Special Report - IT's Critical Partnership with Records Management
It is just as true, but frequently overlooked, that these electronic records and information are subject to the same legal/regulatory/compliance requirements that impact records in other formats. It is a great temptation to manage electronic records and email according to their format (e.g., "How long do we have to keep this email?"). Treating electronic records in groups based on their format seems, at least on the surface, to be a simple and practical solution. But this approach overlooks the reality that any record or correspondence used in the course of conducting the organization's business is subject to all the regulatory, legal and compliance requirements that impact the organization. It doesn't matter whether the record information is included in an email, produced from a computer, or remains in digital format throughout its life; the compliance requirements apply.
This reality can most vividly be seen in charges and counter-charges made in corporate litigation. For example, Intel and AMD are currently litigating an anti-trust case in U.S. District Court in Delaware. Both companies filed motions with the court in March 2010, seeking sanctions against the other company, based on claims of improper records retention.
AMD claims that Intel's auto-delete shredder and policy that records would be automatically deleted unless manually saved resulted in the destruction of hundreds of thousands of relevant documents. Intel's response is that they have spent tens of millions of dollars to remediate their document preservation problems and have subsequently delivered nearly 200 million pages of documents to AMD.
While the court has not yet ruled on either of these motions, one thing is clear: electronic documents are at the heart of conducting business, and are, therefore, at the heart of litigation and compliance issues related to that business.
Electronic Records - The Long-term Reality
It is also clear that the trend toward electronic records will continue as younger generations join the workforce. A study recently released by Accenture provides insight into the challenges facing corporations as more and more Millennials (individuals aged 14-27) enter a workplace currently dominated by the baby boom generation. While the Millennials are likely ignoring or violating IT policies, using non-standard applications and improvising, they are also interacting with customers, vendors, and partners in new ways. Using technology is already second nature to this generation. And, creative uses of technology in the conduct of work can only increase as Millennials begin to dominate the workplace.
As the study points out: "The demographic shift can be either frightening or exhilarating - maybe a bit of both. But it can't be ignored." ("Jumping the Boundaries of Corporate IT: Accenture Global Research on Millennial Use of IT," February 2010) Competing effectively in the next decade's global environment is going to demand new behaviors, concepts, and working methods.
Accenture's chief technology strategist, Gary Curtis, said in a phone interview with Information Week magazine, "For CIOs, it's critical that they recognize that the great majority of all the people they'll be hiring from here on out are Millennials, and they all think this way. So companies need to look at their policies and first figure out how to make them intelligible and meaningful to all employees, especially these new ones."
Though not specifically defined in the study, it is clear that the same dynamics affect corporate information governance. Both IT and records and information management (RIM) represent another series of procedures and controls that may seem like an unnecessary constraint to Millennials. Achieving effective information governance is already a challenge in today's business environment, and is likely to become ever more challenging. Since IT and RIM have similar goals in information governance, it will be beneficial to partner together in addressing this need.
Internet Business Models on the Rise
A recent study by the Pew Internet and American Life Project (a project of the Pew Research Center) and Elon University indicates that 72 percent of technology experts and stakeholders believe that use of the internet will result in more efficient and responsive for-profit firms, non-profit organizations, and government agencies by the year 2020.
If this prediction proves true, IT and RIM stakeholders will face an even more diverse and complicated set of challenges. Organizations must continue to meet their legal/regulatory and compliance requirements even while their business model changes dramatically. We have already seen that early adopter consumers frequently expand their use of new technologies from their private lives to the business environment.
At first a personal cell phone is used for the occasional business call. Soon, other employees catch on to using a cell phone to increase their productivity and mobility. Suddenly (it seems), companies are providing cell phones to key employees and sometimes even picking up the expense. And the cell phone becomes institutionalized into business processes.
Yet, a technological change such as this introduces new information governance issues that must be addressed in order to protect the organization's overall interests. Confidential and proprietary data must still be protected. Information residing on new devices must still be managed according to the retention and disposition policy and is still subject to collection for litigation. RIM and IT must come together to find the appropriate balance of constraints that provide corporate protection without unnecessarily restricting use(s) of the new technology.
It's an easy bet that electronic information governance is going to be an issue in all sectors of the economy for the foreseeable future. And, each organization has a great deal at stake in how they handle their information governance challenges.
The trends above are daunting enough - the sheer quantities of data, devices and applications can overwhelm any of the key stakeholders (IT, RIM, legal, business units, compliance). But the reality is even more grim when one looks at the mounting negative impact of ineffective information governance.
ARMA International and Forrester Research conducted an online survey in Q3, 2009 which gives good insight into what's at stake. Survey respondents were largely in North America (95%) and identified themselves as technology and strategy decision-makers with responsibility for RIM. The key issues they identified were:
- Mitigating legal risks is a key business driver, yet barely 20% of respondents report they are very confident they could demonstrate that their electronically stored information (ESI) is accurate, accessible and trustworthy.
- Technology to support legal hold processes is under-utilized. In relation to the legal hold capabilities of existing technology, more than 50% of the respondents report that they don't know if they have the capability or they don't know how to use the capability.
The importance of effective legal hold management has received additional attention due to recent rulings by U.S. District Court Judge Shira Scheindlin in The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al. Amended Order. This is the same judge who made rulings in the famous Zubulake v. UBS Warburg litigation. These rulings established guidelines for litigation holds, e-discovery obligations on all parties, and expectations for proper conduct by attorneys regarding proper preservation of electronically stored information (ESI).
Though a number of issues are addressed in The Pension Committee opinion, one of the opinion's most direct impacts on RIM and IT falls in the area of properly preserving ESI and proper notification of legal hold obligations. To quote the opinion, "By now, it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve records - paper or electronic - and to search in the right places for those records, will inevitably result in the spoliation of evidence." And, later in the written opinion, "Parties need to anticipate and undertake document preservation with the most serious and thorough care, if for no other reason than to avoid the detour of sanctions."
The judge believes monetary sanctions are appropriate to punish offending parties, and identifies other potential spoliation actions that can be levied against organizations which do not adequately manage their ESI. Yet, only 63% of the respondents in the ARMA/Forrester study are leveraging technology to enforce retention management for email. And only about 50% use technology to enforce retention policies for file shares, desktops, or other electronic assets.
What's the impact of that? A significant quantity of data, records and information is subject to ad hoc retention and disposition decisions by individuals. As a result, businesses lack defensible recordkeeping policies and procedures, as well as defensible legal hold/document production processes.
Effective Information Governance - GARP is the Answer
Gartner describes information governance as an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. The definition sets a context for information governance, but doesn't help an organization understand much about what information governance looks like, or what is really necessary to achieve critical and scalable results.
In response to this need, ARMA International has undertaken to define information governance and to articulate the recordkeeping principles which are at the heart of effective information governance. This work is referred to as generally accepted recordkeeping principles or, more familiarly, as GARP. Though these principles have been well developed by those in records and information management, they are frequently less understood by colleagues in IT, in the business units and executive management. Nevertheless, these principles form the basis upon which every effective records program is built and are the yardstick by which any recordkeeping program is measured. These principles also form the basis upon which any organization's recordkeeping will one day be judged.
The GARP principles identify the critical hallmarks of information governance. These hallmarks can be simply stated, and include: accountability, transparency, integrity, protection, compliance, availability, retention and disposition. Eight principles. Eight hallmarks of success.
It's not quite as easy as it sounds, however. Underlying each principle is a detailed understanding of what is covered by the principle. The principles are based upon the major international and national level standards and best practices that have been developed and vetted by RIM professionals over more than half a century. The array of professional standards, best practices, educational courses and other published resources provide a roadmap for implementing defensible and comprehensive RIM programs.
For example, the Principle of Compliance states that "The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization's policies." The annotation to this principle gives additional information regarding the intended scope and coverage of the principle. The annotation points to the need for documenting the organization's activities so it can be shown that the organization operates in a lawful manner, knows the records it must maintain, and understands what the law dictates in terms of recordkeeping requirements. The annotation then identifies a variety of resources (in this case, a best practice guideline and various other ARMA International publications) as additional guidance for implementation of compliance. Each principle is documented and explained in a similar manner.
How Much Information Governance is Enough?
It has not always been easy to describe what good recordkeeping looks like. Yet, this question gains in importance as regulators, shareholders, and customers are increasingly concerned about the business practices of organizations. By articulating the GARP, ARMA provides guidance to:
- IT professionals in understanding information governance business and functional requirements;
- CEOs in determining how to protect their organizations in the use of information assets;
- Legislators in crafting legislation meant to hold organizations accountable; and
- Records management professionals in designing comprehensive and effective records management programs.
The GARP principles establish a common language and a common understanding for RIM and IT, of what it takes to achieve effective information governance.
Yet, by themselves, the GARP principles still do not really help organizations determine whether their current practices are effective, where their current vulnerabilities lie, and what steps they should take in order to make the necessary improvements. Metrics are needed in order to begin assessing the sufficiency of current practices.
The GARP maturity model for information governance begins to paint this picture. Similar to the capability maturity model (CMMi) developed by Carnegie Mellon University, the GARP model is based on the eight GARP principles mentioned above, and incorporates the foundation of standards, best practices, and legal/regulatory requirements that establish the field of records and information management. The maturity model establishes five levels of maturity and defines characteristics at each level, for each GARP principle. The maturity levels represent a range from substandard to transformational.
The GARP model provides another common language and understanding to facilitate collaborative work throughout the organization. It can provide the basis for an organization's self-assessment and a foundation for determining appropriate goals for information governance compliance.
Establishing Effective Governance
Effective information governance is heavily dependent on effective partnerships between the business units, legal, records and information managers (RIM), and IT professionals. Each of these entities has a piece of the overall picture.
The business units are the primary creators of the records. They understand the processes and technology tools they use to conduct their business. Legal understands the legal and litigation environment within which the company operates. Closely aligned with Legal (and often a part of the legal department) are the regulatory and compliance entities. They also have a perspective on the company's regulatory obligations and reporting requirements.
Which two entities cross all these departmental boundaries and bring additional important perspectives? RIM and IT. Managers of an effective recordkeeping program have an enterprise-wide perspective which lends itself to the most comprehensive view of the varying needs of the business and how the business units access and use their records and information. With this understanding, the RIM professionals are positioned well to translate these varying needs between the parties involved.
At the same time, RIM professionals do not have the in-depth understanding of technical issues that is required for effective network architecture and infrastructure support, new technology developments and capabilities, interoperability of systems, programming and software development or hardware maintenance. Yet clearly, these issues are critical to effective information governance as well. RIM, IT, and Legal represent a three-legged stool: take away any one of the legs and the stool loses its effectiveness. The business units cannot be successful unless they have effective, integrated support from IT, RIM, and Legal.
Laying the Groundwork for the RIM/IT Partnership
While it is easy to identify areas in which RIM and IT have common purpose and common goals, it is often much more difficult to ensure that the partnership is effective. The following activities will facilitate a true collaborative relationship.
Establish a shared language - One area of difficulty is the language we use to describe what we do. The words may be the same, but point to entirely different meanings. For example, in RIM, the word "record" is defined as "Recorded information, regardless of medium or characteristics, made or received by an organization that is evidence of its operations, and has value requiring its retention for a specific period of time." But, for the IT professional, a record refers to a complete set of information and is generally composed of fields of information.
Similarly, the word "archive" has distinct meanings for each profession. For RIM, the term refers to documents created or received by a person or organization and preserved because of their continuing value, often also referred to as historical value. For the IT professional, it is much more common to think of archive as a process of compressing and copying files to a long-term storage medium.
Take time to make sure that everyone on the RIM/IT team has the same understanding of terms that are being used in their work together. Does everyone understand what a backup is and what it is used for? Does everyone understand the difference between backups and long-term retention? Does everyone understand information lifecycle management and how it might differ from the records lifecycle?
Understand the goals of electronic records management - RIM's primary responsibility is to ensure that a system which captures and receives records can also preserve required record characteristics. This is particularly important since the vast majority of records are now born digital or converted into electronic formats.
Ensure electronic records meet tests of evidence - ISO 15489-1, Information and Documentation - Records management - Part 1: General, outlines four tests that must be met for a record to meet the test of evidence. Those characteristics are:
- Authenticity - a record must be what it purports to be.
- Reliability - a record must be a full and accurate representation of the transactions, activities, or facts to which it attests.
- Integrity - a record must be complete and unaltered.
- Usability - a record must be able to be located, retrieved, presented, and interpreted.
Other international and national level standards address various elements of ensuring the tests of evidence can be met through the capture and retention of metadata, controlled processes for records conversion and migration, and the integration of various technologies (e.g., electronic document management systems, electronic records management systems, cloud computing, SaaS, etc.).
Capture metadata specific to records management actions - RIM-related metadata aids in the implementation of the organization's information processing activities and records management policies. Proper recordkeeping metadata ensures that records are retrievable and properly handled throughout the records lifecycle, and assists in maintaining the integrity and authenticity of records.
Ensure accessibility of records throughout the lifecycle - ISO 15489-1 makes clear that accessibility to records must be assured throughout the lifecycle of the record. The standard does not preclude organizations from transferring records to nearline or offline storage, but it does require that the records be retrievable and usable throughout their defined records lifecycle.
It is a joint responsibility of RIM and IT to ensure that the systems in use provide the necessary levels of protection for personal privacy and corporate information. Methods should be implemented to prevent unauthorized access, tampering, or disposal.
Manage disposition of electronic records - Effective recordkeeping programs enforce a records disposition schedule that defines the necessary retention times for various categories of records. Disposition occurs when the pre-determined time period has passed between the creation or capture of a record and the endpoint (date) as specified in the retention schedule. In North America, the term disposition may mean permanent transfer of a record to an historical archive or permanent destruction of the record.
Once the disposition is complete, it is important to create an information audit trail of the disposition actions and the authority on which they are based. The audit trail should include:
- Method of disposition (e.g., shredding, maceration, degaussing, permanent preservation).
- Title/name of the file.
- Records schedule identification or classification code applicable to the file(s).
- System identifier pointing to the system where the record originated (for audit purposes).
- Name of individual authorizing the destruction of records.
- Name of the vendor responsible for records disposition if an outside party is used.
- Disposition date and destruction date.
Recommendations for RIM/IT Collaboration
By now it is clear that the roles of RIM and IT professionals converge throughout the information lifecycle. Decisions made by these professionals should align with the company's records management policies as based upon relevant laws, statutes, or regulations. No actions should be taken that would create unnecessary risk to the organization or would negatively impact the content, context, or integrity of the record. But beyond that, what are the key areas for RIM and IT collaboration?
To avoid the prospect of "boiling the ocean," it is important for each organization to assess its unique areas of opportunity and vulnerability to determine the initial focus of the collaborative efforts. But most companies will benefit from first addressing the following areas.
Apply retention and disposition rules to electronic records - As we have seen, the requirements for information governance and compliance apply to all record formats. The organization's records retention and disposition policy identifies the length of time the organization will maintain its records. Retention periods will vary by type of record and may extend from a few months to many years, or even permanent retention for some types of records. Since email messages often contain record information, the systems in place for managing email must allow the application of the organization's retention and disposition policy as well.
IT and RIM must work together to develop the strategies and protocols that will ensure the organization's retention and disposition rules are followed for the vast array of electronic repositories, such as shared servers, transactional databases, data warehouses, ECM systems, document management systems, etc.
Initial discussions between IT and RIM on this topic will likely lead to a need for developing a shared or complementary taxonomy which facilitates retrieval and disposition of records and information. RIM understands the records, the retention and disposition requirements, and how the business units use the information in their conduct of business. IT understands the capabilities and limitations of the systems and storage media in use, as well as the plans and implementation for technology upgrades. Both perspectives must be considered to result in effective records retention and disposition.
Apply litigation hold rules to electronic records - A litigation hold (a.k.a. legal hold or hold order) is the process for temporarily suspending the disposition of records which are otherwise eligible for destruction or transfer. Courts and/or government agencies require this to be done when an ongoing matter (e.g., litigation, government investigation or audit) involves records and information that may be important to resolving the dispute or ensuring a fully-informed investigation. When a litigation hold is in effect, retention and destruction rules are temporarily suspended on all related information.
Many organizations create a litigation support team made up of representatives from Legal (or Compliance), RIM, IT and the business unit to ensure the effective management of the litigation process itself. Legal generally identifies the scope of the litigation/investigation and the types of records that are subject to the hold order. It is then up to RIM and IT to figure out which systems are affected and how to apply the hold order. Hold orders will affect any and all sources of records and information, whether in hard copy, electronic form or email. This is a complex undertaking, even for the simple forms of litigation. The following areas are the chief responsibility of the RIM/IT team:
- Document the overall search strategies used to identify and protect relevant records.
- Identify electronic storage locations that were searched for records, including email accounts of named key individuals.
- Identify the electronic systems that were reviewed to determine whether they contain relevant records. Identify any sources or locations of records not searched.
- Preserve documents to prevent spoliation during the inventory, collection and preservation stages of the hold order.
In addition, RIM and IT have an opportunity to collaborate in the management of the legal hold process itself. In addition to preserving the records and information, the courts scrutinize the organization's handling of the legal holds to ensure the preservation responsibility is taken seriously.
It is increasingly important to track the communication efforts that have gone into implementing the legal hold. Litigation hold software allows the documentation of legal hold actions such as (1) when Legal initially issued the hold order, (2) whether all key individuals received the hold order, (3) whether hold order recipients acknowledged their receipt and understanding of the hold order, (4) how frequently Legal sent reminder notices to key individuals, etc.
The RIM/IT collaboration can help organizations avoid problems and potential financial sanctions by providing search, retrieval, aggregation, and protection of electronic information related to the event.
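The disposition audit trail fields listed earlier and the rule that a litigation hold suspends disposition can be exercised together in one check. The following Python is an added example, not code from the article or from ARMA; the schedule codes, record and custodian names, the hold matter, the treatment of the two dates, and the hash-chaining of audit entries (one way to make tampering detectable) are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: classification code -> (years, method).
SCHEDULE = {"FIN-010": (7, "degaussing"),
            "HR-020": (3, "permanent preservation")}
GENESIS = "0" * 64  # prev_hash of the first audit entry

@dataclass(frozen=True)
class Record:
    title: str
    classification: str  # records schedule code
    system_id: str       # system where the record originated
    created: date
    custodian: str

@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset
    classifications: frozenset

    def covers(self, rec):
        return (rec.custodian in self.custodians
                or rec.classification in self.classifications)

def eligible_on(rec):
    """Date on which the scheduled retention period ends."""
    years, _ = SCHEDULE[rec.classification]
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created 29 Feb, target year has no 29 Feb
        return rec.created.replace(year=rec.created.year + years, day=28)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def dispose(rec, today, holds, authorized_by, trail, vendor=None):
    """Decide one record; append an audit entry only if disposition runs."""
    if rec.classification not in SCHEDULE:
        return "unclassified"          # no retention rule can be applied
    if any(h.covers(rec) for h in holds):
        return "held"                  # the hold suspends the schedule
    if today < eligible_on(rec):
        return "retain"
    method = SCHEDULE[rec.classification][1]
    destroyed = method != "permanent preservation"
    body = {
        "method": method,
        "title": rec.title,
        "classification": rec.classification,
        "system_id": rec.system_id,
        "authorized_by": authorized_by,
        "vendor": vendor,
        "disposition_date": today.isoformat(),
        # Assumption: no destruction date when the record is preserved.
        "destruction_date": today.isoformat() if destroyed else None,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    trail.append(dict(body, entry_hash=_digest(body)))
    return "disposed"

def verify_trail(trail):
    """True if every entry is unaltered and linked to the one before it."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def run_demo():
    """Run four constructed records through the check on 1 June 2010."""
    hold = LegalHold("MATTER-001 (constructed)", frozenset({"b.ortiz"}), frozenset())
    records = [
        Record("2001 general ledger", "FIN-010", "ERP-01", date(2002, 1, 15), "a.chen"),
        Record("Pricing email thread", "FIN-010", "MAIL-02", date(2002, 3, 1), "b.ortiz"),
        Record("2009 performance review", "HR-020", "HRIS-03", date(2009, 2, 1), "c.diaz"),
        Record("Untitled spreadsheet", "", "SHARE-04", date(2005, 1, 1), "d.kim"),
    ]
    trail = []
    decisions = [dispose(r, date(2010, 6, 1), [hold], "records.manager", trail)
                 for r in records]
    return decisions, trail

if __name__ == "__main__":
    print(run_demo())
```

The hold is checked before the retention date, so a held record is never disposed of even when its scheduled period has already expired.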
Integrate records requirements to IT deployment - It is clear that information governance cannot be effective without the joint efforts of RIM and IT. It is equally clear that trying to retrofit a software configuration to meet records management requirements is likely to result in inadequacies and inefficiencies. Records may be difficult to locate unless they are classified according to standard terminology. It may be impossible to apply the organization's retention policy to records and information unless the classification scheme ties to the retention policy itself.
For example, nobody can apply retention and disposition decisions to a folder that contains Excel documents. It is not enough to roll out a piece of new software or technology and to tell employees they can "organize this however you want to." An effective partnership between RIM and IT can help ensure that the recordkeeping requirements are adequately addressed during the rollout of new systems.
The RIM team should be represented in any planning efforts for systems which create and/or capture records. The business units may have detailed ideas of what they want the software to do, but they may not be aware of all the recordkeeping requirements that need to be considered. They may be unaware of long-term storage needs and preservation issues. A representative from the RIM team should be involved in requirements definition phases of IT strategy development on a routine basis.
Once a software solution has been programmed, the RIM team should be involved in the testing and implementation phases to ensure that the programming actually meets the recordkeeping requirements identified in the needs assessment. The RIM team will continue to be a valuable partner throughout the deployment process and can assist in employee training. As the software is used over the long-term, new recordkeeping requirements can be expected, and RIM can assist in identifying these changing needs. That work begins to lay the foundation for needs assessments tied to software upgrades and replacements.
A single master repository is not usually a realistic or practical solution for organizations with multiple and diverse information technology needs. However, many records management, document management, and content management systems permit unified management of large, distributed records systems. They may also permit custom configurability with respect to key functionality.
Legacy systems may contain records that require preservation because of fiscal, legal, or business requirements. The records have to be accessible and usable throughout their lifespan, so that the organization can meet its retention requirements. This requirement means that RIM and IT must determine the appropriate handling of the legacy information in the system being retired. In some cases, this means that the organization must preserve the legacy system in working order. Or, it may mean that the data must be migrated to the new system. RIM and IT must make such decisions in the light of the overall retention policy and any record hold orders that affect the legacy records.
As we have seen, RIM and IT professionals can leverage their collective expertise by working together and fostering a productive relationship where their assets and value are clearly evident to the organization.
Diane Carlisle, CRM is the director of Professional Resources for ARMA International. In this position, she is responsible for guiding the strategic direction of ARMA's content development and delivery to RIM professionals. She has been a practitioner of records management, a consultant to a variety of industries, and a frequent speaker and author. She is a Certified Records Manager and a charter member of ISO TC46/SC11, the committee that develops international records management standards. Diane can be reached at firstname.lastname@example.org.
(GARP and Generally Accepted Recordkeeping Principles are both registered trademarks with the Patent and Trademark Office.)