Every so often, an idea comes along that stops you in your tracks.
Innovation is happening at the speed of light all around us but most of the time it consists only of incremental, evolutionary thinking, which takes us a little bit further in the same direction we were going all along. We have become fairly blasé about innovation.
And then you spot something that makes you sit up, pay attention, change direction, and re-think everything. I had one of these moments a few weeks back.
The name “EpyDoc” will probably mean nothing to most of you. Even looking at their existing website I would have dismissed it as a second or third-rate Document Management wannabe. Yet, EpyDoc is launching a new concept in April, that potentially re-defines the whole Data / Content / Information / Process Management industry, as we know it today. You know what happens when you mix comets and dinosaurs? It is that revolutionary.
I have lost track of the number of times over the years that I’ve moaned about the constraints that our current infrastructure is imposing on us:
- The arbitrary segregation of structured and unstructured information
- The inherent synergy of Content and Process management
- The content granularity that stops at the file level
- The security models that protect the container rather than the information
- The lack of governance and lifecycle management of all information, not just records
- The impossibility of defining and predicting information value
…etc. The list goes on. EpyDoc’s “Information Operating System” (a grand, but totally appropriate title), seeks to remove all of these barriers by re-thinking the way we manage information today. Not in small incremental steps, but in a giant leap.
Their approach is so fundamentally different, that I would not do it credit by trying to summarise it here. And if I’m honest, I am still discovering more details behind it. But if you are interested in getting a taste of what the future of information management might look like in 5-10 years, I would urge you to read this 10-segment blog set which sets the scene, and let me know your thoughts.
And if, while you are reading through, you are, like me, sceptical about the applicability or commercial viability of this approach, I will leave you with a quote that I saw this morning on the tube:
“The horse is here to stay but the automobile is only a novelty – a fad”
(President of the Michigan Savings Bank, 1903)
P.S. Before my pedant friends start correcting me: I know that dinosaurs became extinct at the end of the Cretaceous period, not the Jurassic… 😉
Some of my old FileNet friends reading this article will smile… I realised today to my surprise, that it’s over 11 years ago that this simple concept was first articulated, and went on to form the basis of our compliance messaging, transitioned into IBM after the acquisition, and was presented in many conferences and briefings. The result of a quick brainstorm before a breakfast briefing for Bearingpoint, at an off-site annual kick-off session, the picture on the left is a scan from my original notebook where it first appeared, in January 2004. I have evidence of this still being included in presentations as late as 2011. In the world of PowerPoint slides, does that make it a classic?
Now, it may be an old message, but it is as valid today as it ever was. And since I’ve never written about it in this blog I thought it was worth re-introducing it to a whole new audience.
What does a company need to do, to be compliant?
There are three very fundamental and very explicit stages for an organisation to achieve a “compliant” status. These apply equally to every vertical industry, be it Banking, Insurance, Telco, Retail, Pharmaceutical, etc. And they also apply equally, if “compliance” refers to regulatory compliance in a Nuclear plant, financial compliance, or Health & Safety at a local school.
Step 1 – The Present: Become compliant
What do you need to do today, to comply with the rules and meet the regulations? What changes in procedure, what risk controls, what equipment checks, what training? This stage includes designing and implementing everything that a company needs to put in place, to be able to certify that today, it is compliant with each regulation the law currently subjects it to. Implementing this stage requires the company to (a) identify and understand which regulations are relevant and what they are expecting, (b) identify possible areas and processes where the company is at risk of not being compliant with the regulations, and (c) implement any changes necessary to remove those compliance risks.
Step 2 – The Future: Remain compliant
This is the part that is often forgotten, and ends up costing organisations millions in fines: Looking at the future. Becoming compliant is not enough, it’s just the first step. As an organisation, you need to ensure that compliance is sustained consistently in the future. That every system, every procedure and every employee remains within the controls and guidelines specified by the legal regulations or the company policies. At a manual level, this involves regular training for employees and regular testing of all the various controls and devices implemented in Step 2. The best way to implement Step 2 however, is automation. Putting in place systems and processes that not only monitor the company’s compliance, but that enforce it. The less a company relies on individual employees to maintain compliance the less likely it is to fall foul of compliance breaches through human error. Automation reduces training requirements, reduces management overheads, and it reduces wasting operational cycles for testing and reporting.
Step 3 – The Past: Demonstrate compliance
The final part of the process is looking at compliance retrospectively: Are you able to go back to a specific point in time, and demonstrate to a regulator, an auditor, or even a customer, that you operated compliantly? Are you able to show what decisions were made, what policies were in force, who made the decisions and what information they had available to them to support that decision? This is all about Records Management and audit trails. It’s about maintaining evidence of your compliance that is complete, accurate and irrefutable. Preparing for that retrospective compliance review in the future, should be a core part of the design of any compliance system implemented today.
So the meme Become – Remain – Demonstrate (or even “Achieve – Sustain – Prove”, as the alternative version that our U.S. marketing folk seemed to favour) summarises the three key steps that you need to remember about structuring a compliance programme. If you are faced with a new regulation, new management, or even a new mandate to create or replace IT systems for compliance, use these three steps to validate if your compliance strategy is complete or not.
It’s Autumn. The trees are losing their leaves, the nights are getting longer, it’s getting cold and grey and generally miserable. It’s also the time for the annual lament of the Enterprise Content Management industry and ECM… the name that refuses to die!
At least once a year, ECM industry pundits go all depressed and introspect and predict, once again, that our industry is too wide, too narrow, too complex, too simplified, too diverse or too boring and dying or not dying or dead and buried. Once again this year, Laurence Hart (aka Pie), Marko Sillanpää, Daniel Antion, John Mancini and, undoubtedly, several other esteemed colleagues, with a collective experience of several hundred years of ECM on their backs, will try (and fail) to reconcile and rationalize the semantics of one of the most diverse sectors in the software industry.
You will find many interesting points and universal truths about ECM if you follow the links to these articles above. Some I agree with wholeheartedly, some I would take with a pinch of salt.
But let me assure you, concerned reader, that the ECM industry is not going anywhere, the name will not change and we will again be lamenting its demise, next Autumn!
There is a fundamental reason why this industry is so robust and so perplexing: This is not a single industry, or even a single coherent portfolio of products. It’s a complex amalgamation of technologies that co-exist and complement each other, with the only common denominator being an affinity for managing “stuff” that does not fit in a traditional relational database. And every time one of these technologies grows out of favour, another new discipline joins the fold: Documents and emails and archives and repositories and processes and cases and records and images and retention and search and analytics and ETL and media and social and collaboration and folksonomies and cloud, and, and, and… The list, and its history, is long. The reason this whole hotchpotch will continue to be called Enterprise Content Management, is that we don’t have a better collective noun that even vaguely begins to describe what these functions do for the business. And finally, more and more of the market (you know, the real people out there, not us ECM petrolheads…) are starting to recognise the term, however vague, inappropriate and irrational it may be to the purists among us.
And there is one more reason: Content Management is not a technology, it’s an operational discipline. Organisations will manage content with or without ECM products. It’s just faster, cheaper and more consistent if they use tools.
As I said, if you have an academic interest in this ECM industry, the articles above are definitely worth reading. For my part, I would like to add one more thought into that mix:
The word “Enterprise” in “ECM” has been the source of much debate. And whilst I agree with Laurence that originally some of the vendors attempted to promote the idea of a single centralised ECM repository for the whole enterprise, that idea was quickly abandoned in the early ’00s as generally a bad idea. Anyone who has tried to deploy this approach in a real world environment, can give you a dozen reasons why it’s really, really a very naïve idea.
Nevertheless, Content Management has always been, and will always be “Enterprise”, in the sense that it very rarely works as a simple departmental solution. There is very little value in doing that, especially when you combine it with process management, which adds the most value when crossing inter-departmental boundaries. It is also “Enterprise” in the sense that as a platform it can support both vertical and horizontal applications across most parts of an organisation. Finally, there are certain applications of ECM, that can only be deployed as “Enterprise” tools: It would be madness to design Records Management, eMail archiving, eDiscovery or Social collaboration solutions, on a department by department basis. There is no point!
That’s why, in my opinion at least, the term ECM will live for a long time yet… Long Live ECM!
This morning, I was reading Laurence’s blog titled “Does Records Management Give Content Management a Bad Name?”, which picks on one of the points in Cheryl’s article “It’s a Digital-First World: Five Trends Reshaping Records Management As You Know It”, with some very insightful comments added by Christian. I started leaving a comment under Laurence’s blog (which I will still do, pointing back to this) but there are too many points I wanted to add to the debate and it was becoming too long…
So, here is my take:
First of all, I want to move away from the myth that RM is a single requirement. Organisations look to RM tools as the digital equivalent to a Swiss Army Knife, to address multiple requirements:
- Classification – Often, the RM repository is the only definitive Information Management taxonomy managed by the organisation. Ironically, it mostly reflects the taxonomy needed by retention management, not by the operational side of the business. Trying to design a taxonomy that serves both masters, leads to the huge granularity issues that Laurence refers to.
- Declaration – A conscious decision to determine what is a business record and what is not. This is where both the workflow integration and the auto-classification have a role to play, and where in an ideal world we should try to remove the onus of that decision from the hands of the end-user. More on that point later…
- Retention management – This is the information governance side of the house. The need to preserve the records for the duration that they must legally be retained, move them to the most cost-effective storage medium based on their business value, and actively dispose of them when there is no regulatory or legal reason to retain them any longer.
- Security & auditability – RM systems are expected to be a “safe pair of hands”. In the old world of paper records management, once you entrusted your important and valuable documents to the records department, you knew that they were safe. They would be preserved and looked after until you ask for them. Digital RM is no different: It needs to provide a safe-haven for important information, guaranteeing its integrity, security, authenticity and availability. Supported by a full audit trail that can withstand legal scrutiny.
Auto-categorisation or auto-classification, relates to both the first and the second of these requirements: Classification (using linguistic, lexical and semantic analysis to identify what type of document it is, and where it should fit into the taxonomy) and Declaration (deciding if this is a business document worthy of declaration as a record). Auto-classification is not new, it’s been available both as a standalone product and integrated within email and records capture systems for several years. But its adoption has been slow, not for technological reasons, but because culturally both compliance and legal departments are reluctant to accept that a machine can be good enough to be allowed to make this type of decision. And even though numerous studies have proven that machine-based classification can be far more accurate and consistent than a room full of paralegals reading each document, it will take a while before the cultural barriers are lifted. Ironically, much of the recent resurgence and acceptance of auto-classification is coming from the legal field itself, where the “assisted review” or “predictive coding” (just a form of auto-classification to you and me) wars between eDiscovery vendors, have brought the technology to the fore, with judges finally endorsing its credibility [Magistrate Judge Peck in Moore v. Publicis Groupe & MSL Group, 287 F.R.D. 182 (S.D.N.Y. 2012), approving use of predictive coding in a case involving over 3 million e-mails.].
The point that Christian Walker is making in his comments however is very important: Auto-classification can help but it is not the only, or even the primary, mechanism available for Auto-Declaration. They are not the same thing. To take the records declaration process away from the end-user, requires more than understanding the type of document and its place in a hierarchical taxonomy. It needs the business context around the document, and that comes from the process. A simple example to illustrate this would be a document with a pricing quotation. Auto-classification can identify what it is, but not if it has been sent to a client or formed part of a contract negotiation. It’s that latter contextual fact that makes it a business record. Auto-Declaration from within a line-of-business application, or a process management system is easy: You already know what the document is (whether it has been received externally, or created as part of the process), you know who it relates to (client id, case, process) and you know what stage in its lifecycle it is at (draft, approved, negotiated, signed, etc.). These give enough definitive context to be able to accurately identify and declare a record, without the need to involve the users or resort to auto-classification or any other heuristic decision. That’s assuming, of course, that there is an integration between the LoB/process and the RM system, to allow that declaration to take place automatically.
The next point I want to pick up is the issue of Cloud. I think cloud is a red herring to this conversation. Cloud should be an architecture/infrastructure and procurement/licensing decision, not a functional one. Most large ECM/RM vendors can offer similar functionality hosted on- and off-premises, and offer SaaS payment terms rather than perpetual licensing. The cloud conversation around RM however, becomes its own sticky mess when you start looking at guaranteeing location-specific storage (a critical issue for a lot of European data protection and privacy regulation) and when you start looking at the integration between on-premise and off-premise systems (as in the examples of auto-declaration above). I don’t believe that auto-classification is a significant factor in the cloud decision making process.
Finally, I wanted to bring another element to this discussion. There is another RM disruptive trend that is not explicit in Cheryl’s article (but it fits under point #1) and it addresses the third RM requirement above: “In-place” Retention Management. If you extract the retention schedule management from the RM tool and architect it at a higher logical level, then retention and disposition can be orchestrated across multiple RM repositories, applications, collaboration environments and even file systems, without the need to relocate the content into a dedicated traditional RM environment. It’s early days (and probably a step too far, culturally, for most RM practitioners) but the huge volumes of currently unmanaged information are becoming a key driver for this approach. We had some interesting discussions at the IRMS conference this year (triggered partly because of IBM’s recent acquisition of StoredIQ, into their Information Lifecycle Governance portfolio) and James Lappin (@JamesLappin) covered the concept in his recent blog here: The Mechanics on Manage-In-Place Records Management Tools. Well worth a read…
So to summarise my points: RM is a composite requirement; Auto-Categorisation is useful and is starting to become legitimate. But even though it can participate, it should not be confused with Auto-Declaration of records; “Cloud” is not a functional decision, it’s an architectural and commercial one.
Today I read a very well written and entertaining post from Adam Deane, titled “BPM and ECM – The War Begins”
Unfortunately it’s the “Dad’s Army” (aka the vendors…) view of the war. In the real world (Line-of-business) ECM and BPM made peace years ago and for the last 20 years there have been very few ECM implementations without process elements, and vice versa, very few BPM implementations that don’t involve documents, forms, images, or other forms of interaction with the knowledge workers and the customers. The only “pure-play” BPM solutions that don’t involve elements of ECM are straight-through-processing and application integration projects.
The “war” Adam is describing is a SuperMarket war: Inevitably you need to eat both protein and fruit… Will you buy your ECM and BPM rations from IBM, Oracle, EMC, Microsoft, your local FairTrade Co-op (is that Alfresco?) Or will you support the local economy by shopping at the smaller local pure-play traders buying separately from the butcher’s, the baker’s and the greengrocer’s?
As a consumer, it’s always good to have a choice! 🙂