The discipline of records management has evolved to the point where it now encompasses information management and governance. This is not news for many records managers. However, growing awareness of this trend is empowering and strengthening the records management function, which increasingly is being viewed as vital to the success and safety of businesses as well as their customers and other stakeholders.
Our company has a national division dedicated to guiding its clients in constructing, implementing and managing information governance programs. I believe it is critical that an information management or governance program is built upon a solid, more current definition of records management. An easy way to think of it is “records management plus.” This description would include the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records. “Records management plus,” however, expands the traditional definition of records management to encompass unstructured data, business transactions, social media, legal holds, eDiscovery demands and metadata. These elements, in turn, are governed by regulatory requirements, the culture of the business, operational needs, and the ever-increasing issues of privacy and security, all of which ideally the organization manages in an integrated manner. Two more ingredients for success include direct responsibility by executive boards or C-level executives and an adequate budget to make essential program improvements.
New clients frequently relate similar challenges to me about the state of their records program. These concerns often include the following:
- Lack of system integration
- Duplication (the same data contained in a variety of repositories)
- No executive insight as to where data and records reside and if the company is truly prepared for an audit, discovery or a disaster
- Hidden costs for managing data
- Inadequate flow of information
- Questions surrounding business agility
Hearing any of these apprehensions suggests to me that the client has an immature information management program. There might be massive hoarding of data; unknown repositories; no inventory of what is where; and inconsistently named, unstructured data. Often there is no point person or empowered position that has program accountability, the company is unable to halt the ingestion of inappropriate information, and there is no defined and structured legal hold process beyond the legal department advising employees not to destroy data that may be relevant to a pending lawsuit. Given these scenarios, the general information management goal would be to advance the program from localized, separate efforts to an enterprise-wide, integrated and mature set of procedures. The goal would also include training employees on best practices; monitoring compliance by auditing technology usage, data flow and personnel habits; and using reports with documented results to detail improvements and the current status of the organization’s march toward a significantly enhanced program.
As a best practice, I suggest beginning this transition by conducting what we term a Business Process Assessment (BPA). This is an objective, in-depth analysis of the current state of an organization’s records management program, including strengths and weaknesses and what must be done to build upon the positives and address the negatives. The ingestion and egress of information is mapped; repositories are identified (including “rogue” repositories that are created by employees without notifying the IT department); current taxonomies are identified, including how they were implemented; concerns expressed by employees about how they access information are gathered; bad recordkeeping habits are documented; and how the current overall program may negatively impact the organization’s ability to meet regulatory requirements is clarified.
Building an Information Governance Framework
While leveraging the BPA for guiding future direction, the next step is to craft the information governance framework that will support program planning, monitoring and enforcing compliance. This, in turn, drives the company’s ability to define, approve and communicate the records program (policy, retention schedule and procedures) while implementing it with new standards, architecture and analytics reporting functions. Table 1 highlights many of the key elements of an information governance framework.
This is a time-intensive and expensive undertaking, consisting of five phases: the BPA, the resulting report that will be referenced for all initiatives, planning for change, implementation and analytics. Within the table, each phase is summarized at a high level to provide an orientation of how to get started.
Create a Committee for Sponsorship
Although we collectively groan when we hear the word “committee,” it really is necessary for gathering the support and constructive input that can spell success for implementing what could be a company’s most important program. The highest level of executive sponsorship possible should be at the helm of the committee, such as the CEO or CFO. Other members could include the records/information manager and executives from the IT, risk, audit, compliance, legal and finance departments. These members can help enhance program accountability. They should understand the program’s direction by reading the BPA report, agree on what has to happen and by when, and know what resources (both financial and non-financial) are involved. They should also be responsible for communicating the program’s mission statement and expectations to key audiences within the company.
It is important that the organization ensure that it has a records/information manager who is educated in the field, has access to training and is keeping abreast of developments in legal discovery, technology and regulatory requirements that impact the enterprise. Without this training, the strategy necessary for advancing the program will be weak and will negatively impact the results.
Dashboard Analytics and Reporting
Another key element of the transition to a robust information governance program is to monitor and report on progress and program compliance. Analytics and reporting can help executives clarify if response times to legal discovery and audit requests are faster and more efficient. These tools can also help clarify if storage requirements are reduced due to improved version control, if the number of repositories has declined, and if the remaining repositories have defined roles and contain only the information that is necessary for the organization to work more effectively. The reporting function should include a compliance ranking, which ideally increases over time due to improved, streamlined data sharing and overall enhanced program effectiveness. These improvements in turn enable the company to better meet legal and compliance challenges. Specifically related to legal discovery, in our work with clients we have learned that a significant portion of an attorney’s time spent overseeing a new discovery request is devoted to collecting and culling documents. This can be very expensive for a business. If there is an information management and governance program in place, the program’s manager can have an important role in identifying where relevant information is located and in gathering documents. Thus the program and its manager can possibly help reduce legal fees and better protect the company by ensuring that unnecessary or potentially damaging information is not shared due to negligence.
Return to the Beginning
As the information management and governance program matures, I recommend that the records manager or external consultant perform another BPA. The time to perform the second assessment will depend on the progress made and the committee’s dedication toward continuous improvement, but it is necessary to ensure that no major issues or gaps were missed since the first BPA was performed. The follow-up assessment can be used, if ever necessary, to substantiate to a court or shareholders that the organization has taken actions and is doing its best to govern its most important asset — information.
This article originally appeared in the March 2015 issue of Workflow.