Editor: What is Governance, Risk and Compliance (GRC)?
d'Alencon: There are many aspects of GRC, including Legal, Finance and IT. For the purposes of our discussion I am primarily talking about Legal GRC, although there is a considerable amount of crossover with the other aspects of GRC. To quote a Gartner Group definition, "Legal governance, risk and compliance (GRC) is a specialized form of GRC for corporate compliance officers, corporate counsels, corporate secretaries, and other legal professionals who are involved directly in compliance reporting to auditors and regulators, corporate social responsibility programs, or the enterprise risk management program. It provides the ability to track, remediate, manage and report compliance issues as well as legal and regulatory risks."1
Editor: How are GRC and eDiscovery converging?
d'Alencon: I think it is fair to say that the continual increase in electronically stored information (ESI) volumes, coupled with the increase of data types that are being created - including social media, email, office programs, voice and more - means that contemporary communication of business and personal information is largely via electronic means. Add to this increased government oversight and intervention and you will find that companies are experiencing a significant increase in reporting, investigations and litigation related to Governance, Risk and Compliance and eDiscovery.
There are many common activities and goals shared by GRC and eDiscovery and the risk and cost of this increased scrutiny is a board-level issue. This convergence ranges from centralizing the business processes and policies of creating and managing information to the downstream risks associated with those policies and decisions.
On the information technology (IT) front, we are seeing many companies undertaking reforms of their records management and information management programs so that they have a much better grasp on the ESI in their systems. One driver for this transformation is the decreasing tolerance of the courts for parties unable to produce relevant documents as a result of sub-par information management processes, technology and systems. One driver is cost - it is simply more expensive if one has to scour multiple systems and repositories to find relevant information. Lastly, a driver is time. If it takes you two weeks to find the information you need as opposed to 24 hours, both your risk and cost have increased.
With the beginning of the improvements to corporate information management comes the need for systems integration. More centralized storage of ESI integrated with downstream business processes and applications that need to make use of this ESI, means that it is faster, cheaper and generally less risky to respond to discovery requests, regulatory responses and internal investigations.
Editor: But why is electronic discovery getting swept up in the GRC net?
d'Alencon: eDiscovery is a maturing market and it has grown significantly over the past few years. The 2010 Socha-Gelbman Electronic Discovery Survey estimated the eDiscovery market will grow at 10-15 percent each year for 2010 and 2011 and that this market would be worth $2.8 billion in 2010.
In the past eDiscovery was a niche industry that tended to slip under the board's radar at many companies. The office of the general counsel generally oversaw a number outside law firms, who managed the bulk of the activity. Often different firms with different processes, vendors and technology would be used for each new case. This was typically an inefficient process, but one that was considered the cost of doing business.
Electronic discovery is a process supported by technology, not a product. It is a complex, data-driven process that involves a number of different disciplines and teams. These processes and teams have historically operated independently, with little cohesion, standardization, or repeatability.
Today corporations are being confronted with much greater ESIvolumes and related costs, and therefore much greater risks in the form of real consequences, such as sanctions, if regulatory or legal requirements are not met. eDiscovery is now a C-level discussion, and boards and CEOs are often struggling to address it. I recall when we asked a manager responsible for eDiscovery at a Fortune 50 company how his position had changed in the last 12 months. He responded that in one year, he had gone from reporting to the assistant general counsel to addressing the board of directors directly.
So the visibility and cost of eDiscovery has taken off, and accordingly the need for structure and process for eDiscovery has grown. If you consider the rise enterprise resource planning (ERP) software during the 1990s, a whole industry grew out of the need to pull together the widely different software and processes being used by different teams inside the corporation. ERP consolidated data and standardized processes. The same thing is now happening with electronic discovery under the umbrella of GRC.
Historically most eDiscovery companies have been focused on a single task or a single case with little process standardization. Companies like CaseCentral recognized the need for a centralized platform so an entire portfolio of cases could be serviced from a single system.
Editor: Are there any proof-points of this convergence?
d'Alencon: The mega-technology players like EMC, HP, IBM, Microsoft, Oracle and Symantec are definitely attracted by the size and trajectory of the market. And they are looking to enhance their positions by placing electronic discovery technology and expertise into their GRC practices. In the past weeks IBM has acquired information governance and legal hold software provider, PSS Systems and financial governance software company Clarity Systems, to enhance its product portfolio that addresses GRC. Barry Murphy at eDiscoveryJournal.com noted that PSS bolsters IBM's business process management (BPM) portfolio. And it is those BPM systems that help drive GRC. Other examples are Iron Mountain purchasing Mimosa and EMC picking up Kazeon.
The mega-tech providers are offering eDiscovery solutions to enterprises from a GRC perspective, which makes sense since eDiscovery is ultimately a business process that involves multiple stakeholders within the corporation. And it is often an expensive process, so real value can be derived through addressing eDiscovery challenges under the umbrella of GRC.
As these types of acquisitions occur, I expect an increase in the conversation about "end-to-end solutions." Such a comprehensive solution will likely continue to elude the market for some years, but through integration, partnerships or acquisitions, software vendors will chip away at having an integrated suite of products and technology to address this need.
To this end, CaseCentral recently announced the general availability of its connector to Symantec Enterprise Vault Discovery Accelerator. The integration between Symantec Enterprise Vault Discovery Accelerator and the CaseCentral eDiscovery Platform creates a single solution for identification, collection, processing, analysis, review and production, eliminating the need for IT and legal teams to manually export and upload large amounts of data for legal review and reclaims the days and weeks spent processing data. Clients using the new connector also bypass EDD processing fees for data moved into CaseCentral from Enterprise Vault and simplify the handoff process, removing risk by eliminating the opportunity for error and maintaining chain of custody.
Editor: Tell me a little more about this new connector.
d'Alencon: The connector is part of CaseCentral's strategy to integrate with corporate data sources so our cloud-based eDiscovery platform becomes an integral part of the internal process of information management and a good GRC citizen. Simplistically, we see this as eliminating processing time and costs for data coming from the Symantec archive; that just makes good financial and business sense. But more broadly we see this as responding to the larger macro-trend of the convergence of GRC and eDiscovery. As eDiscovery is increasingly viewed through the lens of governance, risk management and compliance, compatibility with corporate GRC programs is going to become increasingly important. So we view integration with enterprise data sources, especially file systems, email servers and archives, as well as providing a business dashboard with real-time, data-driven insight into eDiscovery costs, trends and efficiencies, as fundamental for our product to be included in the broader GRC movement.
Editor: What should we expect to see in the future?
d'Alencon: Corporations will continue the trend of bringing the eDiscovery process in-house, ultimately weaving it into their governance, risk management and compliance processes. The key to this trend is the centralization of data and process that feeds downstream business applications. These efforts will in turn save significant costs and reduce risks associated with litigation exposure, compliance and internal investigations as a standardized, repeatable and defensible process is put into place.
Editor: Where can people learn more about aspects of this trend?
d'Alencon: The EDRM (www.edrm. net) is a great educational resource for electronic discovery. Recently the EDRM added an information management reference model (IMRM) to facilitate a framework to help organizations, "develop and implement effective and actionable information management programs." The project seeks to facilitate dialogue among stakeholders within the company. This new reference model is an excellent starting place for learning how and why eDiscovery is being adopted into the information management and risk management models inside of companies. It is also a useful way to join the dialogue about these convergence trends. 1 "Hype Cycle for Governance, Risk and Compliance Technologies, 2010," by Gartner, Inc., Jay Heiser, July 28, 2010.
Published November 2, 2010.
