This document discusses information governance and records management at Citigroup. It describes how Records Management Officers (RMOs) help ensure compliance with retention obligations by classifying records, setting retention periods, and handling exceptions. RMOs answer questions about files and compile requirements for retaining, disposing of, archiving, and retrieving information. They track issues until a compliant retention and disposition process is established. The document emphasizes that improper handling of information poses significant legal and financial risks, so employees should contact RMOs before acting.
Manage Risk and Save Cost with Information Governance
1. Information Governance: a programmatic perspective on driving value through RIM
Practical Goals and Directions for managing information assets.
Richard Gomes
Citigroup, Director of Information Governance
Richard R Gomes February 2010
2. Information Management Services from Citi Global RIM
RETENTION, DISPOSITION, AND ARCHIVING ARE CONSIDERED A SUPER-JURISDICTIONAL RISK
It isn’t always clear what we are obliged to keep or how long it should be kept.
Though many Citi employees realize that they may be dealing with Records in the course of their daily activities, only a Records Management Officer (RMO) can tell for certain.
The type of Record it turns out to be, the jurisdiction it belongs to, and the type of data it contains are just some of the many factors an RMO must take into account to ensure we comply with our Legal and Regulatory obligations to compliantly retain and dispose of Citi’s information.
Contact your RMO before you act- <link>
The mishandling of Citi information is a big risk that can damage our reputation, and cost us a lot of money.
After all, only Records Management Officers are trained and authorized to classify records, set retention periods, and process deviations.
INFORMATION MANAGEMENT SERVICES MITIGATE RISK AND SAVE COST
(Diagram labels: Clients, Internal, Employees)
Questions about physical and electronic files come in via a call or email
The query goes to the RMO responsible for the Sector, Global Function, Region, and Country associated with the files
The RMO compiles the retention, disposal, archive, and retrieval requirements.
The issue is tracked and managed by RIM until a compliant BAU retention and disposition process is in place
Identify
• Record Status
• Jurisdiction of Record
• IS/Privacy flags
Classify
• Record Class/Code
• Retention Schedule
• Deviation if required
Inventory
• Assign RM-Unit
• Update Inventory
• Declare Datasource
Manage and Facilitate
• Policy and Governance
• Retention, Backup, and Archiving
• Disposal Eligibility and Approval
• Collection and Custody
• (e)Discovery
• Active Matter Preservation Holds
3. Records and Information Management (RIM) is a key competency that drives down the cost of protecting our information assets.
The less information we retain, the less costly it is to securely maintain.
RIM Assets and Deliverables
POLICY DRIVEN DISPOSAL.
‘Retain only what we are obliged to retain’
IAI (Information Asset Inventory) targeted protection
Worldwide golden source of the Information Citi has, where it is, and who is responsible for it.
DEFENSE-IN-DEPTH against Super-Jurisdictional Risk
Preventive Control – Information Asset Inventory (IAI) identifies IS and Privacy control gaps
Detective Control – Disposition Scheduling identifies IS and Privacy operational gaps
Corrective Control – GOC aligned RIM-organization coordinates and facilitates CAP responses
Service Delivery Model driven cost savings
Legal Matter Response – ‘eDiscovery’
Storage Demand
Data Privacy
Data Protection
Information Classification
Data Classification
Citi Internal
4. Program History at a Glance
“a packaged service that focuses on direct and timely benefits”
CMM Level and Global Program Evolution
CMM Level 1 – Ad Hoc
• Policy and Control Process
2005 – Policy and Governance standards
• Five important control elements developed: Master Record Catalog, Spans of Authority, Country Retention, Inventory Manifest, Custody Map
CMM Level 2 – Repeatable
• Platform Development and Deployment
2006 – Organization and Control Processes
• Rev 1 of the IAI (Information Asset Inventory), integrating the 5 important controls, implemented; Physical Information BAU disposition (‘IC’) Project delivered
CMM Level 3 – Defined
• Improved Process Fidelity
• Broadened Scope and Effectiveness
• Embedded RIM into the Data Centers
2007 – Enterprise Data Map and Global Process Control
• Continuous Data Disposition (CDD) of structured and unstructured electronically stored information (ESI) initiated in NA, eMail disposition rules introduced
2008 – CDD Process Development and Regionalization
• Expanded CDD for structured ESI Globally, Prototype CDD for some unstructured ESI, Legal Hold process reengineering begun
2009 – CDD as BAU, Deploy RIM as a Service
• BAU Tape backup disposition and extended Archiving deployed, SharePoint and First Archive automated disposition process delivered (BAU eMail disposition in test in First Archive NA)
CMM Level 4 – Managed
• Major Gap in Reporting to be closed
• Full benefit Capture
2010 – RIM Services Global Rollout and Regionalization
• Close Metrics and Reporting GAP, Improve Financial Reporting of Green and Blue $ saves, deploy automated classification and tagging for unstructured ESI
2011 – Push to CMM Level 4 RIM
• Deploy integrated dashboard to track effectiveness of savings, risk, and strategy enablement (Divestiture, M&A, Storage Reduction, etc.)
5. RIM is an effective way to manage the growth rate of retained Information volume because it’s about empowering people to act.
RIM leads to less information in a form that is easier to manage
Strategic
1. Minimally intrusive to the business
Basis of advisory services that help business clients optimize their approach to compliance
2. Consistent in the eyes of auditors, regulators and the courts
Policy and Control Processes based on legal and regulatory requirements as interpreted by case law and regulatory findings
3. Straightforward and well documented
RIM is supported by job-aids and guidance and delivered through advisory teams composed of RMs, ISOs, and CoB personnel
Tactical
1. Policy aligned framework and methodology
Operational processes based on RM Policy which is risk based and integrated with RCSA, and ARR’s SAP
2. Enterprise-wide consistent, defensible, and actionable
Global rules for Local application.
3. Serves all constituencies
Addresses core Information Retention and Handling requirements that apply equally to the Business, Legal, Compliance and O&T
Actionable
1. Clearinghouse / CoE for process development and technology enablement initiatives
2. Cost saving identification and capture program
3. Knowledge exchange for collaborative sharing of locally developed practices
6. Service Focus: Cost Containment
Over-retention creates a large drag on performance and is relatively easy to fix.
Retention Driven Cost and Risk Factors
Primary and secondary information handling costs
• Electronically Stored Information (ESI) costs about $1.88 / GB-Year (all-in estimate of ESI on-line storage and administration costs; this translates to at least $MM of savings in North America alone)
Back-up and Archive costs
• System Back-up Times (the need for more costly high throughput solutions and increased tape volumes)
• Offline ESI-Archive Inventory Overhead (indexing, retrieval, sampling, and restore overhead drive incremental storage requirements)
eDiscovery costs
• Collection, Culling, and 3rd Party review cost many large companies $10s of Millions annually
Legal and Regulatory Exposure
• Matter Scope (out of context eMail, EUCs, logs, etc. widen investigation scope and drive up costs)
• Missed/Overlooked information (untimely disclosure [e.g. Merrill $1.4B], inaccurate Data Map [e.g. Qualcomm $200MM] resulting in large financial penalties and judicial prejudice)
• Disposition Framework (retention inconsistency [e.g. Intel, Arthur Andersen] resulting in serious and costly threats to the Franchise)
7. Internal Clients are a broad and diverse population
Client Organization: Expected Service Benefit
O&T / Risk Organizations: Risk facing activities (e.g. Data Privacy, Data Protection, IDEM) derive direct expense and FTE benefits from volume reduction and efficiency benefits from a common Data Map. Case: IDEM u-ESI initiative
O&T / Technology Organizations: Enterprise Data Map and Retention Schedules enable large scale economies associated with Info-centric architectures
ISO Organization: Enterprise Data Map provides baseline for Data Classification and forms the basis of a comprehensive Enterprise-Security Data Dictionary governing the risk based handling of Information in transit and at rest
Technology Infrastructure Organizations: Right-sizing and cost management of the Information Infrastructure build-out based on rules based predictive growth and volume information derived from well defined retention scheduling
Financial Control: In aggregate, direct capital and expense savings are in the $.5B range with realization within 12-24 months
Legal Services / eDiscovery: As a principal user of the Data Map and the Retention Processes associated with CDD, the direct benefit is in significant FTE / external resource reduction associated with the preservation, collection, culling, review, and production activities.
Legal / Litigation: Based on the effectiveness of the CDD methodology and the consistency of its implementation (e.g. SLAs), attorneys responsible for litigation can confidently delegate eDiscovery oversight to lower levels within their organization and improve skills alignment
Business / Application Development: Framework for the development of Info-Centric applications that are aware of the information they handle, can look up the rules for handling it, and can systematically enforce the information lifecycle