For many businesses, growth brings challenges with records management and over-retention of information. Some large organizations now have hundreds of information systems and thousands of applications to manage.
If you are working to enhance an existing records management program to meet changing needs, records-enablement across your landscape of systems and applications is a key success factor. This white paper outlines the process for records enablement.
The Four Major Phases of Records Enablement
There are four major phases in the records enablement process:
- General Preparation - this involves reviewing and updating your policies, defining your operating model, profiling and prioritizing your systems, and deciding what tools to use.
- Specific Preparation - for each individual project you prioritized, this phase involves getting all key stakeholders on board, developing the project approach and plan, and setting expectations with stakeholders and users.
- Execution - for each project, this phase involves scanning content, classifying the information, and testing, review, and approval of actions (e.g. retain, dispose, migrate or archive).
- Ongoing - this involves ongoing training of users and ongoing monitoring and reporting on systems to ensure proper governance is maintained.
The Phases of Records Enablement
This whitepaper will explain the steps involved in each of the four phases.
Phase I Overview: General Preparation
There are six key steps within the General Preparation phase:
Step 1: Prepare the Program
Preparing the program involves three activities:
- Assess and update your Records Management/Information Governance program
- Assess and update your Retention Schedule
- Assess and update your Policies and Procedures
When you assess your program, do it at a high level to determine what level of records management enablement is realistic, where are your significant gaps, and what you should improve before starting.
When you assess your Retention Schedule, check that it includes all relevant series and is simple enough to facilitate automation. It should contain “big buckets” and few complex triggers.
When you assess your Policies and Procedures, check whether your policies and procedures for records management, ILM (information lifecycle management), Infosec/Privacy, Legal Hold, and Data are “adequately complete” and aligned. Note, for example, that some record types, formats, and media (such as email, social media, or video) require special handling. Your policies and procedures should indicate these requirements and your process should comply.
A key output of preparing the program is a definition of your organization’s disposition process. You should create a decision tree describing the steps for defensibly destroying your information. It should clearly indicate each decision point and responsibility, and will look something like this:
Example Decision Tree – Defensible Disposition
Step 2: Get Approvals
Getting approvals involves three activities:
- Develop the business case (if needed)
- Identify and secure stakeholders (Champions, Decision-Makers, Influencers, Blockers)
- Get funding and staff resources
Obtaining approval can be daunting at times depending on the hierarchy of your organization and the processes that are used to formalize the work. The policies we discussed earlier are a great place to start.
The policies and procedures that you created are foundational, and hard to for anyone to say "no" to. However, if following the policies and procedures requires more money or resources, the organization may be willing to accept the risk of not following them. In that case, there will be additional steps to get to "yes." Below are some examples of steps that can help you win approval.
Develop and circulate a business case. It is critical to set the stage for discussions with management by defining the problems that can be solved by records enablement. The benefits for the organization must be clearly stated – whether it is risk, privacy, cost savings, etc.
Identify the key stakeholders that you must win over to get funding and staff resources to do the required cleanup work. Make sure to tailor your message to appeal to each stakeholder. There will typically be four types of stakeholders to consider:
- Champion - Helps you get to “yes.” May or may not have the power to say "yes," but knows how to navigate the organization.
- Decision-Maker - Typically risk averse and will be weighing multiple requests to approve funding and work. Will rely on input from Champions and Influencers to aid in the decision-making process.
- Influencer - Many times is accountable for the financial impacts and ROI for projects. This person can be very valuable in the building of a business case if ROI and cost are core drivers for your organization.
- Blocker - Typically doesn’t have the power to say “yes,” but gives decision makers reasons to say “no.”
Get funding and staff resources. Be sure to give options for a solution that details the work required, estimated costs, and impacts of each option. For example, you can offer solutions of "do nothing," "do everything," and "somewhere in the middle." Try to illustrate that "do nothing" is not an option. The stakeholder will likely think "do everything" is too expensive and resource-intensive, which leaves "somewhere in the middle" as a viable option.
Be specific in what your records enablement program needs are, including people, technology and process changes. This will help you frame your scenarios when going to Decision-makers and give them fact-based information to consider.
It pays to work with stakeholders ahead of time. The best thing you can do is get everything in place so that the approval meeting is a formality. This approach can take more time but will allow you to address concerns or Blocker objections prior to the go/no-go decision.
Here are some proven arguments to gain buy-in and authority, appealing to different stakeholders.
- For stakeholders with oversight over information governance/records management: We’ve been building the program but now must “let out the clutch” and start engaging with the business units to provide tangible results. We need quick wins (the records management initiative will happen over several years, but wins will come quickly). By classifying and enabling our systems for records management, we can quickly start eliminating ROT (redundant, obsolete and trivial records), which is often greater than 40 percent of unmanaged volume. This demonstrates immediate highly visible value.
- For CISO or similar, who oversees records management: We can begin managing our systems for records management compliance and security/privacy purposes.
- For Legal stakeholders: We can ensure both ensured retention, efficient legal holds, and defensible disposition on these systems.
- For organizational adoption: It’s a necessary step for “governance by design” and for giving the business units the ability and responsibility for IG.
Step 3: Define the Operating Model, Roles and Responsibilities
Defining the operating model and relevant roles and responsibilities involves three activities:
- Define the core team (Records Management, Legal, Compliance, Infosec/Privacy, IT)
- Define business unit and external roles (Accountable Executive, Coordinators, Owners, Stewards, Custodians, SMEs)
- Define what they do (the operating model)
The relevant roles and responsibilities inserted into your operating model might look something like this at a high level:
Example Relevant Roles & Responsibilities Chart
Step 4: Conduct System Profiling and Prioritization
In this step, inventory your systems so you know the full scope of what you’re dealing with, and then begin categorizing them into priority tiers. You’ll then develop a high-level roadmap for first addressing the high priority systems.
System profiling and prioritization involves five activities:
- Develop profile criteria (records, value, risk; volumes; system records management capabilities; applicable methods)
- Inventory the systems and categorize the systems into tiers
- Prioritize the systems based on weighting
- Agree on the set of prioritized applications
- Develop a high-level roadmap for addressing them
As a first step define your system profile criteria, including:
- Does it house records?
- Does it use records?
- Is it adequate for managing its records?
- Is it business critical?
- Is it a likely discovery target?
When you begin prioritizing your systems into tiers, it’s useful to use these criteria to help with roadmap scheduling. Records-enable applications:
- When an application is out of compliance: if a system does not meet current record keeping requirements or regulations (e.g. SEC 17 for WORM), these systems are the top priority.
- When an application is currently being replaced: when the “hood is open,” add records management capabilities as part of the project.
- When a system is next scheduled for refurbishment: the functionality should be added when the “hood is open.”
- If a system is intended to be sunset: records management functionality should not be added, even if the “hood is open” for small modifications.
Step 5: Select and Prepare the Records Management Tools
Records management tool selection and preparation involves two activities:
- Inventory available tools, including records management, file/content analytics and classification, in-system, and others
- Supplement as necessary (license, “rent,” or procure services)
The first thing to understand about records management tools is that there are two general approaches:
- Centralized: The records repository is centralized, and you move your records into the central repository
- Federated: You leave your records in-place, but centralize records administration
The second thing to understand is that there are four primary records management capabilities, and you have flexibility in which systems handle them:
- Policy management – includes the retention schedule and rules
- Policy enforcement – includes records tracking and rule execution
- Records housing – includes the repository or repositories where the records reside
- Analysis and classification – includes automated and manual identifying, declaring, and categorizing records
Most centralized approaches to records management (and most records management systems) handle all four capabilities within the same system. Federated approaches centralize the first two capabilities, though they differ in how aggressive they are in “execution” – whether they just send a note to a human administrator to do something with a record, or actually command the in-place system to perform an action on records. Centralized and federated records management systems both typically have some way to manage the fourth capability but you can also use third-party file and content analytics tools, which are often better in these tasks than the records management systems.
Step 6: Finalize General Preparation (with steps 1-5 as inputs)
Finalizing general preparation involves four activities:
- Build the detailed business case and resource plan
- Define retention buckets (according to schedule, or simpler and big)
- Develop a detailed roadmap for the first projects
- Prepare the tools for the first projects
It’s now time to address the tier one systems on your roadmap and begin the specific preparation for each one.
Phase II Overview: Specific Preparation (for each project)
Specific Preparation has five steps:
For each system you’re going to records enable, do the following:
- Meet with IT (Infrastructure, Network), Legal/Compliance, RM, and Repository Owners (Business and IT) to understand any requirements or constraints
- Develop the project plan
- Determine if a high-touch or low-touch approach is warranted
- Have the department stakeholders review the plan
- Identify and schedule end user sessions as needed
Note that you may be able to address multiple systems in one project. In some cases, high touch sessions may be needed, or a less involved low-touch approach may be warranted. Once the plan is created it is important to have the department stakeholders review the plan before you start digging in. If needed, schedule meetings with end users to understand and confirm requirements, metadata, etc.
Phase III Overview: Execute Enablement (for each project)
This third phase consists of six steps for each project:
It’s finally time to enable some systems! For each system you’re going to records enable, do the following:
- Perform an initial rough scan
- Define the records management process
- Implement the records management technology
- Perform the record series classification
- Define metrics, measurement, and monitoring processes
- Test, review and approve, train, and sign off
Start by performing a rough scan of the system to get a better understanding of the types of records and record series you’re dealing with – which subset of the retention schedule you need to be concerned with. Then define the process that will identify, tag and manage the records.
This will require you to choose the appropriate centralized or federated records management approach. It may involve using the inherent records management capabilities of the file-housing system, moving the files to a different system with records management capabilities, or integrating the file-housing system with a records management system. The first and second of the above approaches are centralized, while the third is federated.
Then start the process. This may require activating the records management capabilities of the housing system or first migrating the files to the more adequate system. But the process includes identifying, declaring, and classifying the records in each system and assigning them their specific record series.
Some files may not be records, and you will need a management and disposition approach for such files. Other files will be records that have been retained beyond their retention period, and you will need a disposition strategy for these files. Both of these use cases, and several others, are beyond the scope of this white paper. They belong to defensible disposition and records management (as opposed to enablement) and are addressed elsewhere.
The last two steps, related to monitoring and standard application development processes, should be conducted during all steps in this phase, and finalized before sign-off.
Phase IV Overview: Ongoing (for each project)
The Ongoing phase consists of two steps for each project:
For each system you’ve records enabled, do the following:
- Engage and train (as needed) for ongoing
- Introduce governance metrics, monitoring, and reporting
And finally – don’t forget to ensure the sustainability of your records program by building the processes to keep it going. At a minimum this means continuous engagement and training with the relevant records custodians, records managers, system owners, and other relevant participants. It also means introducing relevant governance metrics, monitoring processes, and reporting.
A records enablement effort can seem overwhelming and it can be complicated. But by breaking the effort into a manageable set of steps and following best practices such as those described in this paper, you will position your records management efforts for success.