Management and Administration

January 27, 2012

Information Governance and ROI

How do you calculate the Return On Investment (ROI) as it pertains to information governance? On the one hand, this may not even be the right question. As our CTO Bassam Zarkout recently asked members of the Detroit ARMA Chapter, “Would you ask what the ROI is for your fire safety systems? How is risk mitigation associated with your records management program any different?”

Nevertheless, executives often require demonstrable ROI before they sign off on the organizational commitment information governance requires. Many of the key benefits of deploying an information governance platform are intangible:

  • Operational efficiencies from secure, rapid information access, and from automating record lifecycle actions
  • Assured compliance with applicable laws and regulations
  • Improved e-discovery processes

The problem is that applying hard dollar values to these benefits requires that customers clearly understand costs underlying their current state of affairs. Do you have that kind of visibility into your records management processes and the costs associated with those? How much does an e-discovery request cost? What are the administrative costs incurred by manual tasks related to record disposition, migration, or enforcing security and privacy controls?

Some costs are relatively well understood. Let’s take a look at two of them today, and how they might comprise part of the information governance business case.

Storage

I am not a storage expert. If I were to pretend otherwise, this would become immediately evident to those of you who are. But I know enough to marvel at the amazing calisthenics IT Executives and Administrators must perform in order to meet demands imposed upon them by business and legal entities. First, IT must overcome the assumption that storage is cheap. This is partially true, insofar as storage devices are concerned: the cost of this hardware is indeed falling. The cost of administering those devices, however, is not. At the most basic level, consider the environmental costs… machines need space and consume power to operate without melting. On top of those costs, IT executives must hire people to perform periodic backups, transfer archives between storage media, and respond to requests to produce archived information as required by litigation and normal business activities. Business owners and legal teams (who, let’s face it, should know better) demand that IT retain information indefinitely… “Yes, I know we have a retention schedule, but ignore it for now, and keep these records, just in case!” The volume of information is increasing exponentially, and with it, the costs associated with all this stuff (technical term) that must be stored. These demands could be easily met if IT budgets were increasing in lockstep with these demands. This isn't 1997... they aren’t.

And so I marvel at the creativity of the IT Executives I meet. To keep systems healthy and functional, within the constraints imposed by budgets, Service Level Agreements, and regulatory obligations, IT leaders must reshuffle projects and priorities, as they and their teams are asked to do more with less. As economists are wont to say, this is not sustainable. At some point, those deferred projects must begin. That SAP upgrade, CRM Rollout, or mainframe migration isn’t going to wait forever. And at that point, companies who haven't will have to take a second look at storage.

Every IT Executive I have met knows exactly what their storage costs are, mainly because they are constantly having to make the case to increase their annual storage spend. They can easily match those costs with the potential savings incurred simply by adhering to the retention schedule that is already in place. “X Petabytes of information could be disposed today, multiplied by $ dollars per petabyte per year.” Add the rolling future savings of planned disposition activities (dashboards are a wonderful source of this kind of information), and you’ve got yourself a compelling ROI right off the bat. Policy-based storage tier transfers can bring additional savings, as content is migrated from fast, expensive Tier 1 storage to cheaper tiers.

To be sure, most of this is not new. What IS revolutionary, however, is the notion that the storage lifecycle of records (just like privacy and security lifecycles, in addition to the disposition period of the record) should be part of an overall information governance policy, and enforced as such. It won’t be long before IT Executives are going to be very, very interested in Information Governance, as the key means for reducing storage costs. In fact, many already are.

Policy Updates

How long has it been since your retention schedule was refreshed? How did that go?

A significant majority of the customers I talk to tell me that the process of updating the retention schedule is so painful, they put it off for as long as they can. Once every two years is common... I have heard up to 5 years between updates. When they explain to me what they do, I understand why they procrastinate. A typical process could include some or all of the following:

  • Field surveys completed by business owners, legal, and records managers, providing feedback on policy and allowing them to formally register change requests
  • A review of relevant statutes, industry guidelines, and internal standards for records management
  • Redesigned business processes, to account for the manual enforcement activities required by the retention schedule
  • Accounting for acquired entities, who perhaps brought their own retention schedule that must now be incorporated
  • Approvals from legal, risk, compliance, privacy, security, records management, IT, and / or business executives (a group that we would call an Information Governance Steering committee... but hold that thought)

That’s a full time job by itself! Which is exactly the problem… all the people involved in this conversation have “Day Jobs”, as it were… they have higher priorities, and are often (usually? always?) reticent to set those aside and get involved in this process. For this reason, outside consultants are often hired to review and update the retention schedule, usually for significant sums of money.

What if, instead of bringing in consultants to review and update the retention schedule, companies had a collaboration platform used by their Information Governance Steering Committee? (Still holding that thought? We’ve got a webinar coming up that walks through the role of a IG Steering Committee, and how to charter one if you haven’t already.) There are a number of significant and compelling benefits to this approach… but since we’re talking ROI today, let’s focus on the dollar savings. Instead of making wholesale changes to the entire policy every 2 or 3 years, a policy collaboration environment like RSD GLASS Mosaic allows members of the steering committee to continuously and incrementally refine policy as needed. Since Mosaic policies are both human- and machine-readable, socialization and automatic enforcement of the policy changes can begin immediately, regardless of where the information resides.

Policy change need not be the painful, expensive process most companies undertake today. The savings derived from migrating from a monolithic change management process to an incremental one should absolutely be included in an ROI calculation.

Posted by James Amsler at 12:57 PM in English language, Information Governance, Management and Administration, Records Management, ROI, Weblogs | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , ,

January 18, 2012

How to Form an Information Governance Committee

When embarking on an information governance initiative for the enterprise, conventional wisdom continually indicates that one of the first steps should be the formation of an information governance committee.  This is easier said than done.  How can you be sure that the right parties are at the table?  How do you gain buy-in from other departments in a siloed organization?  How do you align interests and objectives in a productive manner?  If you want to see your information governance program succeed, forming a committee is a key step... but where do you start?

RSD is hosting a complimentary webinar to address this very subject.  Join RSD's Director of Marketing Tamir Sigal on Thursday, February 2, 2012 at 11am EST as he walks through the steps required to form an effective information governance committee, the challenges you can expect to encounter, and why a committee is necessary for the success of any information governance program.

Register here!

Posted by Nicole Lindenbaum at 07:55 AM in Enterprise Archiving and Retrieval, Information Governance, Management and Administration, Records Management | | Comments (1) | TrackBack (0)

January 13, 2012

RSD Industry Chats

RSD is pleased to announce Industry Chats!  This is an ongoing series of unscripted interviews with the team at RSD.  You’ll hear a variety of topics, including discussions regarding RSD and our solution GLASS, federated records management, information governance, and more.

In this first video in the series, RSD’s CTO Bassam Zarkout discusses information governance.

Keep checking back on our website for more Industry Chats!

Posted by Nicole Lindenbaum at 07:12 AM in Information Governance, Management and Administration, Records Management | | Comments (0) | TrackBack (0)

August 19, 2011

Governing Content on File Shares – Having Your Cake, and Eating It Too

Our customers come to us with a dizzying array and variety of Information Governance challenges. Many customers have unique needs… for example, one of our European customers has asked that we help them govern specific set of physical records: prototype parts created by their suppliers and R&D division, and stored away somewhere in crates in a large warehouse. (After all, not all physical records are documents.) We've also been asked to provide a governance solution for CAD Designs, Audio / Visual Records, and multi-component records comprised of many forms and supporting documents (discrete records in their own right).

Although there are often unique requirements such as these, there is also a consistent set of challenges voiced by nearly every customer and prospect we visit. These include:

  • Multi-jurisdictional policy development
  • Repository-agnostic policy enforcement
  • Cross-repository search and records access

A significant percentage of our customers and prospects (95% or more) tell us that at least two of these issues are high-visibility challenges they must solve in the next year. RSD GLASS represents a unique approach companies are using today to address these problems. Customers, partners, and friends of RSD already know this, so I won’t go into much detail today* on how we solve these Information Governance challenges. 

* - That said, if you are new here, why not take a look at our webinars and other resources. Lots of good stuff there.

Rather, there is a common request I am hearing these days, and I would like to take a moment to explore it in depth. The question goes something like this: “Can you help us govern our content on our network and file shares?”

Peel That Onion, Try Not To Cry

On its face, the requirement seems harmless enough. The organization has some "stuff" on its network, network-addressable storage devices, and local C: drives. They want to apply their retention schedule to it. Unfortunately, when I start asking questions, and they look at the problem a little more closely, they often realize there are some unspoken requirements behind this request:

  1. Little-to-no disruption. They usually want to govern the content in place. After all, legal and business users know where to find things on the network. (Don’t they?)
  2. They want to automatically classify content. This means scrubbing metadata (which is file system metadata, not record metadata) and document content to infer whether it is a record or not. If a given document or file is a record, classify it according to the corporate taxonomy of records, and apply and enforce the appropriate retention. This is an especially important requirement for customers who have a poor sense as to what records are on their network.
  3. Once a document is declared as a record, they want to block attempts to edit or delete the record outside of our governance platform. That is, they want to prohibit a user or system administrator from accidentally (or not) modifying or deleting the record from within the file system itself.

At this point in the conversation, the innocuous little request to govern content on file shares is now revealed to be a much more complex problem than first thought. On the one hand, the customer wants to employ all the necessary governance controls to meet regulatory and legal obligations. On the other hand, they want things to be exactly as they are today. What's so hard about that?

“One Word Can Really Bring You Round – Changes”

 The complexity behind the problem is the same problem ECM originally was supposed to help solve: the network / file share environment is inherently un-governable, from a Records Management perspective. Without specific and potentially very costly IT project work and ongoing administration, the required governance controls to identify, classify, and manage records is simply not possible at a technical level. More simply, a document or folder on a network can be changed or deleted. A record residing on a network or C: drive is not immutable. If it is not immutable, it is not a record.

And the Court will not admit it as such.

So Can This Be Done?

Thankfully, there are solutions. I’ve already suggested the most common solution: ask IT to solve it. IT defines and administers a set of permissions that describe who can read / write / access various drives and network directories where records may reside. They then trust their users (or their chosen auto-categorization technology) properly classify records. IT then applies the appropriate retention periods to these records, using a very small number of categories. To help, the network directory may mirror the taxonomy of corporate records. Enforcement is manual, entrusted to the IT / Network Administrator who periodically purges records with expired retention periods. The Audit Trail is the network log.

I’ve met a customers who have taken this approach; a few can make it work. Cost and complexity of administering such a program increase exponentially as they incorporate more than a few record types, business units, and / or jurisdictions. It can only work in relatively simple, localized, highly-cohesive environments, whose records are rarely, if ever subject to e-Discovery requests or litigation holds.

Most of the companies we talk to don’t fall in any of these categories. The records environment is complex. They lack unlimited IT and network administration budgets. IT and Records Management do not always work in lockstep. They are in highly regulated or litigious verticals. Their needs make it impractical or outrageously expensive to employ network technology as the RM enforcement mechanism. They know this; that’s why they bring us in.

From our perspective, we prefer to take a step back, and examine this question as a business / cultrual one, not a technology one. We examine why they want to maintain records on the network. We remind our customers that, in all likelihood, much of what resides on the network is probably not a record. Then we focus on the small subset of documents that truly are records, and develop an Information Governance program that:

  • Prevents the unwanted or unintentional editing or deletion of records
  • Allows authorized access
  • Automatically (if desired) enforces appropriate lifecycle actions, including declaration, disposition, and a whole host of intermediate actions between these milestones as required by privacy statutes and other policies
  • Provides corporate counsel with defensible disposition, showing when, how, and why records were disposed
  • Allows litigation holds to be placed on records, thereby freezing the lifecycle of potentially relevant records
  • Maintains an audit trail of all actions

The specifics of how these benefits are achieved differ from one implementation to the next. It may be necessary to move records (or a subset of records) to a traditional repository that supports these types of governance controls. RSD GLASS includes a component specifically designed for providing business and legal users the secure cross-repository search and access they expect.

In other environments, the benefit of this kind of migration does not justify the cost of moving records. Instead, these customers ask us to leave those records in place, but still calculate and transmit lifecycle action messages that are then manually enforced by the relevant administrator. To ensure appropriate governance, we can require to manually verify that they have performed the required actions, and record this verification in the Audit Trail.

Often, we take a blended approach: migrating some records to be governed in a repository, and enabling manual governance on the remainder of records left on the network. The openness of our platform and repository-agnostic approach gives us great flexibility to architect the right solution. In the end, we can meet the needs and govern records currently residing on the network.

It’s just a little more complicated than it first seems.

Posted by James Amsler at 01:30 PM in Archiving solution, Buisiness Information Delivery, English language, Enterprise Archiving and Retrieval, Information Governance, Management and Administration, Records Management | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , ,

May 27, 2011

The MER Rookie

The MER Conference was held in my backyard this past week. Hordes (well, hundreds) of industry experts descended upon Michigan Avenue and generally behaved themselves, much as you’d expect of a group of people with graduate degrees in Library Sciences.

We did not host a booth this year. Rather, we sponsored the MER Podcast Series. A number of my RSD colleagues had previously attended a dozen or MER Conferences, and recommended it enthusiastically. I’m glad they did. I attended a Pre-Conference Tutorial, and as many Case Studies and Panel Discussions as I could manage. Here are a couple of observations from a MER Rookie.

Orthodox Records Management 101

My Pre-Conference Tutorial was the AIIM Electronic Records Management Practitioner Certificate Program, facilitated by former Marine Drill Sergeant and Professional Chocolate Connoisseur Jessie Wilkins. For me, this was a useful and thoroughly welcomed introduction into traditional Records Management principles. It provided a nice foundation for the rest of the week’s sessions, as well as important context for my conversations with customers and prospects steeped in these concepts. This is exactly what I expected from this tutorial, and I was glad to get it.

What I was unprepared for was the extent to which the rest of the conference continued to beat on the same themes. In fact, a template for speaker abstracts might go something like this: “Tried and true RM practices will likely suffice, so long as you account for (insert session topic here).” More specifically, I heard the following specific tenets of orthodox RM in multiple sessions:

  • Define a small number of very general and highly inclusive buckets of records. It’s just too hard to expect people to adhere to complex retention schedules.
  • Manual retention enforcement means RM’s must be diligent about reminding people of the policy, and why they should be adhering to it.
  • Event-driven retention, though useful, is very difficult. Instead, apply a broad time-based retention period that will likely meet your intent, even if that means over-retaining some content.
  • Auto-classification doesn’t work well for unstructured content, regardless of what the vendors say. RM’s will spend more time reclassifying improperly classified content than they would have spent manually classifying it (or asking users to do so) in the first place.

To this MER Rookie, the irony was obvious: on the one hand, stay with the tried-and-true RM approaches. On the other, these approaches don’t address:

  • Accounting for applicable laws, regulations, industry best practices, and internal standards and guidelines.
  • Enforcing jurisdictional variances on these mechanisms.
  • Making content readily and securely available for business users.
  • Applying those policies across a heterogeneous landscape of repositories.

At the risk of channeling Solomon on you, is there nothing new under the sun? In fact, in the few instances where any of these items were mentioned, the speaker or panel did so in the context of how difficult it is to solve these problems. For example, I did hear Julie Gable mention that the future of RM is automatic enforcement of policy… but even here, she left me with the sense that she wistfully regarded this as an ideal future state we may reach some day, shortly after we solve cold fusion and everybody has flying cars.

Records Managers as Salespeople

This theme cut across multiple sessions; there was no single session (that I am aware of) dedicated to this topic. In a nutshell, the takeaway for me was that RM’s need to constantly sell their organization and colleagues on the value of adherence to good RM principles. The difficulty here is that people, including executives, legal, and accounting professionals who should know better, are predisposed to over-retain their records. “Abide by the retention schedule” is not something people want to hear.

In the past, the sales message has been focused on the doom and gloom side. “If we don’t behave ourselves here and consistently apply our retention schedule, bad things will happen.” I sensed widespread agreement that there needs to be a positive side to this message, focusing on improved competitiveness or operational efficiency. I found no information on how to build a business case around this, except for the usual mention of reducing storage costs. In Teresa Drabenstadt’s outstanding session on a RIM Program she helped institute at CUNA Mutual, she cited some impressive storage cost savings as a key benefit. Otherwise, the storage argument seemed unpersuasive to me.

The best friend RM’s have in this process is an enlightened, supportive, and empowered executive sponsor. Indeed, every successful case study mentioned executive support as a key factor. NOBODY, however, had any insight into how to get your executive team on board with an RM / IG program, if the idea wasn’t spawned at the executive level in the first place. Failing this, the best an RM can hope for is incremental improvement in adherence to the retention schedule.

Next Year

I’m absolutely looking forward to returning to MER next year. However, knowing what I know from this year’s conference, I think it may also be beneficial for me as an individual and RSD as a company to assume the role of friendly agitator. MER, and the field of Records Management, needs this. In my informal conversations with fellow attendees, I sensed frustration in the lack of new messages and themes.

As a MER Rookie and RSD employee, I am not disappointed by this. If anything, it is further confirmation of our strategy and positioning of RSD GLASS. After this week, I’m more convinced than ever that our approach is unique and revolutionary. I believe an RSD GLASS customer success story will make for a useful and informative Case Study session.

We are well positioned to lead the conversation away from the shortcomings and pitfalls of traditional Records Management approaches. We’d rather focus on the benefits of a repository agnostic Information Governance platform on which you can define fine-grained, multijurisdictional policies that account for laws and regulations, and automatically enforces these in your file plans.

Posted by James Amsler at 09:39 AM in Archiving solution, Buisiness Information Delivery, English language, Enterprise Archiving and Retrieval, Information Governance, Management and Administration, Records Management, ROI, Weblogs | | Comments (4) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

February 22, 2011

What's So Special About Lebanon, Kansas?

If you are from Lebanon, Kansas (I'm not), you already know the answer to my question. Don't spoil it for everyone else. The rest of you will have to read through this entry to find out. No scrolling please.

I mentioned a week or so ago that I would be posting a three-part series, introducing Information Governance in terms that are familiar to anyone who has ever walked into a retail establishment. This, hopefully, means just about everyone. Welcome, then, to Part One: Define Centrally.

The Ad Hoc Approach

You may remember from last time that my first high school job was in a local pharmacy. Shortly after I was hired, I received a thorough and just scolding from a Regional Vice President for questioning the layout of our store. At the end of his lecture, he asked a rhetorical question, wondering if I’d prefer out customers go shopping in a street bazaar. As obtuse as the question seems in retrospect, it’s worth considering about his analogy a little more deeply.

There are some advantages to the street bazaar approach. First, it works. People have bought goods and services this way for over 4,000 years. Second, it requires very little administrative oversight, except for the informal enforcement of locations between vendors. Transactions between vendors and customers can be conducted in whatever manner and terms are required by the two parties. One transaction may be completed with hard currency. The next... two chickens. What's not to like?

It’s a good thing this works without oversight, because if you wanted to enforce standards on this process (as a regulatory agency might), you wouldn’t be able to. Other disadvantages are obvious:

  • It doesn’t scale beyond the local market.
  • Consumers have a hard time finding what they are looking for, unless they know exactly where it is.
  • It’s inherently un-measurable.

For these and probably a dozen other reasons, no corporate retailer would ever go to market with this kind of strategy.

Or would they?

Historically, many companies have approached Information Governance using an ad-hoc process. We've all heard the horror stories: Policies in a Microsoft Word document, printed, and pinned to the Record Manager’s cubicle. Policies produced by an outside consultant, who left them in a three-ring binder that, invariably, is "around here somewhere".

I submit that companies approaching Information Governance using an ad-hoc approach tacitly accept many of the same risks as a retailer might in selling goods through a street bazaar. It's needlessly complex, and impossibly difficult to measure and audit. Woe unto your poor business and legal users, who have a very tough time finding what they are looking for. Unless they know exactly* where it is.

* - This sort of domain knowledge has historically been an important value-add for Records and Knowledge Managers. Unfortunately, these ad-hoc demands have taken RM’s away from providing real value to their organization: a strategic overhaul of the inefficient and unsustainable process. As a Records Manager recently told me, “I’m too busy doing my day job to do what I was hired to do.”

Customers have told me they had no means for central policy definition. Instead, they let individual jurisdictions and business units define their own policies, and manage their own content as they see fit. This siloed approach is more common than you may think, and usually results in significant complexity, redundancy, and inefficiency.

Ask yourself: does your corporate taxonomy have thousands upon thousands of Record Classes? How many of those are redundant, sharing the same structure, metadata and retention schedules? How did we allow this to happen? (Hold that thought.)

I am pleased to say that most companies we meet with have evolved from a purely ad-hoc process, and have begun to place some structure around their approach to Information Governance. They have identified their exposure to risk. They are defining policies at a corporate level. The most forward-thinking of these companies have established an Information Governance Steering Committee, tasked with defining the vision for their IG Program. These customers are adopting our approach for standardizing the definition, management, and enforcement of information governance policies across their enterprise.

Like a retailer who has built or procured space and begun building their proverbial four walls, companies who have begun this journey already have the boundaries within which they will build out their Information Governance model. They’re ready to move to the next step, and build the infrastructure.

123824744_5f82a2681a_b

Brick by brick, the structure takes place. Photo courtesy of cdharrison via Flickr.

Developing a Standard

As I described last week, retailers spend considerable amounts of resources defining how their stores should be laid out. Multiple considerations factor in this decision, such as:

  • Traffic flow into, within, and out of the location
  • Governmental regulations, such as those defining accessibility guidelines and safe keeping of product and equipment
  • Consumer preferences

Out of these activities, they generate a shockingly large number of rules. Things like:

  • Don’t put food in the same aisle as pet supplies.
  • Milk and other dairy products should go in the back of the store, so people who come in to only buy a gallon of milk will be forced to walk by other merchandise, thereby increasing the odds they’ll buy more than they intended.
  • Conversely, high-revenue eye candy goes in front. Why does Home Depot place riding lawn mowers in the front of their stores? So that they can’t be missed. You came in for light bulbs; you left with a John Deere. And light bulbs.

These rules become the basis for a corporate standard for a retail layout. Once the standard structure is devised, it goes through many approval layers before becoming a standard template for store organization. They may produce several standards… for example, templates for urban, suburban, and rural locations. As feedback comes from remote locations, templates are constantly revised in accordance with changing market conditions.

This was my understanding of how this process worked 20 years ago. I’m told little has changed since, except retailers understand the science better than they did then. I’m happy to hear from experts on this topic, to confirm or correct my understanding.

If you are a frequent visitor here… if you have met with us, and / or attended many of our Information Governance webinars and events… you are already thinking about the parallels in the discipline of Information Governance. Information Governance begins at the corporate level, where companywide standards for information are devised. What is your information? What is the difference between information and a record? Where is it stored? Who can access it? What is the lifecycle that each record class undergoes? Who needs to be involved in the lifecycle stages? What about metadata?

These discussions should include Corporate Records Managers, Compliance Officers, Legal Counsel, representatives from each LOB, and, for companies that have one or more electronic records, IT. Once your policy is defined and validated, it should be published and easily accessible by every company employee with a stake in information.

RSD customers typically begin building out the Information Governance program by defining a corporate standard Master Classification, then applying variances as necessary to the various jurisdictions. This includes:

  • The hierarchy and structure of their Record Classes
  • Retention schedules that define not just retention and disposition, but also privacy actions, storage lifecycle events, and the handling of metadata attached to records
  • Who is involved in defining, validating, and maintaining these processes. Remember that Information Governance Steering committee I mentioned earlier? They’re like iPads. You're going to want one of those, if you don’t already have one*.

* - I don’t, so don’t take this as an informed endorsement.

In the past, companies have had to do this with multiple tools that were not designed specifically for this purpose. The focus of these solutions has historically been at the jurisdiction / business unit level. This is how we ended up with those messy taxonomies of redundant records. Since taxonomies and retention schedules were maintained at granular levels of the organization, local Records Managers defined the hierachies and structures they needed. There was significant overlap across jurisdictions. As these were centralized, many companies created taxonomies composed of thousands of Record Classes, many of which were redundant.

With RSD GLASS Mosaic, customers simplify their taxonomy into a single Master Classification, with centrally-defined variances that link to and account for laws and regulations applicable at each jurisdiction. Customers use Mosaic as the means for recruiting all constituencies in this process… legal, compliance, IT, Lines of Business, and Records Management at the various organizational levels.

Like a retailer who now has gained validation on a corporate standard for mapping out a store plan, including the various subtleties that may apply in different geographies and locales, Mosaic customers are ready for the next step, where they take the standard, and begin applying it…

Ah, but I get ahead of myself. This entry was all about "Define Centrally." They know all about that in Lebanon, Kansas. Geographic center of the contiguous 48 United States.

Lebanon Kansas knows what it means to Define Centrally

 

Posted by James Amsler at 12:48 AM in Buisiness Information Delivery, English language, Information Governance, Management and Administration, Records Management, Weblogs | | Comments (3) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , ,

February 11, 2011

The New Guy's First Lesson in Information Governance

Greetings! While Tamir does an outstanding job keeping the RSD Blog fresh and interesting and relevant, the fact is he has quite a lot on his plate. This week, for example, he’s in Geneva, working with the marketing team there on some new deliverables, and sharing some of what we all learned last week at LegalTech. In addition, he is also preparing for next week’s webinar (you’re dialing in, right?). Busy times for Tamir, and, frankly a fascinating time for all of us at RSD.

By way of introduction, I am a Business Solutions Consultant for RSD, working out of our Chicago office. I’m a relatively new RSD employee. Previously, I spent 14 years in the Knowledge Management, SOA and Data Governance spaces. Mine is a hands-on pre-sales role, working with customers and potential customers to help build an Information Governance foundation. For this reason, much of what I will post here at the RSD Blog will be observations and experiences from real-world projects. It is easy, when discussing a topic as esoteric and overloaded as Information Governance, to think of it in very abstract terms. This is useful, but not sufficient in helping customers develop a strategy for managing their information. It’s my hope that I can generate discussion at a tangible level, passing along practical benefits and challenges my customers experience in their Information Governance maturation. I would very much like to hear from you as I do this. To get started, I will be posting a three-part series describing Information Governance in retail terms. I’ll introduce the idea today, and build it out over the next couple of weeks.

As you know, I am fairly new to RSD… naturally, this is not my first experience as The New Guy. No, that was my junior year in high school, when I was hired by the local Eckerd’s Drug store as a Pharmacy Technician. What a cool first job! While my friends were toiling away down the street at Del Taco and Baskin-Robbins, I got to take prescription slips, call for refill approvals, and even type some of the prescription information into that fancy new computin’ system. And at $3.85 an hour, I was making significantly more money than those aforementioned friends.

About 6 weeks into my employment, we had to stay late one night and give the store a thorough cleaning and restocking. It was explained to me that we were going to be visited the next day by "Ted Anderson"*, a Regional Vice President. Ted’s name was spoken in hushed tones, not unlike Voldemort’s in the Harry Potter books. He was the highest-ranking Eckerd’s executive we would ever see. What’s more, he had a reputation as a bit of a tyrant. My pharmacist told me that he would probably be gone by the time I came in for my shift the next day, but if not, all I should say to him was “Yes, Mr. Anderson.”

* - I have changed Mr. Anderson’s name just slightly because, for all I know, he Googles himself**, or perhaps even reads our blog, and might be a potential customer. I’d rather he NOT remember me for the story I am about to share.

** - Don't we all?

My pharmacist was wrong. Mr. Anderson was still in the store when I arrived the following afternoon. He was walking around the store, making pronouncements, assigning to-do lists. Three of my colleagues were following him, furiously scribbling notes. I stayed out of his way best I could, but he eventually made his way back to the pharmacy. And here I was, The New Guy, stocking shelves, laying low as instructed. I was hoping his time in my domain would be short. It wasn’t.

“Who do we have here?” I looked up from the crate I was unpacking, and it was Ted Anderson.

“Hi, sir. Jim Amsler, new pharmacy tech.” I had already said more than I was allowed. He looked at my name badge. We made polite conversation for a minute or so while my pharmacist watched nervously from behind her counter. Then came this:

“What do you think of the new layout?”

Apparently, shortly before I was hired, Eckerd's had rolled out a new store template. We were one of a half-dozen or so stores piloting the new design. And Ted Anderson was the chief architect behind the change. This was His Thing. Even though I didn’t know this at the time, I still should have punted the question, and made vague approving statements. Silly me. I didn’t.

“You know, I have actually been wondering about this. I don’t understand some parts of it. Like this End Cap here… it’s all Halloween Candy. It’s at the end of an aisle of dental products. That doesn’t make any sense to me.

My three colleagues all looked down at their shoelaces.

“Really, Mr. Amsler? What would you put here instead?”

Good question. I hadn’t thought about it. I made up something off the top of my head… I’m sure it was gibberish. It didn’t matter. There was no correct answer to this question. Ted Anderson patiently waited for me to finish whatever it was I was saying, maintaining unflinching eye contact. He then shredded me, preaching for 10 minutes on the fundamentals and process of store design. To this day, I remember his exact words when he was done: “Would you rather our customers walked into our store only to find a street bazaar?”

I remember this because I wasn't sure what a street bazaar was.

3149585212_12dd0e5121_b

To be fair, this retail model has worked for thousands of years... Photo courtesy of Ed Yourdon via Flickr.

Not to get all The Wonder Years on you, but… I learned a lot that day. Among other things, I learned:

  • Store Design is a science.
  • The process starts at the top levels of a retail organization.
  • Significant time and sums of money are spent on determining optimal store layout(s).
  • Once a model is approved at corporate, it then gets deployed to local stores.
  • This process is meticulously documented.
  • Customers expect each store to look like every other. Exceptions must be perfectly obvious and understandable.
  • Store Management can participate in this process through formal communication channels.
  • New Pharmacy Techs should keep their mouths closed when talking to an RVP.

As to the Information Governance space, first think about...

Ah, but I get ahead of myself.

Posted by James Amsler at 08:57 AM in Buisiness Information Delivery, English language, Information Governance, Management and Administration, Science, Weblogs | | Comments (3) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

July 19, 2010

Step 2 – Implementing an Information Governance Solution

Dear {employee name}

 

Congratulations. You just spent the last two years defining, validating and publishing our global retention schedule. Your team did an excellent job coordinating the cross functional meetings and incorporating all the requirements from legal, business users, compliance, and IT into our information governance policies. Everyone in the company now has access to the retention schedule on our Intranet because of your team’s hard work. Job well done and please extend my congratulations to the rest of the team for completing our information governance project.  Enjoy the rest of the year off…

 

Sincerely,

Information Governance Officer

 

Completing a global retention schedule is certainly a significant and very important milestone, but you are not done. There is more – so much more. After you are done with step one, it’s now time to roll up your sleeves and begin implementing the retention schedule across the entire organization. Most companies have a very complex IT infrastructure – running hundreds of applications across a plethora of technology platforms. These technology platforms support business critical processes, back office operations, and a variety of business applications. To complicate matters, you have to manage these applications across different jurisdictions. Before you continue, you must first recognize you can’t do everything right away. This must be done in phases – typically subject to business cases, funding and resource availability.

Step Two – Map Information Governance Policy to Applications, Processes, and Jurisdictions

Start with the department or business unit in a jurisdiction with the biggest risk exposure. For example, some customers selected their accounting/finance department as the primary target for implementation while others selected product safety. Once this is selected, you need to map the information governance policies that apply to the business unit and “jurisdiction”. ThinkingHats You cannot and should not do this alone. For the purpose of this article, let’s use the UK jurisdiction as an example. You need to sit down with the head of your UK operation, compliance manager for UK, the person responsible for all the records for the UK (can be the the same person) and someone from the IT organization who understands all the applications used within the UK operation. It’s also very helpful to have business representation in this exercise. You then need to select and map the information governance policies that apply to UK – internal email, financial records, human resources, customer records, etc, etc, etc.    

The goal is to create a UK “information governance file plan” that includes the entire information governance hierarchy for the UK, along with its security and templates. Corporate records in the UK are grouped according to their file plan, so file plans are implemented as “easy to navigate” folders. The file plan also carries with it a set of rules for evaluating new records that must be properly governed. As new information is being created by the UK operation, the information governance rules are applied which guarantees compliance at content creation time. 

Stay tuned for step three to learn how these policies are enforced.

 

Photo is courtesy of jeanlouis_zimmermann from Flickr.

Posted by Tamir Sigal at 11:03 AM in English language, Information Governance, Management and Administration, Records Management | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , ,

June 22, 2010

Sécurité des systèmes d'information

Le CLUSIF a publié la semaine dernière son rapport biennal quant aux entreprises et à la sécurisation de leur système d'information.
S'appuyant sur les réponses de 350 sociétés de plus de 200 salariés, et sur l'analyse des 11 thèmes de la norme ISO 27002 (relative à la sécurité des SI), ce rapport souligne les failles actuelles ainsi que les améliorations mises en œuvre par les entreprises.

Restons optimistes

Nous retiendrons que les entreprises, reconnaissant leur dépendance vis à vis de informatique, sont de plus en plus nombreuses (73%, soit +14% par rapport à 2008)à formaliser leur politique en la matière (67 % confirment l'existence d'une charte Sécurité SI, + 17 % par rapport à 2008.

Une évolution qui s'explique sans doute par l'implication de plus en plus forte de la direction générale dans la politique de sécurité IT de l'entreprise. "La politique de sécurité de l'information des entreprises est massivement soutenue par la direction générale, qui a contribué pour plus de la moitié à son élaboration", constate le CLUSIF.

Il est également intéressant de relever que chez 47% des répondants, la fonction RSSI (responsable de la sécurité du système d'information) existe même si ces responsables sont un peu isolés dans l'entreprise.

Cette fonction est plus souvent liée à la DSI (36%) ainsi qu'à la direction générale (34%). Un second rattachement qui s'inscrit néanmoins en recul comparé à 2008 (45%).
Pour le CLUSIF, "ceci peut s'expliquer par l'arrivée plus nombreuse de RSSI au sein d'entreprises de tailles moyennes ayant un niveau de maturité en sécurité IT encore faible".

Des budgets épargnés

Les budgets restent très serrés, mais par rapport à 2008, la sécurité apparaît comme  une catégorie de dépenses plutôt épargnée.
Poutant le CLUSIF constate des disparités selon les secteurs d'activité. "61% des entreprises du secteur BTP et 43% des Transport et Télécoms ont augmenté leur budget en 2010 parfois de manière très importante : 15% des entreprises du BTP ont noté une augmentation de plus de 10% de leur budget"

Peut mieux faire

Le CLUSIF a ajouté dans son enquête le thème ISO 27002 numéro 9 (sécurité physique), et les résultats montrent pour 41% des entreprises, le responsable des « données papier » n’est pas clairement identifié.

33% (-7% vs 2008) des entreprises ne disposent toujours pas d’un plan de continuité d’activité pour traiter les crises majeures !…
Enfin, les aspects « conformité », pour lesquels des progrès restent à faire, au travers :

  • des « obligations CNIL » : en légère progression (68% « conforment », 20% « conforment pour leurs traitements sensibles », respectivement +4% et +1% vs 2008),
  • des audits de sécurité : 25% des entreprises n’en font toujours pas !…,
  • du tableau de bord de la sécurité informatique : 34% seulement en dispose (malgré les +11%).

A noter également, le sentiment de danger concernant la protection de la vie privée qui augmente (73% « mise en danger de la vie privée - fortement ou un peu », vs 60% en 2008).

Téléchargez l'intégralité des présentations faites par le CLUSIF autour du rapport 2010 sur les Menaces Informatiques et Pratiques de Sécurité en France.


Posted by Claude Super at 02:30 AM in Archiving solution, Current Affairs, Datacenter Solutions, French language, Information Governance, Management and Administration, Ouput Management, Records Management, Web/Tech | | Comments (4) | TrackBack (0)

April 09, 2010

eDiscovery et archivage de courriers électroniques

Pourquoi limiter l'eDiscovery au courrier électronique ?

Aujourd'hui, pour beaucoup le terme eDiscovery (l'équivalent en français pourrait être la recherche des preuves électroniques) fait immédiatement référence aux courriers électroniques, à des solutions d'archivage, de recherche et de restitution des messages.

Pourtant, l'eDiscovery va bien plus loin

En effet, les solutions d'eDiscovery permettent aux entreprises de retrouver les informations stockées électroniquement pour documenter des litiges et apporter un support rapide et en temps opportun. Ces données incluent les emails, les documents du type office (ex : MS-Word, les fichiers PDF, feuilles de calcul) mais également les messages instantanés, les conversations (chat) ainsi que tout autre document produit par des applications métiers (batch ou à la volée).

Une démarche proactive afin de maîtriser les risques : Il faut anticiper!
Le courrier électronique a été pendant longtemps considéré comme une source privilégiée pour l'eDiscovery et nombreux sont les cas aux USA qui en témoignent : Enron, Coleman Holdings Inc. v. Morgan Stanley & Co ou encore Zubulake vs. UBS Warburg Inc.

Aujourd'hui, la maîtrise des risques financiers (amendes très élevées) mais également en terme d'image et de réputation, pousse les entreprises à vouloir également maîtriser les contenus qu'elles génèrent et utilisent.

Une démarche réactive par la maîtrise des contenus : Il faut contrôler les contenus et leur diffusion pour être capable de réagir!
Sur ce blog, nous avons déjà évoqué les questions liées à la gestion de l'information dans plusieurs notes, notamment à propos des réseaux sociaux et de la responsabilité des entreprises, tant il est vrai que l'augmentation vertigineuse du volume de contenus qu'il faut maîtriser se complique singulièrement avec l'apparition des sites de microblogging, de networking ou plus simplement de réseautage.

Bien au-delà du courrier électronique, la réponse technique à l'eDiscovery est un ensemble de composants utilisés par l'entreprise pour :

Double démarche appuyée par des solutions performantes et adaptées sans lesquelles il est impossible de répondre aux exigences de l'eDiscovery.

Nous reviendrons très bientôt sur ces questions sur ce blog mais également à l'occasion de séminaires en ligne sur ce sujet mais également à propos de la gouvernance de l'information.

A bientôt.

Posted by Claude Super at 02:40 AM in Archiving solution, Buisiness Information Delivery, Enterprise Archiving and Retrieval, French language, Information Governance, Management and Administration, Ouput Management, Records Management | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

Next »

Categories

Twitter Updates

    follow me on Twitter