Assessing Information Loss After a Disaster

Global 2000 (G2000) organizations and research and consulting firms have generated reams of analysis on disaster recovery (DR) and business continuity planning (BCP) as well as studied hundreds of best practices . Unfortunately, our research indicates that only 20% of G2000 organizations have well-developed, actionable disaster plans that adequately consider the information aspects. Given that the costs associated with information recovery far outweigh the costs of disaster preparation, managers have a fiduciary duty to their constituents to develop world-class recovery and continuity plans that explicitly quantify the value of information.

META Trend: By 2006, the need to derive business value from information assets will force information architecture to mature. Information architects will formally articulate principles and actionable models that enable the CIO to focus on custodianship and stewardship of information, thus improving the enterprise's discovery of real opportunities to save time and money.

Organizations must be able to understand the value of information to mitigate the threat of its loss during a disaster. Numerous disciplines must be brought to bear, including risk analysis impact assessment’ enterprise content management, information architecture; and IT portfolio management. Information value analysis balances the benefits an organization receives from leveraging high-quality information against the cost associated with acquiring, managing, and controlling information across a complex enterprise. These costs include the cost to capture/generate information, the cost to store/maintain information, the cost to retrieve/leverage information stores, and the cost to disseminate/assimilate information into line-of-business (LOB) operations.

Effective information management (IM) is concerned with ensuring that organizations are able to operate with maximum effectiveness by making quality information available to the right people at the right time. Without such information, organizations may be unable to anticipate the need for change, react to varying circumstances, or make correct decisions. There are eight IM disciplines that should be articulated at two levels of detail. The first is as a general principle that applies to the IM discipline generally; the second is as an applied principle that draws out the implications for core enterprise activities. Here, we tease out and expand on these eight general IM principles and explore the associated implications for recovery and contingency planning.

Understanding the Value of Information

In attempting to ascribe the value of information, one must consider the linkage between these general IM principles and accept that information by itself has no intrinsic value. Of course, information can be profoundly valuable when structured to enable high-quality managerial decision making and activity; yet information value is dependent on its use across its life cycle and on a management framework defined by three “life-cycle stages” - the acquisition of information, the storage of information, and, ultimately, the retiring of information (see Figure 1).

Obviously, in its simplistic form, the information life cycle provides no real value - it is only when access is provided and the organization (which may include external agencies such as suppliers and partners) is given the opportunity to use and reuse the information that value may be derived (see Figure 2).

However, simply acknowledging the five stages in the information life cycle is not enough. We previously mentioned eight IM disciplines, and it is only when organizations understand their role in undertaking certain management activities that value may be derived. Hence, when the remaining three IM disciplines are included on the framework, a complete picture is provided and organizations are able to start to analyze the impact that each discipline will have on recovery and contingency planning throughout each of the information life-cycle stages.

Figure 3 depicts the complete framework overlaid against the value-adding activities highlighted in yellow. As stated previously, information has no intrinsic value, but instead exhibits numerous characteristics that lend it value. The following are the three key value-lending characteristics of information:

• Relevance
• Timeliness
• Actionability

These value-lending characteristics typically involve the third and fourth stages of the information life cycle, with the associated underlying management activity being data quality.

Driving the Value of Information
Information Culture

The driving force for maximizing the effective use of information should come from within the organization - its management and its culture. An information culture should have the following characteristics:

• The value of actionable, relevant, and timely information is recognized as a prime organizational asset (while at the same time balancing availability demands against data quality issues)
• The organization recognizes that most work involves the management, leverage, and assimilation of information into LOB operations
• Value is placed on the effective management and sharing of information - the sharing of information should be restricted only by an explicit management decision (balancing accessibility against security requirements) Projects should include information sharing components and focus on reuse

The development of an information culture will result in the recognition that information is an important organizational asset. Because much of the organization’s information is recorded as documents, document management becomes important in an information culture. Document-management systems provide a way of ensuring that the information asset is accounted for and protected and can be retrieved when it is needed.

Portfolio Management

Increasingly, G2000 organizations are applying portfolio management (PfM) approaches as employed in the financial sector to ensure that IT investment decision making is aligned with organizational goals. By effectively managing IT portfolio investment strategies, G2000 organizations are able to balance risk and rewards, thus driving value maximization and competitive advantage through increased ROI within the defined portfolio. To effectively balance risk against business value of their organizational information assets, portfolio managers must regularly conduct both information audits and risk-management activities.

Information Audit and Data Quality
Although standards for measuring intrinsic information characteristics are still maturing (such as data profiling technologies and metadata management tools), G2000 organizations must embrace the same audit activities for information assets as those used for other asset classes within the IT portfolio. Such audit activities must establish the cost associated with managing the information asset as well as the potential value (or preferably actual value) of the information asset - typically expressed in terms of ROI and data quality. META Group research shows that organizations that approach information auditing with a similar degree of rigor as found in financial auditing practices find the audit activity becomes less arduous.

Once the importance of the information audit activity is understood and the organization is able to annunciate the expected benefits realization (see Figure 4), successful portfolio managers must conduct audits of data quality. Figure 3 proposes that key value-adding characteristics of information are relevance, timeliness, and actionability. Although timeliness is more a factor of availability, relevance and actionability are a direct outcome of data quality (DQ).

Data quality assurance is composed of numerous concerns that collectively determine the quality of an organization’s data. Although the following list includes some of these DQ concerns, organizations need to ensure that their approach to DQ is appropriately aligned with business drivers, and areas where organizations are suffering the most or have the most to gain receive the highest attention. Portfolio managers need also to ensure compliance with overarching enterprise information architectures.

• Accuracy: A measure of information correctness
• Consistency: A measure of semantic standards being applied
• Completeness: A measure of gaps within a record
• Entirety: A measure of the quantity of entities or events captured versus those universally available
• Breadth: A measure of the amount of information captured about an entity or event
• Depth: A measure of the amount of entity or event history/versioning
• Precision: A measure of exactness
• Latency: A measure of how current a record is
• Scarcity: A measure of how rare an item of information is
• Redundancy: A measure of unnecessary information repetition
• Integrity: A measure of validity with respect to another item of related information

The information audit must become a continual organizational activity that portfolio managers conduct regularly. Ultimately, the refinement of information audit tools and techniques will lead to information value being quantified on the balance sheet of 30% of G2000 organizations by 2005. In the face of major disasters involving information loss, organizations that have embraced information audit activities as a continual process will quickly come to the fore because they will be able to derive a ready snapshot of the impact resulting from the loss. Organizations found lacking in this discipline will struggle in responding to major disasters. Therefore, it is imperative that organizations yet to embrace information audit disciplines do not delay in focusing attention on building a picture of their information assets now and evolve that picture over time to include both data quality aspects as well as an assessment of the risks associated with information loss.

Risk Assessment
To understand the costs associated with an information loss, portfolio managers must conduct a risk-assessment exercise. Traditional risk assessments focus on three key questions - namely, what the threat that needs to be understood and managed is, what the organizational vulnerabilities in the face of that threat are, and what the impact of that threat is (this then enables the organization to formulate its mitigation strategy). Organizations typically are faced with two real options to combat the impact associated with the eventuality of disaster. The response mechanism used will vary depending on the sensitivities of the information being protected and the constraints facing the organization.

• Response Mechanism 1 - Prevention: Where the organizational value of information is known to be high, and a risk assessment has determined the impact of information loss to be great, then the preferred solution often is to implement high-availability (HA) infrastructure. Although such a solution is often a high-cost solution, many organizations tend to focus their BCP efforts solely on the lure on HA/redundant hardware (often without having undertaken a rigorous risk-assessment exercise or an information audit).
• Response Mechanism 2 - Recovery and Contingency: The HA response can often be the wrong perspective - and should be used only where a risk assessment and information audit have been conducted and the cost of an information loss would outweigh the cost of the prevention mechanism (i.e., HA infrastructure). A more measured response poses the question, “If we were to have a disaster, how do we get back online?” This is framed from the perspective that not all information needs to be protected by an HA strategy; instead, some information can be recovered and restored following a disaster.

Successful organizations focus their recovery and continuity plans on information architecture requirements, particularly the business information requirements at each stage of the information life cycle. Such organizations are able to balance recovery and continuity plans with an understanding of what information must be available at all times and all places according to the information architecture and information life cycle, versus that which can be recovered.

Next Steps

Prior to conducting an information audit, organizations need to understand their current maturity level as it pertains to their information culture. First, they need to consider their architecture - how well is information organized to support enterprise processes? Second, how robust and enforceable are the information-related governance structures and compliance processes? Third, how is information leveraged across the organization - how do the existing infrastructure and processes support information access and use? Finally, how is data quality measured and ensured throughout the information life cycle, and what intrinsic risks are associated with how the organization uses information? Only when portfolio managers understand these imperatives can the value of information be quantified and its loss following a major disaster mitigated against by a measured recovery and continuity plan.

Business Impact: Organizations that implement information architecture programs founded on solid Information management disciplines and an understanding of the value of actionable information throughout its life cycle will ensure that disaster recovery and business continuity plans appropriately manage risk and hence will succeed.

Bottom Line: For recovery and continuity plans to stand any real chance of staving off the long-lasting effects of a major disaster, they must adequately address information requirements. Currently, only 20% of organizations have a clear understanding of the value of information throughout its life cycle and thus have developed plans that balance this against risk. Portfolio management approaches demand that information audits be regularly undertaken to drive the value of information, resulting in improved data quality and greater return on information.

META Group originally published this article on 11 November 2003.