Implementing an ERM Program: The Issues, Challenges, and Strategies Jesse Wilkins April 17, 2008


Seminar Agenda

A.M.: Implementing ERM
• Implementing an ERM Program
• Managing Electronic Records Without an ERMS
• RM and IT: Collaboration for Success

P.M.: Emerging Electronic Records Management
• Accessing Electronic Records in 5, 50, 500 Years
• Effective Email Management
• RM 2.0: Managing Records in the Cloud

Session 1: Implementing an ERM Program

Session Agenda

• Paper vs. Electronic Records

• Implementing the ERM Program


PAPER VS. ELECTRONIC RECORDS


Setting the Stage

• Explosion of information
  – 161 exabytes created or copied in 2006
  – Up to 95% created electronically
  – 80+% never printed
• Digital vs. paper
  – How do you print an Oracle database?

What’s the big deal?

• Paper records:
  – Self-contained
  – Human readable
  – Robust
  – Mature technology
  – Authentic and trustworthy
• Electronic records:
  – Might be…or not.

The paper problem


The electronic problem…?

Source for images: Wikimedia Commons

What’s the big deal with e-records?

• Not human readable

• Not even visible

• Anyone can create a ton of records

• And email them to everyone

• And create tons of perfect binary copies

• And in 10 years they won’t be readable anyway!


Really, what’s the big deal?

• Records management is about managing records regardless of media

• Electronic records are more complex and more fragile than analog records

• Electronic records must be actively managed to ensure reliability, trustworthiness, and authenticity


IMPLEMENTING THE ERM PROGRAM


Implementing the ERM program

ERM implementation lifecycle

1. ERM Project & Program Management
2. Information Governance
3. Concept of Operations
4. Information Survey
5. Business Case
6. Business & Systems Requirements
7. Business Classification Schemes
8. Users & User Involvement
9. IT Infrastructure
10. Pilots & Model Offices
11. Roll-out
12. Post-Implementation

Project management

• Assemble an effective project team

• Determine the scope of the program, projects

• Include stakeholder, user points of view

• Identify priority vs. other projects

• Determine a realistic schedule


ERM governance

• Policy

• Procedure

• Other “instruments”

• Job aids and references


Develop the charter

• Also referred to as concept of operations

• Identifies what the program is to accomplish at a high level

• Includes anticipated benefits

• Describes the “to-be”, ERM-enabled state of the organization


User involvement

• Users need to be involved early and often

• If the system doesn’t meet their needs, they won’t use it


The business case for ERM

• Identify the benefits of the ERM program
  – Financial
  – Non-financial
  – Non-tangible
• Beware the limitations of the “compliance” argument
  – And the pitfalls of “Chicken Little” or disengagement

Business requirements

• Determine what is required for the ERM program to be compliant
  – Policies and instruments
  – Processes
  – Roles and training
  – Technologies
• Prioritize according to most urgent need

Develop the BCS

• Develop the business classification scheme
  – Select the approach: organizational, functional, matter-centric
  – Draft the top-level scheme and get feedback
  – Iterate through successive levels
• Get business unit approval of the BCS

IT infrastructure

• IT infrastructure will impact the way the ERM solution is implemented

• Identify existing IT infrastructure

• Ensure ERM solution fits the IT infrastructure
  – And RM requirements!

Pilot the program

• Run the program in a controlled environment

• Easier to make corrections or changes

• Allows users to “test-drive” the program

• Develop and test training materials

• Get support staff and power users trained


Roll out the program

• Go-live for the entire program

• Could still be implemented in a phased approach

• Train users on expectations

• Change management and communication


Change control

• Most requests for change come during implementation and acceptance testing

• Important to have a change control process
  – Scope creep

• The “iron triangle”

Change management

• Different aspects of change

• Fear of change?

• Communication is the key to managing change
  – Up and down the organizational chart
  – Training is part of communication and vice versa

Questions?


Session 2: Managing Electronic Records Without an ERMS

Session Agenda

• The network share problem

• Desktops and laptops

• Removable media


THE NETWORK SHARE PROBLEM


The network share problem

• Many organizations have shared directories
• But there are some issues
  – Duplication of files
  – Multiple versions of files
  – Potential deletion of records
  – Accessibility without control framework
  – Limit to storage space available
  – Takes up lots of space
  – Lots of files stored on network shares are not records
    • Or even work-related!

How do organizations address this today?

• Set passwords or access controls
• Set quotas on network shares
  – And enforce them
    – Sometimes
• Buy more storage
• Back up everything periodically to optical or tape, then purge
• Do nothing
• None of this helps the records issues

Dealing with records on shares

• Take small steps
  – Create folders that match the file plan at the top level
  – Gradually add levels
  – Create usage guidelines
• Consider using technology to take control of shares
  – SharePoint?

DESKTOPS AND LAPTOPS


Desktops, laptops, and other hidey holes

• Records can be stored many places on individuals’ PCs
  – My Documents
  – In folders on the desktop
  – In application folders
  – In .PST files
  – In temporary folders
  – On a personal laptop

The problem with local file storage

• Many of the same issues as with network shares
  – Duplication of files
  – Multiple versions of files
  – Potential deletion of records
  – Accessibility without control framework
  – Limit to storage space available
  – Takes up lots of space
• Plus the files rarely get backed up!

Dealing with records stored on PCs

• Start with the policy
• Consider “locking down” PCs
  – Watch out for side effects
• Consider locking down PCs except for a specified directory (e.g. My Documents)
  – Use centralized technology to retrieve records from those directories

REMOVABLE MEDIA


Removable media

• Come in many form factors and capacities
• Cheaper and hold more every week
• Includes:
  – Optical disks (CDs, DVDs, etc.)
  – Flash drives
  – External hard disks
  – Smart phones and PDAs
  – MP3 players
  – Compact Flash cards, etc.

Removable media issues

• Many of the same issues as with network shares
  – Duplication of files
  – Multiple versions of files
  – Potential deletion of records
  – Accessibility without control framework
  – Lots of files stored on them are not records
• Plus they are generally not under any organizational control
• Easy to lose – and may have records on them!

Managing removable media

• Prohibit their use(?)
• Address appropriate usage in policies
• Purchase removable media for use by employees (and address in policies)
  – Some provide encryption, passwords, biometrics
• Consider employing technology to limit or track usage
• Label and track media and location

Conclusion

• Network shares, PCs, and removable media present challenges for records managers

• There are less costly solutions available to address – but you get what you pay for

• A longer-term approach will almost certainly require technology assistance

• But any solution has to start with policies - TANSTAAMB


Questions?


Session 3: RM and IT: Collaborating for Success

RM and IT

“IT is RM’s most important stakeholder – even more important than legal. No significant RM initiative can even be attempted – let alone successfully accomplished – without a close partnership with IT.”

– David O. Stephens, CRM, FAI


Session Agenda

• A record by any other name…

• RM vs. IT: The way the world looks

• Recommendations for bridging the gap


A RECORD BY ANY OTHER NAME…


A record by any other name…

• Record

• Document

• Archive

• Records management


Record

• RM: information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business

• IT: A group of related fields that store data about a subject (master record) or activity (transaction record). A collection of records make up a file.

Source: TechEncyclopedia.com


Document

• RM: recorded information or object which can be treated as a unit

• All records are documents, but not all documents are records

• IT: The individual electronic objects on servers, workstations, and laptops, such as PDF, Word, etc.


Archive

• RM: The documents created or received and accumulated by a person or organization and preserved because of their continuing value.

• The building or part of a building in which archives are preserved and made available for consultation.

• IT: Offline or backup storage, e.g. to tape or optical media

• Might include offsite storage of backup media


Records management

• RM: field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records

• IT: Keeping the systems running, available, and backed up


RM VS. IT: THE WAY THE WORLD LOOKS

RM vs. IT

| Records Managers | IT Professionals |
|---|---|
| Manage records | Manage data and systems |
| Own records | Own systems and information on them |
| Delete records based on retention | Delete data - or not - based on storage requirements |
| Analog | Digital |
| Why | How |

RM vs. IT cont’d

| Records Managers | IT Professionals |
|---|---|
| Don’t understand the sheer volumes of electronic information | Don’t understand regulatory requirements and storage implications |
| Don’t understand the complexities of systems or how the technologies work | Underestimate the relationship between content and presentation |
| Long(!)-term focus | Fire-fighting |
| Focused on process flows | Ensures the flow of data |

RM vs. IT cont’d

| Records Managers | IT Professionals |
|---|---|
| Reports to admin, legal, IT(!) | Reports to executive management, admin, ops |
| Never have any budget | Never have enough budget |
| Have very deep knowledge – on esoteric topics | Have widely diverging breadth & depth of knowledge |
| Don’t trust IT | Think RM is a burden |

RM vs. IT cont’d

| Records Managers | IT Professionals |
|---|---|
| Don’t trust users | Don’t trust users |
| Speak odd language | Speak odd language |
| Offices separated from rest of organization | Offices separated from rest of organization |
| Work thankless jobs | Work thankless jobs |
| Focused on risk management | Focused on risk management |

Key concerns for both RM and IT

• Providing efficient access to information
  – Versions
  – Silos
• Containing costs
• Providing effective response to audit or litigation
• Ensuring integrity of electronic records
  – Now and in the future

The bottom line

• Both RM and IT manage information for the organization

• When RM and IT aren’t on the same page, bad things happen

• The increasingly electronic world means RM and IT must collaborate effectively!


RECOMMENDATIONS FOR BRIDGING THE GAP


General recommendations

• Establish cross-functional teams to create policies, address issues
  – IT
  – RM
  – Legal
  – Business (LOB managers, executive team)
• Identify business and technical requirements
• Iterate through key deliverables
• Change management!

Recommendations for IT

• Learn the basics of records management
• Understand and apply lifecycle management practices to electronic records and systems
• Ensure that hold orders are applied to all applicable systems, documents, data, backups
• Ensure that information is destroyed at the end of its lifecycle

Recommendations for IT cont’d

• Work with RM to identify migration issues and requirements for electronic records

• Hold backup media only as long as required for disaster recovery purposes

• Identify tools for automating records processes
  – Classification and categorization

• Look for systems that include required recordkeeping functions as identified by RM

Recommendations for RM

• Reach out to IT proactively
• Add records requirements to IT’s RFPs
• Work with IT to set system configurations
• Review classification scheme and retention schedule with IT
  – In particular for IT-unique records
• Be flexible
  – It can’t all be done today
  – Beware of “Chicken Little” syndrome

Recommendations for RM cont’d

• Learn about technologies and their impact on the records program and practices
  – Imaging (CompTIA CDIA+, AIIM)
  – Storage (SNIA)
  – Email
• Scan the records & technology horizons
  – Automatic classification & categorization
  – Electronic records management
  – Digital rights management

Questions?


Session 4: Accessing Your Electronic Records in 5, 50, and 500 Years

Session Agenda

• The problem with digital information

• Approaches to digital preservation

• Strategies for long-term access


THE PROBLEM WITH DIGITAL INFORMATION


The problem with digital information

Digital documents last forever – or five years, whichever comes first.

--Jeff Rothenberg, RAND Corp.


The problem with digital information

• Explosion of information
• Documents and files are increasingly “born digital”
• Digital formats support more complex information objects
• Digital preservation does not just happen – it must be actively pursued
  – And IT can’t do it alone

Issues in electronic archival

• Media deterioration
• Hardware compatibility
• Software compatibility
• Security and encryption
• A word about standards

Media

• There are no archival-class media for storing digital information
  – Media can be damaged, scratched, stretched
  – Substrate separation – the chemical layer that stores the data separates from media
• And if there were – it wouldn’t matter!

Hardware compatibility

• Technical obsolescence
  – 8” floppy disks, laser video discs
• Generational changes
  – Floppy disks, CDs
• Non-standard formats
  – ZIP drives, LS-120
• Rapid rate of change

Software compatibility

• Between applications
  – Microsoft Word, Corel WordPerfect
• Between platforms
  – Word, Word for Mac
• Between versions
  – Word 1.0, Word 2007

Security and encryption

• Passwords can be lost
• Some applications don’t play nicely with encrypted or protected files
• Some applications don’t recognize security features -- and ignore them

A note about standards

• Formal standards are agreed to by users, vendors, industry experts, and managed by standards organizations.
  – XML, PDF
• Ad hoc standards are controlled by vendors or smaller groups and are considered standards because they are in widespread use
  – Microsoft Word
• Standards protect the organization!

APPROACHES TO DIGITAL PRESERVATION


Digital preservation strategies

• Analog storage
• System archival
• Emulation
• Conversion
• Migration
• Each has its own strengths & weaknesses

Analog storage

• Analog storage suffers from a number of issues:
  – Search and retrieval issues
  – Storage requirements and costs
  – Data loss, particularly for rich media formats

System archival

• Maintain copy of original hardware, software, operating system, and information objects

• Still run into issues with media and hardware lifespan

• Centralizes access to locations with older systems

• Increasing number of systems required to ensure access to everything

• Difficult to ensure everything is taken into account


Emulation

• Virtual recreation of original environment
• Does not require any conversion
• Requires periodic refreshing of the emulation environment
• Still have issues around media and, maybe, hardware to read it
• Lots of work is being done in this area

Conversion

• Move from proprietary to standard
  – HTML to XML
  – Windows bitmap to JPEG or TIFF
  – Excel to ASCII text
• Can be labor-intensive
• Often results in some loss of data
  – Proprietary formatting
  – Rich objects, images, formulas, etc.

Migration

• Digital media doesn’t last forever…
• …and neither does the hardware
• Media must be refreshed while it’s still readable
• Very labor intensive
• Often results in loss of some information
  – Migration over generations often more reliable than migration through generations

Migration cont’d

The Domesday Project

• Domesday book written in 1086
• In 1986, BBC created interactive presentation using LaserVision LV-ROM
• By 2002 the discs were unreadable
• Through significant effort and the use of migration and emulation, the Domesday presentation remains available

STRATEGIES FOR LONG-TERM ACCESS


Recommendations – 5 years

• Capture information using no compression or lossless compression
• Use standard file and media formats
• Select high-quality media that will last 5-10 years
• Capture relevant metadata

Recommendations – 50 years

• Capture information using no compression or lossless compression
• Capture information in standard formats or formal descriptions
• Select high-quality media and plan for migration
• Capture relevant metadata
• Do not use encryption or passwords on individual documents

Recommendations – 500 years

• Capture information in standard formats or formal descriptions
• Select high-quality media and plan for migration
• Capture and embed relevant metadata
• Consider converting to analog
• Do not use encryption or passwords on the individual documents

Summary

• Digital preservation requires work
• Ultimately a question of tradeoffs
  – Cost to preserve
  – Cost of not preserving
  – Exactly what must be preserved
• Pursue multiple preservation strategies
• Standards can help preservation efforts

Questions?


Session 5: Effective Email Management for the Organization

Session Agenda

• Email management drivers
• Email management today
• Email management technologies
• Elements of an email policy

EMAIL MANAGEMENT DRIVERS


Email – defining the issue

• First email was sent in 1971
• Today more email is sent every day than the USPS delivers in a year
  – 11 billion emails a day in the US alone
  – More than 57 billion a day world-wide
  – NOT including spam
• 60% or more of business-critical information is stored within messaging systems

Why are we sending so much email?

• It’s easy
• It’s asynchronous
• It’s convenient
• It’s less formal
• It’s ubiquitous and platform-neutral
• There’s a written record of communication

Business issues

• Email storage costs
  – Up to 200 GB email per month for 1,000-user company
  – Costs to add and manage storage
  – Costs to back up to tape
  – Costs to restore
• Productivity costs

Business issues cont’d

• Email retrieval costs
  – It takes more than 11 hours to recover an email more than 1 year old from an archive
  – Typically have to restore the entire tape to a spare (!) server to find the desired message
  – 29% of organizations would not be able to restore an email message over 6 months old

Legal issues

• Electronic discovery for a Fortune 500 company averages $750,000 per case

• 75% of demands for discovery are for email

• Courts want discovery in native format…

• …but may also require that it be provided in an accessible format


Legal considerations for messages

• Messages are discoverable – whether they are records or not

• Message archives are discoverable, regardless of the format or storage medium

• The “deleted messages box” is discoverable

• Personal copies are discoverable


When is an email a record?

• When statutorily defined
• When it documents a business transaction
• When it memorializes a business decision
• When the attachment is a record
• When it is the only written record of something

EMAIL MANAGEMENT TODAY


Email management defined

According to AIIM, The ECM Association, the essence of email management is that

“As the de facto standard for business communication, removing emails from the server and saving them to a repository isn't enough. Email must be classified, stored, and destroyed consistent with business standards – just as any other document or record.”

Approaches to managing email today

Policy approaches to retention:

1. Do nothing
2. Let users manage their own email
3. Keep everything forever
4. Delete all messages older than X
5. Limit mailbox size to X
6. Declare and manage email as records

Approaches to managing email today

Technology approaches to retention:

1. Outsource it!

2. Server-based rules

3. Client-based rules

4. Decentralized – employees do it
   • Messages on the server
   • Messages in .PST/.NSF files

Email management is NOT:

• Saving all email messages forever
• Saving all email messages in the messaging application
• Setting mailbox time limits
• Setting mailbox size limits
• Declaring “email” as a record series
  – Or as simply “correspondence”
• Doing nothing

General principles

• Email management is part of time management

• Email is a medium, not an action
• Email should not be used for everything
• Email should be kept as long as needed – and no longer

Who captures the message?

• YOU have to capture an email:
  – You receive from outside the organization
  – You send, either internally or to someone outside the organization
• Designate someone to capture messages sent to groups/lists

Emails that are not captured

• Transitory messages that are not timely
• Personal messages unrelated to business
• “Me-too” messages
• Messages already captured by someone else

EMAIL MANAGEMENT TECHNOLOGIES


Messaging system

• Not built to store massive amounts of messages
  – And attachments
  – And manage as records
• Difficult to search across inboxes
  – Discovery, auditing

Print & file

• Common approach
• Challenges:
  – Loss of metadata
  – Attachments
  – Volume to print and to file
  – Authenticity (phishing)

Backup tapes

• Backups store data, not files or messages
• Designed for “smoke & rubble” scenario
• Multiple copies of data
• Readability of older tapes
  – Format, media, hardware

Email management applications

• Move messages out of the messaging application
• Typically use a rules engine
• May provide simple retention management
• Single instance storage
• Many different capabilities available

Email management technologies

• Email archiving
• Personal archive file management
• Email encryption and digital signatures
• Email compliance
• Email discovery
• Email security
• Policy management

ECRM solutions

• Most systems support email management
• May run at server or client
• Many support single-instance storage
• May allow declaration, management of messages as records
• Varying support for attachment management, metadata management

ELEMENTS OF AN EMAIL POLICY


Email policy principles

• Email belongs to the organization, not the individual
• Email is not a records series unto itself
• Email management program must comply with appropriate regulatory requirements
• Policy has to be followed and enforced!

Email policy elements

• Acceptable/appropriate usage
• Personal usage
• Access to external messaging systems
• Effective email usage
• Ownership of email
• Retention and disposition
• Legal issues
  – Holds
  – Discovery and production

Elements of an email policy

• Mobile and web-based email
• Backups
• Archival
• Privacy
• Security
• Retention and disposition
• Training
• Audit and compliance

Conclusion

• We have to manage messaging technologies better

• Start with policies and procedures

• Technology can help

• Communicate, communicate, communicate

• Enforce the program


Questions?


Session 6: Records Management 2.0: Managing Records in the Cloud

Agenda

• Definitions 2.0

• Web 2.0 In Action

• Managing Records in the Cloud


DEFINITIONS 2.0


Buzzwords 2.0

• Education 2.0

• Energy 2.0

• Health 2.0

• Library 2.0

• Travel 2.0

• Retail 2.0


Hugh McLeod, http://www.gapingvoid.com

Web 2.0

• Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this:

Build applications that harness network effects to get better the more people use them.

-- Tim O’Reilly, 12/10/2006

Office 2.0

• First described by Ismael Ghalimi in 2005

• Use of Web 2.0 technologies for Office 1.0 tasks – Scott Deitzen, Zimbra

• Web-based Software-as-a-Service (SaaS) – Dion Hinchcliffe

• Working where you want, when you want, and being able to conduct real business – blognation Canada

Enterprise 2.0

• Enterprise 2.0 focuses on platforms companies can buy or build to make visible the practices and outputs of their knowledge workers.

-- Andrew McAfee, 5/2006

• Enterprise 2.0 is the application of the Web 2.0 technology and mindset within an organization.

--Mike Riversdale, E20 New Zealand Style, 2/2008


Not in our organization….

If you don’t like change, you're going to like irrelevance even less.

--Gen. Eric Shinseki, 11/8/2001

5,000 Web 2.0 apps in 333 seconds

• http://www.youtube.com/watch?v=Hs_xnyJtWEc

• Source: SimpleSpark

• Currently tracking more than 8,300 Web 2.0 apps


WEB 2.0 IN ACTION


The 2.0 meme

• It’s all about me

• And my networks

• It’s open

• Emergent

• Fast

• And always on

Source: Ray Sims’ Learning Connections blog

Web 2.0 and the enterprise

• Web-based email

• Web-based office suites

• Web-based collaboration

• Web-based document sharing

• Web-based social networking

• Web-based social categorization

• Noticing a trend?


Web 2.0 in the enterprise

• An approach, not a technology

• Emergent structures

• Software as a service

• Information reuse

• Social networking

• Perpetual beta

• Enterprise-y!

What makes Web 2.0 enterprise-y?

• Control over implementation model

• Standards support

• Security and identity

• Access to enterprise data

• Data quality

• Regulatory compliance


Web-based email

• Many different applications available

• Provide secure web-based access to email

• Provide 1+ GB storage/user

• Allow 20, 50, 100MB attachments

• Forward to/from other accounts

Web-based office suites

• Many different applications available

• Fully-featured to fairly narrow
  – Generally compatible with common Office functionality

• May default to private or public

Blogs

• Project updates

• Organizational updates

• Customer communication

• Notification of changes

• Lessons learned


Wikis

• Knowledge base/customer service

• Meeting agenda and minutes

• Collaborative authoring and publishing

• Proposals and presentations

• Contract negotiation

• Collect and organize research

RSS feeds

• Subscription to updates from blogs, wikis

• Notification of system changes

• Competitive and market intelligence

• Publish organizational updates

Social networks

• Expertise management

• Tap unknown resources

• Contact management

• Alternative to email
  – That users are already using
  – That allows tagging, blogging, etc.

Mashups

• Connect two or more data sources using loosely coupled connectors such as XML

• Combine sales data with maps

• Combine shipping and order data

• Provide external partners and customers with (non-sensitive) status monitoring


MANAGING RECORDS IN THE CLOUD


The bad news

• You can’t prohibit them
  – Too many of them
  – Constantly changing
  – IT has other fires to fight

• They can be difficult to control
  – The “Shadow IT Dept”

• Check your demographics

The good news

• Many of the most commonly used 2.0 tools already track changes, versions, etc.

• Some tools need to be managed for efficiency rather than compliance

• E20 tools use standard formats and interfaces

• Some tools are less risky than others

Change tracking


Compliance 2.0

• Address in policies
  – Whether Web 2.0 solutions will be allowed
  – Which tools will be allowed or supported
  – What type of information can be published
  – Whether posts, etc. will be reviewed pre- or post-publication

Compliance 2.0

• Consider whether to implement versions inside the firewall

• Review SLAs with hosted providers to determine whether you can live with them

• Consider add-ons that can provide required compliance functions

For more information

Jesse Wilkins

ermm, ecmm, bpms, LIT, CDIA+, edp, ICP

Access Sciences Corporation


http://www.accesssciences.com

blog: http://informata.blogspot.com