Records Management - Overcoming barriers to gain rewards
Records management has been compared to taking out the trash—no one likes to do it, but if you don’t, the house will start to smell. “Keeping information that you don’t need is a risk from a compliance and security viewpoint,” says Firas Raouf, CEO of Everteam.
In addition, costs can be incurred when data from applications that are no longer being used keeps on being maintained. “Sometimes companies continue paying expensive license fees for applications that are dormant,” Raouf says. “In these cases, the information needs to be reviewed, classified and either migrated or deleted. Then the application can be decommissioned.”
The primary reasons for retaining data include:
- active litigation,
- records retention for regulatory reasons, and
- the business value of the content.
Many organizations outside those that are heavily regulated do not place a high priority on records management. “Anything that is a cost center is hard to get excited about,” says Chris Zohlen, managing director for information governance and compliance services at FTI Technology, a business unit of FTI Consulting that provides software and services for data discovery and governance. However, the downside is that the risk of being unable to respond to an e-discovery requirement, of being out of compliance or unable to find necessary business records will overshadow the cost of establishing policies, procedures and programs for records management.
Finding the content to manage
In today’s multi-application environment, records can be scattered all over an enterprise. “The hardest work is in finding out where the sensitive material is and how much is managed, as opposed to being ad hoc,” Raouf says. For example, many employees use Dropbox for their content instead of IT-approved SharePoint. “Content can be anywhere. It is very decentralized, with marketing having content in Wordpress, finance in SAP and multiple departments using SharePoint, for example,” he adds.
Everteam’s platform includes such functional areas as content discovery and analytics, records management and business process automation. The content analytics solution allows IT to regularly scan the network for content that needs to be cleaned up—either deleted or brought into a managed environment. “We use artificial intelligence and natural language processing to classify information, since it’s difficult to get users to tag content for records management purposes,” Raouf says.
Global issues in records management
The global nature of today’s business has placed extra burdens on records management. “We have already seen examples where Facebook had to change its privacy policies because they were storing information from Ireland on U.S. servers,” says Tara Combs, information governance specialist at Alfresco. “They were taken to court not only by Ireland, but also by Germany, Belgium and Austria, and had to change their security policies.” Those requirements will affect U.S. companies because of social media, e-commerce and other digital transactions that span multiple countries.
Noting some differences between the European and U.S. markets, Raouf says, “In Europe, online records are seen as an extension of paper records, whereas in the United States, they tend to be seen as separate. We designed our solutions to be seamless in storing paper and electronic records.” Everteam, which was founded in France with U.S. headquarters in Boston, has clients throughout the world, and its clients in turn are often global organizations that need to comply with diverse regulations. Bouygues Construction, a global company headquartered in France with projects in 80 countries, selected Everteam to manage its records. Its in-house records management system was no longer adequate to handle the paper records it produced, and its electronic records were being retained in the original systems rather than being managed centrally. In addition, Bouygues had to retain construction project records for 30 years to comply with regulations.
The company established a governance process and set up basic document classification categories to include contracts, drawings and tax documents. The company implemented Everteam in one division, providing training and support. Bouygues is in the process of rolling it out to global subsidiaries throughout its network. According to Bouygues, employee response has been positive because of the system’s ease of use in archiving records, its search function and its ability to support new construction project implementation.
In the past few years, concern about security has grown. “People are no longer talking about stopping hackers,” Combs says, “because sooner or later there will be a breach. Even access control and permissions can be overcome. The emphasis now is on marking the content itself to indicate who can access it.”
Alfresco’s application development framework (ADF) allows for customized dashboards that connect to the specific content that each individual needs for his or her job and provides access control at the document level. “Different roles require access to different records,” says Combs. “The CIO might need to see a dashboard and enterprise-level metrics, while individuals managing personally identifiable information might need to see a red flag that indicates data that is not in compliance.”
Organizations will use multiple approaches to secure records, including intrusion detection and prevention, role-based access and document-specific security. In addition, many have learned the hard way that readily available backups are vital to be prepared for ransomware and other threats. Putting the highest fences around the most critical information, however, requires full awareness of where the information is and knowledge of why it is critical, an exercise that many companies are still postponing.
Streamlining saves money
Once the issue of retaining content for active litigation has been addressed, steps can be taken to reduce the amount of content being stored. “An organization should not run the risk of spoliation, so legal requirements are generally the first step,” Zohlen explains. “The next step is to examine privacy and security factors and make sure content subject to those requirements is properly protected.”
Documents subject to records retention requirements can still be managed in a way that reduces volume. “Contracts are a good example,” he explains. “Often there are many copies of the same contract within a company—even more when you consider drafts and revisions—but only one needs to be retained as a record.” The reduction in the number of stored documents saves storage costs, mitigates risk and helps ensure that the right version is retained. In addition, if a company does face legal action and needs to go through e-discovery, the volume of material that must be searched and produced is much lower.