Continue in 2 seconds

Address Policies and Procedures Early and Often

Published
  • September 01 2003, 1:00am EDT

There is an old saying in Chicago politics, "Vote early, vote often." We should take a page from the old school politicians of Cook County and apply it, with a twist, to enterprise content management (ECM) policies and procedures.

The primary rule of ECM policies and procedures is: Begin work on them when you begin work on the ECM project. Do not wait until you have defined the system architecture, selected applications and tools or, worst of all, deployed a system. Policies and procedures that define how an ECM system is used are as essential to the application as the servers on which it runs. Also, remember to review and revise these policies and procedures prior to significant changes, such as introducing an enterprise portal, deploying a new channel that uses or generates content, or undergoing a major organizational change.

We can broadly categorize ECM policies and procedures into four areas: governance, security, maintenance and change management. This is not the only possible organizational scheme, and there is some overlap between these categories. Nonetheless, this categorization provides a useful scheme for organizing the wide-ranging issues that must be addressed in ECM.

Governance policies dictate who will make decisions about the ECM system. In highly distributed systems, defining a governance model is challenging; you must juggle the requirements of multiple departments, share administrative responsibilities among several system administrators and balance the need for some centralized control with departmental demands for autonomy. If you are developing policies and procedures for this kind of environment, use a federated model of governance.

Federated models retain some centralized control while allowing for customized procedures within departments or lines of business. The central authority in a federated model should control security and meta data standards. Departments and lines of business can define individualized maintenance policies, such as the default time before documents are archived. Operational decisions, such as backup procedures and schedules, should be left to system administrators operating within centrally defined functional requirements. When in-depth knowledge of content is required, distribute the responsibility. For example, department administrators should share responsibility for specifying controlled vocabularies used in meta data attributes. In general, federated models keep broad frameworks and standards centralized while the responsibility for implementation details remains distributed. Federated models also provide the right balance between centralized and decentralized control of security.

Organizational security issues, such as the role of single sign-on services, are best managed centrally. Centrally manage security policies governing access to ECM systems, the high-level organization of users, groups and roles, and procedures for auditing and enforcement. Again, department-level administrators can manage operational details, but within a centrally defined framework. These frameworks should focus on how security is implemented, allowing administrators who are closer to end users and content to define specific access controls.

Maintenance policies should address content maintenance as well as system maintenance. Most organizations have well-established procedures for keeping servers and related hardware up and running. Not as many have procedures for controlling content in those systems. Keep in mind that not all content is created equal. Some has relatively short useful life spans while other content should be kept indefinitely. Categorize content according to how long it should remain accessible in ECM systems. Implement procedures to archive content when it is no longer useful. These procedures are especially important to control e- mail.

Also, define procedures for managing change early in your ECM project. Users will need to understand how a new ECM application will fit into their work. System administrators need to understand how it will integrate with other applications. Network managers will want to know how the system impacts the network infrastructure. Business sponsors will want to monitor how changes in the system affect requirements and budget. Change management policies should address these needs. The procedures should include documenting the required change, identifying affected constituents, planning the change implementation, creating testing and verification procedures and, finally, implementing the change.

Of course, policies and procedures are worthless if they are not followed. As part of the governance model, create enforcement mechanisms, such as review boards and audit procedures. Review boards are especially important for security and change management issues. These boards should draw representatives from different technical and business perspectives to avoid unintended consequences caused by a system change or a missing requirement. Automated audit reports should measure compliance with content policies such as providing categorization, keywords and other descriptive meta data when adding or revising a document.

If we define policies and procedures early and enforce them often, we can succeed as well as some old Chicago ward bosses; and we won't have to worry about the Federal Election Commission.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access