
| Hours spent on document review | 9,240 |
| Costs | |
| eDiscovery review per event | $600,600 |
| Total annual eDiscovery review | $3,603,600 |

Source: Osterman Research, Inc.

The Cost Savings and ROI of Good Information Governance
Much of the savings that result from a robust information governance program will
come primarily from two areas:

• Storage savings
The ability to deduplicate content and defensibly dispose of information are the
two primary ways that information governance results in storage savings. A good
information governance program will enable an organization to identify expired,
unnecessary and useless data, and to delete this content safely. This will free up
storage resources that then can be redeployed, delaying the purchase of new
storage systems.

For the following analysis, we will conservatively assume that only 40 percent of
data can safely be deleted without negatively impacting the organization, and
that 10 percent of data is duplicated and can be disposed of without
consequence. Combining these, we assume that 50 percent of data can be safely
deleted.

Shown in Figure 10 is the anticipated cost savings for email, file system and
SharePoint storage based on the assumptions for defensible deletion and
deduplication noted in the paragraph above.

Figure 10
Storage Savings Arising from Good Information Governance
Millions of Dollars

| Costs | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Email storage | $0.04 | $0.08 | $0.12 | $0.17 | $0.21 |
| File system storage | $0.23 | $0.44 | $0.64 | $0.82 | $0.98 |
| SharePoint storage | $0.03 | $0.06 | $0.09 | $0.11 | $0.13 |
| TOTALS | $0.30 | $0.59 | $0.85 | $1.10 | $1.32 |

Source: Osterman Research, Inc.

• Litigation support and eDiscovery savings
There are two rules of thumb in eDiscovery response:
o A general lack of information management across the enterprise translates
to more time spent searching for and reviewing potentially relevant content.
o The more electronic content you have, the higher the cost of collection and
review.

eDiscovery savings will come from two areas: data collection and data review.
Both of these are influenced by the volume of potentially discoverable data
floating around an organization. The more unnecessary data that can be
removed from the organization before a discovery request is received, the less
data will have to be collected, culled and reviewed. Studies have
demonstrated that much of the data collected and reviewed during discovery
should not have been available to discover and would have been removed and
not included in the search and collection process if effective information
governance had been available.

Figure 11 shows the cost savings that result from an information governance
program’s reduction in storage and resulting eDiscovery effort.


Figure 11
Total Estimated eDiscovery Savings

| General Assumptions | Before IG | After IG |
|---|---|---|
| Number of discovery requests per year | 6 | 6 |
| Number of custodians per eDiscovery event | 20 | 20 |
| Gigabytes of data per custodian | 3.50 | 1.75 |
| Total gigabytes of data per eDiscovery event (pre-culling) | 70 | 35 |
| Average culling percentage – cull rate | 45% | 45% |
| Total gigabytes of data per eDiscovery event (post-culling) | 38.5 | 19.3 |
| Average number of documents per gigabyte | 12,000 | 12,000 |
| Total documents per eDiscovery event (post-culling) | 462,000 | 231,000 |
| Number of documents that a reviewer can process per hour | 50 | 50 |
| Hourly billing rate for a legal reviewer (average of attorney and paralegal) | $65.00 | $65.00 |
| Cost Comparison | Before IG | After IG |
| Hours spent on document review | 9,240 | 4,620 |
| eDiscovery review per event | $600,600 | $300,300 |
| Total annual eDiscovery review | $3.60m | $1.80m |
| Cost Savings Summary | | |
| Total projected cost savings per discovery | $300,300 | |
| Total projected annual cost savings | $1.80m | |
| Cost savings | 50% | |

Source: Osterman Research, Inc.

Based on the estimated eDiscovery costs we calculated earlier, as well as the good processes
defensible disposal and file deduplication efforts, we can reduce the overall amount
of data collected and reviewed by one-half. This reduction also affects the data
and
collected per custodian and the total number of pages for manual review. The total technologies
estimated single eDiscovery event cost is reduced dramatically.
that enable
PRODUCTIVITY COST SAVINGS employees to
The productivity cost savings that are the result of a sound information governance
program come from the adoption of good processes and technologies that enable
find the
employees to find the information they are looking for more efficiently and more information
quickly.
they are
Now, if we assume that a robust information governance program can reduce looking for.
employee time investments in these activities by just 75 percent, the per-user
productivity investments and costs will be reduced as shown in Figure 12.

Figure 12
Per-User Productivity Loss Calculations by Year With Information Governance

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Productivity loss per year per employee in hours managing files (cumulative) | 25 | 50 | 75 | 100 | 125 |
| Productivity cost per employee in hours per year searching for old email and files (cumulative) | 2.0 | 4.0 | 6.0 | 8.0 | 10.0 |
| Productivity cost per employee in hours per year recreating old data not found (cumulative) | 1.6 | 3.2 | 4.8 | 6.4 | 8.0 |
| Total employee productivity loss (hours) | 28.6 | 57.2 | 85.8 | 114.4 | 143.0 |
| Cumulative employee productivity loss in dollars | $825 | $1,679 | $2,563 | $3,477 | $4,424 |

Source: Osterman Research, Inc.

The total costs of eDiscovery review, storage and employee productivity with
information governance are shown in Figure 13, and a comparison of costs without
and with information governance is shown in Figure 14.

Figure 13
Annual Costs With Good Information Governance in a 2,500-User Organization
Millions of Dollars

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| eDiscovery review | $0.30 | $0.62 | $0.95 | $1.29 | $1.66 |
| Email storage | $0.04 | $0.08 | $0.12 | $0.17 | $0.21 |
| File system storage | $0.23 | $0.44 | $0.64 | $0.82 | $0.98 |
| SharePoint storage | $0.03 | $0.06 | $0.09 | $0.11 | $0.13 |
| Employee productivity | $2.06 | $4.20 | $6.41 | $8.69 | $11.06 |
| TOTALS | $2.66 | $5.40 | $8.21 | $11.08 | $14.04 |

Source: Osterman Research, Inc.

Figure 14
Cumulative Costs Without and With Good Information Governance
Millions of Dollars

Source: Osterman Research, Inc.

CALCULATING ROI
Return-on-investment (ROI) is a measurement of investment performance that is
used to evaluate the efficiency of an investment. ROI is based on good faith
estimates of costs before and after the investment, and it goes beyond the simple
cost savings calculations that many label as ROI. The difference between cost
savings and a true ROI measurement is the inclusion of the actual cost of the
investment into the calculations. To determine ROI, the cost of the investment is
subtracted from the estimated cost savings of an investment and is then divided by
the cost of the investment, the result being expressed as a percentage. This is the
standard ROI formula:

    ROI = ((the cost before the investment minus the cost after the investment)
           minus the cost of the investment) / the cost of the investment

Let’s assume that the cumulative cost of an information governance program in a
2,500-user organization will be $6 million over five years ($2,400 per user over five
years, or an average of $480 per user per year), which will include the cost of the
information governance platform(s), the various technologies that will be deployed,
the labor required to manage the program, and so forth. Using the data presented
above, we can determine an ROI for an information governance investment by
populating the above formula with the already calculated costs and cost savings
(using the five-year estimates), plus an estimated cost of the investment:

    (($66.8 million - $14.0 million) - $6.0 million) / $6.0 million = 779%

CONSIDERING SOFT COSTS


For many decision makers, one of the primary objections to the data presented
above is that a significant proportion of these costs – namely, employee productivity
losses arising from poor information governance – are “soft” costs, or costs that the
company is not paying directly. Unlike the costs of paralegals, outside counsel,
additional storage systems and the like, soft costs are not ones for which finance will
cut a check, and so many decision makers balk at considering them as a
true cost of the business. The mindset for some is that if employees need to spend
extra time searching for information or re-creating it, they can work longer hours,
work weekends, etc. to make up for these inefficiencies.

However, even if we completely eliminate employee productivity loss from the
calculations and retain the same level of investment in the information governance
platform, we find that there is still a positive and significant ROI from the
investment:

    (($22.6 million - $3.0 million) - $6.0 million) / $6.0 million = 226%

MEASURING LOST REVENUE


It’s important to note that while some decision makers might not consider soft costs
to be a valid consideration when evaluating the value of an information governance
solution, these costs should be considered because they represent a drain on
employee productivity. Moreover, the lost revenue associated with lost productivity
should also be considered, since employees who are less productive also generate
less revenue for their employer. In short, employee hours that are recovered by
making them more productive will ultimately result in greater revenue generation.

Let’s consider the amount of annual revenue that organizations generate per
employee. This covers a wide range, but here are some examples from the top five and
the bottom five of the Fortune 500 for 2018 [viii]:
• Walmart: $233,820
• ExxonMobil: $4.087 million
• Apple: $2.012 million
• Berkshire Hathaway: $637,113
• Amazon.com: $359,671
• Spire: $583,779
• Shutterfly: $276,544
• NuStar Energy: $1.293
• ManTech International: $251,103
• Carvana: $504,125

What this tells us is that for every hour of employee productivity recovered, the
average contribution to revenue for the companies shown above will range from $112
to $1,965 per hour. For those decision makers who are skeptical that recovery of
employee productivity will result in additional corporate revenue, a simple question:
why are you hiring employees if they aren’t contributing to revenue generation?

Another way to consider revenue in the context of information is through risk
avoidance: the technique of risk management that focuses on taking steps to remove
exposure to negative events, such as the cost of losing a legal case because of
insufficient or incomplete collection processes during eDiscovery. These risks might
include fines imposed by the court, payment of the opposing counsel’s costs, reduced
stock prices, and the lost revenue arising from negative publicity and customers who
refuse to do business with companies involved in controversial activities. Savings
from risk avoidance are difficult to quantify, and so for organizations that have not
directly experienced these kinds of issues, risk avoidance calculations might not hold
much meaning. How can you measure the cost of an event that has not happened or
may never happen? One way to do this is to consider the life insurance model: those
who want to protect their families or companies will typically spend significant sums
on a product that will mitigate the risk from an event that they have never experienced.

It is also important to note that there are some additional soft costs to consider:

• Poor access to information that results in less-than-optimal decision making can
be a major drain on the efficiency of any organization. However, better decision-
making because of the availability of more relevant data means that field
workers, analysts, executives and others can all make better business decisions
when they have information in context, such as any prior research or
conversations on a particular subject. This results in being better able to
leverage business opportunities.

• A lack of good information governance means that organizations miss
opportunities. However, a defined and consistent governance process allows
decision makers to identify automation opportunities to further boost
productivity. For example, automating steps, such as data classification, can in
turn enable better search, automate data retention, and enhance security
solutions like DLP.

Important Issues to Consider


There are some key issues to consider for organizations that want to implement an
information governance program. Although these will certainly vary by organization,
industry, the risk tolerance of corporate decision makers and others, here are some
issues to keep in mind:

• Establish an executive sponsor
First and foremost, Osterman Research recommends establishing an executive
sponsor for an information governance program, something of a champion that
will push hard for this. It could be compliance or legal, or it might be IT, but
there needs to be an executive sponsor that will push for the program in spite of
the obstacles that will crop up. The survey conducted for this white paper found
that 81 percent of organizations that have or will have an information governance
program have an executive sponsor for it.

• Understand the drivers
It’s also important to understand why an information governance program is
necessary in a particular organization and which drivers for it are most
important. For example, an organization that is going through a significant
number of legal actions will likely view an information governance program as
essential for reducing eDiscovery and litigation support. An organization that is
spending inordinate amounts on storage may view information governance as
the best way to get a handle on its storage costs. Understanding the drivers will
help to determine who best should become the executive sponsor of the
program.

Our research found that the leading drivers for an information governance
program are avoiding risk (77 percent), regulatory risks other than the GDPR (60
percent), and improving end user productivity (48 percent).

• Understand where information is located
In an era of Bring Your Own Cloud/Devices/Apps, a significant proportion of
corporate information is stored in locations that are inaccessible to the
organization at large. For example, individual employees or workgroups may
have corporate data stored in non-IT managed locations that will be inaccessible
to decision makers during eDiscovery, a regulatory audit, an early case
assessment, etc. However, understanding where all corporate information is
located – and how IT, legal, compliance, etc. can gain access to it – is essential
as part of an information governance program. Information governance works as
it should only if all of the information is accessible to the organization.

• Establish audit processes and controls
Fundamentally, you need to know your data in addition to where it’s located:
what your organization collects, stores and processes; which business processes
depend on which types of data; and what risks and liabilities are associated with
different categories of information. Plus, you need to understand where your
data is located. You need to have visibility into the information lifecycle: who has
access to what information, how they are using this access, and what is deleted
and when.

• Implement a program for managing information
This is a key element of information governance and requires a formal program
to implement the appropriate processes and technologies for storing and
transferring information. Key elements of implementing the program would be
understanding all of an organization’s retention and data management
obligations, establishing retention policies for various types of data,
implementing the right type and location of storage, implementing the
appropriate controls when information is transferred, establishing who should
have access to information, etc.

• Implement a defensible deletion program
As noted in this white paper, the ability to defensibly delete information is a key
part of an information governance program. Doing so reduces risk, reduces
storage requirements, speeds the eDiscovery and litigation support process, and
makes it easier for employees to find information. More importantly, defensible
deletion reduces corporate risk by eliminating information that the organization
simply no longer needs. However, key for any defensible deletion program is
defensibility – understanding legal, regulatory and best practice obligations – so
that the organization can defend its decision to delete specific types of
information.

• Deploy the right technologies
Finally, it’s essential to deploy the appropriate technologies as part of the
information governance effort. These will include solutions focused on archiving
any kind of electronic content that contains corporate business records, secure
and managed file transfer solutions, classification capabilities, monitoring
solutions, auditing solutions, identity and access management solutions, and
other technologies that will help to properly manage corporate information in a
manner that will be consistent with legal, regulatory, and best practice
requirements, and that will mitigate risk to the greatest extent possible.

Summary and Conclusions


Information is essential to most organizations, and so proper governance of this
information must be an essential element of any organization’s information
management approach. Good information governance can offer significant benefits:
it can reduce corporate risk, reduce the costs associated with legal and regulatory
compliance, reduce storage costs, and make employees more productive.
The ROI associated with information governance is substantial for most organizations
and should be considered a high priority.

Sponsor of This White Paper


Netwrix is a software company that enables information security and governance
professionals to reclaim control over sensitive, regulated and business-critical data,
regardless of where it resides. Over 10,000 organizations worldwide rely on Netwrix
solutions to secure sensitive data, realize the full business value of enterprise
content, pass compliance audits with less effort and expense, and increase the
productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been
named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest
growing companies in the U.S.

www.netwrix.com
@Netwrix
+1 949 407 5125

© 2019 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be
distributed without the permission of Osterman Research, Inc., nor may it be resold or
distributed by any entity other than Osterman Research, Inc., without prior written authorization
of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.

REFERENCES
i. https://www.cgoc.com/wp-content/uploads/2018/11/CGOC_Infographic_2018_.png
ii. https://www.fiaks.com/data-never-sleeps-6-0/
iii. https://www.statista.com/statistics/456500/daily-number-of-e-mails-worldwide/
iv. https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#130eda0960ba
v. https://www.cottrillresearch.com/various-survey-statistics-workers-spend-too-much-time-searching-for-information/
vi. https://www.cgoc.com/wp-content/uploads/2018/11/CGOC_Infographic_2018_.png
vii. https://www.mindseyesolutions.com/2017/03/30/want-to-reduce-the-cost-of-ediscovery-re-think-the-approach/
viii. http://fortune.com/fortune500/
