All Content Is Not Created Equal: Use Risk and Value in Enterprise Content Management

A version of this post previously appeared on CMSWire.


Enterprise content management (ECM) is going through some changes—on that (under)statement, we can all agree.

My recent posts on where I think ECM is headed have resulted in some substantial conversations; I’ll spare you the gory details. But the conversations made me realize I should take a step back and look at the ECM situation from a higher level to clear up any confusion about what I'm trying to do with these articles.

A New Approach to ECM

People have misunderstood me as advocating on behalf of this or that technology over others in these posts, when, in reality, what I’m suggesting is we need a new way to approach ECM to achieve success—a new way to conceptualize the ECM problem to avoid the missteps of the last 15 years.

For me, the way forward comes down to what content you focus on—or don’t—and why. If you treat all content as equal, and then undertake ECM to address it from this perspective, more often than not, you’ll fail.

Instead, you need to begin viewing content in terms of some combination of risk and value and treat it accordingly, using people, process, and technology to find success.

Breaking Down Content into Two Components: Risk and Value

Content risk is a fairly straightforward concept, but it helps to segment it along four dimensions:

  • Operational Risk: What’s the risk to the day-to-day business if this content can’t be found or accessed?
  • Legal Risk: What’s the risk to the organization’s ability to respond to/effectively defend against a lawsuit if this content can’t be found or accessed, or is kept longer than legally required?
  • Compliance and Regulatory Risk: What’s the risk to the organization if this content can’t be found or accessed in order to comply with regulations, standards, etc., or can’t be managed in accordance with regulations, standards, etc.?
  • Information Security and Privacy Risk: What’s the risk to the organization if access to this content isn’t managed properly, or if it leaves the organization as the result of a data breach?

Given this list, when you think about “doing ECM,” you should first assess the level of risk any given content poses in terms of each of these dimensions, and then choose the technology, process, and people effort appropriate to that risk.

For example, if a given category of content scores low on all four dimensions of risk, you should consider ignoring it until later—or even not addressing it at all. If it scores high on the Information Security and Privacy risk, you should consider finding a way to better control access to it or, if it’s outdated/obsolete and no longer needed, deleting it. If it poses an operational risk, you should consider either improving the native repository it resides in, to allow for more effective access, or moving it to a repository that does. And so on.

When you approach your content from this risk perspective, you’ll find that many of the challenges which previously seemed intractable—what business units to address, what repositories to use, what guidance to give to end users—tend to disappear. This is because using risk as a primary qualifier simplifies your decisions and focuses them on a single, clear, and business-valuable criterion—which is so often lacking in discussions about how to “do ECM.”

Now let’s look at the second component: the value of various content. Unlike risk, content value is more of a moving target. It typically depends on industry, company size, and organizational culture. Given these factors, it’s difficult to make meaningful generalizations about content value, but let’s give it a shot.

We can think about content value along the following dimensions:

  • Operational: What impact does this content have on operations, if it’s easily accessible and up to date?
  • Regulatory or Compliance: What impact does this content have on regulatory and compliance functions, if it’s easily accessible and up to date?
  • Legal: What impact does this content have on the legal function, if it’s easily accessible and up to date?

After looking at this list, you may be thinking, “These look like the flip side of the risk dimensions.” And you’d be right. Overwhelmingly, content risk dimensions and content value dimensions go hand in hand. It’s more a matter of shading—i.e. what aspect of the content are you stressing, what's the impact if something goes wrong, or the value if something goes right?

The reason you would choose one over the other (or choose both) depends on your specific situation—i.e. funding context, organizational culture, past history with ECM, etc. And it’s not a decision you should take lightly; betting on risk versus value, or vice versa, can backfire and prevent you from gaining the dollars and support you need to succeed with ECM. So choose wisely.

What This Looks Like in Practice

Okay, all this probably sounds good so far, but how do you act on it?

The most important thing you can do is to right-size your ECM technology portfolio—so that the lowest overhead repositories contain the lowest-risk, lowest-value content, and your highest overhead repositories contain the highest-risk, highest-value content—and ditto with those that fall somewhere in between.

So your legacy ECM systems (e.g. IBM FileNet, OpenText, Documentum), your enterprise business process management (BPM) systems (e.g. Pega, Lombardi, K2), and your line-of-business systems (e.g. mortgage origination, claims processing, account opening) should be reserved for content that is either high-risk, high-value, or both.

Low-risk, low-value content, in contrast, should live in low-overhead systems.

Let's Go “Do ECM”

Given all of this, the first thing you need to do to “do ECM” successfully is to assess your content for risk and value. Only by doing so can you determine the right level of effort and complexity to address it with.

Doing so gives you a greater likelihood of success with ECM. Failing to do so gives you a greater likelihood of failing (or of succeeding, but at too high a price).

The firms I see succeeding are all adopting this approach, and the firms I see struggling aren’t. Where do you fall in this spectrum? Are you considering risk and value, or are you adopting a one-size-fits-all approach? The answer will determine whether you ultimately succeed or fail.

And, finally, just in closing, I will add that one of Doculabs’ strengths is in bringing some much-needed perspective—and objectivity—to what’s contained in an organization’s various content repositories. Want to assess your own content risk and value? Looking to right-size your own ECM technology portfolio? Give us a call; we can help you do it.

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.