Post on 19-Mar-2016
Records Management: An Important Element of Your Information Governance Program
RSD Event
Geneva, May 23, 2013
Swiss Chapter
Agenda
1. Intro / ARMA Switzerland
2. RIM business case today
3. Embedding RIM/ILMG into Information Governance
4. Inadequacy of IT Governance
5. Records Management Foundations (ILMG)
6. Pain Points in Records Mgmt and how to mitigate them
7. Measuring the Maturity of RIM: The Principles (GARP)
8. Value proposition & Conclusions
RSD event 23.5.2013 - @jhagmann – ARMA Swiss Chapter
1. ARMA Swiss Chapter at a glance
• Established Nov. 2011 (Basel)
• Board: 4 members
• >40 members (growing)
• Website under ARMA Europe: http://europe.arma.org/chapters/switzerland
• Newsletters are published regularly
• Collaboration platform on box.net (for members only)
• LinkedIn group: http://www.linked.com/groups?gid=4379074
• Agreement with VSA-AAS Switzerland (coordination)
Initiatives
• Create possibilities for corp. membership (Friends of …)
• Develop further education programs at an official info mgmt school CH
Events 2013
• Spring Meeting Geneva (UN HCHR) 12.4.13
• Booth at the Swiss IM Forum Zurich, June 4th
• European presence at ARMA Annual Conference Las Vegas end of Oct.
• Annual Conference Zurich 8.11.13 (IBM)
  • Gen. Assembly (morning)
  • Topical conference (afternoon)
2. RIM Business Case today
• Risk mitigation / compliance
• Reducing IT costs (Gartner*)
Challenges: big data, technology changes, regulatory reqs, consumerization of IT, mobility etc. -> Control deficits = various risks
* Gartner: Information governance best practices for content-intensive processes (Febr 27, 2012)
2. Examples of retention risks
• Keeping records too long
• Keeping unnecessary records (be careful when destroying documents on clean-up days)
• Inappropriate or premature destruction of records (advertently or inadvertently)
• Inability to preserve digital records for the required time period
• Inability to identify the official record (original)
• Inability to apply legal holds
• Inability to produce (find) records in a timely manner (audits, investigation)
• Unauthorized duplicate records
• Records stored on obsolete media
• Not creating records that we should
• Storing unknown content (smoking gun)
• Storing records on non-traditional or inappropriate formats and media
• Storing records in inappropriate facilities or locations (no adequate protection from hazards)
2. Reality / incidents
• Senior management is ignoring the risks (*)
• 31% report that poor electronic records keeping is causing problems with regulators and auditors
• 14% are incurring fines or bad publicity (reputation damages)
*AIIM Industry Watch 2013: Information Governance – records, risks, and retention in the litigation age
3. Records Management is not enough: The force of the nexus
[Diagram: relations / disciplines around the business processes and activities that generate business information: ILM / RM (retention, lifecycle mgmt, disposition); ISEC (IT / information security awareness); Cloud; ITRC (IT risk control / COBIT); Information architecture; WCM (web governance); Privacy (data protection); SM (social media); eDiscovery and regulatory compliance; SOX IT; BCM / DR (business continuity / disaster recovery).]
3. Information Governance: Big Picture
[Diagram: Information Governance big picture. Requirements (FDA, regulatory authorities, litigation, privacy, competition, incidents, vulnerabilities, intellectual property) drive the information flow; business information risks are managed along the information life cycle from creation to disposition. IT infrastructure services deliver the right systems & services; information, content and context feed decisions. ILMG enables EIM. Risk & compliance covers retention / disposition, info security, online governance, IT risk control and IT BCM/DR. IG framework layers: Policies / Standards; IT / Information Risk Management; Information & Records Management, Web Governance; Quality & Value Creation; Operations & Support, Training, Awareness, Communication; Information Security / Privacy; Architecture.]
3. Terminology (perspective) is changing – requirements are not
…as a record: Will we ask if any kind of (compliance) relevant information will be qualified and declared as a "record" or not, particularly when on average less than 20% of enterprise information is managed as "official" or scheduled records?
ILM or ILMG: Information Lifecycle Mgmt or Information Lifecycle Mgmt & Governance
4. Inadequacy of IT Governance
• Not concerned with the way information is created, used and processed (content, context – lifecycle – physical world)
• It just covers the „control half“ of the business universe and confuses compliance with compliant; a strong "audit culture is ironically the enemy of reflection, the very thing that it is supposed to support". What about the vital values of innovation, creativity, value creation, business development etc.?
• Incomplete or half-hearted implementation which leads to a formal and bureaucratic environment (controls remain undetected until an incident occurs, service levels remain unmonitored, BCM/DR testing is lacking etc.)
4. Governance - It’s all about culture & behaviour
„I came to see, in my time at IBM, that culture isn‘t just one aspect of the game; it is the game.“ (Lou Gerstner, former chairman of the board & CEO, IBM)
Real organizational challenge of IG: „no department/discipline alone is able to achieve the desired goals and advantages.“
Orchestration and business alignment = harmonize incoherent aggregates and stakeholders! Achieve desirable behaviour …
5. Information Lifecycle Mgmt - Overview
[Diagram: Information Lifecycle Management overview. Lifecycle phases: active / semi-active phase, inactive phase, permanent. System level: DMS, file system, business apps, mail, long-term repository. Above the systems sit a policy layer and a governance layer.]
5. Policy Framework RIM – House & Foundation
[Diagram: the RIM policy framework drawn as a house, from strategic (top) to operational (bottom), enterprise-wide or per function or unit.]
House, strategic to operational:
• Policy: principles and definition of mandate
• Standards: retention mgmt / standards
• Implementation guidelines: guidelines (how to …), providing templates/forms and tools for required processes
• ECM (technology solutions); Records Center
Foundation:
• Records identification (inventory, above item level): Which record types exist?
• Requirements catalog: What requirements apply? (legal, regulatory, business)
• Retention schedule (master schedule): How long do records have to be kept?
• File plan (item level): How are records filed and retrieved?
6. Major Pain Points RIM Implementation
1. Enforcement gap / deficit
2. Lack of accountability / responsibility
3. Broken custody chain
4. Schedule compliance & lacking execution of disposition/deletion
6.1. Enforcement Gap
6.2. Lacking Accountability
"The word that matters most is accountability. The root of all of our problems with information, and we do have lots of problems with it, is the fact that there is no accountability for information as such." (Debra Logan, Gartner)
A folder with an important contract cannot be found in a repository because of:
• There is no current process ownership defined (who is the records manager for this dept.?)
• Records have never been captured (registered and indexed) in the active phase (no identification and tracking is possible)
-> Lessons learned: the information owner must assign the appropriate program role(s)
6.2. Lacking Accountability: Assign and document information ownership and stewardship
Functional manager: ownership
Operational Records Mgr: stewardship (custodian)
6.3. Broken Custody Chain
Documents cannot be found (due to several moves or employees who left) or a given context of evidence in a dossier (file) cannot be understood (lack of knowledge); often H:\drives or G:\drives are orphaned.
Must do: lessons
• Transfer the records under your custody to your successor or the responsible superior when moving to another dept. or leaving the company!
• Prepare a template for leave protocol (hand-over) with HR; enforce and monitor its usage
6.4. Schedule Compliance & Disposition
Enterprise top level Class: 09 – HR
Series: Personnel File
Enforce/execute lifecycle according to schedule!
Apply rules to multiple repositories (federated, in-place RM)
6. Choke points to mitigate risk
Pain points and the matching choke points / mitigation actions:
• Enforcement deficit: Awareness training and campaigns on all levels from lessons learned, supporting post-audit activities and self-assessments, C-level involvement
• Lacking accountability: Appointing and assigning appropriate program roles (incl. deputies) throughout the whole lifecycle, clearly documenting information ownership and stewardship responsibility (custody)
• Broken custody chain: When employees are leaving the company or moving into another dept., transfer all relevant information to the successor or supervisor; enforce and refine the HR exit procedure
• Schedule compliance & disposition/destruction: Execute the lifecycle requirements on the document (item) level; get rid of excess documents and data in a controlled way; coordinate controlled disposition and deletion with IT & Legal; organize regular clean-up days, purify shared drives, fight the „keep everything“ attitude
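The schedule-compliance point above (section 6.4 and the last choke point) is the one part of the deck that can be shown as a mechanical check: apply the master retention schedule to every item, whichever repository holds it, and let legal holds and unclassified items block disposition. The following script is an added example written for this page, not code from the presentation or from ARMA; the schedule entries, record IDs, repositories and dates are constructed sample data (only class 09 / Personnel File comes from the slide), and the rule and record structures are a hypothetical simplification of a real schedule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One line of a master retention schedule (hypothetical structure)."""
    class_code: str        # enterprise top-level class, e.g. "09" (HR)
    series: str            # record series, e.g. "Personnel File"
    trigger_event: str     # event that starts the retention clock
    retention_years: int   # years to keep after the trigger event


@dataclass
class Record:
    """A scheduled item in any repository (federated / in-place RM)."""
    record_id: str
    series: str
    repository: str
    trigger_date: Optional[date]   # None while the trigger event has not happened
    legal_hold: bool = False


def disposition_date(rule: RetentionRule, trigger: date) -> date:
    """Trigger date plus the retention period in whole years.
    A 29 Feb trigger whose target year is not a leap year rolls to 1 Mar."""
    target_year = trigger.year + rule.retention_years
    try:
        return trigger.replace(year=target_year)
    except ValueError:
        return date(target_year, 3, 1)


def plan_disposition(records, schedule, today) -> List[Tuple[str, str, str]]:
    """Decide one action per record regardless of which repository holds it.
    Returns (record_id, repository, action)."""
    by_series: Dict[str, RetentionRule] = {r.series: r for r in schedule}
    plan = []
    for rec in records:
        rule = by_series.get(rec.series)
        if rule is None:
            action = "unscheduled"   # no rule: classify first, never delete blindly
        elif rec.legal_hold:
            action = "hold"          # a legal hold always suspends the schedule
        elif rec.trigger_date is None:
            action = "active"        # the retention clock has not started yet
        elif disposition_date(rule, rec.trigger_date) <= today:
            action = "dispose"       # eligible: hand over to controlled disposition
        else:
            action = "retain"
        plan.append((rec.record_id, rec.repository, action))
    return plan


def summarize(plan) -> Dict[str, int]:
    """Count actions, e.g. for a clean-up report coordinated with IT & Legal."""
    counts: Dict[str, int] = {}
    for _, _, action in plan:
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample data (class 09 / Personnel File is from the slide, the rest is invented).
SCHEDULE = [
    RetentionRule("09", "Personnel File", "end of employment", 10),
    RetentionRule("03", "Supplier Invoice", "fiscal year end", 7),
]

RECORDS = [
    Record("HR-0001", "Personnel File", "DMS", date(2002, 6, 30)),
    Record("HR-0002", "Personnel File", "G:\\HR\\archive", date(2002, 6, 30), legal_hold=True),
    Record("HR-0003", "Personnel File", "DMS", date(2010, 1, 15)),
    Record("INV-0042", "Supplier Invoice", "ERP", date(2005, 12, 31)),
    Record("INV-0043", "Supplier Invoice", "ERP", None),
    Record("X-0007", "Board Minutes", "Mail", date(2000, 2, 29)),
]

TODAY = date(2013, 5, 23)   # the date of the talk, used as the evaluation date

if __name__ == "__main__":
    for record_id, repository, action in plan_disposition(RECORDS, SCHEDULE, TODAY):
        print(f"{record_id:9} {repository:14} {action}")
    print(summarize(plan_disposition(RECORDS, SCHEDULE, TODAY)))
```

The two records HR-0001 and HR-0002 carry the same series and trigger date but live in different repositories; the rule is applied identically to both, and only the legal hold on the second one changes the outcome. Anything without a schedule entry is reported as "unscheduled" rather than being disposed of or silently retained, which is the "storing unknown content" risk from section 2 made visible.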
7. The Principles (ARMA)
Generally Accepted Recordkeeping Principles (GARP): Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition
Maturity model for implementation of IG programs, based on the 8 Principles
7. GARP maturity model (example: Retention)
Level 1, Non-existent: There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based upon individual rather than organizational needs.
Level 2, Initial: A retention schedule is available, but it does not encompass all records, did not go through official review, and it is not well known around the organization. Education and training about the retention policies is not available.
Level 3, Repeatable: A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization's employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention.
Level 4, Defined/Managed: Same as 3. In addition, it is clear to employees how to classify records appropriately and retention training is in place. Retention schedules are reviewed on a regular basis and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern.
Level 5, Optimised: Same as 4. In addition, retention is an important item at the C and board levels. Retention is looked at holistically, and is applied not just to official records, but to all content in an organization.
7. Using The Principles
HOW to use the maturity model:
• Identify the gaps between the organization's current practices and
the desirable level of maturity for each principle.
• Assess the risk(s) to the organization, based on the biggest gaps.
• Determine whether additional information and analysis is necessary.
• Develop priorities and assign accountability for further development
of the program.
GARP® Health Checkup by John C. Montaña
Link to Health checkup short (free)
7. Assessment packages
Basic Package: $395 introductory price
• 1 organizational assessment
• 1-5 respondents
• Access to your data for one year, renewable each year
• Compare against your previous organizational assessments with each purchase
• Assessment reports provide your score by principle, overall score, and individual responses
Ideal for: small organizations; assessing an individual department, location, or division; proving program needs to management
Premium Package: $995 introductory price
• Unlimited organizational assessments per year
• Unlimited respondents in multiple configurations based on your needs
• Compare against your previous organizational assessments
• Ongoing access to your reports while your one-year subscription is active
• Assessment reports provide your score by principle, overall score, and individual responses
Ideal for: large organizations; organizations needing flexible deployment options; continual assessment to show program improvement and ROI
http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/generally-accepted-recordkeeping-principles-assessment
8. Creation of Business Value by RIM (organized & domesticated information)
Value of information =
+ Availability
+ Retrievability + data quality (metadata)
+ Retention and disposition defined (lifecycle)
+ Ease of identification as relevant
+ Ability to present in appropriate form
+ Known place in process (cloud?)
+ Appropriate level of protection
+ Value of the contribution to solve a business problem (leverage for decision making)
+ the hardest: intangible value of knowledge / content (e.g. IP)
8. Conclusions
• RIM is or will be positioned under the umbrella of Information Governance (ILMG)
• Do not treat IT governance and information governance as synonyms (make a difference: infrastructure / content/context) -> important for the buy-in from the business
• Key points for RIM programs (ECM):
  • Automation & deletion
  • Enterprise search
  • Interoperability (federated & in-place RM)
  • Accountability / role models
• IG organization, culture
  • Culture of orchestration, extreme collaboration & interaction
  • Co-governance instead of hierarchical governance
  • Apply subsidiarity principle
8. Bottom line & last warning
(Source: Gartner)
Thanks for Your Attention!
Reserve Slides
IGM Policy Framework: Example Novartis Pharma Div.
[Diagram: the IGM Manual as main document, framed by RIM & ISEC awareness, with the topic documents Information Risk Mgmt, Retirement, Maturity Assessment, IT Project Management, IT Operations, Inventories & Classification, Information Management, IT Security Management, IT Organization & Management, Service Provider Management.]
References (1)
Literature:
• AIIM: Occupy IT. A manifesto (2012): Link for download
• AIIM: Information governance – records, risks and retention in the litigation age (2013 Industry Watch)
• Bailey Steve: Managing the crowd. Rethinking records management for the web 2.0 world, London 2008 (Facet)
• Bailey Steve: Forget electronic records management, it's automated records management that we desperately need, in: Records Mgmt Journal, No. 2, 2009, p. 91-97
• Choksy Carol: Domesticating Information. Managing documents inside the organization, Lanham 2006 (Scarecrow Press)
• Currall J., Moss M.: We are archivists, but are we OK?, in: Records Mgmt Journal, No. 1, 2008, p. 69-91
• Gartner: Toolkit: Information governance project, April 9, 2009
• Gartner: Information governance best practices for content-intensive processes, Febr 27, 2012
• Goodman Susan: Measuring the value added by records management and information management programs, in: Records Management Quarterly, Apr 94, Vol. 28, issue 2, p. 8
• Hagmann, J.: Records Management – Paradigmenwechsel oder neue Orthodoxien?, in: Archiv & Wirtschaft, H. 4, 2012
• Kahn R., Blair B.T.: Information Nation (2nd ed.)
• Kooper M.N.: On the governance of information: Introducing a new concept of governance to support the management of information, in: International Journal of Information Management, 31 (2011), p. 195-200, online: download
• Lappin J.: What will be the next management orthodoxy?, in: Records Mgmt Journal, No. 3, 2010, p. 252-264
• Pugh Harry: Daten vernichten: Warum es so schwierig ist, in: Wirtschaftsinformatik & Management, Nr. 4, 2012, S. 42ff
• RMS Debate: The case against EDRMS. Has EDRMS been a success? The case for the prosecution, RMS Conference, Edinburgh 22 April 2007
• Soares S.: Selling Information Governance to the Business, Ketchum (ID), MC Press, 2011
• Saffady William: Managing electronic records, London 2009 (4th edition, Facet)
• Upward Frank (et al.): Recordkeeping informatics: re-figuring a discipline in crisis with a single minded approach, in: Records Mgmt Journal, No. 1, 2013, p. 37ff
References (2)
Websites / Blogs:
• Wiki: http://en.wikipedia.org/wiki/Records_management
• ARMA: http://www.arma.org
• ARMA Europe: http://europe.arma.org
• GARP: https://www.arma.org/r2/generally-accepted-br-recordkeeping-principles
• IGP certification: http://www.arma.org/r2/igp-certification
• AIIM: http://www.aiim.org
• Certified Information Professional (Course): http://education.aiim.org/Training/Certification
• CGOC (IBM): http://www.cgoc.com
• Blog Records Mgmt & Archiving: http://jhagmann.twoday.net
• Blog B.T. Blair: http://barclaytblair.com/
• Blog Bailey: http://rmfuturewatch.blogspot.ch/
• Blog Lappin: http://thinkingrecords.co.uk/
• The myth that data storage is cheap: http://futureproof.records.nsw.gov.au/mythbusting-that-storage-is-cheap/
• Glaxo case over-retention: Link
• Master education Switzerland: http://archivwissenschaft.ch
• JISC education framework RIM: http://www.jiscinfonet.ac.uk/records-management/
• Metrics / measurement methods: http://www.jiscinfonet.ac.uk/records-management/measuring-impact
Tenet of Information Governance
[Diagram: VALUE and LEGAL DUTY tied to INFORMATION ASSETS; IT supplies the content / context for decisions.]
One of the fundamental tenets of information governance is tying "value" and "legal duty" to "information assets" so 1.) IT can routinely and defensibly manage data and 2.) the business can make fully informed decisions.
ECM Future Architecture
[Diagram: structured information (ERP, data warehouse, business applications 1 and 2) and unstructured information (Office / Mail, SharePoint, S-drives, paper) feed via connectors and capturing / imaging tools into ECM (multiple systems) with metadata mapping. Storage tiers: tier 1&2 dynamic phase; tier 3 static phase (retention compliance); tier 3 long-term preservation (archives / digital preservation). Metalayer: ERM (classified / scheduled information types above item level), federated / in-place. Open question: ownership?]
Definitions of IG
"IG is the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals." (Gartner)
"IG is a comprehensive program of controls, processes, and technologies designed to help organizations maximize the value of information assets while minimizing associated risks and costs." (Barclay T. Blair)
"IG is the formulation of policy to optimize, secure, and leverage information as an enterprise asset by aligning the objectives of multiple functions." (IBM, Soares)
The 7 Keys to Info Mgmt Compliance
Key 1: Policies – enactment of binding rules
Key 2: Leadership and responsibilities of senior management, involvement of IT as partner
Key 3: Clear definition and delegation of program roles
Key 4: Communication and training
Key 5: Monitoring and auditing
Key 6: Enforcement of program
Key 7: Continuous improvement of program
Source: Kahn / Blair, Information Nation (2nd ed. 2008)
Problem Description: Governance
• IT: Has the data but does not know what to keep.
• GC/RIM: Is setting policies but cannot enforce them.
• Legal, Business: Knows what to keep but does not have the data.
Open questions: Organisation? Processes? Roles and responsibilities? Policies?
Source: CGOC
Information value declines over time, cost and risk don’t
Source: CGOC
Information Governance Reference Model
Source: EDRM
Reducing Data – Benefits For All
Source: CGOC
Problem Description: Organizations struggle with record keeping
• Records don't get captured from the business users
• Records are incorrectly classified or misfiled
• Records aren't getting destroyed at all
• High storage costs are unnecessary and avoidable
• Records are lost or destroyed too soon (spoliation)
• Inability to produce in court leads to spoliation claims, costly to recreate
• Too many records are kept too long ("keeping everything forever" attitude), hardly discoverable and very expensive to defend
• Process information not recorded, breaks the legal chain of custody required for audit and compliance
• RM policy not enforced
• Reliance on users to make decisions on records retention or disposition
• IT systems do not implement RM requirements
Prime Test: Records Mgmt Culture Quiz (anonymous; pertains to your business function; applies to paper and electronic records equally). Answer each statement with Agree or Disagree:
• If someone leaves the organization or changes dept., all relevant records (or ownership) are transferred to his successor or any other responsible person
• We always find and retrieve our business records easily and in a reasonable time
• Business records are properly captured by business users
• Business records are correctly classified
• Business records are getting properly destroyed according to the life-cycle (based on the retention schedule)
• Business records are never kept too long
• We never have gaps in the records or premature destruction of records
• I know who my Records Mgmt Coordinator / Archivist is
• I'm sure that IT understands records and information mgmt policies
• Process information is recorded
• I understand good records management practice
• I've already heard about our internal Records Management Center (or Policy)
• We follow defined filing rules (according to a file plan or SOP)
• I know how long to keep the records I'm creating or receiving within my scope
• I know where to look up the retention period of the records in my business scope