Information Governance and Transparency through Records Management
Storage Peer Incite: Notes from Wikibon’s February 16, 2010 Research Meeting
Strong records management is now an important technique both for improving internal productivity and defending the enterprise against external and internal risks - Information Governance.
In this week's Peer Incite meeting, Wikibon took up the topic of Information Governance from the perspective of records management and the basic principles that define the role. We've captured the conversation and action items on the role of records exec and management, an information infrastructure and the importance of records management, and the value of thinking about information governance as part of all business decisions. We hope you enjoy this edition. G. Berton Latamore
On our February 16, 2010 Peer Incite, The Wikibon Project community discussed the topic of corporate information governance, trends, and the principles of enterprise records management. Wikibon was joined by three special guests:
- Donald L. Martin, PhD, Department of Veterans Affairs, Office of Medical Inspector,
- Sam McCollum, Strategic Information Management, ENMAX Corporation Canada, and
- Jennifer Winch, Infrastructure Systems, PG&E.
- Content collaboration is not records management, not all content is a record, and the distinctions are critical in information governance programs.
- Collaboration tools do not replace records management. Collaboration tools will continue to create business risk, as sites inside and outside the enterprise will remain difficult to compliance-manage.
- Records managers and content managers have diametrically opposed interests. Content managers are focused on collaboration, dynamic, open search, and user-driven activities, while records managers are focused on control, classification, security, and discovery.
- Records managers continue to demand better integration between content and official records systems. Policy integration is what they really want – it’s the place to start.
- Records management solutions contain the security, policy management, interoperability, and architectural framework for controlling costs and reducing information governance risks. Take this message to the Board room.
- Information governance should be part of every business decision - for every new piece of data created, sourcing decision made, new system developed, application retired, business acquired or sold. Retrofitting information governance is hugely expensive and often ineffective.
- Policy automation will reduce business and operational risks.
- End-to-end information governance is very difficult to achieve today for the largest firms. Mid-size firms and small businesses have less information and less sophistication to manage, so the challenge is smaller but not zero.
Action item: The digital deluge continues, and execs, technology, and information management professionals could get washed out without an effective records program built on tried and true principles. These principles should form the discipline of an information governance program and information architecture. End-users should challenge vendors with integration requirements and pursue the goal of aligning the digital deluge with the creation of business value.
In today’s fluctuating business and regulatory environment, enterprises are increasingly burdened with escalating litigation costs and the specter of lawsuits that threaten to run up millions in legal fees and adverse judgments as well as consume hundreds if not thousands of precious hours of employee productivity.
Among the biggest enablers of these phenomena are the changes to the Federal Rules of Civil Procedure (FRCP) governing Electronically Stored Information (ESI). These and other rules have precipitated a deluge of vendor solutions promising to “fix” problems stemming from legal or IT’s inability to efficiently and cost-effectively meet their enterprise’s ESI and litigation management requirements.
Why so many point solutions
Consequently, legal teams are too often driving technology or service provider adoption decisions based on their familiarity with legal-practice-specific solutions to address various activities defined by the Electronic Discovery Reference Model (EDRM), aided and abetted by a seemingly unending number of vendors great and small who are beating a path to the general counsel’s door promising yet another collection of point solutions to overcome the latest technological challenge or bottleneck. Chief among the complaints are lack of integration or interoperability, poor scalability, a population explosion of indexes, and siloed, replicated content - not to mention a lack of centralized policy management and transparency across the entire corpus of enterprise content and data.
Legal team tail wagging the records management dog
In too many cases, records management professionals and the products that support their efforts have been overlooked - not unlike how mainframe disciplines and best practices were largely ignored when PCs and network computing became the rage in the 1990s. Recently, after a fair amount of criticism for a lack of clarity in the Information Management section of their model, EDRM embarked upon the IMRM Project to “provide a common, practical, flexible framework to help organizations develop and implement effective and actionable information management programs. The IMRM Project aims to offer guidance to Legal, IT, Records Management, line-of-business leaders, and other business stakeholders within organizations.”
Unfortunately, IMRM disregards the extensive work that ARMA International has done with its Generally Accepted Recordkeeping Principles (GARP), which includes a wealth of advice on ediscovery practices and an information governance maturity model to help organizations improve their business practices, leverage their technology assets, and lower their risks. Sadly, legal teams also fail to acknowledge the contribution that records management professionals can make and the proven technologies they have implemented over the years that provide a scalable, policy-driven foundation for information governance.
Why records management matters
Mature records management (RM) solutions and best practices provide a foundation and framework on which records can be declared, secured, and managed. Information governance best practices, regardless of how much they can be automated, are inseparable from the human component, which includes employee education and training along with policies that can be adhered to without severely straining business workflows or losing vital corporate information assets. In addition:
- Think IM architecture and the requirements of the RM disciplines,
- Get records management right, and your compliance risks and costs go way down,
- Look to RM for accountability, transparency, operability, and defensibility,
- Think about functionality needed to manage unstructured data which constitutes the bulk of records.
HP TRIM and SharePoint example
The proliferation and use of Microsoft SharePoint as an ediscovery tool among all classes of enterprises has created a thriving cottage industry throughout the ranks of information management vendors and service providers. This is primarily due to the fact that while SharePoint is a popular and useful collaboration tool, today it lacks the policy management and repository scalability that most enterprises require. HP with the new features of its TRIM 7.0 RM solution allows SharePoint to act as the user interface while enabling organizations to “proactively capture, classify, and manage evidence of their decision making and business activities in an enterprise scalable records management system.” This includes the ability to declare hundreds of data or content types as business records and allows for ESI to be discoverable in case of litigation or a compliance audit.
According to HP, the TRIM 7.0 solution offers these key customer benefits:
- Proven records management for your enterprise,
- Increased compliance and faster response to legal discovery requests,
- Improved employee productivity and business process efficiencies,
- Transparent records management and site archiving for SharePoint,
- Built in compliance with the international standard for records management, ISO 15489,
- Compliance with US Department of Defense Security Standard DoD 5015.2 Chapters 2, 3, 4 and with other major standards.
The consensus among IT, RM and other line-of-business executives as well as the vast majority of industry pundits and even many e-discovery vendors is that legal should not be making critical technology decisions in a vacuum if at all. There are too many examples of poorly implemented, stop-gap solutions that neither scale nor conform with information governance best practices or take advantage of enterprise or service-oriented architectures that would support a superior view of enterprise wide data and, ultimately, provide greater assurance that all pertinent ESI is being managed properly while lowering risks and costs. Some more enlightened general counsels and litigators have engaged IT, RM, and other critical constituencies within the enterprise such as compliance and HR. However, the overwhelming evidence indicates that legal is in a reactive mode rather than taking a more strategic view.
Action item: CTOs and IT professionals need to help make the case to management and legal that records management solutions often contain the security, policy management, interoperability, and integration of disparate modules. In short, they provide a holistic architectural framework and approach that will ultimately serve the enterprise better in controlling costs and reducing risks. This means bringing records management practitioners, solutions and best practices to the table.
Most organizations have (or by now should have) an information governance policy monitored by a cross-organization governance and compliance group. As organizations get ready for the cloud, this group needs to take a more active role in ensuring that new technology deployment reduces risk and enhances compliance. An effective way of pushing this down to IT and the lines of business is to ensure that any new project that creates data or files inside or outside of the organization has a formal compliance review section.
The emphasis of the review should be on ensuring that compliance is built in for every new piece of data created, as retrofitting is hugely expensive and often ineffective; classification is low impact if it is done at file creation, very difficult if it is done years later. A key element in justifying any review will be cost avoidance of future eDiscovery activity and risk reduction.
Action item: Project and maintenance reviews should include the following types of questions:
- How will all the data and files created be automatically classified with minimal user impact?
- How will the new data and files be integrated into the formal recordkeeping processes?
- What are the backup and recovery mechanisms required to ensure compliance?
- How is disaster recovery for the new files and data to be included in the business continuance plan?
- What are the risks of data loss, and how will they be mitigated?
- Are the costs for all supporting processes included in the project?
The not-so-recent focus on information governance has generated a renewed interest in records management, the records management profession, and the value of records management to the organization. The role is redefined in business to be a strategic resource to the CEO as organizations look to better understand, measure, and manage the unprecedented growth in electronic information and the complexities inherent in determining what information to trust, to keep, to secure, to connect, and of course, to discard.
The recognition of the records manager as a key component of information governance, and the focus of information governance as a business enabler, are long overdue. Today, the most critical asset to any organization is its business information and records. Organizations are struggling to use huge volumes of information for better business outcomes. At the same time, the number of high-profile examples of data mismanagement is growing, making the need for proper oversight and use of information key to success.
Defining the Current State of Records Management
- Over the last 10 years, as electronic information has grown to represent 90% of all information, information management strategies have been in reactive mode, responding to gaps in principles and infrastructure exposed by legal or regulatory imperatives.
- Most information management technology investments have also been reactive, stopgap measures designed to address a specific problem, such as electronic discovery.
- Massive adoption of collaboration tools including SharePoint has blurred the distinction between content and records and increased risks associated with over-retention, information loss, and compliance.
- End-to-end information management automation across electronic and physical records does not exist. If it did, it would allow the enterprise to address record keeping principles intelligently and declare, classify, store, secure, retain, discover, and ultimately dispose of content based on policy and automated, defensible enforcement.
- Poorly architected solutions have turned information assets into liabilities – systems that once satisfied basic requirements laid out decades ago buckle under the increased pressure for interoperability, scalability, end-to-end security, and discoverability. This predicament has fielded unsustainable solutions along with upward spiraling integration costs.
- Progress on establishing an information management strategy, which is essential for mid-size to large enterprises, has been extremely slow. For example, according to the AMA only 1% of all healthcare providers have an electronic records management strategy, and 94% have yet to start planning for the information management requirements of HITECH.
- Records managers cannot get the e-discovery monkey off their backs. Even in 2010, records managers will be consumed with managing e-discovery risk leaving little time for strategic records management programs and activities.
Back to Basic Principles
On the Wikibon Peer Incite call February 16, 2010, the primary organizational message was “get back to the basics” of principles of records management and use these principles as the basis for sound information governance. These principles, originally defined by ARMA International, a not-for-profit professional association and the “authority on managing records and information,” are expressed and expanded on below (see [ARMA] for the official versions):
- Accountability - Assign a senior executive who will oversee and be accountable for the record keeping program (aka information governance program, or IGP) and delegate program responsibility to appropriate individuals; adopt policies and procedures to guide personnel, and ensure program auditability. Make all business managers accountable for information governance and the records management principles, policies, and costs.
- Integrity - Construct an IGP so that records generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. Identify technologies and processes that can provide suitable and reasonable guarantees. To do this of course requires an organization to first define and classify the difference between official records and business information.
- Protection - The IGP must ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. These attributes are the core differentiators when comparing content management to records management systems.
- Compliance - The IGP must be established to comply with applicable and jurisdictional laws, regulations, and the organization’s policies. The challenge for most organizations is not developing policies but instead enforcing these policies across a vast number of information repositories and file systems.
- Availability - The IGP must maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information, as more and more organizations are turning to information governance and IGP to do more than meet compliance regulations.
- Retention - Maintain records and other information for an appropriate time (and for no longer), taking into account business, legal, regulatory, fiscal, operational, and historical requirements.
- Disposition - An IGP provides for the deletion of records that have no incremental business value or that create liability for the business.
- Transparency - The IGP must be implemented in a defensible, understandable, and efficient manner and be available and understood by internal and external business stakeholders.
Action item: Get back to basics in records management and understand the clear distinctions between content management and records management. Do the homework to understand the value of having an effective records program built on tried-and-true principles. Use these principles as the discipline of your information governance program.
In early February 2010, the Legal Tech event in New York City showcased roughly 200 vendor offerings, most of which address one or more pieces of eDiscovery workflow or activities represented by the Electronic Discovery Reference Model (EDRM). In talking with scores of buyers and vendors along with catching presentations and panels over a three-day period, three major themes emerged from these discussions:
- Legal is driving technology purchases and with it information management (IM) and information governance (IG) practices.
- Vendors who are primarily IT focused want to appeal more to legal and vendors who have heretofore appealed to litigators want IT to embrace their solutions.
- Point solution vendors are broadening their capabilities to address more EDRM-defined functions, while many larger vendors are adding functionality or additional products to their suites.
Why is legal driving the technology bus?
Despite the best efforts of records management directors, and to some extent IT, too often litigation teams drive technology purchases because they have the budget and, to their credit, they understand the legal process and the workflow as well as the costs and risks associated with non-compliance or poor preparation for activities associated with legal holds, early case assessments, electronic discovery, and disclosure to name a few. Legal teams have experience with poorly implemented, inadequate or expensive solutions and services that do not meet their needs.
Round pegs in square holes
Vendors, in their haste to meet the legal team’s requirements, have created or repurposed a plethora of solutions, many of which were developed to meet content management, storage management, enterprise search, or message archiving requirements. While many good products now exist for the eDiscovery and overall litigation space, these solutions too often exist in an information governance vacuum because they create interoperability nightmares and the need for their own repositories, search engines, and customized connectors to existing file stores, data, and content repositories. While this scenario leads to more business for system integrators and consultants, it creates more difficulties for IT, and can lead to functionality gaps, higher costs, and potentially increased risk.
The case for records management
During Wikibon’s Peer Incite call on February 16th, records management (RM) professionals discussed how enterprises that rely on proven RM solutions, practitioners, and RM maturity models can dramatically lower their eDiscovery costs and risks. Don Martin, senior archivist for the Veterans Administration in Washington, D.C., described how his TRIM RM solution from Hewlett-Packard allows his staff of doctors and nurse practitioners to quickly review thousands of patient records of various formats and record types as well as centrally manage policy to meet HIPAA and other regulations while efficiently indexing, scanning, and classifying records.
The needs of litigation teams have spawned many new and useful tools to manage the deluge of unstructured content and other forms of electronically stored information (ESI) that burden the ediscovery process. While the legal community has done a reasonably good job of defining the tasks associated with delivering ESI to comply with litigation requirements, overall, vendors have delivered too many point solutions that do not interoperate well, conform to enterprise architectures, or leverage existing technology assets as well as they could. Legal needs not only to drive vendor innovation and work with IT departments but also consider proven RM solutions, practitioners, and their best practices in order to improve governance, decrease risks, and manage costs.
Action item: More vendors need to build and promote solutions that support good information management and governance practices while moving away from point solutions that do not leverage, or interoperate well with, existing technology assets.
Liability mitigation is an important motivator pushing organizations to destroy business records that they are not required to keep. Records that have been properly destroyed in compliance with a well-designed corporate records-management policy are not open to legal discovery. On the other hand, from a business operations and business management perspective, organizations are often motivated to retain any business records that will enable the organization to sell more goods or services, understand customers better, or enhance customer service. After all, most organizations exist to make money or to provide a service. Business owners have an inherent bias to retain information because it may be useful, while the inherent bias among corporate attorneys, records managers, and corporate compliance officers is to destroy records as soon as allowable, because retained records increase risk.
In some organizations, the business owners are required to personally authorize the destruction of records in compliance with corporate standards. Because they never want to destroy information that might be useful, this often leads to a retention of records beyond the required retention period, or worse, a near standstill in the records destruction process.
In other organizations, where records management and corporate governance are given a stronger hand, policies and processes have been implemented to enable the automated destruction of records in compliance with corporate policy. This strong-arm implementation of corporate policy often leads to the unintended consequence of increasing the distribution and leakage of corporate data, as business-unit employees save unauthorized copies of paper records or electronic data because they might need it in the future.
Policies for records management must consider both legal and business operations concerns. Ultimately the organization must choose between automated policy administration for records management and records destruction and a more manual process, in which the business owner either authorizes destruction of records in accordance with corporate policy or authorizes the retention of records beyond the period defined in corporate policy.
Action item: Records managers and compliance officers must collaborate with business owners to weigh the operational benefits of retaining records versus the legal and regulatory risk of failing to destroy. Once established, they must also assign responsibility for authorizing exceptions to corporate policy for digital and hard-copy records destruction. One thing is certain: keeping all records is both costly and risky.