Volume No. 26
The Prudence of External Data Sharing
There is clearly no shortage of external requests for
performance information: requests from regulators, requests
from stock analysts, requests from large customer
consortia, and perhaps the most common but least understood
of all, the requests of external peer organizations, be they
friends or competitors. Some of these requests must be
fulfilled, but many, such as the external peer request, are
discretionary, in terms of both the response itself and the
manner in which you respond.
It's important to keep in mind that most of the organizations
requesting information are only interested in getting
information from you. Few of them are actually interested in
how it affects you, the company. It's up to you to be
prudent about what information you share, and how you share
it.
Whenever you share information with external parties, whether
it be a regulator or competitor, it's important to keep in
mind a few "rules of the road":
1. First, understand WHO is requesting it and WHY.
Is it discretionary or mandated? If discretionary, what's the
ultimate purpose of the information request? What's in it
for you? Admittedly, you may have little say over regulatory
or analyst requests, but when it comes to sharing with other
companies, it helps to know what you're going to get out of
it BEFORE you share. If it doesn't support mutual learning,
it's probably best to pass.
2. Have clear terms governing what can and CANNOT be
done with the information.
Almost always, this will mean setting up a confidentiality or
non-disclosure agreement between you and the requesting
party. While you may never have to enforce such an agreement
(it can often be very costly and time consuming to do so),
it will serve as a good deterrent, and add a level of
structure to the sharing. The parties are likely to take
much more "care" of each other's information when an
agreement like this is in place.
3. Be discriminating about what is shared, and more
importantly, HOW it is shared.
For example, if you're sharing information with a group of
peer companies, you should insist that any information that
ends up in a report is appropriately masked to protect the
identities of the companies.
Sometimes a simple coding protocol will work, but I've found
that in most cases "the code" is relatively easy to break,
particularly if the information is to be shared with many
people inside your company (i.e. those who may not be aware
of, or do not have the same degree of respect for the
confidentiality terms you've established).
A practice that I use (a derivative of the coding protocol,
of sorts) is to only show the median of a group of companies
that match a particular demographic. If there are not more
than a half dozen or so companies that match the criteria, I
do not show them because of the risk of detecting the
identities. This way, you get the benefit of being able to
maximize insights and learning without incurring the risk of
full disclosure. This will also help in the regulatory
environment, in which (because of discoverability laws) it
may be easy for a regulator to demand the codes of other
companies. If you only report in the demographic clusters I
discussed above, there are no codes to reveal.
In general, you should assume that any coding system is made
to be broken. My advice is to be careful in how you use
them.
4. Use a third party where multiple companies are
involved. This ensures that there is a layer between the
data and those who may wish to use the data against you.
Having a third party between you and the reporting of
information (whether it's done through coding, or through
the manner discussed in #3) will ensure that there is at
least one more BIG hurdle that others will have to go
through to get to the data. And since a third party is bound
by confidentiality with MANY companies, it's virtually
impossible for another organization (e.g. regulator) to
mandate those data be turned over. They may have
discoverability laws governing YOUR data, but they certainly
do not have jurisdiction over the collective group's data,
insights, conclusions, etc. Hence, it becomes harder to use
the data against you. Data only becomes relevant to a
regulator in the context of some type of comparison. Without
that context, it's just a data point. A third party
insulates that "context" via a strong and enforceable
firewall, and serves as another good deterrent.
5. Understand the nature of "give for get."
I know many
companies who, because of the risk and fear associated with
sharing, simply don't do it unless they're forced to. But
when these companies need information, they don't hesitate
to ask for it. Companies are getting smarter and more
discriminating about their data sharing, and it's pretty
safe to conclude that if you build a solid wall around your
data sharing, others will do the same with you.
Multi-company data sharing is a reciprocal business. Far
better to share prudently, using the above risk management
practices, than to opt out of the sharing game altogether.
There are many other smaller items that will help you manage
the risk of data sharing. I've given you the "biggies." If
you're going to play the game, as I suggest most do, it pays
to be prudent.
Author:
Bob Champagne is a Vice President of Performance Management
Solutions with UMS Group, Inc., a privately held
international management consulting organization
specializing in Performance Management tools, systems, and
solutions.
Included in UMS Group's product portfolio are a wide variety
of performance tracking, reporting, and benchmarking
solutions, as well as customized performance assessments and
diagnostic services. UMS Group has consulted with
hundreds of companies across numerous industries and
geographies. Visit UMS Group at
http://www.umsgroup.com
or contact us directly at 973-335-3555.