Simplify for Success - Conversation with Danny Thankachan
Danny Thankachan, who manages Information Governance at Blank Rome was on Simplify for Success, a podcast series presented by Meru Data and hosted by Priya Keshav to discuss IG programs. He shared how he can develop a case for change by highlighting the costs of a reactive approach.
He said this resonates with legal departments in large corporations as they understand the challenges with a reactive approach. He also observed how it is easier to drive change through incremental improvements compared to standing up entirely new processes – the cost to benefits become more obvious to everyone.
Listen to the full podcast below:
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid paced work environment. We have invited a few colleagues in data and information governance space to share their strategies and approaches for simplification.
Today, we will be talking with Danny Thankachan. Danny is currently the director of Practice Technology at Blank Rome. Danny specializes in advising Fortune 500 Am Law 200 clients at the nexus of law and technology, specialties include consulting with corporations on legal technology operations, e-discovery, cost control, and legal business process improvement. He also is currently teaching the development of blockchain use cases for law and its implementation and daily operations.
Hi Danny, welcome to the podcast.
Thank you for having me, Priya.
You have had many years of experience in developing and implementing enterprise-wide IG (Information Governance) programs. How do you build a business case for IG?
The larger corporations have had records management of some form or another for decades, whether it was paper or the transition to electronic, they've understood that they've had records management responsibilities and obligations, regulatory, legal, and just for normal business operations. So, the concept of information governance from a records management point of view has been around. The development, I worked heavily on litigation, so when I come in and get involved with information governance on behalf of a client, what we're really focused on is reactive litigation specific. We need to get this data organized and collective, but inevitably that process is very expensive, and the question comes up- how do we not have to spend this kind of money in the future? And that opens the door to an enterprise information governance conversation. And then the business case, if you will, the costs of not doing this the right way kind of slap you in the face.
So, you know, it becomes a litigation readiness posture, it becomes how do we manage information governance enterprise-wide to promote data hygiene to address issues like privacy? How do we, you know, really talk about data mapping and all the associated tasks for managing the company's information. So yeah, I think maybe I'm a little bit in a unique situation in that being the litigation context, the business case usually becomes pretty clear just as soon as you hire me to get involved.
So, how do you set expectations though that sometimes it's hard to see immediate results and you know information governance to do it right will have to be a multi-year program??
Setting expectations is really has a lot to do with understanding the scope of the particular organization. I think I've been in companies that are relatively small, and they quickly understand what they're trying to gather or harness. They have a pretty solid idea of what they need to organize. Larger corporations, inevitably, it means standing up a team. And whether it's hiring the right staff, putting a records management program together and putting goals together. I've found business executives that have had to react to litigation, quickly realizing that they don't have a grasp of where they have information inside the company. And then the realization comes that, you know, this is not something you can do at the last minute without spending a lot of money.
Then there's the employee training piece, because when we start talking about changing behaviors, using document management systems for those companies that don't even have a DMS platform of any kind, and developing that discipline, those aren't behaviors that you change overnight.
No, I agree. So, when you especially come back to information governance after a reactive event, the very fact that you have spent an enormous amount of money or you could have spent an enormous amount of money, just becomes a justifying factor. So, most you know, companies with a heavy litigation obviously understand this and now obviously privacy, also sort of becomes a business use case for that.
Obviously, even if you talk about proactive programs right, so one of the things that sort of always is daunting about IG is where do you start and obviously doing a good job with the program means it's enormous and complicated and requires a change in behavior. So, when you start with the program that is enormous, you obviously think about simplifying.
How do you typically simplify to have a successful plan as well as, you know, and itself? So essentially, we think there are two ways to sort of simplify: one is to break it down into parts to reduce the complexity, the other is to completely come up with a new, innovative way to execute the same task. Would you choose one over the other for that matter, is it a choice at all or maybe they're not really mutually exclusive. But what are your thoughts on how do you sort of simplify it, both from an execution perspective as well, as you know, making the business executives understand perspective??
Sure, I'll say between the two options, I work with legal departments and legal departments are not eager to try the new, innovative way of doing things. Inevitably, you know, I am focused on the reactive element and using the work and the cost and the expense of reacting to a litigation to drive the organization to improve their practices. I almost always when I'm involved in information governance, focusing on the litigation holds and the amount of data that a business is storing, to put it simply, for litigation or reactive purposes.
So, what does that look like? How many custodians, how many individuals inside your organization have email on lit hold for how many years? How do we organize that, clean that off and that's one of the smallest but most important bites that a legal department of corporation can take. And that rolls up from just responding to this individual litigation to responding to all of the hundreds, and in a couple cases, thousands of litigations holds that have been implemented throughout the organization. You know, what's our retention policies? How do we implement litigation holds more effectively in the future? How do we set up the controls in such a way that we have the necessary audit trails? And it goes pretty much step by step, piece by piece.
I've not seen much enthusiasm, to say, let's stand up a whole new method in practice, let's stand up an information governance practice or department. It's been, we want to make incremental improvements and demonstrate how we are generating value over time, so it's a cost-benefit conversation and an incremental step by step type of approach.
So, you talked about some of the examples that you take because it's a cost-benefit, right? So, maybe we can elaborate a little bit more on the examples. In particular, I kind of want to focus a little bit on, you know, you mentioned small bite-sized pieces and you can set what they can comprehend, and it has to make sense from a cost perspective. So, what you can clearly see as a visible and I'm putting words into your mouth, but visible cost savings, right? But also, I'm kind of trying to kind of pull this out of you a little bit, but in terms of, you know if you think about your examples, sometimes what's visible might mean that we leave a lot on the table. Can we talk a little bit about how much gets left over in?
Yeah, let's give an example. You know this is the most frequent scenario that I run into. A litigation hold request goes to a client, and they are asked to hold, you know, 50, 100 custodians' worth of email for years and, you know, quickly I'll get a call from a client, from a partner of the firm saying this is immensely burdensome on our client, the costs are getting outrageous, how do we manage this in a more effective way? And it becomes a conversation with IT, it says what are your general practices? How are you storing litigation hold data? How do we change your retention policies? How do we change your storage architecture? How do we help your business unit managers store only the data they actually need to keep? And again, in a reactive way, it looks very narrow, but the implications can be very broad throughout the organization. If you just dealt with this on the litigation hold in this specific case, you're leaving a lot of organizational improvements unaddressed and it becomes really evident that OK, so for the purpose of this litigation, we're only interested in this narrow date range we're narrowly collecting data here. But if we set up our retention policies to expire data after three months or six months or whatever is appropriate for the business, how could we improve our storage costs? How could we improve our data document review costs, and future litigations? It starts becoming evident that there's a lot more value there.
So, I'm kind of drilling down a little bit more, right? So, what I always find is that emails are the easiest, low-hanging fruit, so everybody kind of focuses on email retention, because obviously from a litigation perspective you can see that. Supposed litigation after the legal hold is lifted, you kind of think OK, let me put an email retention and play.
But almost always that sort of follows with I will give you a place to store all your data, which kind of also means that the user is now putting all of the data because they don't want anything deleted. So, you just push the problem from now an email to a shared drive or you make them mark, which means you always know that they basically end up sort of over retaining and then you just kind of implemented email retention and now you've got at least the email being deleted, but it doesn't sort of address the whole issue at all. But I mean I can see how you can look at it as glass half full or glass half empty, but that's what I typically see it playing out, so.
Yeah, no I would agree with you that, but again I come from legal. And legal struggles to drive the business to change business operations but legal is a cost driver. And when legal can demonstrate the cost of bad information governance practices inside the company, then legal can affect broader change. And so we are talking about email, email is relatively easy, but email is also from a litigation perspective the place we find our smoking guns.
You know, for corporate litigation, yeah, I mean, we still deal with text messages and various other content to some extent, but email is still kind of one of the most fruitful places that we go to. And the costs associated with email review, attorney review, privilege review, the risks associated with inadvertent production of privileged communications. All of that are really high and therefore the costs are equally high.
So, what does role does a technology play in obviously building the IG program? How have you leveraged technology to solve some of the IG problems?
Oh, I think technology is the critical effectuating means of answering and implementing IG strategy. So, I'll give you one of the simplest things, you know, when you have gigabytes, not terabytes of unstructured data, using some of our information, we have various tools in litigation called technology-assisted review tools that basically our artificial intelligence tools that allow you to do supervised learning across data populations. So, you take that supervised learning that you've developed for a particular litigation or for any function, it is trained machine learning system, and you point it at terabytes of unstructured data, and you have developed the classifications. And those classifications can be used to inform retention policies and deletions, just organizations, structural organization and it requires a fair amount of fine-tuning.
I'm not suggesting that, you know, it's just going to happen overnight, but if it's a matter of finding and deleting duplicated data that's all over your organization, the technology really goes along with accomplish that.
What are some of the biggest challenges with IG and what in your mind are some of the tips on how to overcome some of these challenges?
You know, in law firms, it is inevitably user education. We do face, and I think every law firm faces this, and I think it's parallel throughout the industry or all industries, a constant resistance to change. I've been successful in managing my information here on this network share drive, why do I have to take all these extraordinary efforts to, you know, learn and practice using a document management system? It's not evident to the average user day to day that, you know the DLP, the loss prevention value that using a document management system offers. The litigation, the older risks, and the harms from bad data management aren't evident to the typical user data to day. There's a big education piece that says you know how we as individuals practice data hygiene really affects the entire organization.
Where I think things have changed a little bit is the last decade of cyber security breaches, cyber security education that has gone on for anybody that's involved in managing data. There's a high degree of awareness about security concerns and information governance and security and privacy play very well together, and you can use security as the carrier of the message that good data hygiene, good information governance practices are inherently more secure. So, that's, I think, is the pivot for information governance going forward.
Thank you so much for all your tips.
I think it was a great conversation, Danny.
Thank you for having me.