Archive

Posts Tagged ‘records management’

3 steps to a Compliance Strategy – As valid now, as ever!

[Image: 3 Steps Compliance Strategy, a scan of the original notebook page]

Some of my old FileNet friends reading this article will smile… I realised today, to my surprise, that it is over 11 years since this simple concept was first articulated. It went on to form the basis of our compliance messaging, transitioned into IBM after the acquisition, and was presented in many conferences and briefings. The result of a quick brainstorm before a breakfast briefing for Bearingpoint, at an off-site annual kick-off session, the picture on the left is a scan from my original notebook where it first appeared, in January 2004. I have evidence of it still being included in presentations as late as 2011. In the world of PowerPoint slides, does that make it a classic?

Now, it may be an old message, but it is as valid today as it ever was. And since I’ve never written about it in this blog I thought it was worth re-introducing it to a whole new audience.

What does a company need to do, to be compliant?

There are three very fundamental and very explicit stages for an organisation to achieve a “compliant” status. These apply equally to every vertical industry, be it Banking, Insurance, Telco, Retail, Pharmaceutical, etc. And they also apply equally, if “compliance” refers to regulatory compliance in a Nuclear plant, financial compliance, or Health & Safety at a local school.

Step 1 – The Present: Become compliant

What do you need to do today to comply with the rules and meet the regulations? What changes in procedure, what risk controls, what equipment checks, what training? This stage includes designing and implementing everything that a company needs to put in place to be able to certify that, today, it is compliant with each regulation the law currently subjects it to. Implementing this stage requires the company to (a) identify and understand which regulations are relevant and what they expect, (b) identify the areas and processes where the company is at risk of not complying with those regulations, and (c) implement any changes necessary to remove those compliance risks.

Step 2 – The Future: Remain compliant

This is the part that is often forgotten, and it ends up costing organisations millions in fines: looking at the future. Becoming compliant is not enough; it is just the first step. As an organisation, you need to ensure that compliance is sustained consistently in the future: that every system, every procedure and every employee remains within the controls and guidelines specified by the legal regulations or the company policies. At a manual level, this involves regular training for employees and regular testing of all the various controls and devices implemented in Step 2. The best way to implement Step 2, however, is automation: putting in place systems and processes that not only monitor the company’s compliance but enforce it. The less a company relies on individual employees to maintain compliance, the less likely it is to fall foul of compliance breaches through human error. Automation reduces training requirements, reduces management overheads, and reduces the operational cycles wasted on testing and reporting.

Step 3 – The Past: Demonstrate compliance

The final part of the process is looking at compliance retrospectively: are you able to go back to a specific point in time and demonstrate to a regulator, an auditor, or even a customer, that you operated compliantly? Are you able to show what decisions were made, what policies were in force, who made the decisions and what information they had available to support those decisions? This is all about Records Management and audit trails. It is about maintaining evidence of your compliance that is complete, accurate and irrefutable. Preparing for that retrospective compliance review should be a core part of the design of any compliance system implemented today.

So the meme Become – Remain – Demonstrate (or “Achieve – Sustain – Prove”, the alternative version that our U.S. marketing folk seemed to favour) summarises the three key steps that you need to remember when structuring a compliance programme. If you are faced with a new regulation, new management, or even a new mandate to create or replace IT systems for compliance, use these three steps to validate whether your compliance strategy is complete or not.

Stop comparing Information Governance with Records Management!

Information Governance has been all the rage in the ECM world in the last year. Chris Walker, Laurence Hart, James Lappin, John Mancini, Barclay T. Blair and many other writers whose opinions I respect, are all writing about it.

That, in itself, is a good thing: I’ve been an advocate of Information Governance for a while now [Data Governance is not about Data] and it’s good to see it taking a prominent (and permanent) position in IT dialogue.

As with any other IT topic, however, the more we talk about it, the more vague it becomes, and the more confusing and overlapping the definitions get. One of the latest symptoms of this is the recent dialogue (read these posts by James and Laurence) discussing where Information Governance (IG) sits in relation to Records Management (RM).

The points they are making are valid, but I believe that the premise behind these conversations is fundamentally misplaced, and here’s why:

1) Information Governance is a discipline, not a tool. The purpose of IG is to define all aspects of how information is being managed. The purpose of RM is to do the managing of some of that information.

2) According to the Compliance, Governance and Oversight Council (CGOC), the information kept under RM’s control represents less than 20% of the total information managed by an organisation. IG has responsibility for 100%, including the 20% managed by RM.

3) RM is typically focused on the lifecycle management and protection of unstructured information, mostly documents. IG creates common policies that apply to both structured and unstructured information.

4) RM works with a defined and agreed taxonomy and schedule. IG is perpetually juggling overlapping policies, laws, cases, security, legal holds, costs and business demands.

5) IG scope includes all information sources: the RM repositories, the other ECM repositories that are not RM platforms, all the SharePoint instances, the live email server(s), the email archive(s), the shared network drives, the personal network drives, the PST files, the data archive system, the notebook C: drives, the cloud drives, the detachable storage drives, those servers that came with the last acquisition and nobody quite knows what is on them, Jim’s old desktop, etc., etc.

6) RM tends to accumulate all the information it manages in a centralised, controlled environment. IG does not have that luxury: it needs to assume that most information will be managed in its native environment (unless, of course, it is information that should explicitly be moved to RM’s control).

7) RM has a well-defined function: store, classify, protect, secure and dispose of business records. IG has the function of telling RM what should and should not be protected, as well as determining security policies, disposition schedules, data protection risks, storage tier management, archive policies, data ownership, etc., for all other enterprise information.

8) RM stakeholders are mostly records managers and/or compliance managers. IG answers to Compliance, Audit, Security, Legal, IT, Finance and Business Operations – a very different audience with often conflicting interests.

Trying to compare IG and RM is a bit like trying to compare Central Government (or Federal for my US friends) with a local school’s governing body. Both have something to govern, one takes direction from the other and… there the similarity ends. Neither one is a replacement for the other.

And I’ll finish on a separate but related bugbear of mine: Governance is about taking ownership, making decisions and setting rules. Management is about acting on the decisions, executing the policies and enforcing the rules. Therefore, Information Governance and Information Management are not the same thing, and the two terms should not be used interchangeably!

Update: Read the follow-up article to this, with some more detailed explanations and comments [Part 2]

Content Obesity – Part 2: Treatment

(…continued from Content Obesity – Part 1: Diagnosis)

You can’t, and don’t want to, stop data growth.

The growth of digital volume has been instrumental in driving major operational and cultural change in today’s business. Better, more personalised customer interaction; insight from Big Data business analytics; social media and collaboration; effective training and multi-media marketing: all rely on the flow of much higher volumes of information through the organisation. Not taking advantage of this would make your organisation less competitive.

So, if reducing the volume of data being consumed is not an option, how else can you manage Content Obesity? There are two approaches to this:

Managing the symptoms

There are some key technologies that help alleviate some of the symptoms of content obesity. These, in our human analogy, are the equivalent of liposuction and nip-and-tuck.

  • De-duplication can identify and remove multiple copies of identical documents. It is only effective if you can apply it across all your document stores (ECM systems, Records management, Shared file drive, personal file drives, SharePoint, email servers, etc.). This rarely happens, and when it does, it is usually restricted to one or two of these sources and focuses only on files, not structured data.
  • Archiving and tiered storage. Being able to select the most appropriate storage type for archived data can have a positive impact on reducing storage costs. Not everything needs to be stored on expensive high-availability devices. A lot of the organisation’s data can sit on lower-cost equipment that can be restored from backups in hours, or days, rather than instantly. But how do you decide which information goes where? Most organisations will use this expensive high-availability storage for core systems, regardless of the age or significance of the data stored by these systems, as there is no easy way to apply policies at a granular level. There is certainly no way to map those logical “shared” network drives, where the majority of documents are stored, to tiered storage.
  • Compression. There are storage systems that use very sophisticated algorithms to reduce the physical space required, by compressing the data when stored and de-compressing it when it needs to be used. These are also expensive and require additional computing power to be able to maintain reasonable speeds in the compressing and de-compressing process.

All of these techniques offer some relief, but the relief is marginal if it is not driven by a unified policy, and they do not address the fundamental issue: whilst they temporarily reduce the impact of storage cost, they do not curb the information growth rate.

They also do not address any of the compliance or legal risks associated with content obesity: the same logical volume of data needs to be preserved, analysed and delivered to litigation, and the same effort is required to manually manage the multiple retention policies and respond to regulatory challenges.

Treating the disease

In order to properly resolve content obesity, we need to consider the organisation’s metabolism: how quickly information is digested, which nutrients (value) can be extracted from content, and how the organisation disposes of the waste.

The key question to ask is: “How much of this content do organisations actually need to keep?” Discussions with our customers indicate that, on average, 70% of all retained data is obsolete! (The actual number will vary somewhat by organisation, but I’ll use the 70%/30% split for the purposes of this article.) This represents information that is duplicated, outdated, irrelevant or of no business value, or content that can be readily obtained or reproduced from other sources.

The problem, however, is that nobody within the organisation knows which 70% of the data is obsolete. So nobody has the knowledge, or the authority, to allow that content to be deleted. The criteria for defining or identifying which information that 70% represents are virtually impossible to determine systemically.

A more drastic and more realistic approach is required, to provide a permanent solution to the problem.

The concept behind treating Content Obesity is simple: if, and only if, the organisation were able to identify the 30% of information which it needs to keep, then, by definition, any information that falls outside that could be legitimately deleted.

If this level of content metabolism could be controlled automatically, regularly, and effectively, it would free up critical IT storage resources and the corresponding budget that can be used to invest in growth projects instead.

What organisations need is the equivalent of a thyroid gland: a centralised Information Lifecycle Governance mechanism that monitors all the different retention requirements, regulates the content metabolism and drives a digestive system that extracts the value from the content and disposes of all the waste. Most organisations do not have such a regulating organ, or function, at all.

Sounds simple enough, but how can you create a centralised policy that determines precisely which 30% of the content needs to be preserved?

Studies conducted by the CGOC (Compliance, Governance and Oversight Council) have shown that there are only three key reasons why companies need to preserve data for any length of time:

  • Regulatory obligation – controlled by Records Managers
  • Litigation – controlled by the Legal department
  • Business Utility – controlled by each business function or department.

These are the three groups in the organisation that are responsible for the metabolic rate of content. Yet these groups rarely connect with each other, do not use the same terminology and, certainly, have never had common policies and control mechanisms that they can communicate to IT. The legal group issues data preservation orders (legal holds) to custodians. Records Managers define taxonomies, fileplans and retention schedules, and task the business to abide by them. Business functions have more important things to do (like… keeping the business running) and, frankly, don’t have much appetite for understanding, let alone complying with, either legal hold orders or retention schedules. Business functions need the correct information to be available to them, at the right time, to make decisions on and to service their customers.

And who has the responsibility to physically protect, or to destroy, digital information? The IT group, which is not usually part of any of the conversations above.

At the heart of an Information Lifecycle Governance function is a unified policy engine: a common logical repository where Records Managers can document, manage and communicate their multiple retention schedules and produce consolidated fileplans; where the Legal group can manage its ongoing legal matters, issue legal hold and preservation orders, and communicate with custodians and the other parts of the business; and where IT and the business functions can identify and document which information is stored in each device and each application, together with the business requirements for information preservation. A place where all of these disparate groups can determine the value that each information asset brings to the business – for both structured and unstructured information.

Once this thyroid function is established to control the content metabolism, it is key to connect it to the mechanisms that physically manage information – the “organs”. Connecting this policy engine to the document collection tools and repositories, records management systems, structured data archives, eDiscovery tools, tiered storage archives, etc., provides the instrumentation needed to monitor the data growth, execute the policies, and provide the auditability and defensibility required to justify regular content purging.
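The unified policy engine described above, as an added example that is not the author’s or IBM’s code: a small Python model in which disposal is permitted only when none of the three CGOC preservation reasons (regulatory obligation, litigation, business utility) still applies, and every decision is written to an audit trail so compliance can be demonstrated later. The record classes, matter ids, custodians and dates are constructed sample values.

```python
"""Defensible-disposal check modelling the three CGOC preservation reasons
(regulatory obligation, litigation, business utility). An asset may be
disposed of only when none of the three applies, and every decision is
written to an audit trail. All classes, matter ids, owners and dates are
constructed sample values; this is not the author's or IBM's code."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February trigger date rolls to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class RetentionRule:
    record_class: str
    years: int                       # retain this long after the trigger event


@dataclass(frozen=True)
class LegalHold:
    matter_id: str
    record_classes: FrozenSet[str]   # record classes the hold covers ...
    custodians: FrozenSet[str]       # ... and custodians it names
    released: Optional[date] = None  # None = hold still in force


@dataclass(frozen=True)
class InfoAsset:
    asset_id: str
    record_class: str
    owner: str                       # custodian / owning business function
    trigger_date: date               # e.g. contract end, account closure
    business_value_until: Optional[date] = None  # declared by the business


@dataclass
class Decision:
    asset_id: str
    disposable: bool
    reasons: List[str]               # empty when disposal is defensible


@dataclass
class PolicyEngine:
    schedule: Dict[str, RetentionRule]
    holds: List[LegalHold]
    audit_trail: List[dict] = field(default_factory=list)

    def evaluate(self, asset: InfoAsset, today: date) -> Decision:
        reasons: List[str] = []
        # 1. Regulatory obligation: the Records Managers' retention schedule.
        rule = self.schedule.get(asset.record_class)
        if rule is None:
            reasons.append("unclassified: no retention rule applies")  # never dispose
        else:
            expiry = add_years(asset.trigger_date, rule.years)
            if today < expiry:
                reasons.append(f"regulatory: retain until {expiry}")
        # 2. Litigation: an active legal hold overrides an expired schedule.
        for hold in self.holds:
            if hold.released is not None and hold.released <= today:
                continue
            if asset.record_class in hold.record_classes or asset.owner in hold.custodians:
                reasons.append(f"legal hold: {hold.matter_id}")
        # 3. Business utility, as declared by the owning business function.
        if asset.business_value_until and today <= asset.business_value_until:
            reasons.append(f"business utility until {asset.business_value_until}")
        decision = Decision(asset.asset_id, not reasons, reasons)
        # Keep evidence of every decision so compliance can be demonstrated later.
        self.audit_trail.append({"asset_id": asset.asset_id, "evaluated_on": str(today),
                                 "disposable": decision.disposable, "reasons": list(reasons)})
        return decision


def run_demo(today: date = date(2013, 6, 1)) -> Dict[str, Decision]:
    """Evaluate a constructed sample estate; returns decisions keyed by asset id."""
    engine = PolicyEngine(
        schedule={"CONTRACT": RetentionRule("CONTRACT", years=6),
                  "HR_FILE": RetentionRule("HR_FILE", years=7)},
        holds=[LegalHold("MATTER-0001", frozenset({"CONTRACT"}), frozenset({"jim"})),
               LegalHold("MATTER-0002", frozenset(), frozenset({"alice"}),
                         released=date(2013, 1, 1))],       # released hold: no effect
    )
    assets = [
        InfoAsset("A1", "CONTRACT", "bob", date(2005, 3, 1)),    # schedule expired, but held
        InfoAsset("A2", "HR_FILE", "alice", date(2004, 1, 15)),  # nothing applies: disposable
        InfoAsset("A3", "HR_FILE", "carol", date(2010, 1, 1)),   # still within retention
        InfoAsset("A4", "UNKNOWN", "jim", date(1999, 1, 1)),     # unclassified and custodian held
        InfoAsset("A5", "HR_FILE", "dave", date(2000, 1, 1),
                  business_value_until=date(2014, 12, 31)),      # business still needs it
    ]
    return {a.asset_id: engine.evaluate(a, today) for a in assets}
```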

Conclusion

There is no quick fix for Content Obesity and, like medical obesity, it requires a fundamental change in behaviour. But it is achievable. Organisations need to design a governance model that transparently joins the dots: the business needs to describe the information entities, based on their value and utility, mapping them to the asset, system and application descriptions that IT understands. Legal can then manage their legal holds and eDiscovery based on knowing what information exists, what part of the business it relates to, and where information lives, not only by custodians. Compliance groups can then consolidate their records management directives and apply a unified taxonomy and disposition schedule, relevant to the territory and business function. When all of these policies are systematically connected to the data sources, IT can accurately identify what information should be preserved and, by definition then, what information can be justifiably disposed of. (IBM calls this process Defensible Disposal.)

Content Obesity – Part 1: Diagnosis

Obesity: a medical condition in which excess body fat has accumulated to the extent that it may have an adverse effect on health, leading to reduced life expectancy and/or increased health problems

Content Obesity: An organisational condition in which excess redundant information has accumulated to the extent that it may have an adverse effect on business efficiency, leading to depleted budgets, reduced business agility and/or increased legal and compliance risks.

First of all, let me apologise to all the people who are currently suffering from obesity, or who are supporting friends and family that do. I have no intention of making fun of obese people and I have great sympathy and respect for the pain they are going through. I lost my best friend to a heart attack. He was obese.

In a recent conversation with a colleague, about Information Lifecycle Governance and Defensible Disposal, I made a casual remark about an organisation suffering from Content Obesity. I have to admit that it was an off-the-cuff remark, but it conveyed very succinctly the picture I was trying to paint. Since then, the more I think about this analogy the more sense it makes.

People are not born obese, they become obese. And they don’t become obese overnight, it’s a slow, steady process. Unless it’s addressed early, the problem grows in very predictable stages: gaining weight, being overweight, being obese, being morbidly obese, dying. Most people, however, do not want to acknowledge the problem until it is too late. They live in denial, they make excuses, they make jokes. Until it’s often too late to reverse the process.

Organisations consume and generate content at an incredible rate: IDC’s Digital Universe study (2011) predicts an information growth factor of 50x between 2010 and 2020. Just to give that figure some context: if an average grown-up person grew at the same rate, they would weigh 3.5 tons by 2020! Studies we conducted with our own customers put the annual growth rate at a slightly more conservative 35-40% per year, which is still significant.

We love our digital content these days, we can’t get enough!

We all create office files and our presentations are growing larger, our email rate is not slowing down (we have several accounts each), we communicate with our customers electronically more than ever before, we collaborate inside and outside the firewall, we engage in social media, we text, we document life with our mobile phones’ cameras and we use YouTube videos extensively for marketing and education. We collect and analyse blogs and conferences and twitter streams. We analyse historical transactional data and we create new predictive ones. And if collecting our own streams is not enough, we also collect those of our competitors so that we can analyse them too. Our electricity meter collects data, our car collects data, our traffic sensors collect data, our mobile phones collect data, our supermarkets collect data. We have an average of two game consoles per family (all of which connect to the internet), we watch high-definition TV, from every fixed or portable device that has a screen, our kids have mobile phones, and PSPs and DSs and laptops. We have our home computer, our work laptop, our BYOD tablet and our smart phones. Our average holiday yields over 500 pictures, all of which are 12 Megapixel. And the kids take another 500 with their camera… In fact we generate so much digital data, that we now have special ways of handling it with Big Machines that manage Big Data to give Big Insights. And that is all wonderful, and it all exploded in the last five years.

I’ll say it again: We love digital content.

Going back to my health analogy, you could say that we gorge on content. The problem is, we are now overweight with content, since most of that content has been accumulated without any particular thought of organisation or governance. So today we can’t lose weight, we can’t clean it up, because IT doesn’t know what it is, where it is, who owns it or if it’s of any use to anyone. And, frankly, because it’s far too much hassle and we have better things to do. It’s all digital so… “storage is cheap, we’ll just buy some more storage”: a staggering 78% of respondents to another recent study stated that their strategy for dealing with data growth was to “buy more storage”!

Newsflash: Storage is not cheap! By the time you create your high-availability, tier-1 storage with 3 generations of backup tapes and put it in a data centre, pay for electricity and air-conditioning, and pay people to manage it, it’s no longer cheap. Even if storage prices go down by 20% per year, if your data grows at 40%, you are still 20% worse off… Simple maths!

Most organisations are still in denial about the problem. The usual answer to the question “How much storage do you currently have and how much does it grow each year?” is “We don’t really know, we never measured it that way”. Well, I would argue that whoever is writing the cheque to the storage vendors every year ought to know.

Fortunately, for large multinational organisations (banks, pharmaceuticals, energy, etc.), the penny has finally dropped. A growth rate of 40% on a storage estate of 20 Petabytes translates to an increase of dozens of millions in storage costs per year. In an economy where IT budgets are shrinking, this is not a pleasant conversation to have with your CFO. These organisations are now self-diagnosed as Content Obese, and are desperately looking for ways to curb the growth before they become Morbidly Obese.

And, similarly to the human disease, Content Obesity has side effects. Even if you could somehow overcome (or overlook, or sweep under the carpet…) the cost implications, it creates huge health risks for the organisation.

Firstly, it creates risks for the Business. Unruly, high volumes of content clog up processes, the arteries of the business. Content that is lost in the bulk, uncategorised and not readily available to support decision making, slows down the flow of information across the organisation. Content that is obsolete or outdated can create confusion and lead to incorrect decisions. Unmanaged content volumes do not lend themselves to fast-changing business models, marketing innovation, shared services or better customer support. And by consuming huge amounts of IT capital, they also stifle investment and innovation in new business services.

Secondly, it creates a huge Legal risk. All electronic content in the organisation is potentially discoverable. The legal group has a duty to preserve information that is relevant to litigation. When information is abundant and not governed, the only method the legal group has to identify and preserve it is to notify all the people that may have access to it – custodians – asking them to protect it. This approach is inaccurate, expensive and time consuming. And when it comes to delivering that information to opposing parties or the courts, the organisation has to sift through these huge volumes of content to identify what is actually relevant, often incurring huge legal fees in the process. (Unashamed plug: if you are interested in finding out more about the role of Information Governance in UK civil litigation, I recommend this excellent IBM paper authored by Chris Dale, respected author of the eDisclosure Information Project.)

Finally, Content Obesity creates a huge Compliance risk. Different regulations dictate that records are kept for defined periods of time. Privacy and data protection regulations dictate that certain types of content are disposed of after defined periods of time. Records Managers often have to comply with multiple (and often conflicting) regulations, from multiple jurisdictions, affecting hundreds of systems and millions of records. An ever-growing volume of unclassified content means that records cannot be correctly identified, disposition schedules cannot be executed consistently, and policies remain in a binder on the shelf (or in a PDF file somewhere on the intranet). Regulatory audits become impossible, wasting valuable resources and often leading to significant fines. (As the regulator put it in one of many examples: “These failings were made worse by their inability to determine the areas in which the breakdown in its record keeping systems had occurred.”)

So, how much of that content do organisations actually need to keep? And who has the responsibility and the right to get rid of it?

Next: Content Obesity – Part 2: Treatment

Is it a Record? – Take 2!

August 27, 2009

(Originally posted on InformationZen by George Parapadakis on June 10, 2009)

In response to my previous blog “Is it a Record? Who cares?”, @DoD501502STD tweeted: “Let’s just ignore the laws we don’t like??”. It’s a very valid question, but I think it slightly misses the point I was trying to make in my post: “Who Cares?” wasn’t a flippant remark, it was a literal question…

I want to be very clear: I am not at all disputing the need to manage records. My discussion point was on the issue of what constitutes a record that needs to be managed as the law prescribes. And I guess there are two points I’m trying to make here: (1) The distinction between a record and a non-record is becoming a moot point, and (2) that the paradigms we use today to manage records are no longer relevant. Let me explain…

Today, all electronic information is potentially discoverable, in the legal sense, regardless of whether that information has been declared as a record or not. Today, the information relating to a business transaction (the “record”) will be spread across multiple media and formats – paper, electronic document, database entries, email, website interaction, instant messaging, telephone transaction, SMS text and potentially even Twitter. The current paradigms for records management, which would effectively require you to electronically “staple” all these bits of information together in order to archive them in a folder, in a volume, in a category of a fileplan, use an outdated model that was designed for the constraints of the paper archiving world and is no longer relevant.

Arguably, existing RM practices are effectively constraining organisations in defining the most appropriate RM strategy, by prescribing management paradigms which no longer align with today’s information management practices.

The WHY, which is the legal requirement, is the secure preservation of information for a defined retention period, and the audited exercise of disposition schedules. HOW we go about implementing this today is what I’m questioning here: not the requirement to manage records, but what a record is and how we manage it.

So, to follow through from my previous blog, I would suggest that it is the desired behaviour and context of these information entities that defines whether they are a record or not, and not their physical medium or simply their content.

So my suggestion would be: focus on the WHY – the spirit of the law: the need to reliably, transparently and accountably protect all relevant information for a given period of time. In today’s IT and social networking environment, designing an environment that delivers that capability may need alternative paradigms that are effective and efficient, but may be far removed from our current rigid definitions of records, fileplans or what an RM implementation is “supposed” to look like.

Your Thoughts?

Is it a record? Who cares?

August 27, 2009

Originally posted on InformationZen by George Parapadakis on June 8, 2009

Is anyone else getting tired of artificial boundaries in IT terminology, or is it just me? In the quest to simplify and categorise software products, the market, requirements and (to a certain extent) ourselves, we keep trying to fit everything in neatly labelled boxes. And it doesn’t work! Just like a flu virus that keeps reinventing itself, as soon as we’ve fully understood what a box label means, the contents of the box have changed shape. What has this got to do with Records?

Well, to identify if a document is a “record” you need to look at what information it contains, right? In the old paper world, the paradigm was simple. One or more pieces of paper bound together were a document, and if the information in that document had to be kept for any length of time, then it was a record. Simple! But in the electronic world, the boundaries have shifted… A document file is no longer the only “container” of information. A blog, a website, an instant message, an email – all could carry information that makes them a business record. And an instant message or an email or even a blog can contain an attachment that is a record.

And, just to add to the confusion, a record is not only defined by what information it contains but also by where that information has been used. An email that wasn’t a record becomes one as soon as you send it to an auditor. An opinion document or a blog entry becomes a record when it is used in a process to support a decision. So the context becomes just as relevant as the content.

OK, so the box is square but the content we’re trying to squeeze into it is an amorphous blob. Should we make a bigger “A record is…” box so all types fit in? Do we design a box that can change shape according to the record you are storing in it? Should we get better at making the amorphous “record” blobs neatly square, so that they fit in the same box? Perhaps we should just dispense with the box and the label altogether? Is a formal fileplan really necessary, when you can have metadata and tags and search engines? Is every scrap of information potentially a record, with a disposition that ranges from zero days to forever? And what happens when the customer walks in and asks “I want to buy a box to put my records in, please”?

I will leave this question open-ended… I believe that in the next couple of years we will see some radical changes in this space, so if there is anything you would like to contribute to the research, let me know your thoughts!
