Records management redux: the nudge toward compliance
By Alan Pelz-Sharpe
The current swell of interest in records management (RM) comes in the wake of a number of high-profile corporate scandals. But corporate misconduct is not the only driver; the global push to e-government and the increased recognition that electronic data is valuable but vulnerable has created an almost "perfect storm" for RM vendors.
However, the increase in interest has been driven largely by legislation, not by ethical and moral business practitioners setting a standard that others aspire to. In that regard, RM for many organizations is taking on aspects of risk management. It's not something they want to do, but feel they must. They are calculating how much or little they can undertake to be considered "compliant." They are also weighing the actual likelihood of being caught in a non-compliant situation, and the weight of penalties should that happen.
In doing so, many organizations are hampered by both internal foot dragging and the realization that many core RM skills have been lost over the years—skills that are difficult to replace. Add to that the sheer volume of information that needs to be managed in a wired world and the dilemma facing records managers becomes acute.
This report sets out to define some basic principals and parameters that organizations can use as they start to address their RM processes. In doing so, it looks to provide common sense advice, measuring the ideal against the basic necessities.
Pragmatism—corporate reality vs. ideals
In an ideal organization, all documents, e-mails and information formats would be stored in an orderly fashion. They would be retrievable with ease, they would be managed in such a manner that their life cycles would be automated from creation through to destruction. Only those who had a justifiable need to see the records would be able to, others would not. And all the records and live information that existed on the system would be kept in context with supporting and illustrative co-records in easily understood configurations. Document management would have been implemented throughout the organization, Web content management would also have been deployed. Those two systems, combined with a records and archival management system would work in synergy. If that describes your organization, you don't need to read this report. The opposite is true, however, if your organization:
- has multiple repositories for information;
- has no defined information management process;
- operates a mixture of commercial, off-the-shelf (COTS) and home-grown applications;
- lacks proper e-mail management and;
- has not dedicated records management staff.
Don’t worry, you're in the majority. In fact, the ideal organization described above probably doesn’t exist. If you are like most organizations, you need to do something quickly. A pragmatic approach to enterprise records management (ERM) is required--one that deals with the necessary first and the nice-to-have, second.
Too much mail
Many companies think they are doing enough to manage their records, yet on an hourly basis those same companies send automatic messages to their staff telling them to reduce the number of messages in their mailboxes. The messages tell them that their mailboxes have exceeded size limits set by the administrator, and that they may not be able to send or receive new mail until they reduce their mailbox size. The messages also suggest that they delete items that they are no longer using.
That type of message—which is sent from millions of e-mail servers every day—shows that there is no effective records management process in place. It instructs users to delete records to free up storage space, but offers no advice about what should or should not be deleted and makes no reference to a central archive. It is the sort of message that business users should never receive; the storage and archiving of e-mails should be an automated process that does not involve them.
As one trawls through the information management systems of a typical organization, it becomes clear that RM was never even thought of when the systems were deployed. Managers who are toying with the idea of issuing a corporate procedure regarding records retention, yet have no plans to monitor or enforce its implementation, should think again.
The reality we face today is that most organizations avoid RM for two other reasons. First, they think it will cost a lot of money, and, second, they don't see its ultimate value. If a company has to undertake RM for regulatory purposes anyway, it might as well do the job properly because there are many hidden values in RM. And even though the cost of ERM can be steep initially, those costs plateau quite quickly. Although an ERM software system can cost $100,000, once it is deployed it can handle very large quantities of records without problem. And once operational, the costs of managing increasing volumes of documents decrease dramatically. RM requires time and effort to get right. It also delivers far more in benefits if executed correctly than may be first realized.
Strategies to move forward
Organizations need to find a balance between pragmatism/cynicism and idealistic knowledge management scenarios. They must be clear about what can be managed effectively, what must be managed and what is currently too difficult to do well. (In the fast-paced world of information management technologies, many of the issues that are currently difficult to deal with are already some way to being resolved.)
Many software systems are able to manage paper and electronic documents fairly efficiently. Systems also exist, though they are in their infancy, to manage e-mails. Technology is capable of delivering a lot, but all files are not created equally. As the electronic file becomes increasingly unstructured in nature, it becomes increasingly difficult to manage that file effectively. So, for example, it is possible to store voice mails (complex, unstructured files), but it is very difficult to know what content the voice mail holds or its relevance to any other files.
So the current focus of most ERM implementations is (rightly) on basic office documents such as Word, Excel and PowerPoint, along with e-mails. In the process of implementing a solution, some provision might be made for the future management of instant messaging (IM) and voice mails. Unstructured data are difficult to manage, and most approaches--whether enterprise records management or content management—focus on the storage and delivery aspects of the process. In the world of ERM, that becomes a serious limitation and one which defines how deep and meaningful an ERM system can be. Reducing the number of records to be managed will go a long way toward gaining insight and value from the system, and the question of how much needs to be managed is an important one to answer. In strict RM methodology, only vital records need to be stored. As a rule of thumb, that may amount to no more than 5% to 10% of the total content base. However, undertaking an RM implementation after years of no coherent RM processes being in place makes that, at least initially, a difficult goal.
Many records managers argue that custody of records is not the central issue ... the issue is that an organization develop a viable, credible business process for managing records. That system must be able to determine the difference between a record with value and one without. The purpose of records management in general is the preservation of evidence, and the processes, activities and transactions behind that evidence.
RM or ERM is much more about the reasoning behind the activity than the activity itself. A long history of failed document management projects should serve as a lesson to those who believe the introduction of RM will in itself resolve the situation.
Many if not most ERM implementations are being pushed through for the wrong reason: the grudging acceptance that if organizations do not, they might face legal consequences. Rather, the motivation should result from a full analysis of the benefits that could be gained from managing records and information as a whole. True economy and efficiency, rather than simple compliancy, could be derived from RM, but that point is some way off for many.
Quantity over quality
How many records to manage (as a percentage of the whole) is the central question for many organizations. Because most have probably never truly managed their electronic records correctly in the past, they should take the following steps:
- Stop deleting files. That means all e-mails and office documents.
- Move all inactive or semiactive files to separate, secure storage.
- Implement a regular sweep of corporate information to ensure that the archive is kept accurate and up to date.
- Implement a procedure that structures the identification and appraisal process for records.
- Trawl the archive and assign retention flags to information.
- Automate that procedure on a regular basis.
- Destroy non-flagged files from the archive.
That approach ensures that your organization is compliant from the beginning. If you destroy files (e-mails, old documents) without an appropriate procedure, you are making a mistake. Those implementing ERM systems need to stop the random deletion of potential records. Once that is done, the job of sifting through the mountain and introducing an efficient method of tagging and preserving important records, and securely destroying unimportant records can be undertaken.
Alan Pelz-Sharpe is a principal analyst and VP of Research North America at Ovum (ovum.com), e-mail firstname.lastname@example.org.