Capping IT Off


Translating value into risk: why do we keep so many emails?

There’s an ongoing internal debate about the size of our email boxes. This debate, in common with similar ones going on in many organisations, is centred around the impression that email boxes are too small, that we need more storage space for our carefully hoarded collection of emails. “We need more space” comes the cry, usually followed by “… how do I back up my local email archives?” Very rarely, though, does anyone ask “Why are you keeping so much?”

Let’s be clear. It doesn’t take in-depth and rigorous research to establish that people hold thousands of emails in their email boxes and tens of thousands of emails in their local email archives. If we assume the average email box is 100Mb and use Capgemini’s 100,000 employees as a reference point, then we have over 10Tb of data in our Exchange servers alone. If we assume that the average Capgemini staffer has a personal email archive of over 1Gb, which may be a gross underestimate, we have another 100Tb sitting on laptops and desktop machines around the planet. This is a vast amount of information, the bulk of which is, in all probability, utterly useless and will never be looked at again.

Figure 1: Typical access curve over time. Source: JISCInfoNet

In general we keep records for only three reasons: because we’re told to, because we think they are useful, or because we think they’ll protect us. In other words, regulation, value and fear. However, our treatment of these factors is almost totally subjective: we don’t understand the regulations fully, we over-estimate the value of our emails and we view risk as a purely personal equation. The net result is that we either consciously retain too many emails, or we find the factors influencing our decision too complex and we leverage the ease of storage technology to defer the decision on our emails until a poorly defined (or non-existent!) point in the future.

Figure 2: Email retention factors. Source: Capgemini

It’s self-evident that the real value of the emails declines faster than the number of times we access old emails, and the personal risk we’re mitigating against drops off even faster. Beyond personal factors, regulation is a binary condition in some industries, with the result that the choice is to keep it or bin it... Yet we all keep emails for longer than logic dictates. This has costs in terms of disc space as well as the time spent managing it, but because of their distribution, these costs appear small and inconsequential.

However, there is a forgotten factor which most of us are oblivious to: systemic or corporate risk.


Figure 3: A complete view of email retention factors. Source: Capgemini

The longer you retain your emails, the longer you defer the decision on what to do with them, the greater the systemic risk of your emails exposing your organisation to external threats. Suddenly your innocent over-retention with its obscure costs and practical issues has started to add up to a problem for your organisation. Legislators, regulators, investigators and litigators are all very much aware of this risk gap and to some extent they’re banking on it. In the vast majority of cases, your emails don’t contain a smoking gun or a ticking time bomb and everyone knows it. The fact that they might is all the excuse needed to ask a judge to conduct a very expensive eDiscovery or eDisclosure exercise if you are sued or investigated. Such an exercise will cost your organisation a fortune in legal and management time. It may even seem so expensive and painful that your management decides to settle the case or ‘sue for peace’, even if the company has done nothing wrong and the other side don’t have a case, just to make it go away.

So the question I’m raising here is simple. Is your organisation even aware of this risk? If so, are they doing enough to mitigate against it? Addressing your eDiscovery processes is sensible and effective but only addresses the problem after the fact. To properly treat the risk, I would suggest there are four streams of work required to start to address the issue. The most straightforward are information policy, management visibility and technology. The real challenge, however, lies in the education of your workforce. This major area of corporate risk is, by default, in the hands of individual employees. If your business is to have any hope of protection, it is vital that you provide them with clear policies, the right technologies and the required information. Such a bottom-up approach will go further than any number of risk board meetings and email archive systems to prevent already expensive and time-consuming information management issues from becoming terrifyingly expensive legal headaches.
