The collapse of the Francis Scott Key bridge on March 26, 2024, was a tragic loss of life and a disruption to the shipping supply chain on a global scale, one that will take months, if not years, to fully recover from. A major shipping artery in and out of the United States was severed, stranding ships on both sides of the bridge, which was submerged in the river. Within hours, a senior hazmat investigator from the National Transportation Safety Board (NTSB) issued a statement. It stated, “That’s 764 tons of hazardous materials — mostly corrosives, flammables, and some miscellaneous hazardous materials, class nine hazardous materials, which would include lithium-ion batteries.”
Literally within hours of this unfortunate event, the agency delivered a precise statement around the globe to potential stakeholders. This resulted from a process that included:
- The coordinated classification of raw materials and finished goods
- International agreement on labeling standards
- A global communication system for shipping documents that covers the ship, content, manifest, and crew
- A sophisticated tracking mechanism that does not rely on manual spreadsheets and tribal knowledge
We found it interesting that of the thousands of containers on this ship, the HAZMAT teams were only concerned with those labeled in a high-risk category.
Herein lies an important message to those of us in data governance working with structured data or in information governance dealing with documents and unstructured data retention. It’s all about awareness of content and associated risk. And it contains the fundamental tenets of an effective governance program:
- Inventory
- Classification
- Location
- Ownership
- Risk Level
MetaGovernance focuses on lean governance. Our approach zeros in on high-risk data. In previous columns, we discussed how data and information follow the basic tenets of physical inventory management, including raw materials and finished goods. Our end game is to oversee the production of quality data with the least amount of waste and risk.
It all starts with data classification and awareness. While we are not dealing with environmentally hazardous materials, our work involves potentially dangerous content in the form of confidential and personally identifiable data. Data loss is a real problem. Most companies have active prevention programs in place. But unlike the NTSB, few have the necessary rigor behind classification and labeling.
A recent client experience illustrates how a single event, a stolen laptop, can create a huge distraction and waste of resources, if not serious legal liabilities. In conducting a risk assessment, it was clear the company did not possess accurate information on the data or reports stored on the laptop. The information had been shared by multiple people in the months leading up to the theft. Backup scans revealed folders and file names, but no actual content. The folders and files were also not labeled in a comprehensive classification scheme. As a result, the company was unaware of what data was missing and its location.
The problem was elevated to the board as part of data risk management protocols. This is when the finger-pointing started between the data governance teams, information governance teams, and governance technology folks. This is a pointless exercise. The real fault lies in the failure to employ a comprehensive, system-driven approach for data and record classification and information labeling. Unfortunately, this is not an outlier in the world of data and information governance. Imagine if the NTSB had no idea of the contents of the ship or the containers that went overboard.
In data and reporting, tags like Confidential, PII, and Public carry specific responsibilities for the owner and the consumer on how to store, share, restrict, retain, or destroy the materials. This is no different from the red triangle seen on the back of the overturned tanker truck, warning people that the content is flammable and to stay clear. HAZMAT professionals know this, as do their stakeholders, including shipping, factory, inventory, consumer, and law enforcement. Classification labels carry meaningful instructions.
As governance professionals, it is time to walk the talk of data risk management with a focus on classification and labeling. MetaGovernance looks for problems by walking through a client’s “data factory,” a technique we adapted from lean manufacturing. We can learn a great deal by observing the scope of manual intervention of data along the reporting and disclosure supply chain. Any problem areas can usually be traced back to insufficient standards for classification, ownership, labeling, and inventory awareness.
The good news is that you can solve your governance classification and labeling problems without a massive rework of existing processes, procedures, and technology. It is all about finding the right leverage point. That involves focusing on a very small number of business attributes which could have the greatest negative impact if compromised. Accidental disclosure of a Social Security number is an event that sends shivers down the spine of a data risk officer. The solution to data risk management and compliance revolves around treating these specific business attributes with the same level of care and awareness as any hazardous material. And it is critical that your technical governance solutions have current awareness of the location of the physical occurrences of these business attributes, both structured and unstructured.