Increase records security through process Christopher Wynder, Ph.D Director of Client Services @ChrisW_thinkdox [email protected] ThinkDox LLC.

Bring IT together_2015_ECOOandOASBO


Page 1: Bring IT together_2015_ECOOandOASBO

Increase records security through process

Christopher Wynder, Ph.D, Director of Client Services

@ChrisW_thinkdox [email protected]

Page 2: Bring IT together_2015_ECOOandOASBO

Education has the third highest rate of records breaches in 2014-2015

These first two are symptoms of how poor/slow adoption of technology has been for records handling.

The last three are purely process maturity, suggesting that even if adoption of EDRMs technology were higher, significant issues would still exist.

Page 3: Bring IT together_2015_ECOOandOASBO

Effective ERM is service driven:

It is embedded into normal work processes

Provides time-savings to system users

Aligns with organization strategy and goals

Page 4: Bring IT together_2015_ECOOandOASBO

Most records management procedures are based on “paper”

• Rigid organization-enforced taxonomy.

• Retention rules

• Disposition workflow

• Audit of deletion schedules

Capture → Organize → Use → Archive or retire

How it is generated does not matter in a paper world. The physical artifact is “handed over”.

Use is controlled via ownership of artifact.

Page 5: Bring IT together_2015_ECOOandOASBO

Documents consist of information that is used for particular business processes. There is no requirement for documents to be maintained for any period of time.

Records are a subclass of documents that must be treated differently. Specifically, they must be maintained in a format that cannot be changed for a specific length of time.

Processes produce both documents and records.

Users do not have “silo’ed” work days where they handle just records or handle just documents.

[Figure: The average user’s day, from 9am to 5pm; labels include ERP/CRM]

Page 6: Bring IT together_2015_ECOOandOASBO

EIM as a strategy reduces risk of user confusion

Process and storage location alignment = risk reduction

[Figure: storage for R&D, Sales, CEO and HR shown in three panels (Before, After, A year later), with these user comments:]

“Do we have any tape?”

“Someone needs to organize this!”

“That looks great… but where do I put my vacation request: is it HR or department?”

“Do we have any tape?”

“I thought we organized this?!”

Page 7: Bring IT together_2015_ECOOandOASBO

Information can be found in a lot of places, and is a mix of personal and work

[Figure labels: On-Premise Software; Cloud and SaaS; ERM; SharePoint; Legacy Exchange; ERP]

Page 8: Bring IT together_2015_ECOOandOASBO

How people work has changed vastly

Information lifecycle: Capture → Organize → Use → Archive or retire

User information lifecycle: Generate, Record, Use, Forget or store, Organize, Re-Organize

[Figure labels: Envisioned starting point; Actual starting point; Forget or store]

Page 9: Bring IT together_2015_ECOOandOASBO

Align user information and ECM lifecycles at key points in the process

Adoption and BRPs are linked together. Solve the users’ key needs and you’ll solve your compliance concerns surrounding structured documents and records.

ECM lifecycle: Capture → Organize → Use → Archive or retire

User information lifecycle: Generate, Record, Use, Forget or store, Organize, Re-Organize

ECM works best when the information is organized at capture

The un-asked question: “How do users get work done?”

This is key to how users expect to find documents

Users lack the tools to appropriately archive content

Re-use leads to lots of local copies.

Page 10: Bring IT together_2015_ECOOandOASBO


Move beyond just ERM to EIM

[Figure labels: ERM; Add; User; ECM; ERP or LMS; Student records]

Page 11: Bring IT together_2015_ECOOandOASBO

Focus on the user tools that solve user frustration with their day-to-day activities.

How many different applications are they using?

How many times are they breaking compliance?

[Figure: the user’s day from 9am to 5pm; labels include ERP/CRM]

• Generate: how do users generate content? What are the filetypes, what are the key applications?

• Record: where is the information from that content being recorded? Office documents, applications.

• Organize: what is the point of the content? Is the information being shared? Is it for revenue generation? Does it need to be moved to other people?

• When: ... is the information source used again? What do users really need, and what can you securely provide them?

Page 12: Bring IT together_2015_ECOOandOASBO

Account for GROW-th by accepting the organic nature of information

An architect plans the design of information, brings structure to unstructured sources by enabling users to move through a “journey”.

Requires existing user compliance and understanding of information sources.

A gardener sets the parameters of access, provides a single point of entry to user needs by understanding that every user has multiple “journeys” that encompass their job.

Requires access control to key information sources to ensure user compliance.

Page 13: Bring IT together_2015_ECOOandOASBO

Be the gardener: plant the seed, control the weeds, and nourish the environment

• Gardeners do not control growth; they only maximize the conditions for growth.

• What can you as an Information Gardener do:

◦ provide appropriate access (the size of the plot).

◦ Set limits on where the seeds can grow (users) and

◦ provide within that plot the nutrients (information) that seeds need.

• You cannot control the growth but you can limit the unwanted growth. Growth on ECM is going to be organic but you can limit the space provided.

Page 14: Bring IT together_2015_ECOOandOASBO

Start by defining what you want the system to do

[Figure labels: 1, 2, 3; IT Competency; Information Governance; Technology readiness]

1. Can we manage the customization?

2. Can we gather enough information on users?

1. What are users going to do IN system?

2. How embedded should the system be in our processes?

1. What can our ECM system do / what features should we be prioritizing?

2. Do we have a taxonomy?

3. What are the disposition needs?

Page 15: Bring IT together_2015_ECOOandOASBO


Idealized process

[Figure labels: LMS; ERM; Add; Student records]

Page 16: Bring IT together_2015_ECOOandOASBO

The reality of how student records get updated

Add

Page 17: Bring IT together_2015_ECOOandOASBO

How do we move to better process

[Figure labels: School level; Board level; System of interaction; System of record; Access control; Findability; Archive; Ad hoc / Fileshare]

Holistic planning for information management

Infrastructure planning

Requirement gathering

Implementation

Integrated retention and disposition schedules

Understanding trends in content generation

Information management strategy

Technological support for managing information


Page 18: Bring IT together_2015_ECOOandOASBO

Case study: Evaluating a broken process

Who

K-8 school board in Midwest US.

Central IT administration

Charter schools have own IT budget

Problem

Updating student records at end of year is time-consuming for both teachers and central admin

Process “feels” unique for each school to enter same data

Complications

Some schools use Google Apps.

Central Admin and many schools are standardized on Microsoft

Central uses O365. Most schools are migrating to O365.


Page 19: Bring IT together_2015_ECOOandOASBO

The reality is their “process” is actually 3 processes

1. Records change approval

2. Records change workflow

3. Records update capture

Page 20: Bring IT together_2015_ECOOandOASBO

Optimizing each sub-process

1 Records change approval

Why is this happening outside the system?

Do we care?

Risks?

Printing student records increases the number of different places that regulated information is stored.

Speed of process has led to paid overtime for Admin staff, constraining infrastructure upgrades.

Why:

Key approver is an “email guy” who doesn’t want to learn a new system.

It fits with the communication and template locations that currently exist.

Page 21: Bring IT together_2015_ECOOandOASBO

Addressing the “Why” – understand how each user works

[Figure: User journey of an Admin’s day, covering Student records and Facilities management. Steps shown: Check information; Get Approval; Confirm Updates; Request updates; Review orders; Send orders; Request approval; Draft orders]

Analysis:

The nature of approvals is the real issue.

Facilities management is completely done through accounting software. It has no ability to capture “wet signatures”.

Approver wants to just send an email.

Page 22: Bring IT together_2015_ECOOandOASBO

Identify the “most dangerous” user personas

What core users or departments are the most dependent on ECM or have roles that generate the most content for ECM?

Go right to the source:

Where are the roadblocks in the process?

• Survey users about their activities.

• Compare the activities of people in problem processes.

Where are the compliance issues?

Which group of users is the organization most concerned with?

Non-compliance from user groups that know better is often due to a lack of support for BRPs.

Use IT system data:

What does the log-in data tell us? Is there an AD role that is under-represented?

Users that are under-represented in access logs are likely dissatisfied with ECM.

What department has the most complex site organization?

Complex granular trees often result from user groups copying and re-filing information for new projects.

Search logs – are there commonly searched terms?

Searching for the same document is a sign that users do not recall where documents live.
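An added example (not part of the original slides) of the two log checks described above: it flags AD roles whose members rarely appear in ECM log-in data, and search terms that several different users keep repeating. The role names, log tuples and the 50% threshold are constructed assumptions.

```python
# Constructed sample data (not from the presentation): AD role sizes,
# ECM log-in events as (user, role), and ECM searches as (user, query).
ROLE_MEMBERS = {"Teachers": 40, "SchoolAdmin": 5, "CentralAdmin": 5}
LOGINS = [("t01", "Teachers"), ("t02", "Teachers"), ("t01", "Teachers"),
          ("a01", "SchoolAdmin"), ("a02", "SchoolAdmin"),
          ("a03", "SchoolAdmin"), ("a04", "SchoolAdmin"),
          ("c01", "CentralAdmin"), ("c02", "CentralAdmin"),
          ("c03", "CentralAdmin"), ("c04", "CentralAdmin")]
SEARCHES = [("a01", "Record Change Form"), ("a02", "record change form "),
            ("a01", "record  change form"), ("c01", "bus schedule"),
            ("a03", "Record change form"), ("c02", "retention schedule")]


def underrepresented_roles(role_members, logins, threshold=0.5):
    """Return {role: share of members seen logging in} below `threshold`."""
    active = {}
    for user, role in logins:
        # Count distinct users, so one heavy user cannot mask an idle group.
        active.setdefault(role, set()).add(user)
    flagged = {}
    for role, size in role_members.items():
        if size == 0:
            continue  # empty group: nothing to measure
        share = len(active.get(role, set())) / size
        if share < threshold:
            flagged[role] = round(share, 2)
    return flagged


def repeated_searches(searches, min_users=2):
    """Return {normalized query: distinct users} for widely repeated queries."""
    users_by_query = {}
    for user, query in searches:
        key = " ".join(query.lower().split())  # fold case and whitespace
        users_by_query.setdefault(key, set()).add(user)
    hits = {q: len(u) for q, u in users_by_query.items() if len(u) >= min_users}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print("Under-represented roles:", underrepresented_roles(ROLE_MEMBERS, LOGINS))
    print("Repeated searches:", repeated_searches(SEARCHES))
```
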

Page 23: Bring IT together_2015_ECOOandOASBO

Dealing with capture and re-capture problems

3 Records update capture

Why is this happening outside the system?

Do we care?

Risks?

Errors in data input cause problems for teachers and administrators attempting to evaluate educational plans.

Duplicated records are a serious issue for both storage growth and audit controls.

Why:

No one knows how to update documents in the system.

Information is captured in a different system than the records management system.

Page 24: Bring IT together_2015_ECOOandOASBO

Use of Word templates and no required metadata “hides” documents from ERM

[Figure labels: Collaboration; System of record; Access control; Templates; Template]

PDF generation strips metadata and is not linked to a form type in Laserfiche

Admin kept copy of template on HD

No one actually used SharePoint for version control

IT had tied metadata to “live” copy

Page 25: Bring IT together_2015_ECOOandOASBO

Move the whole process to form based approach

Capture → Organize → Use → Archive or retire

Page 26: Bring IT together_2015_ECOOandOASBO

Take advantage of the metadata system to connect records classification to both information and process

[Figure labels: Text; Date; List; Dynamic; “In progress”; Information; Folder; Information sorting (Templates); Process step identification; Tags; Confidential]

Templates can be applied to either folders or documents

Tags can convey information or restrict access

Page 27: Bring IT together_2015_ECOOandOASBO

The brain uses two descriptors for recall. Take advantage of this to limit the number of descriptors.

• People vaguely recall the name of a document

• People recall why they made or last used a document

• People are hard wired to remember WHO they:

◦ Work with

◦ Communicated with

◦ Made the original

• The right two pieces of process information will allow users to find the right documents

Take advantage of how the brain works.

[Figure labels: Weak recall; Weak recall; Strong recall; Object; Who]

Page 28: Bring IT together_2015_ECOOandOASBO

Describe the user journey based on how people work

Expand using descriptors that describe work patterns

Facet | Description | Examples

Matter | Objects, typically inanimate. | Desktops; Servers; Storage; Buildings.

Energy | Actions and Interactions. “processes”. | Customer service; Quality control; Manufacturing; Research; Accounts payable.

Space | Locations, departments. | Human resources; APAC; Guatemala; Building A2.

Time | Hour, period, or duration. | Morning; Q3; Financial close; Winter; 2011.

Page 29: Bring IT together_2015_ECOOandOASBO

Build out the descriptors based on discrete tasks during the process

[Figure labels: Client size; Depart.; Budget related; Location; Order; approvals; fulfillment; Initiative; Intranet; ERP; Other sources; Website; HR structures]

Remember our goal at the beginning is to have enough taxonomy to confidently allow users to add content to ECM for the purposes that the organization has defined. The taxonomy WILL need to be updated through a controlled process.

The key with “semantic search” is a clear process for evaluating the usage. The goal should be to have these integrated into the controlled vocabulary to replace unused terms rather than create a shadow metadata system.

Page 30: Bring IT together_2015_ECOOandOASBO

Categorize the non-records descriptors based on GROW fields

[Figure labels: Contract negotiations; Billing; Contracts; Secondary office; Remote; CRM logs; Surveys; Direct interaction; Location; financials; Call list; Daily activities; Calendar; Hand-over; Workgroup]

Potential taxonomy descriptors (GROW)

These could be the drop-down terms

Wide category

Remember this initial goal is about gaining control over documents. The long term goal is a living set of descriptors that mirror business practices.

These are probably too specific. Additional personas will generalize these further to make them usable.

Page 31: Bring IT together_2015_ECOOandOASBO

Use process descriptions to enable both findability and security

Long lists of anything are a disaster for information collection

Marketing Joke: “What is the biggest state in the United States?”

The Answer:

8x3

The human brain has a storage and sorting limit of eight items.

This means drop-down items 9 - ∞ will not be considered. Keep your taxonomy to three levels of detail, each with about eight items. The taxonomy for a facet, therefore, can have 8³ – or 512 – items.

Page 32: Bring IT together_2015_ECOOandOASBO

Define the complete view of what people do to extend content descriptors

[Figure labels: Persona; Business Process; Users; Workflow; New cases; Case management; Check schedule; Follow-up; Schedule meeting; Check for information; Review previous; Monitor action; Request action; Review reports; Service Management; BPM case module; CRM case #; Workflow; Confirm by SMTP; Social Services]

Page 33: Bring IT together_2015_ECOOandOASBO

Refined the process maps with the actual information they need

[Figure labels: CRM; Constituent or Council needs; Vacation request; Agenda/Budget]

What information outside of their job description do users need to “get work done”?

How many of these resources are up-to-date?

Page 34: Bring IT together_2015_ECOOandOASBO

Well-governed information is both protected and used.

• Start by determining how similar the key intra- and inter-departmental information movement patterns are. Do HR and corporate services speak the same language?

• School boards with cloud based educational tools, e.g. GAFE, Office 365, D2L, should evaluate the processes and security of how information moves into these systems.

• Move away from “E-documents” such as fillable PDFs to dynamic forms and workflow. This is easier to manage long term.

• Don’t forget about social. School officials need to have policy and process for when constituent information and conversation moves beyond community “engagement” to legally binding or regulated action.

[Figure labels: Regulations; Organization-wide data; Similarities; Departmental data]

Key considerations for how to maximize the use of your ECM

Page 35: Bring IT together_2015_ECOOandOASBO

Thank you

Have questions or want a copy of the presentation:

Email me: [email protected]

Don’t want to email me:

See our website’s presentation page http://thinkdox.com/news/presentations/

We are on Twitter and LinkedIn: @Thinkdox, @ChrisW_thinkdox

https://www.linkedin.com/company/thinkdox-inc-?trk=biz-companies-cym