In conversation with a customer last week, I was struck by how complex and confusing records management projects can be. Even for larger organizations that have invested in records management professionals, understanding the business, technology and legal factors involved in becoming compliant can be challenging. Taking on the task of implementing a records management initiative can be downright discouraging.
My client has a variety of constraints to consider, and I think they’re not that dissimilar from other organizations. During the ‘early,’ post-Enron years, commercial organizations scrambled to put basic information safeguards in place, anticipating future regulations such as the Sarbanes-Oxley Act. More often than not, these projects fell to the IT organization to deliver. When IT became aware of the depth and complexity of managing corporate records, it typically made one of two decisions:
- To set up a partial records management implementation serving the needs of a single department (typically driven by the department funding the initiative)
- To set up an enterprise-wide ‘archiving’ solution for easily-captured but difficult-to-manage content such as email.
Neither of these approaches, of course, has resulted in enterprise-wide compliance. Records management compliance, regardless of the particular legislation or regulation that applies, revolves around three key topics:
- Retain what you have to retain, to meet legislative or business requirements
- Dispose what you need to dispose, when you need to dispose it, in order to meet legislative or business requirements.
- Be able to produce, during legal discovery, what you are required to produce – quickly, and (ideally) cost-effectively.
Viewed like this, neither of the typical records management initiatives to date have resulted in compliance. A bulk email archiving solution – while practical – doesn’t meet the requirements for a differentiated disposition scenario (if you keep every email, you are keeping some you shouldn’t be keeping and others for too long). A departmental records management system doesn’t meet the simple criteria regarding enterprise-wide compliance (it doesn’t really matter that one department is compliant if the others aren’t).
And there are, of course, other aspects of records management initiatives that may also contribute to uncertainty and project failure. They include lack of adoption, high costs, lengthy implementation time lines and a lack of executive sponsorship (executives still struggle to provide support for initiatives that don’t earn the organization any money).
To get a better handle on the records management journey, I think a four-dimensional road map would be a great approach. This would serve to illustrate what in my opinion are the four key parallel trajectories along which records management implementations need to proceed in order to be successful. Ignore one of these dimensions and you’re sure to have a blind spot from which you’ll struggle to recover.
The four dimensions are:
- Organizational change management
I’ll provide my notes for each of these to give you an indication of the kinds of things you should be exploring and mapping out.
The idea of a road map is, of course, to capture and plot out over time project activities and their anticipated cost and impact, making it easy to obtain long-term buy-in for a complex, multi-year initiative. Once you’ve established a rudimentary road map by collecting your goals, activities, constraints and impacts in each of the four dimensions, you’ll need to look at them in the context of each of the other dimensions. For example, implementing a records management system that requires user interaction (technology) may require business process changes or end-user training (organizational change management).
The Business Dimension
This dimension is about money, mainly. What can you afford? What do you have to do, and how much will it cost you? The factors to consider aren’t just the cost of the technology implementation you may choose to do (hardware, software, services), but also the cost of changing your business processes and human resources to make it all work. Another business problem to consider is the opportunity cost of compliance projects. While you’re becoming compliant, what are you not doing? The business dimension should also track the overall business risks of not being compliant, or only achieving partial compliance (particularly as you’re moving through the project). What would it cost
- To have to do discovery?
- To be fined for non-compliance?
- To have it emerge publicly that you’re not compliant?
Finally, an important consideration is what to do with physical records. Technology-driven records management initiatives don’t really look at this aspect of compliance hard enough because it’s hard to understand and not particularly flashy. But it’s worthwhile to look at the overall annual cost of managing physical records, and how these should either be included in a management approach, or dissolved into a new, more technology-focused solution (i.e. bulk intake, etc.).
The Legal/Compliance Dimension
Here, my sense is that you need to become aware (and remain aware) of applicable legislation and regulation in your sectors and geographies/jurisdictions. You should also include in your road map periodic compliance health checks, performed by in-house or external legal experts. Your road map should help you understand, at each step of the way, how compliant you are, what the associated legal risks and costs are (this feeds back into the business stream), and how the legislative/regulatory framework is evolving alongside your internal records management efforts. If it’s correct to assume that you’re going to be spending 2-4 years on this initiative, you need to be cognizant that a lot can – and does – change on the legislative front during that time.
The Technology Dimension
This is about moving through a typical technology selection and implementation scenario. The individual steps are relatively clearly understood by most IT practitioners:
- Determine business requirements and prioritize them
- Select an appropriate technology platform and/or solution
- Determine functional requirements
- Implement and integrate
The tricky thing with records management systems is that there are several fundamentally different types of enterprise content that may need to be managed, and each type has very specific parameters that are hard to solve. The key types are:
- Existing physical records
- Electronic records (unstructured)
- Electronic records (structured/LOB/transactional databases)
- Email (this may appear like a ‘document’ but really isn’t)
- Other, ‘new’ types of enterprise content, such as phone calls/messages, Instant Messenger transcripts, etc.
Enterprises embarking on this journey need to be conscious of the fact that a single, magical records management system that has a good story for each of the content types does not exist. In the technology dimension, it is therefore important to map out the trade-offs and their impact on the other dimensions. Compromise and an iterative approach to implementation will go a long way here.
The Organizational Change Management Dimension
Due to the highly complex nature of the business processes associated with records management, enterprises would ideally like to avoid having to involve end users in making decisions about records. Unfortunately, that is not really possible. The compliance problem cannot be solved with technology alone. Ultimately, it is end users who need to decide what something is in order for the system to classify, retain and dispose of it correctly. (I’m aware that there are automatic classification systems – but the overwhelming feedback is that that putting software in charge of classifying records is not a good approach for a variety of business and legal reasons.)
As a result, it is important to map out at least the following organizational change management parameters for any compliance initiative:
- End user impact
- End user training required
- Business process changes required
Mapped out in context, these four dimensions can help organizations better understand the whys and hows of records management initiatives. I wouldn’t for a minute pretend that this isn’t one of the more complex corporate projects you will ever tackle. But I think that here, as in so many high-complexity scenarios, breaking it down into clearly defined atomic parts will go a long way toward success.