Most organizations keep, or need to keep, organizational records of their business activities. These often take the form of documents, product or service applications, videos, email, instant messages and even tweets! In many cases, it’s not about the medium, but the information it contains. These are often artifacts of a business process and any decisions that were undertaken. If an organization is not careful about what information they collect and how they collect it, as well as the method by which it is stored and protected, risk increases. This can take the form of legal and compliance risk due to the high costs of information discovery, litigation and the inability to prove compliance with regulatory mandates. As a general rule, the impacts of over retention, under retention and non-controlled accessed to confidential or sensitive information can be costly.
On the flip side, if some care is taken at the points of collection, this information can be made into an asset the organization can leverage to its advantage. If information is easier to find, client profiles and history are better understood, servicing the market becomes easier and faster, and so operational costs decrease. Of course, risks decrease as well, because information is better managed. With the right retention and security controls in place, you can reduce the risk of surprise: no unauthorized access, retention conditions are satisfied, and auditors and regulators stay calm because the correct records exist, and importantly, can be recalled in a reasonable amount of time.
Getting a proper records program established is hard, and to many people, not that exciting. It usually isn’t part of the organization’s main mission and doesn’t necessarily get the attention it might require. First, what are your records and how can they be identified consistently? With what granularity? Are there external regulations that need to be considered for both record definitions and retention? How long should you store them? How should you store them? Who has access? What’s the correct way to destroy them if they are electronic? Or physical? How do I retain proof of destruction? How easy is my policy to follow?
Often, organizations focus on the point of storage as a way of approaching the task of getting records management straightened out. The purchase decision is predicated on the fact that records need to be stored well, and safely, with the right indexing and classification scheme and destruction mechanism. And they do. So a document and content management system is procured because it is a tractable problem to tackle for organizations. However, if you haven’t worked through change management with the organization and have not established the right classification activities and procedures and implemented them across all affected teams, the return on investment of an enterprise document management system is low – and can even make the problem worse.
In our experience, the best return on investment for an organization is made on implementing the front end activities first, not the back end storage and retention first. The front end activities are often harder, but without getting them right, you will not achieve objective value from the storage, searching, indexing, and retention management functionality. The front end steps are as follows:
- Establish a straight forward records classification scheme with as few types as you can manage. This is very important. It needs to be understandable by people otherwise it will not work. They won’t adopt it or they will use it inconsistently.
- Go to where the work is and understand how information is being used in the processes to make decisions and achieve outcomes. You’ll see emails, reports, software applications, and documents. All of these can be potential record sources.
- Try to make the act of collection and classification as invisible as possible. Think of each step a user has to take to participate in the classification activity decreasing compliance by roughly 20%. The more you can eliminate “think work”, the better consistency you will achieve.
- Train about why as well as what. Connect the dots with staff to make sure they see why they should care.
- Achieve buy-in by organizational leaders.
- Figure out how you can measure compliance.
Importantly, you can go department by department. Make the work manageable and you will learn more each time through the process.
Even if your users are still storing information in share drives, Sharepoint, their local hard drives (hopefully never!), or other storage locations, gaining consistency in classification and records identification in your organization is a HUGE win and enables much better return on investment downstream. It also demonstrates that an investment in a records management system and/or document management system will be beneficial for the organization. Importantly, it also allows you to understand your requirements for a document management system in a much more comprehensive way then if you started at the tail end of the process.