Closing the Records Management Loop

Microsoft SharePoint is considered one of the fastest growing enterprise applications in the market. Many organizations view SharePoint 2010 as a platform for enterprise content management and collaboration since it makes it easier for people to work together, set up websites to share information, manage documents from start to finish and declare corporate records.

However, while there are many benefits to implementing SharePoint, a number of organizations are also beginning to discover that there are risks. SharePoint gives users the ability to easily create sites to support specific projects and then populate these sites with content. Often these sites and their associated content are not under the corporate governance umbrella, and over time—as the number of SharePoint sites grows unchecked—there is more and more confusion for users and an information management headache for IT and compliance professionals. Some organizations expect the ratio of sites to users to reach one-to-one, an astonishing, if not frightening, outcome.

Companies have records management (RM) programs to protect the business from the legal risks that can arise from the way information is stored and handled. The goal of records management is to ensure compliance with information governance policies across the organization, mitigate risks and protect the confidentiality of sensitive company and customer data. From a practical perspective, records management programs also improve the value of the information by ensuring that it is easily accessible when and where it is needed, while minimizing the costs associated with storing and maintaining records over time.

As a result, organizations are beginning to understand the necessity of including SharePoint content within their corporate records management programs. It has become critical to apply legally defensible governance controls over SharePoint content throughout its entire complex lifecycle across various servers, jurisdictions and business units. SharePoint 2010 delivers basic (but important) RM functionality. However, industry analysts agree that the current offering does not address all enterprise records management and information governance requirements. Some of the required capabilities missing from SharePoint include:

  • Multiple jurisdiction support;
  • Integrated library of laws and regulations;
  • Easy file plan creation/management;
  • Out-of-the-box event-driven disposition; and
  • Physical records management.

Because SharePoint does not meet the needs of all organizations, especially global enterprises or those in highly regulated industries, the need for an approach that integrates SharePoint with more robust information governance systems is evident. This integration is key to "closing the loop" on SharePoint information governance.

To Govern, or Not to be Governed

One of the challenges facing organizations is understanding and deciding what should be under the governance umbrella. Under the Federal Rules of Civil Procedure, all electronically stored information is admissible to the courts. This includes SharePoint content, not just email.

Companies are required to conform to a strict and growing body of rules and regulations regarding documents and other information relating to customer, vendor and employee interactions. We call these documents "records," and compliance with these mandates "information governance." Documents of this type typically include things such as customer statements, employee performance appraisals and vendor contracts.

SharePoint is commonly used as an environment for the development of documents—before they reach the stage of becoming official "records." While it is not necessary to include these documents under the information governance umbrella, it is essential to safely dispose of all "draft" and "work in progress" documents once the work has been finalized. These in-process documents are legally discoverable, and storing them can be costly. In some organizations, SharePoint becomes the dumping ground for drafts and other incomplete documents, and when these are spread across dozens if not hundreds of individually created sites, there are increased storage needs, operating costs, legal risks and, potentially, legal fees. Administrators therefore need to prune these "orphan sites" and ensure that draft documents are disposed of properly. The trick here is to balance better governance of the very long record lifecycle against the benefits and growth of SharePoint, without impeding either.

An information governance solution for SharePoint is therefore required to:

  • Enable stakeholder alignment across functional groups;
  • Deliver in-place governance;
  • Ensure SharePoint content is governed in accordance with laws/regulations throughout all jurisdictions;
  • Refine existing policies and processes to encompass the entire lifecycle;
  • Strengthen integration across all repositories; and
  • Promote consistent classification, metadata and usage.

All of this needs to be done without impeding the creativity and productivity benefits that are often associated with SharePoint deployments.

It All Starts with Policy...

Every program requires sound, validated and actionable policies, which must incorporate the requirements of all corporate functions—business, legal, risk management, compliance, IT, privacy and executive management. Creating and validating these policies requires input from all the lines of business that intersect across the enterprise.

If applicable, policies need to be designed to support multiple jurisdictions and languages. While multinational companies might desire a set of RM policies that can be deployed globally, country-specific requirements make that nearly impossible. If the rules change when you cross a border, the policy needs to reflect that; you also need to identify exceptions to the rules.

Policies also need to encompass the entire lifecycle of the record (see figure 1, Page S9 downloadable PDF). A few years back, retention and disposition were all that organizations needed to track, but that is no longer the case. Today, records have multiple milestones in their lifecycle. Perhaps at a certain age the record moves to less expensive storage or a legal action puts an indefinite hold on it, or rules change regarding when to "anonymize" and declassify the record. Policies need to link to corporate standard operating procedures, laws, regulations and more. If procedures or laws change, policies need to change, too. A complete audit trail of what changed, when it was changed, and (more importantly) why it was changed is necessary to provide legally defensible disposition.

Policies must be agnostic to the content source and apply to records, folders, sites and even entire SharePoint deployments. It would also be ideal to maintain all SharePoint and non-SharePoint policies from one place.

In-place Enforcement—Fact or Myth?

The goal of the records management program is to enforce the policy, but it's impossible for the business to enforce policies if employees don't know about them. It's equally important that the business be able to automatically translate policies into specific lifecycle actions: record declaration, disposition or legal hold. A closed-loop records management approach enforces the appropriate lifecycle actions through preconfigured SharePoint connectors that manage and execute the flow of commands.

In the absence of a closed-loop RM approach, many companies are required to migrate (sometimes referred to as "offload") content from SharePoint into a proprietary enterprise content management system where the RM policies can be enforced. Moving content from SharePoint into another system should be a choice—one that's defined by date, project, business rules or operational requirements. Naturally, these rules should be defined in your policy.

There are many reasons why in-place enforcement is important:

  • Proprietary system costs—Offloading SharePoint content into "locked down" content systems means a more expensive and sometimes risky alternative.
  • Regulations—Some laws, particularly in Europe, prohibit the export of content across national borders.
  • User experience—Migrating content into a third-party system will have an impact on the overall SharePoint user experience; it creates an additional step, whether it's for archiving or retrieving records.
  • IT resources—Offloading SharePoint content means you need to have dedicated resources to maintain additional third-party systems.
  • Stability—Moving content from one system across the network to another introduces technical risk; the fewer the moving parts the better for an enterprise governance framework.

As mentioned earlier, the ultimate goal is to have minimal impact on the SharePoint user experience while ensuring compliance with governance policy. Therefore, it's critical to map the existing SharePoint content types to the approved corporate master classification. The mapping should be done behind the scenes—allowing users to easily declare records (under five seconds, please) or, alternatively, having SharePoint do this automatically.

The last key item for enforcement is to automatically trigger lifecycle actions based on business events. Here are some examples:

  • Delete content after 60 days when project is closed.
  • Declare everything as records when project is approved.
  • Seek approval before releasing a legal hold on SharePoint records.
  • Review SharePoint content when employee resigns from the organization (triggered from HR system).
