Information Governance & Management
A Master Retention Management Tool as Core Element of a Records Management Program Use Case Novartis November 4, 2011 J. Hagmann
Agenda
1. Novartis @ a Glance
2. Challenges in Information Governance – Novartis Setup
3. ERM Overview
4. Prerequisites – RM Program - Foundation
5. ERM – Major Functionalities & Workflow - Example
6. Planned Interfaces to the Item Level
7. Benefits – Success Factors
8. Appendix
| IBM Event Bern | 4.11.2011 | ERM
1. Novartis @ a Glance
Leading market position
One of 20 largest companies by market capitalization
Among most respected companies globally

Key Figures 2010
Net sales (USD billion): 50.6
Net income (USD billion): 9.9
R&D Investment (USD billion): 8.0
Employees: 119’418

Divisions
Pharmaceuticals: Patent protected Medicine
Vaccines and Diagnostics: Vaccines & Diagnostics
Sandoz: Generics
Consumer Health: OTC Medicine, Animal Health
Alcon: Eye care
Records Management – Embed it in EIM
Records Management is simply NOT ENOUGH, YOU NEED Information Governance !
IBM Conference 2011 Las Vegas: Information on Demand
Information Governance: Big Picture Requirements
FDA
SOX Competition
Information, Content Creation
Business
Intellectual Property
Vulnerabilities Data Privacy
IGM Enables EIM Risk & Compliance Information Life Cycle
IT Infrastructure Services
- Retention, Dispo. - Info Security - Online governance - IT risk control - IT BCM/DR
Disposition
Deliver the right systems & services
Policies / Standards Information Security IT Risk Management Information & Records Management, Online Governance Information Governance & Quality Operations & Support, Training, Communication
Incidents
Information Risks
Information Flow
EMEA
Litigation
Problem
Legal, Business: Knows what to keep, but does not have the data
GRC: Manages policies but cannot enforce compliance
IT: Has the data, but does not know what to keep
„Interlocking“ Governance is Required
70% used “liaisons and people glue” to link discovery and regulatory obligations to information management practice today
RIM = Records Management
RIM
BUSINESS
LEGAL
DUTY Matters
VALUE
DUTY Laws or Regulations
Departments
IT Retention Schedule
Holds
ERM
Systems
No Structural Linkage of Legal Duties and Business Value to Information Assets
Information (Content itself)
80-85% of Information Stored Today is Unstructured (or Enterprise Content)
Source: CGOC Benchmark Report on Information Governance, October 2010
ERM Positioning within PSS/Atlas Suite
ERM Overview Big Picture – Positioning Schedule Mgmt in Life Cycle
Business Information Management
ERM/Atlas
Enabling to make retention & disposition policies on scheduled information
Documents (item level) Paper and e-Records Capture / Generate
Life Cycle
Classify
Disposition
Retention mgmt / archiving
Use / Retrieve
IT – Defensible Data Management
Information Risks
Information Flow
Record Types (above item level)
ERM Scope: Managing Types
Process
Record Type
Sub-Process / Activity
Objects / documents managed in systems / repositories
015 Manufacturing 015.07 Packaging 015.07.19 Packing Orders attributes
Above item level
Item level Filing / Retrieval
Tracking system (for physical rep.)
7 Keys for your IMC / RM Program
Key 1: Policies – Enactment of binding rules
Key 2: Senior Management must take Leadership and Responsibility; include IT & Legal as Partner
Key 3: Clear Definition and Delegation of Program Roles
Key 4: Communication and Training
Key 5: Monitoring and Auditing
Key 6: Enforcing the Program (develop and establish governance mechanisms with rigor)
Key 7: Continuous Improvement (maturity model)
(Randy Kahn: Information Nation – 2008 (2nd ed.) - http://infonation.kahnconsultinginc.com/)
Corp. IGM
House & Foundation (Records Mgmt) Policy
Standards
RM Directive (major principles) Retention Mgmt / ERM Standard
Implementation Guidelines
Guidelines (How to …)
Joint activity: Legal, RIM, Business
Records Identification
What record types exist?
Requirements Catalogue
What requirements are applicable? (legal, regulatory, business)
Master Schedule
How long are records to be kept; When can they be eliminated.
File Plans (item level)
How are records captured and assembled, tracking & retrieval
Divisions (LOB)
ERM
Local Procedures (Functions, Countries, Sites)
Prerequisite 1 Identification of Record Types based on a Business Classification Scheme
A functional classification and taxonomy structures all records based on the business processes that generate records. The model serves as the framework of an ordering system. The hierarchy is process oriented and should reflect all business activities (and/or record types) under a given process.
Model
Record Class: Major business process
Novartis Functional Classification
F008
Human Resources
Normalization: GMRM (Master) example
HUM Human Resources
Activity (sub-class) Buckets should not exceed 30 sub-classes per Class
Record Type(s)
examples
Total 22 Classes (FDC)
Item level
Records: files/documents
Items filed in dept. Xy by Apps / drive xy
Prerequisite 2 Definition & Delegation of Program Roles (ERM System roles) Roles according to Schedule Level
1
GMRM Program Office / ERM Admin
Country RMC
GLOBAL MASTER
2
France
COUNTRY MASTERS
Legal Approver
3
• Organizational RMC
• Functional RMC
• Operational RMC
• Data Source Liaison
User / Viewer Retention for Employees Portal
LOCAL PROCEDURES
Prerequisite 2 Definition & Delegation of Program Roles (ERM) Master
Prerequisite 3 Definition of Requirements (Legal, Regulatory, Business)
Process / Workflow Overview (Operations)
An appointed Records Manager (operational, functional) is responsible for the Life Cycle of a defined business area (dept.).
Prerequisites are fulfilled:
• Master Schedules are defined, requirements (legal etc.) are defined and catalogued
• Organisation is implemented
• Repositories are known
Tasks
1. Create Local Schedules
2. Capture and map Data Sources / Repositories to Schedules
3. Maintenance / Reports / Holds
Menu Atlas Master
Task 1: Local Schedules Creation Derived from Master Schedule
Task 2: Capture data sources / repositories
Data Sources:
• Capturing
• Mapping to Record Types
• Mapping to Schedules, Holds & Collections
Task 3: Maintenance, Holds, Reporting, Comms
Master
Disposition and Destruction (Ex. IP)
Disposition process (from Local Schedule)
Monitor volumes in your inactive repositories (tracking tool / list or get regular reports from your offsite vendor): e.g. some items of the record type “Generic reports” are expired.
Proceed with the final disposition review based on your local SOP and sign off the destruction.
Execute secure destruction (mostly outsourced).
Keep the destruction protocol based on risks and needs.
Mapped Data Sources: IP
• Shared Drives (global access)
• Sharepoint (global access)
• Filing rooms (active, local access)
• Archives (inactive, local inactive)
• Iron Mountain (US)
• Sispace (EU)
• Basement (on-site)
End-User Perspective – Working in the Future Doc xyz
Corporate Classification Library
??
Corporate Citation Law Library
GMRM
Local Schedule Switzerland
Record Series – HUM 120 Personnel Dossier
Jurisdiction – Switzerland
Applicable Laws – Code of obligations ...
Retention – T + 10 Years
Disposition Date – based on trigger event
Custodian – John Doe
Storage Locations
G:\HR...
• CV
• Letters of Recommendation
• Diploma
• Transcript
• Fingerprint
• etc
ORACLE URM
HR Archive Compactus
Iron Mountain CH
Future Automated Process with ECM Solution (eRecords only)
Prerequisites:
• ECM system or in App RM is implemented (or connectors established)
• Local schedules are defined, and record types and metadata are propagated into the ECM repository (one off) plus yearly changes
WHAT ERM Scope (above item)
Functional integration of retention rules in the repository
Business /IT Scope (item level)
• Local Schedules
• Data Sources / Repositories
• Record Types
Every Org Unit knows how long to keep the records, when they are to be eliminated (disposed), and on which repository.
HOW
Repositories/ Systems Electronic (ECM)
Filing in the active phase (end user or records mgr?)
Automated workflow for disposition and deletion (approval process) of records based on the schedule.
ECM Future Architecture Structured Tier 1&2 Dynamic phase
Information
Business Application 2
Business Application 1
ERP
Unstructured
Information
Office / Mail Sharepoint
Paper
Connectors (Oracle)
Metalayer: ERM (classified / scheduled information types above item level)
Tier 3 Static phase Retention Compliance
Metadata Mapping
Multiple Systems
Data Warehouse
Tier 3 Long-term Preservation
ECM
Archives / Digital Preservation
Capturing / Imaging Tools
Ownership?
Benefits
ERM supports Novartis by mitigating major information risks through the following business benefits:
• Globally coordinated and harmonized retention schedules (legally defensible) define all binding retention periods for all relevant Record Types
• Local schedules grant enough discretion for flexible handling of deviations (language, naming of record types etc.)
• The Business (custodians) knows all retention requirements of their business records; processes, locations, owners and Records Mgmt Coordinators are known; records can be easily and quickly retrieved.
• The knowledge of the business and informational value of records contributes to a responsible handling of business information
• Accountability is ensured; auditability is given
• “Litigation Readiness” and “eDiscovery” are ensured (incl. the ability to inform)
Key Success Factors
• Challenging Status quo: looking ahead
• Strong Sponsor: “If he fails, you fail”
• Pragmatism and lean implementation (follow what’s possible “what people need and not what they want”)
• Anticipating Communication (internal Lobbying)
• Piloting the Roll-out sufficiently
• Roll-out: “learning to walk before you run”, do not underestimate training
Records & Information Mgmt Culture
Simply said: It's all about rules like in a game: Everybody on the field has to adhere to the rules within the lines to get an efficient result. Roles and decisions are clear and transparent for all stakeholders.
IGM – Org Chart CIO NI
IGM Lead
Strategy & Policy
• Strategy & Transformation
• Policy Management
• Directives, Standards and Guidelines
• Controls Framework
IT Risk Management
• GRC System/Prcss • Project Risk Assmnt. • Vendor Risk Mgmnt • X-RA Coordination
Records & Information Management
• GMRM & EDM • Rec Management • ICE
• Policy Stakeholder Management • Risk Mgmt Tools • Global IGM Policy Support
Information Governance & Quality
• Divisional Compliance • SOX IT • GxP IT
Information Security Management
• IAM • Incident Response • Project Risk Assmnt • Product Evaluation • Architecture • Testing
Operations & Support
• Online Governance
• IT BCM / DRP
• Incident Reporting & Management
• Exception Reporting & Approval
• Divisional Support
• PKI
• IGM Intranet • Training / Awareness • Communications • Admin Support
Tenet of Information Governance One of the fundamental tenets of information governance is tying "value" and "legal duty" to "information assets" so 1.) IT can routinely and defensibly manage data and 2.) the business can make fully informed decisions.
VALUE Informed business decisions
IT
INFORMATION ASSETS
LEGAL DUTY