Swiss Chapter
Records Management: An Important Element of Your Information Governance Program RSD Event Geneva, May 23, 2013
Agenda
1. Intro / ARMA Switzerland
2. RIM business case today
3. Embedding RIM/ILMG into Information Governance
4. Inadequacy of IT Governance
5. Records Management Foundations (ILMG)
6. Pain Points in Records Mgmt and how to mitigate them
7. Measuring the Maturity of RIM: The Principles (GARP)
8. Value proposition & Conclusions
RSD event 23.5.2013
@jhagmann – ARMA Swiss Chapter
1. ARMA Swiss Chapter at a glance
• Established Nov. 2011 (Basel)
• Board: 4 members
• >40 members (growing)
• Website under ARMA Europe: http://europe.arma.org/chapters/switzerland
• Newsletters are published regularly
• Collaboration platform on box.net (for members only)
• LinkedIn group: http://www.linked.com/groups?gid=4379074
• Agreement with VSA-AAS Switzerland (coordination)
Initiatives
• Create possibilities for corp. membership (Friends of …)
• Develop further education programs at an official info mgmt school CH
Events 2013
• Spring Meeting Geneva (UN HCHR) 12.4.13
• Booth at the Swiss IM Forum Zurich, June 4th
• European Presence at ARMA Annual Conference Las Vegas end of Oct.
• Annual Conference Zurich 8.11.13 (IBM): Gen. Assembly (morning), Topical conference (afternoon)
2. RIM Business Case today
• Risk mitigation / compliance
• Reducing IT costs (Gartner*)
Challenges: big data, technology changes, regulatory reqs, consumerization of IT, mobility etc.
-> Control deficits = various risks
* Gartner: Information governance best practices for content-intensive processes (Febr 27, 2012)
2. Examples of retention risks
• Keeping records too long
• Keeping unnecessary records (be careful when destroying documents on clean-up days)
• Inappropriate or premature destruction of records (advertently or inadvertently)
• Inability to preserve digital records for the required time period
• Inability to identify the official record (original)
• Inability to apply legal holds
• Inability to produce (find) records in a timely manner (audits, investigation)
• Unauthorized duplicate records
• Records stored on obsolete media
• Not creating records that we should
• Storing unknown content (smoking gun)
• Storing records on non-traditional or inappropriate formats and media
• Storing records in inappropriate facilities or locations (no adequate protection from hazards)
2. Reality / incidents
• Senior management is ignoring the risks (*)
• 31% report that poor electronic records keeping is causing problems with regulators and auditors
• 14% are incurring fines or bad publicity (reputation damages)
*AIIM Industry Watch 2013: Information Governance – records, risks, and retention in the litigation age
3. Records Management is not enough: the force of the nexus
(Diagram: business processes / activities generate business information; RM sits in a nexus of related disciplines:)
• ILM / RM: retention, lifecycle mgmt, disposition
• IT / information security (ISEC, cloud), awareness
• eDiscovery; regulatory compliance (eDisc., SOX IT)
• Business continuity / disaster recovery (BCM / DR)
• Information architecture (Arch.)
• IT risk control / COBIT (ITRC)
• Privacy / data protection
• Web governance (WCM), social media (SM)
3. Information Governance: Big Picture
(Diagram "IG Framework": ILMG enables EIM. Requirements and pressures around the framework: FDA / reg. authorities, litigation, intellectual property, privacy, competition, business, vulnerabilities, incidents, information risks, information flow. IT infrastructure services deliver the right systems & services.)
• Information life cycle: information, content, context; creation; disposition
• Risk & compliance: retention, disposition; info security; online governance; IT risk control; IT BCM/DR
• Framework layers: policies / standards; information security / privacy; IT / information risk management; information & records management, web governance; quality & value creation; operations & support, training, awareness, communication
3. Terminology (perspective) is changing – requirements are not
Will we ask whether any kind of (compliance-)relevant information is qualified and declared as a "record" or not, particularly when on average less than 20% of enterprise information is managed as "official" or scheduled records?
ILM or ILMG: Information Lifecycle Mgmt or Information Lifecycle Mgmt & Governance
4. Inadequacy of IT Governance
• Not concerned with the way information is created, used and processed (content, context – lifecycle – physical world)
• It just covers the "control half" of the business universe and confuses compliance with being compliant; a strong "audit culture is ironically the enemy of reflection, the very thing that it is supposed to support". What about the vital values of innovation, creativity, value creation, business development etc.?
• Incomplete or half-hearted implementation, which leads to a formal and bureaucratic environment (control deficits remain undetected until an incident occurs, service levels remain unmonitored, BCM/DR testing is lacking etc.)
4. Governance - It’s all about culture & behaviour
"I came to see, in my time at IBM, that culture isn't just one aspect of the game; it is the game." (Lou Gerstner, former chairman of the board & CEO, IBM)
Real organizational challenge of IG: "no department/discipline alone is able to achieve the desired goals and advantages."
Orchestration and business alignment = harmonize incoherent aggregates and stakeholders! Achieve desirable behaviour …
5. Information Lifecycle Mgmt - Overview
(Diagram: a governance layer and a policy layer sit above the system level. The lifecycle runs from the active/semi-active phase (DMS, file system, business apps) through the inactive phase to the long-term repository (permanent).)
5. Policy Framework RIM – House & Foundation
(Diagram: strategic level = policy and standards (principles and definition of mandate; retention mgmt / standards); implementation guidelines = guidelines (how to …); operational level = ECM (technology solutions). Records Center: enterprise-wide or per function or unit, providing templates/forms and tools for required processes.)
Foundation instruments:
• Records Identification (Inventory): Which record types exist? (above item level)
• Requirements catalog: What requirements apply? (legal, regulatory, business)
• Retention Schedule (Master Schedule): How long do records have to be kept?
• File Plan (item level): How are records filed and retrieved?
6. Major Pain Points RIM Implementation
1. Enforcement gap / deficit
2. Lack of accountability / responsibility
3. Broken custody chain
4. Schedule compliance & lacking execution of disposition/deletion
6.1. Enforcement Gap
6.2. Lacking Accountability
A folder with an important contract cannot be found in a repository because:
• There is no current process ownership defined (who is the records manager for this dept.?)
• Records have never been captured (registered and indexed) in the active phase (no identification and tracking is possible)
-> Lessons learned: the information owner must assign the appropriate program role(s)
"The word that matters most is accountability. The root of all of our problems with information, and we do have lots of problems with it, is the fact that there is no accountability for information as such." (Debra Logan, Gartner)
6.2. Lacking Accountability
Assign and document information ownership and stewardship
• Functional manager: ownership
• Operational Records Mgr: stewardship (custodian)
6.3. Broken Custody Chain
Documents cannot be found (due to several moves or employees who left), or a given context of evidence in a dossier (file) cannot be understood (lack of knowledge); often H:\drives or G:\drives are orphaned.
Must do: lessons
• Transfer the records under your custody to your successor or the responsible superior when moving to another dept. or leaving the company!
• Prepare a template for a leave protocol (hand-over) with HR; enforce and monitor its usage
6.4. Schedule Compliance & Disposition
Enforce/execute the lifecycle according to the schedule! Apply rules to multiple repositories (federated, in-place RM).
Example of an enterprise top-level classification: Class: 09 – HR; Series: Personnel File
6. Choke points to mitigate risk
Pain point: Enforcement deficit
  Choke points / mitigation actions: Awareness training and campaigns on all levels from lessons learned, supporting post-audit activities and self-assessments, C-level involvement
Pain point: Lacking accountability
  Choke points / mitigation actions: Appointing and assigning appropriate program roles (incl. deputies) throughout the whole lifecycle, clearly documenting information ownership and stewardship responsibility (custody)
Pain point: Broken custody chain
  Choke points / mitigation actions: When employees are leaving the company or moving into another dept., transfer all relevant information to the successor or supervisor; enforce and refine the HR exit procedure
Pain point: Schedule compliance & disposition / destruction
  Choke points / mitigation actions: Execute the lifecycle requirements on the document (item) level; get rid of excess documents and data in a controlled way; coordinate controlled disposition and deletion with IT & Legal; organize regular clean-up days, purify shared drives, fight the "keep everything" attitude
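The schedule-compliance and disposition pain point above (and the retention risks listed in section 2) can be made concrete with a small disposition run: every record in every repository is checked against the master schedule, expired records are released for controlled destruction, a legal hold freezes an expired record, and anything without a schedule entry is flagged instead of deleted. This is an added illustration, not code from the presentation; the schedule entries, retention periods, repositories and records are constructed, with only "09 – HR / Personnel File" taken from the slide.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed retention schedule: (class, series) -> retention in years after the
# trigger event. Class "09 - HR" / series "Personnel File" is the slide's example;
# the periods and the other two entries are assumptions, not a real schedule.
SCHEDULE: Dict[tuple, int] = {
    ("09 - HR", "Personnel File"): 10,
    ("05 - Finance", "Invoices"): 10,
    ("12 - Marketing", "Campaign Drafts"): 2,
}

@dataclass
class Record:
    record_id: str
    repository: str      # DMS, G: drive, ... (federated / in-place RM: same rule everywhere)
    record_class: str
    series: str
    trigger_date: date   # event that starts the retention clock, e.g. file closure
    legal_hold: bool = False

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def expiry_date(rec: Record) -> Optional[date]:
    """Date from which the record is due for disposition, or None if unscheduled."""
    years = SCHEDULE.get((rec.record_class, rec.series))
    return None if years is None else add_years(rec.trigger_date, years)

def decide(rec: Record, today: date) -> str:
    """One disposition decision per record: retain, hold, dispose or unscheduled."""
    expiry = expiry_date(rec)
    if expiry is None:
        return "unscheduled"   # no rule: must not be destroyed; route to classification
    if today < expiry:
        return "retain"        # still inside its retention period
    if rec.legal_hold:
        return "hold"          # expired, but a legal hold freezes disposition
    return "dispose"           # expired and unfrozen: keeping it longer is itself a risk

def run_disposition(records, today: date) -> Dict[str, str]:
    """Apply the schedule to every record regardless of which repository holds it."""
    return {rec.record_id: decide(rec, today) for rec in records}

def summarize(decisions: Dict[str, str]) -> Counter:
    return Counter(decisions.values())

# Constructed sample inventory across several repositories; the reference date is the event date.
TODAY = date(2013, 5, 23)
RECORDS = [
    Record("R1", "DMS", "09 - HR", "Personnel File", date(2001, 6, 30)),
    Record("R2", "DMS", "09 - HR", "Personnel File", date(2001, 6, 30), legal_hold=True),
    Record("R3", "G:\\finance", "05 - Finance", "Invoices", date(2010, 12, 31)),
    Record("R4", "H:\\orphaned", "unknown", "", date(2005, 1, 1)),
    Record("R5", "G:\\marketing", "12 - Marketing", "Campaign Drafts", date(2008, 2, 29)),
]

if __name__ == "__main__":
    decisions = run_disposition(RECORDS, TODAY)
    for rid, action in decisions.items():
        print(rid, action)
    print(summarize(decisions))
```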
7. The Principles (ARMA)
Generally Accepted Recordkeeping Principles (GARP) = maturity model for the implementation of IG programs, based on the 8 Principles:
• Accountability
• Compliance
• Transparency
• Availability
• Integrity
• Retention
• Protection
• Disposition
7. GARP maturity model – Example: Retention
1. Non-existent: There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based upon individual rather than organizational needs.
2. Initial: A retention schedule is available, but it does not encompass all records, did not go through official review, and it is not well known around the organization. Education and training about the retention policies is not available.
3. Repeatable: A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization's employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention.
4. Defined/Managed: Same as 3. In addition, it is clear to employees how to classify records appropriately and retention training is in place. Retention schedules are reviewed on a regular basis and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern.
5. Optimised: Same as 4. In addition, retention is an important item at the C and board levels. Retention is looked at holistically, and is applied not just to official records, but to all content in an organization.
7. Using The Principles
HOW to use the maturity model:
• Identify the gaps between the organization's current practices and the desirable level of maturity for each principle.
• Assess the risk(s) to the organization, based on the biggest gaps.
• Determine whether additional information and analysis is necessary.
• Develop priorities and assign accountability for further development of the program.
GARP® Health Checkup by John C. Montaña – Link to Health checkup short (free)
7. Assessment packages
Basic Package: $395 introductory price
• 1 organizational assessment
• 1-5 respondents
• Access to your data for one year, renewable each year
• Compare against your previous organizational assessments with each purchase
• Assessment reports provide your score by principle, overall score, and individual responses
• Ideal for: small organizations; assessing an individual department, location, or division; proving program needs to management
Premium Package: $995 introductory price
• Unlimited organizational assessments per year
• Unlimited respondents in multiple configurations based on your needs
• Compare against your previous organizational assessments
• Ongoing access to your reports while your one-year subscription is active
• Assessment reports provide your score by principle, overall score, and individual responses
• Ideal for: large organizations; organizations needing flexible deployment options; continual assessment to show program improvement and ROI
http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/generally-accepted-recordkeeping-principlesassessment
8. Creation of Business Value by RIM (organized & domesticated information)
Value of information = the sum of:
• Availability
• Retrievability
• Data quality (metadata)
• Retention and disposition defined (lifecycle)
• Ease of identification as relevant
• Ability to present in appropriate form
• Known place in process (cloud?)
• Appropriate level of protection
• Value of the contribution to solving a business problem (leverage for decision making)
• The hardest: intangible value of knowledge / content (e.g. IP)
8. Conclusions
• RIM is or will be positioned under the umbrella of Information Governance (ILMG)
• Do not treat IT governance and information governance as synonyms (make a difference: infrastructure / content/context) -> important for the buy-in from the business
• Key points for RIM programs (ECM):
  • Automation & deletion
  • Enterprise search
  • Interoperability (federated & in-place RM)
  • Accountability / role models
• IG organization, culture:
  • Culture of orchestration, extreme collaboration & interaction
  • Co-governance instead of hierarchical governance
  • Apply the subsidiarity principle
8. Bottom line & last warning
Source: Gartner
Thanks for Your Attention!
Reserve Slides
IGM Policy Framework (Example: Novartis Pharma Div.)
(Diagram: an IGM Manual and maturity assessment tie together the following policy areas:)
• RIM & ISEC awareness
• Main document: Information Management
• Inventories & classification
• Service provider management
• IT security management
• Information risk mgmt
• IT organization & management
• IT project management
• IT operations, retirement
References (1) Literature:
• AIIM: Occupy IT. A manifesto (2012): Link for download
• AIIM: Information governance – records, risks and retention in the litigation age (2013 Industry Watch)
• Bailey Steve: Managing the crowd. Rethinking records management for the web 2.0 world, London 2008 (facet)
• Bailey Steve: Forget electronic records management, it's automated records management that we desperately need, in: Records Mgmt Journal, No.2, 2009, p.91-97
• Choksy Carol: Domesticating Information. Managing documents inside the organization, Lanham 2006 (scarecrow press)
• Currall J., Moss M.: We are archivists, but are we OK?, in: Records Mgmt Journal, No.1, 2008, p.69-91
• Gartner: Toolkit: Information governance project, April 9, 2009
• Gartner: Information governance best practices for content-intensive processes, Febr 27, 2012
• Goodman Susan: Measuring the value added by records management and information management programs, in: Records Management Quarterly, Apr94, Vol.28, issue 2, p.8
• Hagmann, J.: Records Management – Paradigmenwechsel oder neue Orthodoxien?, in: Archiv & Wirtschaft, H.4, 2012
• Kahn R., Blair B.T.: Information Nation (2nd ed.)
• Kooper M.N.: On the governance of information: Introducing a new concept of governance to support the management of information, in: International Journal of Information Management, 31 (2011), p.195-200, online: download
• Lappin J.: What will be the next management orthodoxy?, in: Records Mgmt Journal, No.3, 2010, p.252-264
• Pugh Harry: Daten vernichten: Warum es so schwierig ist, in: Wirtschaftsinformatik & Management, Nr.4, 2012, S.42ff
• RMS Debate: The case against EDRMS. Has EDRMS been a success? The case for the prosecution, RMS Conference, Edinburgh 22 April 2007
• Soares S.: Selling Information Governance to the Business, Ketchum (ID), MC Press, 2011
• Saffady William: Managing electronic records, London 2009 (4th edition, facet)
• Upward Frank (et al): Recordkeeping informatics: re-figuring a discipline in crisis with a single minded approach, in: Records Mgmt Journal, No.1, 2013, p.37ff
References (2) Websites / Blogs:
• Wiki: http://en.wikipedia.org/wiki/Records_management
• ARMA: http://www.arma.org
• ARMA Europe: http://europe.arma.org
• GARP: https://www.arma.org/r2/generally-accepted-br-recordkeeping-principles
• IGP certification: http://www.arma.org/r2/igp-certification
• AIIM: http://www.aiim.org
• Certified Information Professional (Course): http://education.aiim.org/Training/Certification
• CGOC (IBM): http://www.cgoc.com
• Blog Records Mgmt & Archiving: http://jhagmann.twoday.net
• Blog B.T. Blair: http://barclaytblair.com/
• Blog Bailey: http://rmfuturewatch.blogspot.ch/
• Blog Lappin: http://thinkingrecords.co.uk/
• The myth that data storage is cheap: http://futureproof.records.nsw.gov.au/mythbusting-that-storage-is-cheap/
• Glaxo case over-retention: Link
• Master education Switzerland: http://archivwissenschaft.ch
• JISC education framework RIM: http://www.jiscinfonet.ac.uk/records-management/
• Metrics / measurement methods: http://www.jiscinfonet.ac.uk/records-management/measuring-impact
Tenet of Information Governance
One of the fundamental tenets of information governance is tying "value" and "legal duty" to "information assets" so that 1.) IT can routinely and defensibly manage data and 2.) the business can make fully informed decisions.
(Diagram: INFORMATION ASSETS at the centre, linked to VALUE (content / context for decisions), LEGAL DUTY and IT.)
ECM Future Architecture
(Diagram of the ECM tiers:)
• Tier 1 & 2, dynamic phase: structured information (business application 1, business application 2, ERP, data warehouse) and unstructured information (Office / mail, SharePoint, S-drives, paper; capturing / imaging tools), connected via connectors
• Metalayer: ERM (classified / scheduled information types above item level), federated / in-place, metadata mapping (multiple systems)
• Tier 3, static phase: retention, compliance
• Tier 3, long-term preservation: archives / digital preservation
• Open question in the diagram: Ownership?
Definitions of IG
• "IG is the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals." (Gartner)
• "IG is a comprehensive program of controls, processes, and technologies designed to help organizations maximize the value of information assets while minimizing associated risks and costs." (Barclay T. Blair)
• "IG is the formulation of policy to optimize, secure, and leverage information as an enterprise asset by aligning the objectives of multiple functions." (IBM, Soares)
The 7 Keys to Info Mgmt Compliance
Key 1: Policies – enactment of binding rules
Key 2: Leadership and responsibilities of senior management; involvement of IT as partner
Key 3: Clear definition and delegation of program roles
Key 4: Communication and training
Key 5: Monitoring and auditing
Key 6: Enforcement of the program
Key 7: Continuous improvement of the program
Source: Kahn/Blair, Information Nation (2nd ed. 2008)
Problem Description
(Diagram: governance questions in the middle – Organisation? Roles and responsibilities? Policies? Processes? – surrounded by three parties:)
• Legal, Business: knows what to keep but does not have the data.
• GC/RIM: is setting policies but cannot enforce them.
• IT: has the data but does not know what to keep.
Source: CGOC
Information value declines over time, cost and risk don’t
Source: CGOC
Information Governance Reference Model
Source: EDRM
Reducing Data – Benefits For All
Source: CGOC
Problem Description
Organizations struggle with record keeping
• Records don't get captured from the business users
• Records are incorrectly classified or misfiled
• Records aren't getting destroyed at all
• High storage costs are unnecessary and avoidable
• Records are lost or destroyed too soon (spoliation)
• Inability to produce in court leads to spoliation claims; costly to recreate
• Too many records are kept too long ("keeping everything forever" attitude), hardly discoverable and very expensive to defend
• Process information not recorded breaks the legal chain of custody required for audit and compliance
• RM policy not enforced
• Reliance on users to make decisions on records retention or disposition
• IT systems do not implement RM requirements
Prime Test: Records Mgmt Culture
Quiz: anonymous – pertains to your business function, applies to paper and electronic records equally. Rate each statement on a scale from Agree to Disagree.
• If someone leaves the organization or changes dept., all relevant records (or ownership) are transferred to his successor or any other responsible person
• We always find and retrieve our business records easily and in a reasonable time
• Business records are properly captured by business users
• Business records are correctly classified
• Business records are getting properly destroyed according to the life-cycle (based on the retention schedule)
• Business records are never kept too long
• We never have gaps in the records or premature destruction of records
• I know who my Records Mgmt Coordinator / Archivist is
• I'm sure that IT understands records and information mgmt policies
• Process information is recorded
• I understand good records management practice
• I've already heard about our internal Records Management Center (or Policy)
• We follow defined filing rules (according to a file plan or SOP)
• I know how long to keep the records I'm creating or receiving within my scope
• I know where to look up the retention period of the records in my business scope