Compliance

August 17, 2007

The Organization Structure Needed within an Information governance framework for an ERM Program

Organizations that plan to manage their records and information properly (implement information governance) require Corporate (Centralized) Records Management Functions.

The responsibilities that need to be met by these functions include:

  • Maintain Information and Records Management policies and procedures
  • Maintain corporate Business Classification Scheme and other records management instruments (metadata model, controlled vocabulary, security and access control, and retention schedules)
  • Lead Records Management Community of Practice
  • Advise on relevant legislation
  • Define ERM reference information to be used by the ERM systems
  • Ensure information is preserved
  • Carry out disposition reviews, and
  • Audit staff compliance with policy, standards, and guidelines

A major theme in records management over the past several years has been enforcement.  I recall the comment of a judge that “Policies are nothing more than intentions” unless they are followed.

For this to happen, you need commitment from senior management and a mechanism for auditing staff.

Decades ago, I worked for Rockwell International which had a Corporate Records Management function, in which I worked.  Records Management was part of the Finance Function.  Our policies were Volume 6 of the Finance Policies.

We were able to use the internal financial auditors to enforce our records management policies.

There has always been a lot of discussion of where the records management function fits within an organization.  Today, reporting to Legal and/or Compliance is popular.  My position has always been that I want to belong in the function of the organization where records management gets supported.

Using internal financial auditors, at the time, to enforce records management policies and procedures worked very well.

By Carl E. Weise

June 04, 2007

When does information governance matter?

The answer is that good and successful information governance continues throughout the lifetime of an ERM program or initiative.  It starts when the initiative begins.  After it has started, the project team and others develop the records management environment, usually with a program or a series of projects, to implement the ERM system.  A Corporate Records Management function will need to be created, if one does not already exist.  Positions will need to be filled and the records management instruments will need to be developed.  Records Management Instruments, according to ISO 15489, include a records classification scheme, metadata model, security and access controls, controlled vocabulary and a retention schedule, associated with the records classification scheme.

At some point, often a year or two after the ERM implementation starts (usually less for small installations), the ERM environment goes live. 

After that point, the records management instruments are used for real, and continue to be used for many years, in fact for a much longer period than the implementation during which they were developed.  During this time, records will be migrated to the new ERM system.  It is over this extended period of development and use that good governance must be ensured, both over the information itself and over the ‘Instruments’ used to operate the whole ERM Environment.

So, while most energy during an ERM implementation project is focused on the relatively short-term implementation tasks, it is important to remember that the post-implementation period will be much longer, and itself needs to be the focus of governance efforts.

Good Information Governance should continue throughout the lifetime of an ERM initiative, and hence create a sound foundation for an organization’s compliance with legislative and regulatory requirements, and delivery of the envisaged productivity benefits.

By Carl E. Weise

June 01, 2007

Information Governance

Implementing an ERM system is not simply installing a computer application or system. Records management discipline and Information Governance is required.

Information Governance is concerned with defining accountability for an organization’s information assets (especially its records).  If Governance is implemented properly – that is, if there is GOOD governance – the organization’s information management should be compliant with any relevant legislation or regulations, and it should have a sound basis for exploiting information and delivering productivity benefits.

The organization should be able to exploit new ways of working more effectively, such as changes in information access channels, or new business or service delivery models (for example, where citizens drive the interaction with government).

Good governance will also help to address all the interfaces between the customer, your organization and other providers.  For example, imagine you are a broker of services between a number of providers and the end customer.  You must be able to coordinate service delivery, possibly from a number of partners and providers, to achieve a seamless range of services from your customers’ perspective.

Lastly, and, importantly, information governance provides a way of ensuring that good information management practices can be sustained over long periods.  For example, ensuring that procedures, and other Records Management Instruments, are maintained, as the detailed requirements around them evolve and change.

So, basically, good governance boils down, pretty much, to being a fashionable term for good management – and information governance is, therefore, looking after information properly.

With ERM systems, we are fortunate to have computer tools to enable organizations to do just that.

By Carl E. Weise

April 20, 2007

The Road to Compliance

No, this is not an old movie knockoff, but it is a solid approach to moving your company toward a more defensible position of compliance.


Many vendors will present you with the statement that their products are compliant with this regulation or that one. Truth is, no single product is compliant by itself nor is it technology alone that brings you to be compliant. It is a combination of factors, including processes and procedures, that are well documented and practiced in a consistent manner.


First and foremost in addressing compliance related issues and how to address them is to gain an understanding of the best methods to identify the requirements and develop a strategy that will allow you to design, build and maintain an ECM environment that will bring you into a level of compliance that is clear, concise, documented and maintained. The best starting point is to establish a foundation of knowledge from which you build upon and that begins with training.


Investment in training for your employees will ensure a baseline understanding of standard practices and concepts from which you can build, knowing you are all starting from the same place.


By Bob Larrivee

March 01, 2007

Compliance Framework


A leading manufacturer sees compliance as an ongoing process with three main activities. You need to prevent non-compliance by providing senior management commitment, risk assessment, policies, procedures, and training. You need to detect non-compliance by having compliance reviews, monitoring dashboards, an ombudsperson network, and compliance audits. And you need a non-compliance response that includes an investigation unit, employee discipline, communication, and systems improvement. Part of their risk assessment is running a "Be a Criminal Day" for staff handling money, to identify ways that bad employees or temps could steal money from the company or its customers. It is then important to respond immediately to identified risks and improve processes and security.

February 28, 2007

How do I ensure Information Management Compliance?

Some time ago AIIM published a book called Information Nation, with Randolph A. Kahn, Esq., and Barclay T. Blair, that provides a seven-step approach to information management compliance. It gives you a business approach to evaluate, design, or improve current information management practices. The Seven Keys to information management compliance that the authors advance are designed to help professionals understand their responsibilities and what they must contribute to their organization's information management effort. The seven steps are:

  • Good policies and procedures
  • Executive-level responsibility
  • Proper delegation
  • Program communication & training
  • Auditing and monitoring to measure compliance
  • Effective & consistent enforcement
  • Continuous improvement

For more information about Information Management Compliance check out the 'Legislation, Regulations & Standards' module of our ECM Practitioner program.

February 27, 2007

Information Management Compliance: Which tasks or processes are relevant?

Chris Harris-Jones from the analyst firm Ovum in Europe defined Information Management Compliance as usually referring to the following tasks:

  • Finding and retrieving information on demand
  • Controlling access and confidentiality
  • Monitoring and reporting for enforcement
  • Comprehensive auditing
  • Secure retention and destruction

But we should not jump to any conclusions based on this, and I would recommend that you start by identifying what Information Management Compliance means for your organization. This could include all of the above tasks, but also how to scan documents to ensure legal admissibility, processes for legal hold, etc. Take a look at my previous post “What are the necessary components of ECM?” for more information about the information lifecycle and relevant ECM components.

February 26, 2007

AIIM & Doculabs Compliance Blueprint

Compliance means, according to the Oxford Advanced Learner's Dictionary, “the practice of obeying rules or requests made by people in authority: procedures that must be followed to ensure full compliance with the law”. This is not only legal requirements, but also organizational rules and requests. This could be industry standards, organizational policies and guidelines. Compliance is therefore important for all of us: manufacturers want to produce a product in a consistent way to ensure quality, consultants want to follow their procedures to foresee problems, sales people should follow a sales cycle to sell a product, and so on. All this means complying with company procedures and policies, even if these are not in all cases written down.

Last year AIIM produced a Compliance Blueprint Poster in partnership with Doculabs, and you can download it from our website: http://www.aiim.org/article-aiim.asp?ID=30971

January 19, 2007

Implementing Information Governance – Management

This is the last (for now) of three posts about the essential factors that contribute to the successful implementation of an Information Governance Framework.

The Management aspects of the Information Governance model must define clearly who is accountable for the management of information at every level of the organization. The most important appointments will be the Chief Information Officer (that is, the CIO or an equivalent post) and the members of the Information Governance Board, which should be a sub-group of the Executive Board and include (for example) the Finance Director, the Operations Director, and the CIO or equivalent.

During the ECM-related implementation project or program a ‘Program or Project Owner’ (referred to as the Senior Responsible Owner in some UK organizations) should be appointed to be personally accountable to the Information Governance Board or Executive Board, again depending on organization size, for delivering the expected benefits of the implementation project or program. In some organizations, a Content Manager will be appointed in addition to the CIO; in smaller organizations, one individual may perform both roles.

Check out the ECM Specialist training program for more information about how to implement an Information Governance Framework.

January 18, 2007

Implementing Information Governance – Organization

There are three essential factors that contribute to the successful implementation of an Information Governance Framework: Policies, Management and Organization, and I will in this post focus on roles and responsibilities in the organization.


New ongoing roles and responsibilities will need to be set up for ECM to work properly in an organization, and one of the key roles is that of the Content Management Function. This could be a single part-time role for a person in a small organization, or a whole department in a larger one. The tasks of the content management function include:

  • Maintaining the top-level (corporate) Business Classification Scheme
  • Development and application of organization-wide Information Management and Content Management policy
  • Leading the Community of Practice for Content Management
  • Advising on the content management implications of relevant legislation such as Privacy, or Data Protection, laws
  • Defining reference information to be used by the ECM systems
  • Ensuring that information is preserved in the interest of both the business and its customers and partners, and in the national interest
  • Carrying out disposition reviews according to the retention schedules, transferring information to archive, or destroying information no longer required
  • And auditing staff compliance with policy, standards, and guidelines

Most organizations find it beneficial to create specialist teams physically close to the end users, to help them configure the ECM Environment to their preferred ways of working and to provide hands-on support as required.  We call these teams ‘information hubs’ or ‘iHubs’, to emphasize the importance of their location at the centre of user groups within the organization.  This is a much more effective arrangement than merely leaving all support to a central IT Help Desk.