10 Steps to Effective Information and Records Management
The challenges that have evolved around information and records management have led companies to implement a variety of solutions. But increasingly, these solutions simply aren't keeping up with the changing needs of today's business environment. The answer lies in looking for innovative approaches to developing architecture for your organization's IRM solutions. But where do you begin?
The immediate demands are for records retention and archive solutions, primarily driven by email storage and compliance issues. Nonetheless, you should start with your firm's broad needs across four related IRM areas: compliance, security, legal e-discovery and storage management.
In taking this wider view, you need to balance costs and risks. At the same time, you should think about rapidly changing technologies, outside providers and the competition. Poor choices can be needlessly expensive and have limited future value. But there are clear best practices and migration paths which allow you to effectively meet both current and future IRM needs.
IRM solutions are typically made up of three components:
- Existing IT systems providing email, content management and other business services;
- Record archives housing electronically stored information;
- Collection and categorization tools working with one or more systems for ESI compliance.
Here are some of the specific needs IRM solutions address in each of the four areas:
- Records compliance. IRM solutions provide the services required to meet mandates, statutes and regulations governing the retention of business records. Compliance can cover general business requirements as well as industry and geographically specific needs.
- Security and recovery. IRM solutions centering on email are increasingly combining security elements with traditional protection from spam and malware, as well as recovery capabilities. These can often be provided, along with archival capabilities, by firms working in partnership. Outside suppliers also offer archival and recovery services around typical business systems.
- Litigation readiness. All information retained by an organization can be subject to disclosure in a legal proceeding. An IRM solution for the proactive review, assessment and disposition of archived collections is very important. This will mitigate exposure during e-discovery orders, reduce the volumes of data subject to discovery and support corporate retention schedules and policy compliance.
- Storage management. An IRM archiving solution allows the IT department to remove older or duplicated messages from their enterprise storage system using greater compression. The reduction in storage needs from deduplication generally does not provide sufficient ROI by itself. But the investment is usually justified when combined with the savings realized from more compression.
Critical Cost and Risk Considerations Driving Innovation
Cost and risks must be balanced against these needs as you work toward developing an effective IRM solution. But the analysis can be tricky. Let's look at one area of considerable cost – storage.
According to Gartner research, storage needs for the typical firm are growing by 65 percent to 70 percent per year, driven by both compliance requirements and the huge amounts of business intelligence information firms are collecting. People think storage costs are going down because the price of storage devices drops 34 percent a year. But the true cost of storage is actually increasing an average of 60 percent per year when you factor in overall capacity, services, software and electricity. With many organizations routinely managing terabytes of data, storage costs are a significant burden.
Often overlooked are unexpected project costs and system obsolescence. Because record retention requirements can change, archiving costs – especially for email – are frequently underestimated, along with their network impacts. The complexity of migrating to an enterprise search and collection approach can also be underestimated, along with the related costs.
With risk, there's even more to consider. Organizations typically view risk as litigation and most studies show these costs continue to rise. The exposure can be substantial, as a 2007 study revealed most midsized firms have been exposed to at least one, and as many as 50, $20 million lawsuits. The largest companies in the survey spent $5 million or more per year on litigation.
Finally, the impact of compliance change is usually underestimated. Amendments to the Federal Rules of Civil Procedure in 2006 put the focus on email archiving, thanks to significant cases such as SEC vs. Morgan Stanley & Co. and Zubulake vs. UBS Warburg. But because technology cycles refresh every three to five years, any reaction to new regulation must anticipate the implications of emerging technology tools. The major recent example of this is the dramatic growth in social networking sites like Facebook and LinkedIn and communication channels like SMS and Twitter. These can result in considerable reinvestment in IRM. Similarly, legal e-discovery requirements should be seen as evolving, not static.
10 Steps to IRM Innovation
With this as background, the most important innovations are those which make the IRM solution architecture more adaptable. To meet IRM needs in this shifting business environment, here are 10 specific things you can do now. These 10 steps can help trigger the innovation that will help you achieve the best possible solution for your organization's situation.
- Expand your IRM focus beyond email. IRM assets should include file shares, Web transaction records, mobile assets, instant messages and, yes, print transactions. Any records infrastructure must still deal with a large volume of physical records with retention and destruction requirements. IRM solutions should manage hybrid records repositories, but organizations should also seriously consider digital conversion followed by secure destruction of the physical records (careful review of local, regional and international laws related to retention of records must be included in your decision-making process when converting and destroying physical records assets). Focusing principally on email may solve an immediate problem but miss a significant opportunity for longer term savings. Any selection of tools and services should consider the full range of assets and systems. Carefully scrutinize collection tools for their applicability. Make cross-repository capability mandatory, to provide for future growth. Also consider the long-term viability of vendors, bearing in mind that smaller firms have small financial bases and might be acquired. Before making a decision, take all the usual precautions, including software escrows, financial disclosures and partnership analysis.
- Make a comprehensive risk assessment. Critically examine all risks and get inputs from all crucial parties: legal, business units, records management, IT and security. Most firms are not as unbiased as they think in conducting a risk analysis. This should be viewed as an analytic tool and not just an exercise, to enable informed decisions about important issues like outsourcing, technology selection and service levels. A good test to see if a risk analysis has been done correctly is to ask if it is improving your solution.
- Merge security and compliance. Increasingly, security needs will be indistinguishable from compliance requirements. Approach this by making sure all events are logged into the archive associated with the underlying asset. This includes any external logs (from the email system, for example), which may contain critical chain-of-custody information about the ESI asset. The logging must also track all event information, such as the user and the logical and physical asset IDs. All IRM security solutions should provide access control and multilevel security to support use in a variety of scenarios, such as compliance audits, e-discovery and corporate governance. In addition to working in a cooperative environment, security must also withstand deliberate attempts at circumventing compliance. Snapshot audits are not likely to detect a user who has deliberately masked, encrypted or copied information. Yet failure to protect against these threats can expose an organization to legal and business risks.
- Carefully evaluate technology vendors. Look for technology vendors offering ready support for archiving, security, records management, e-discovery and secure destruction. They may not directly offer all functionality, so be sure you fully understand their approaches, limitations and partnerships.
- Plan now for future migration. In planning for resources and scheduling, consider how you may migrate to future IRM solutions. Phases typically include: selecting tools; developing an overview of your data asset topology; detailing the identification/organization/destruction of both PC/mobile assets and core assets (on app and storage servers); and finally, maintenance and audit. Each area requires specific skills, so the overall scope of work can greatly tax a corporate records office. Where appropriate, make maximum use of technology and outside vendors to leverage resources. It may be more expeditious and less expensive to use outside suppliers for things like templates, technology evaluation expertise, collection analysis techniques and manpower audits. Going outside should be considered not just for timing and cost considerations, but for risk mitigation too. Finally, it may be prudent to consider an outside vendor for a continuing role in your compliance architecture, where they can continue to provide experienced resources as the demand scales up and down.
- Classify ESI at point of entry. This approach to classifying ESI saves storage by duplicate elimination and stubbing of attachments with emails. With a proper Web interface, your archive may also support continuity of operations in the event of core system outages. Retention and deletion capabilities should be definable by asset type, organization and users. The retention policy must be defined and enforced centrally in all cases.
- Be flexible in your archiving approach. A flexible archiving approach may provide downstream savings. You may prefer to archive and store email centrally, but other ESI may be better managed in-situ. The best IRM solutions allow you to manage disparate archives depending on ESI type and support migration as your solution matures.
- Archive for e-discovery. Archives can't be effective for e-discovery unless they can efficiently export evidence. An IRM solution should support all stages of e-discovery and even allow you to create automated processes or metadata that support your preferences. Apart from regulatory changes, compliance is fairly predictable and stable. But demands for records can be rapid and varied during litigation, requiring more access and search options.
- Consider software-as-a-service (SaaS) solutions. Take a look at SaaS to augment your overall archival approach. SaaS offerings are maturing rapidly, increasingly cost competitive and easy to integrate. They can be very effective for rapid implementation and minimal budget impact. You also might have greater flexibility in managing external vendors versus in-house resources. In the context of a corporate records risk plan, you may choose to leverage financial penalties as an effective risk transfer approach. Before entering into an agreement, be sure you clearly understand the costs to store assets and your options for bringing the archive back in house, as well as the associated transfer costs. SLAs should be firmly established with SaaS providers and negotiated to your advantage. SaaS features must also be critically examined for completeness.
- Think like a user. In developing an IRM solution, it's easy to get caught up in compliance and e-discovery needs. But don't forget the users. Any new solution should integrate with the user's existing environment and tools. Making the transition easy will reduce workload and increase voluntary compliance. Check if issues uncovered during automated audits could represent rapid and targeted training opportunities. The ability to identify and communicate specific mistakes in a timely fashion can be a very effective teaching technique in conjunction with traditional annual training sessions.
Innovate for the Long Term
Migrating to an innovative IRM solution architecture can be difficult and complicated. There is also always a risk it could become outdated. Expect the litigation and compliance environments to continue to evolve and look for truly adaptive solutions that can grow to address all forms of ESI. All new solutions should make the best use of technology and outside vendors, evaluating cost, risk concerns and expertise. A robust but well thought-out IRM solution architecture will save you considerably in long-term investment while effectively meeting your litigation and compliance needs.