Like most of you, I spend a lot of my time on airplanes reading and writing e-mails. On a recent flight I decided this one would be worth posting and sharing. It's an e-mail exchange with a friend of mine whom I had met with earlier in the day. He's a CIO at one of the largest banks in the US. Our meeting was to discuss his bank's storage dilemmas and how his normal IT operations were being frustrated, and quite frankly confused, by the heightened awareness around regulatory compliance. He and I grew up in the IT industry together, so our meetings and conversations are pretty casual.
After our meeting I told him that it sounded like his dilemma was keeping him up at night. He concurred, and offered that "it's just not as easy as 'writing a program' like the old days" to solve a business problem, that the issues of "business risk" are daunting for both him and his IT managers, and that it does in fact "keep him up at night".
As a friend and trusted confidant I told him that I would try to help him with his 'sleep' problem.
Anyhow, moving on, when the plane hit 10,000' and the familiar bell tolled I reached for my notebook and started jotting him a note. An excerpt from my note to him follows.
e-Mail to a Large U.S. Bank Corporate CIO.
Excerpt begins here...
...does your daily "archived" data "really" need to be stored internally on your floor space, your power, your SAN's etc.? Does all of the "archived" and "long-term" managed content have to be stored internally? Keyword, "long-term" content.
Have you considered asking some of your team to run the numbers and see if it's cheaper, actually more efficient, and even "safer" for the business to store all (or part) of it externally?
Let's review the simplicity without getting into all of the details.
Use one of your operational systems as an example: Sungard. Sungard provides some of the back-office operational systems that the bank runs, and every day, like clockwork, it transmits end-of-day back-office reconciliation data to your network. That data is processed and written to your disk, then migrated to SAN, then duplicated across data centers, backed up to tape, and accessed by the end users doing reconciliation work for the front office. And you're required to keep that data "long-term" and keep it readily accessible "just in case" someone asks a question that only that data can answer.
Doesn't that seem like a little much? By the way, where does your responsibility to destroy the data begin and end? The application can take care of the purge, but your OPS folks still have it on tape and who knows where else, considering that you have chartered them with ensuring "business continuity" and "disaster recovery". They are doing a bang-up job, but at what risk for 'certain' types of content?
Using the same example, consider the data that you are housing from that one "outsourced" system. What if Sungard could send it to an outsourced provider of archival services (EDS, for example), and all your processing, storage management, long-term record keeping, and end-user access happened off site? You would have no internal infrastructure, no full-time administrators, no dedicated telecom, no "extra copies" of compliant content floating around, and best of all your teams would get back to delivering value-added IT services. You would have a Service Level Agreement, a monthly bill, and possibly a little more rest at night.
One of the other things that your teams are dealing with today is protection from hardware obsolescence. That's costly to manage internally, especially over the life cycle of long-term data content. What is the longest time period that the business side is telling you to keep their compliant data: 3, 4, 5 years?
Let me guess, they don't know, and you're stuck with it indefinitely. We've always joked that not having a plan is in fact having one, just not a good one! Why deal with the risk of the business not knowing all of the pertinent facts around their regulated "compliance" data? While it may be the normal course of business for them, it means a tremendous amount of disruption for you, and you're in the business of delivering 'steady state operations'. I think that realistically you'll start to see that various departments have real retention periods for certain records that will exceed 20 years.
Which means that you will have to plan "today" for the obsolescence of hardware, operating systems, etc. to ensure accessibility to that data over its life cycle. Is that something you really want to budget and plan for in your next budgeting cycle? Think about how that one requirement alone will affect your agility in solving the more important projects like improvements to the front-office trading system, market data delivery, the data center move, etc.
Also, and this one is almost an aside to our discussion, from my perspective your IT departments should not be internally responsible for ensuring that data is accurately deleted and removed from the "corporate DNA" when it's supposed to be. You have to be in the business of providing the tools, the capabilities, and the little button that says "press here to delete", but make sure that you are clear that this last mile has to be executed by your "content business owners".
Look at it this way: do you really want to own the responsibility for ensuring that all of the bank's commission reports are deleted exactly 10 years after the date of payment, unless there was a commission dispute, in which case hold it 1+ years from the date of the dispute resolution, unless there is a legal hold for pending or potential litigation, in which case hold it for 3+ years after the date of settlement, unless the case was summarily dismissed before a suit was joined, in which case revert to the original deletion schedule?
And that’s just one rule for one content type, called commission reports! You should be in the business of delivering the capabilities, and let the owner of the business create the policies and more importantly 'hit the button'.
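To show how much logic hides in that single rule, here is an added example (not from the original e-mail or from AXS-One) that encodes the commission-report schedule as a retention calculator. It assumes that each hold can only extend retention, never shorten it (the 10-year baseline always applies), and that the deletion itself is gated on a separate owner approval flag, matching the "press here to delete" point above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class CommissionReport:
    # Hypothetical record; field names are assumptions for this example.
    paid_on: date
    dispute_resolved_on: Optional[date] = None  # commission dispute resolved on this date
    legal_hold: bool = False                    # pending or potential litigation
    settled_on: Optional[date] = None           # litigation settled on this date
    summarily_dismissed: bool = False           # dismissed before a suit was joined


def deletion_eligible_on(r: CommissionReport) -> Optional[date]:
    """Earliest date the report may be destroyed, or None while a legal hold is open.

    Assumption: holds only extend retention, so the result is the latest of all
    applicable dates rather than a replacement of the 10-year baseline.
    """
    candidates = [add_years(r.paid_on, 10)]          # base schedule: 10 years from payment
    if r.dispute_resolved_on is not None:
        candidates.append(add_years(r.dispute_resolved_on, 1))  # 1+ years after resolution
    if r.legal_hold:
        if r.summarily_dismissed:
            pass                                     # revert to the original schedule
        elif r.settled_on is None:
            return None                              # open hold: not eligible at all yet
        else:
            candidates.append(add_years(r.settled_on, 3))  # 3+ years after settlement
    return max(candidates)


def may_delete(r: CommissionReport, today: date, owner_approved: bool) -> bool:
    """IT supplies the check; the content business owner has to press the button."""
    eligible = deletion_eligible_on(r)
    return eligible is not None and today >= eligible and owner_approved
```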
Your area's risk for misfiring or miscommunicating on that process is that some "legal eagle" discovers, through the commission reports, that someone was cooking the books 10 years ago. If it weren't for the evidence that you didn't "destroy", which you had a right to and were supposed to based on your business policies, the bank wouldn't have been found guilty. Now your top 100 customers start to close their accounts and walk to that other institution across the street because you guys are "shady". There goes the end-of-year bonus pool, and that's if you're lucky; you can be sure that some heads will roll.
So, what's the point, my friend? Consider why you are managing all of this risk. Long-term records management is somewhat tricky given the nature of the data, so why not outsource to an industry-trusted provider and let someone else own this particular process?
Do what you do best and keep the front office highly tuned, efficient, and making money! Manage the operational aspects that you have to, but this particular one is different from normal backup and DR: it's tied to the business, legal, and compliance, and it poses way too much risk.
Wouldn't you rest better at night knowing that you have successfully negotiated an SLA for making sure that this is taken care of for the bank? Focus on the "core" business, and recapture those resources that are now dealing with this full-time.
The way I see it, you are really presented with two choices: build out a new group, which has to be cross-functional between IT, legal, compliance, and the specific business units, and prepare to house a couple of petabytes over time for this business requirement; or sign on the dotted line, buy an SLA, and get some rest at night.
Think about it my friend. Mitigate your risk.
Let’s talk more when I’m in town next week.
Regards,
Peter
VP, Product Strategy.Management
AXS-One Inc. www.axsone.com
301 Route 17N Rutherford, NJ 07070
201-935-3400 Corporate | 704-895-2146 Direct
704-756-1736 Mobile | 877-370-3906 eFax
e-mail: pmojica@axsone.com
