Records Management: An important element of your information governance program

Records Management: An Important Element of Your Information Governance Program RSD Event Geneva, May 23, 2013 Swiss Chapter

description

Presentation at the RSD event Geneva, May 23 2013

Transcript of Records Management: An important element of your information governance program

Page 1: Records Management: An important element of your information governance program

Records Management: An Important Element of Your Information Governance Program

RSD Event

Geneva, May 23, 2013

Swiss Chapter

Page 2: Records Management: An important element of your information governance program

Agenda

1. Intro / ARMA Switzerland

2. RIM business case today

3. Embedding RIM/ILMG into Information Governance

4. Inadequacy of IT Governance

5. Records Management Foundations (ILMG)

6. Pain Points in Records Mgmt and how to mitigate them

7. Measuring the Maturity of RIM: The Principles (GARP)

8. Value proposition & Conclusions

RSD event 23.5.2013 - @jhagmann – ARMA Swiss Chapter 2

Page 3: Records Management: An important element of your information governance program

1. ARMA Swiss Chapter at a glance

• Established Nov. 2011 (Basel)
• Board: 4 members
• >40 members (growing)
• Website under ARMA Europe: http://europe.arma.org/chapters/switzerland
• Newsletters are published regularly
• Collaboration platform on box.net (for members only)
• LinkedIn group: http://www.linked.com/groups?gid=4379074
• Agreement with VSA-AAS Switzerland (coordination)

Initiatives

• Create possibilities for corp. membership (Friends of …)
• Develop further education programs at an official info mgmt school CH

Events 2013

• Spring Meeting Geneva (UN HCHR) 12.4.13
• Booth at the Swiss IM Forum Zurich, June 4th
• European Presence at ARMA Annual Conference Las Vegas end of Oct.
• Annual Conference Zurich 8.11.13 (IBM)
  • Gen. Assembly (morning)
  • Topical conference (afternoon)

Page 4: Records Management: An important element of your information governance program

2. RIM Business Case today

• Risk mitigation / compliance
• Reducing IT costs (Gartner*)

Challenges: big data, technology changes, regulatory reqs, consumerization of IT, mobility etc.

-> Control deficits = various risks

* Information governance best practices for content-intensive processes (Febr 27, 2012)

Page 5: Records Management: An important element of your information governance program

2. Examples of retention risks

• Keeping records too long
• Keeping unnecessary records (be careful when destroying documents on clean-up days)
• Inappropriate or premature destruction of records (advertently or inadvertently)
• Inability to preserve digital records for the required time period
• Inability to identify the official record (original)
• Inability to apply legal holds
• Inability to produce (find) records in a timely manner (audits, investigation)
• Unauthorized duplicate records
• Records stored on obsolete media
• Not creating records that we should
• Storing unknown content (smoking gun)
• Storing records on non-traditional or inappropriate formats and media
• Storing records in inappropriate facilities or locations (no adequate protection against hazards)

Page 6: Records Management: An important element of your information governance program

2. Reality / incidents

• Senior management is ignoring the risks (*)
• 31% report that poor electronic records keeping is causing problems with regulators and auditors
• 14% are incurring fines or bad publicity (reputation damages)

* AIIM Industry Watch 2013: Information Governance – records, risks, and retention in the litigation age

Page 7: Records Management: An important element of your information governance program

3. Records Management is not enough: The force of the nexus

[Diagram: Relations / Disciplines. Business processes / activities generate business information; around them sit the related disciplines, abbreviated ILM/RM, ISEC, Cloud, ITRC, Arch., WCM, Privacy, SM, eDisc., SOX IT, BCM/DR. Labels shown: Retention, Lifecycle Mgmt, Disposition; IT/Information security Awareness; IT Risk Control / COBIT; Information Architecture; Web Governance; Data protection; Social Media; eDiscovery; Regulatory compliance; Business Continuity / Disaster Recovery.]

Page 8: Records Management: An important element of your information governance program

3. Information Governance: Big Picture

[Diagram: Information Governance big picture. Drivers shown: FDA, reg. authorities, litigation, privacy, competition, incidents, vulnerabilities, requirements, intellectual property. Axis labels: Information Flow; Business; Information Risks. Information Life Cycle running from Creation to Disposition. Layers: IT infrastructure services (deliver the right systems & services); information, content, context; ILMG enables EIM. Risk & Compliance: retention/disposition, info security, online governance, IT risk control, IT BCM/DR. IG Framework elements: Policies / Standards; IT / Information Risk Management; Information & Records Management, Web Governance; Quality & Value Creation; Operations & Support, Training, Awareness, Communication; Information Security / Privacy; Arch.]

Page 9: Records Management: An important element of your information governance program

3. Terminology (perspective) is changing – requirements are not

…as a record

Will we ask if any kind of (compliance) relevant information will be qualified and declared as a "record" or not, particularly when on average less than 20% of enterprise information is managed as "official" or scheduled records?

ILM or ILMG

Information Lifecycle Mgmt or Information Lifecycle Mgmt & Governance

Page 10: Records Management: An important element of your information governance program

4. Inadequacy of IT Governance

• Not concerned with the way information is created, used and processed (content, context – lifecycle – physical world)

• It just covers the „control half“ of the business universe and confuses compliance with compliant: a strong “audit culture is ironically the enemy of reflection, the very thing that it is supposed to support”. What about the vital values of innovation, creativity, value creation, business development etc.?

• Incomplete or half-hearted implementation which leads to a formal and bureaucratic environment (controls remain undetected until an incident occurs, service levels remain unmonitored, BCM/DR testing is lacking etc.)

Page 11: Records Management: An important element of your information governance program

4. Governance - It’s all about culture & behaviour

„I came to see, in my time at IBM, that culture isn‘t just one aspect of the game; it is the game.“ (Lou Gerstner, former chairman of the board & CEO, IBM)

Real organizational challenge of IG: „no department/discipline alone is able to achieve the desired goals and advantages.“

Orchestration and business alignment = harmonize incoherent aggregates and stakeholders! Achieve desirable behaviour …

Page 12: Records Management: An important element of your information governance program

5. Information Lifecycle Mgmt - Overview

[Diagram: lifecycle phases (Active/Semi-active Phase, Inactive Phase, Permanent) shown against the system level (DMS, File Sys, Bus. Apps, Mail, Long-term repository), spanned by a Policy Layer and a Governance Layer.]

Page 13: Records Management: An important element of your information governance program

5. Policy Framework RIM – House & Foundation

[Diagram: the RIM policy framework drawn as a house on a foundation, running from strategic (top) to operational (bottom).]

House (enterprise wide or per function or unit):

• Policy: principles and definition of mandate
• Standards: retention mgmt / standards
• Implementation Guidelines: guidelines (How to …), providing templates/forms and tools for required processes
• ECM (technology solutions)
• Records Center

Foundation:

• Records Identification (Inventory): Which record types exist? (above item level)
• Requirements catalog: What requirements apply? (legal, regulatory, business)
• Retention Schedule (Master Schedule): How long have records to be kept?
• File Plan (item level): How are records filed and retrieved?

Page 14: Records Management: An important element of your information governance program

6. Major Pain Points RIM Implementation

1. Enforcement gap / deficit
2. Lack of accountability / responsibility
3. Broken custody chain
4. Schedule compliance & lacking execution of disposition/deletion

Page 15: Records Management: An important element of your information governance program


6.1. Enforcement Gap


Page 16: Records Management: An important element of your information governance program

6.2. Lacking Accountability

“The word that matters most is accountability. The root of all of our problems with information, and we do have lots of problems with it, is the fact that there is no accountability for information as such.” (Debra Logan, Gartner)

A folder with an important contract cannot be found in a repository because:

• There is no current process ownership defined (who is the records manager for this dept.?)
• Records have never been captured (registered and indexed) in the active phase (no identification and tracking is possible)

-> Lessons learned: the information owner must assign the appropriate program role(s)

Page 17: Records Management: An important element of your information governance program

6.2. Lacking Accountability

Assign and document information ownership and stewardship

Functional manager: ownership

Operational Records Mgr: stewardship (custodian)

Page 18: Records Management: An important element of your information governance program

6.3. Broken Custody Chain

Documents cannot be found (due to several moves or employees who left) or a given context of evidence in a dossier (file) cannot be understood (lack of knowledge); often H:\drives or G:\drives are orphaned

Must do: lessons

• Transfer the records under your custody to your successor or the responsible superior when moving to another dept. or leaving the company!
• Prepare a template for leave protocol (hand-over) with HR; enforce and monitor its usage

Page 19: Records Management: An important element of your information governance program


6.4. Schedule Compliance & Disposition

Enterprise top level Class: 09 – HR

Series: Personnel File

Enforce/execute lifecycle according to schedule!

Apply rules to multiple repositories (federated, in-place RM)


Page 20: Records Management: An important element of your information governance program

6. Choke points to mitigate risk

Pain points and their choke points / mitigation actions:

• Enforcement deficit: Awareness training and campaigns on all levels from lessons learned, supporting post audit activities and self-assessments, C-level involve

• Lacking accountability: Appointing and assigning appropriate program roles (incl. deputies) throughout the whole lifecycle, clearly documenting information ownership and stewardship responsibility (custody)

• Broken custody chain: When employees are leaving the company or moving into another dept. transfer all relevant information to the successor or supervisor; enforce and refine HR exit procedure

• Schedule compliance & disposition/destruction: Execute the lifecycle requirements on the document (item) level; get rid of excess documents and data in a controlled way; coordinate controlled disposition and deletion with IT & Legal; organize regular clean-up days, purify shared drives, fight „keep everything“ attitude

Page 22: Records Management: An important element of your information governance program

7. GARP maturity model

Ex. Retention

Level 1 (Non-existent): There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based upon individual rather than organizational needs.

Level 2 (Initial): A retention schedule is available, but it does not encompass all records, did not go through official review, and it is not well known around the organization. Education and training about the retention policies is not available.

Level 3 (Repeatable): A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization’s employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention.

Level 4 (Defined/Managed): Same as 3. In addition, it is clear to employees how to classify records appropriately and retention training is in place. Retention schedules are reviewed on a regular basis and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern.

Level 5 (Optimised): Same as 4. In addition, retention is an important item at the C and board levels. Retention is looked at holistically, and is applied, not just to official records, but to all content in an organization.

Page 23: Records Management: An important element of your information governance program

7. Using The Principles

HOW to use the maturity model:

• Identify the gaps between the organization's current practices and the desirable level of maturity for each principle.
• Assess the risk(s) to the organization, based on the biggest gaps.
• Determine whether additional information and analysis is necessary.
• Develop priorities and assign accountability for further development of the program.

GARP® Health Checkup by John C. Montaña

Link to Health checkup short (free)

Page 24: Records Management: An important element of your information governance program

7. Assessment packages

Basic Package: $395 introductory price

• 1 organizational assessment
• 1-5 respondents
• Access to your data for one year, renewable each year
• Compare against your previous organizational assessments with each purchase
• Assessment reports provide your score by principle, overall score, and individual responses

Ideal for:

• Small organizations
• Assessing an individual department, location, or division
• Proving program needs to management

Premium Package: $995 introductory price

• Unlimited organizational assessments per year
• Unlimited respondents in multiple configurations based on your needs
• Compare against your previous organizational assessments
• Ongoing access to your reports while your one-year subscription is active
• Assessment reports provide your score by principle, overall score, and individual responses

Ideal for:

• Large organizations
• Organizations needing flexible deployment options
• Continual assessment to show program improvement and ROI

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/generally-accepted-recordkeeping-principles-assessment

Page 25: Records Management: An important element of your information governance program

8. Creation of Business Value by RIM (organized & domesticated information)

Value of information =

- Availability +
- Retrievability + data quality (metadata)
- Retention and disposition defined (lifecycle) +
- Ease of identification as relevant +
- Ability to present in appropriate form +
- Known place in process (cloud?) +
- Appropriate level of protection +
- Value of the contribution to solve a business problem (leverage for decision making) +
- (the hardest) Intangible value of knowledge / content (e.g. IP)

Page 26: Records Management: An important element of your information governance program

8. Conclusions

• RIM is or will be positioned under the umbrella of Information Governance (ILMG)

• Do not treat IT governance and information governance as synonyms (differentiate: infrastructure vs. content / context) -> important for the buy-in from the business

• Key points for RIM programs (ECM):

• Automation & deletion

• Enterprise search

• Interoperability (federated & in-place RM)

• Accountability / Role Models

• IG Organization, culture

• Culture of orchestration, extreme collaboration & interaction

• Co-governance instead of hierarchical governance

• Apply subsidiarity principle

Page 27: Records Management: An important element of your information governance program


8. Bottom line & last warning

Gartner

Page 28: Records Management: An important element of your information governance program

Thanks for Your Attention!

Page 29: Records Management: An important element of your information governance program

Reserve Slides

Page 30: Records Management: An important element of your information governance program

IGM Policy Framework (Example Novartis Pharma Div.)

[Diagram: policy framework built around the IGM Manual (labelled "Main Document"), with the surrounding elements: RIM & ISEC awareness; Information Risk Mgmt; Retirement; Maturity Assessment; IT Project Management; IT Operations; Inventories & Classification; Information Management; IT Security Management; IT Organization & Management; Service Provider Management.]

Page 31: Records Management: An important element of your information governance program

References (1)

Literature:

• AIIM: Occupy IT. A manifesto (2012)
• AIIM: Information governance – records, risks and retention in the litigation age (2013 Industry Watch)
• Bailey Steve: Managing the crowd. Rethinking records management for the web 2.0 world, London 2008 (facet)
• Bailey Steve: Forget electronic records management, it‘s automated records management that we desperately need, in: Records Mgmt Journal, No.2, 2009, p.91-97
• Choksy Carol: Domesticating Information. Managing documents inside the organization, Lanham 2006 (scarecrow press)
• Currall J., Moss M.: We are archivists, but are we OK?, in: Records Mgmt Journal, No.1, 2008, p.69-91
• Gartner: Toolkit: Information governance project, April 9, 2009
• Gartner: Information governance best practices for content-intensive processes, Febr 27, 2012
• Goodman Susan: Measuring the value added by records management and information management programs, in: Records Management Quarterly, Apr94, Vol.28, issue 2, p.8
• Hagmann, J.: Records Management – Paradigmenwechsel oder neue Orthodoxien?, in: Archiv & Wirtschaft, H.4, 2012
• Kahn R., Blair B.T.: Information Nation (2nd ed.)
• Kooper M.N.: On the governance of information: Introducing a new concept of governance to support the management of information, in: International Journal of Information Management, 31 (2011), p.195-200
• Lappin J.: What will be the next management orthodoxy?, in: Records Mgmt Journal, No.3, 2010, p.252-264
• Pugh Harry: Daten vernichten: Warum es so schwierig ist, in: Wirtschaftsinformatik & Management, Nr.4, 2012, S.42ff
• RMS Debate: The case against EDRMS. Has EDRMS been a success? The case for the prosecution, RMS Conference, Edinburgh 22 April 2007
• Soares S.: Selling Information Governance to the Business, Ketchum (ID), MC Press, 2011
• Saffady William: Managing electronic records, London 2009 (4. edition, facet)
• Upward Frank (et al): Recordkeeping informatics: re-figuring a discipline in crisis with a single minded approach, in: Records Mgmt Journal, No.1, 2013, p.37ff

Page 32: Records Management: An important element of your information governance program

References (2)

Websites / Blogs:

• Wiki: http://en.wikipedia.org/wiki/Records_management
• ARMA: http://www.arma.org
• ARMA Europe: http://europe.arma.org
• GARP: https://www.arma.org/r2/generally-accepted-br-recordkeeping-principles
• IGP certification: http://www.arma.org/r2/igp-certification
• AIIM: http://www.aiim.org
• Certified Information Professional (Course): http://education.aiim.org/Training/Certification
• CGOC (IBM): http://www.cgoc.com
• Blog Records Mgmt & Archiving: http://jhagmann.twoday.net
• Blog B.T. Blair: http://barclaytblair.com/
• Blog Bailey: http://rmfuturewatch.blogspot.ch/
• Blog Lappin: http://thinkingrecords.co.uk/
• The myth that data storage is cheap: http://futureproof.records.nsw.gov.au/mythbusting-that-storage-is-cheap/
• Glaxo case overretention: Link
• Master education Switzerland: http://archivwissenschaft.ch
• JISC education framework RIM: http://www.jiscinfonet.ac.uk/records-management/
• Metrics / measurement methods: http://www.jiscinfonet.ac.uk/records-management/measuring-impact

Page 33: Records Management: An important element of your information governance program

Tenet of Information Governance

[Diagram: VALUE and LEGAL DUTY tied to INFORMATION ASSETS, with IT on one side and content / context for decisions on the other.]

One of the fundamental tenets of information governance is tying "value" and "legal duty" to "information assets" so 1.) IT can routinely and defensibly manage data and 2.) the business can make fully informed decisions.

Page 34: Records Management: An important element of your information governance program

ECM Future Architecture

[Diagram: source systems holding structured information (Business Application 1, Business Application 2, ERP, Data Warehouse) and unstructured information (Office / Mail, Sharepoint, S-Drives, Paper) feed ECM (multiple systems) through connectors, capturing / imaging tools and metadata mapping. Storage tiers: Tier 1&2, dynamic phase; Tier 3, static phase (retention compliance); Tier 3, long-term preservation (Archives / Digital Preservation). Metalayer: ERM (classified / scheduled information types above item level), federated/in-place. Open question marked on the diagram: Ownership?]

Page 35: Records Management: An important element of your information governance program

Definitions of IG

“IG is the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” (Gartner)

“IG is a comprehensive program of controls, processes, and technologies designed to help organizations maximize the value of information assets while minimizing associated risks and costs.” (Barclay T. Blair)

“IG is the formulation of policy to optimize, secure, and leverage information as an enterprise asset by aligning the objectives of multiple functions.” (IBM, Soares)

Page 36: Records Management: An important element of your information governance program

The 7 Keys to Info Mgmt Compliance

Key 1: Policies – Enactment of binding rules

Key 2: Leadership and responsibilities of senior management, involvement of IT as partner

Key 3: Clear definition and delegation of program roles

Key 4: Communication and Training

Key 5: Monitoring and Auditing

Key 6: Enforcement of program

Key 7: Continuous improvement of program

Source: Kahn/Blair, Information Nation (2nd ed. 2008)

Page 37: Records Management: An important element of your information governance program

Problem Description: Governance

• IT: Has the data but does not know what to keep.
• GC/RIM: Is setting policies but cannot enforce them.
• Legal, Business: Knows what to keep but does not have the data.

Organisation? Processes? Roles and Responsibilities? Policies?

Source: CGOC

Page 38: Records Management: An important element of your information governance program

Information value declines over time, cost and risk don’t

Source: CGOC

Page 39: Records Management: An important element of your information governance program

Information Governance Reference Model

Source: EDRM

Page 40: Records Management: An important element of your information governance program


Reducing Data – Benefits For All

Source: CGOC

Page 41: Records Management: An important element of your information governance program

Problem Description: Organizations struggle with record keeping

• Records don’t get captured from the business users
• Records are incorrectly classified or misfiled
• Records aren’t getting destroyed at all
• High storage costs are unnecessary and avoidable
• Records are lost or destroyed too soon (spoliation)
• Inability to produce in court leads to spoliation claims, costly to recreate
• Too many records are kept too long (“keeping everything forever” attitude), hardly discoverable and very expensive to defend
• Process information not recorded, breaks legal chain of custody required for audit and compliance
• RM Policy not enforced
• Reliance on users to make decisions on records retention or disposition
• IT systems do not implement RM requirements

Page 42: Records Management: An important element of your information governance program

Prime Test: Records Mgmt Culture Quiz: anonymous – pertains to your business function, applies to paper and electronic records equally

Agree - Disagree

• If someone leaves the organization or changes dept., all relevant records (or ownership) are transferred to his successor or any other responsible person
• We always find and retrieve our business records easily and in a reasonable time
• Business records are properly captured by business users
• Business records are correctly classified
• Business records are getting properly destroyed according to the life-cycle (based on the retention schedule)
• Business records are never kept too long
• We never have gaps in the records or premature destruction of records
• I know who is my Records Mgmt Coordinator / Archivist
• I’m sure that IT understands records and information mgmt policies
• Process information is recorded
• I understand good records management practice
• I’ve already heard about our internal Records Management Center (or Policy)
• We follow defined filing rules (according to a file plan or SOP)
• I know how long to keep the records I’m creating or receiving within my scope
• I know where to look up the retention period of the records in my business scope