Information risk management – making the business case for search and intranet investment

For some time now I have been advocating the use of a risk-based approach to making a case for investment in intranets and search.  Organisations have to declare business risks (for example in Section 1A of an SEC 10K filing) and I have had some success making investment cases that could reduce the risk scores. In a presentation to the Enterprise Search Summit last month I argued that important though a search strategy might be it would only have a lasting value and impact is incorporated into an information management strategy. Based on a show of hands very few attendees had either a search strategy or an information management strategy based on an information life cycle model.

Over the last few years there has been a growing interest in information risk management. The main focus of information risk is on making sure that information is held securely, and is invariably based on ISO Standard 27001. As a result the requirements tend to be around breaches of security that lead to information that is vital to business operations not being available because it has been lost, has been stolen or has just strayed. There is an excellent report from PwC, sponsored by Iron Mountain, which provides a good introduction to information risk management strategies.

However there is a fourth scenario in which the information is there all the time but that for various reasons (such as a poor search implementation) it cannot be found, and de facto it is lost. In the PwC report there is a list of seven causes of information loss but search failure is not listed.

There is no doubt that information risk is on the Board agenda, helped by companies with an interest in information security management (Iron Mountain and Symantec being just two examples). Perhaps now is the time to talk to the managers responsible for assessing and reporting information risk and highlighting the scale of the problems that a lack of investment in intranets and search could be causing the organisation. I’m still recovering from a paper at the Search Summit in which one global business mentioned that 25% of the zero-success queries listed in the search logs were the result of IT and HR repositories not being crawled and indexed. That is a lot of ‘lost’ information.  

Martin White