Managing in the New Business Reality

Transcription

1 Industry Watch A Summary of Findings from the AIIM International and Kahn Consulting, Inc. Policies and Practices Survey Managing in the New Business Reality Authored by Randolph A. Kahn, ESQ. and Barclay T. Blair at for

2 Managing in the New Business Reality A Summary of Findings from the AIIM International and Kahn Consulting, Inc. Policies and Practices Survey By Randolph A. Kahn, ESQ. and Barclay T. Blair What Is Industry Watch? The AIIM Industry Watch is a summary of industry trends based on survey data that is collected from the AIIM community of end-users. A valid sample of responses received within the allotted time are then analyzed by AIIM and the consultant. A report of those findings is assembled into this concise paper providing a snapshot of an industry at the time of the survey. The survey and corresponding Industry Watch is an occasional series. Survey topics are focused and will vary each time. Charts of the raw data will appear in the Appendix of each paper by: AIIM International Kahn Consulting, Inc. ISBN No part of this publication may be reproduced without prior written permission of the publisher or author. Published in the United States of America. Published by AIIM International 1100 Wayne Avenue, Suite 1100 Silver Spring, MD US Tel: /

3 Executive Summary is an indispensable part of today s business process. However, there is a growing policy vacuum in organizations when it comes to managing and controlling the use of information technology. Although a vast majority of organizations use and other electronic communication technologies for real business every day, too many organizations are failing to implement policies designed to ensure that the technology is used properly and that digital information is properly retained. At the same time, Sarbanes-Oxley and the increased perception that has important legal and compliance implications are having an effect on management, with a majority of organizations planning to increase the security of their systems and implement new policies to address the new realities. Key Findings Despite spam, increasing volume, and security worries, s popularity continues. One hundred percent of organizations use for business purposes, and 74% view as a productivity tool with clear benefits to their organization. Real business use. Organizations are aggressively adopting for highly-sensitive and valuable business processes and transactions, with 93% using to answer inquiries from customers, with 84% using it to discuss business strategy, 71% to negotiate contracts, 69% to exchange invoices and payment information, and 44% to file with official bodies. Policy vacuum. Organizations are adopting new technologies to do business, with a majority using (100%), mobile messaging (59%), wireless PDAs (81%), online discussion forums (71%), and peer-to-peer (P2P) file sharing (51%). However, a majority of organizations are failing to create policies to control and manage these technologies. For example, only 22% of organizations have formal written policies for P2P file sharing. In transition. Organizations have paid attention to Sarbanes- Oxley and the high-profile media coverage of business failures, litigation, and corporate malfeasance, in which played a starring role. A majority of organizations are making or planning to make changes to the way they manage as a result, by creating new policies (68%) and taking action to improve security (64%). Retention Inattention. Despite increased awareness of the need to properly manage and store messages, a majority of organizations are failing to provide written guidance to employees. Sixty percent have NO formal policy governing retention. A majority of companies do not even tell employees where, how, or by whom messages should be retained. About the Survey 1 Policies and Practices: An Industry Study was jointly conducted in Q by AIIM International and Kahn Consulting, Inc. This report provides a summary of key findings from the survey. Over 1,000 respondents from a wide variety of industries across the U.S. participated in the survey. Respondents were quite evenly distributed among major industries, with significant representation from Manufacturing and Engineering (12%); Banking, Finance, and Insurance (16%); and Government and Public Service (24%). 2 The survey also had a good mix of respondents from small and large organizations, with about half of the survey respondents belonging to organizations with less than 1,000 employees and the other half from organizations with more than 1,000 employees. The pool of survey 1 This Study should be cited as: Policies and Practices: An Industry Study Conducted by AIIM International and Kahn Consulting, Inc., Throughout this document, the term organizations is used to refer to all private, public, non-commercial, and other entities conducting business AIIM International and Kahn Consulting, Inc. 3

4 respondents is sufficiently broad and deep to provide statistically significant and useful insights. The business world has changed. While the use of and other electronic communications technologies is seemingly growing, a rash of high-profile business failures, corporate malfeasance, litigation, and new laws and regulations, such as the Sarbanes-Oxley Act, have placed a renewed emphasis on good management controls and organizational accountability. Anecdotally, the increasing frequency of a starring role for in lawsuits and investigations over the past few years had led the survey s authors to believe that there may be a gap in the way that technology is being managed (a suspicion that is largely confirmed by the result of the survey). As such, the survey was designed to gather information on how and other electronic communications technologies are being used by organizations today. More specifically, it sought to explore how policies and practices are being used (or not being used) as a management control are they being used, what issues are they addressing, and where are they failing. It also sought information on how is being used today, and with what frequency. Finally, the survey sought to find out if organizations today are changing the way that they use and why. Continues to Transform Business Resp to litigation Filing official docs Invoices Customer Inq Resp to regulators Confidential info Oper/prod strategies HR issues Contracts 23% 38% 44% 56% 64% 69% 71% 84% 93% Source: Managing in the New Business Reality, AIIM International and Kahn Consulting, Inc., 2003 The Survey should remove any lingering doubt that and other electronic communications technologies have profoundly changed the way that we do business today. isn t about the company picnic anymore. In fact, 100% of organizations surveyed indicated that they use for business purposes. has played a part in many high-profile lawsuits and investigations, scores of employees have been terminated, and a myriad of other ills have been attached to . Despite this, organizations not only continue to rely on , but also seem to be expanding use to activities with real business, legal, and compliance implications AIIM International and Kahn Consulting, Inc.

5 Recently passed laws like the federal E-SIGN Act and the state-level Uniform Electronic Transactions Act that encourage the use of electronic documents and signatures may be having some affect, as 71% of organizations now use to negotiate contracts and agreements, and 69% use it to exchange invoices, statements, and payment information. Nearly all organizations (93%) use as a tool for communicating with customers. The use of for sensitive business process indicates a comfort with the digital medium. And, it is not just companies that feel this comfort regulators and government agencies seem to increasingly be on board too. The Survey shows that 38% of organizations use to respond to regulators, and 44% use it to file with official bodies. plays a big role both inside and outside organizations. A majority of them use to discuss human resource (HR) issues (56%), to discuss operational or product strategies (84%), and to exchange confidential or sensitive information (65%). The bottom line is that is used every day in our organizations for real business purposes. The Survey also indicates that, while organizations are increasingly comfortable with doing business in the electronic world, many have not invested in the hardware and software that supports proper management and retention of digital information. For example, only 35% of organizations have a separate back-end system specifically used for retaining messages, and a minority use records management (23%), document management (34%), or management and archiving software (40%). Properly capturing and retaining and other types of important digital information is clearly more challenging without a supportive technology environment. Similarly, although organizations are clearly using to transmit sensitive information with privacy, confidentiality, and trade secret implications, less than half have invested in encryption technology. This suggests that for many organizations, comfort with using for important business processes is likely more the result of familiarity with the technology than investment in security. Many organizations have had their false sense of security shattered when unprotected messages have ended up in the wrong hands and trade secrets have been lost, or customer s privacy has been violated, for example. The Policy Vacuum P to P FTP Newsgroups Voice mail Int/Ext disc forums Wireless/PDA Laptops Text messaging IM Source: Managing in the New Business Reality, AIIM International and Kahn Consulting, Inc., 2003 Allow Use Have Policy 2003 AIIM International and Kahn Consulting, Inc. 5

6 Information technology is clearly transforming business today. Fully 100% of organizations surveyed are using to conduct business. As expected, nearly every organization uses laptop computers and voic (both 98%), but organizations are also using a surprising variety of less common technologies including Instant Messaging (IM), message boards, and Peer-to-Peer (P2P) file sharing for business purposes. However, while most organizations surveyed are allowing employees to use these technologies, many are failing to ensure that they have adequate management controls and security precautions in place. For example, even though 59% of organizations allow employees to use newsgroups for business, only 17% of organizations provide formal written policies for their use. It s much the same story with wireless-enabled handheld devices such as Personal Digital Assistants (PDAs) and Tablet PCs, where 81% of organizations allow their use, but only 28% have formal written policies. P2P file sharing is no better, with less than half of organizations that allow its use providing employees with written guidelines, despite recent cases where companies have become embroiled in copyright disputes over music files shared over the corporate network. Instant Messaging (IM) is graduating from a chat tool for teenagers to an enterprise messaging tool with real business uses and real legal implications. Forty-six percent of organizations use it for business, but less than half of those have a formal policy this despite new rules from regulators like the National Association of Securities Dealers that require IM messages to be retained like any other business correspondence. The disconnect between the use of these technologies and the lack of rules to regulate their use is problematic. Failure to provide rules creates security risks and retention issues, and may allow technology to be used in a way that does not promote business interests. Some of this policy vacuum can be attributed to the lag time that seems to occur between a technology s adoption and the creation of a policy. In other cases, the cause is not so clear. For example, the fact that text messaging or -enabled mobile phones may be relatively new to many organizations may partly explain why only 21% of organizations have a written policy even though a majority of them (59%) allow its use. However, it is hard to apply the same logic to newsgroups (59% use/17% policy) or file transfer protocol (FTP) (82% use/35% policy) since both are mature technologies that have been in widespread use for many years. In many organizations, the answer may be as simple (yet potentially dangerous) that they have never had a problem with the technology, so they haven t felt the need to create the control. A passive approach to policy-making can be dangerous, as the business world learned over the past decade or so as evolved to become the commonplace tool it is today. In the nascent days of use, organizations took a passive approach to management that forced them to react to problems, after the fact, by drafting policies, training, auditing, monitoring, and retraining and occasionally firing violators just to get use under control. was rolled out across the business world without enough consideration of what could go wrong, and the liability that lay within the system. Indeed, much that could go wrong did go wrong. Consequently organizations were forced to legislate better behavior through policy or other means. Now, while employees still violate policies (and a few employees likely always will) the majority of organizations (80%) have prohibited use policies, at a minimum, that tell the workforce how to deal with all kinds of conduct that could get the employees and the organization in serious trouble AIIM International and Kahn Consulting, Inc.

7 Pay Attention to Retention Content of determines whether or not that constitutes an official record. If so, it is to be retained outside of the system. If it is not a record, it should be deleted. There is no way there can be one retention period for all messages. Survey Respondent #14 Each user pretty much determines this individually. I do it for my department, since I m the department head. Survey Respondent #39 I drafted an use and an retention policy two years ago, and I m still waiting for upper management s review! Survey Respondent #175 Most organizations have clearly got the message that they need to guide employees on the proper way to use the system. For example, 70% of organizations tell their employees what to expect in terms of the privacy of at work, 80% dictate acceptable use of the system, and 73% provide guidelines on content. Maybe the countless highprofile lawsuits involving pornography and inappropriate content are finally starting to have an effect. On the other hand, even though a majority of organizations are making changes to they way is managed because of its increasing legal importance (due to Sarbanes-Oxley, lawsuits, and so on), 60% have NO formal policy governing its retention; 54% do not even tell employees where, how, or by whom messages should be retained. It is little wonder that the nearly two-thirds of survey respondents felt that their organization needed new policies and more retention and storage training. And, even when organizations do retain messages, only 37% retain messages according to their content. As the respondent quotes above help to illustrate, the remaining organizations use a hodge-podge of techniques, with 31% keeping indefinitely, and 26% retaining it less than 120 days. Sixty-seven percent use maximum mailbox sizes as a method of creating a de facto retention limitation. While use has eclipsed telephone use in many businesses, the replacement of one technology with the other does not mean that they can be handled with the same ease. , unlike phone calls, is memorialized in a form that sometimes makes it tough to manage. And yet, it is clear from the Survey, substantive business relationships are now formed via , and important documents and evidence may only reside in form. Losing the means losing your ability to defend your organization s legal position. Where are the rules that make sure the company has evidence of its business dealings and can defend itself in the context of litigation, audit, or investigation? Those rules are not drafted with the necessary regularity. A Transition Period Many organizations are in a period of transition in the way that they manage and use and related technologies. Organizations have paid attention to Sarbanes-Oxley and the high-profile media coverage of business failures and corporate malfeasance (such as Andersen/Enron), with 40% citing these as the reason they are making (or planning to make) changes in the way is retained and managed. Others cite lawsuits, business losses, viruses, system downtime, or other damage directly experienced by the organization as the reason for change (30%). Finally, fully 47% cite the increasing volume of in their organization as a reason that practices need to change. The kinds of changes that organizations are making vary. The good news is that a majority of organizations (68%) see the creation of new policies as the most important change they can make to address the realities of their operating and business environment. Also, a majority (64%) has taken action (or plan to) to make their systems more secure. Beyond that, there seems to be some confusion amongst 2003 AIIM International and Kahn Consulting, Inc. 7

8 organizations as to where their management problems exactly lie. For example, while some say they need to retain more messages (25%), an even greater number believe they need to retain fewer messages (31%). Similarly, while some believe the path forward is to retain for longer periods. Clearly, training should play a big role during transition periods like this. A majority of organizations believe that training will help their organizations, and 46% of organizations have offered training on policy issues during the last year which reflects the majority belief that employees could benefit from more mail retention and storage training (67%). Despite Problems, Still Viewed Positively Despite some concerns about security, volume, and spam, the vast majority of organizations still view in a positive light. In fact, 74% view as a productivity tool with clear benefits to their organization. Less than 1% of organizations viewed as a tool that wastes time and causes more harm that good. This is true even though users are spending a significant portion of their day dealing with . Sixty-five percent of users spend at least a quarter of their working day on writing, reading, or otherwise dealing with , and 25% of users spend more than half. It s little wonder users are spending so much of their day on , as 83% receive at least 20 message per day, with 26% receiving 60 or more. This is not to say that use is totally problem free. users are fed up with spam (and the tools used to deal with it in some cases), with over 15% of respondents commenting on unwanted messages. One respondent noted our spam filtering hinders as much as it helps, and another that spamming is such a productivity eater. Conclusion ranks up there as one of the most significant technologies that has transformed the way we work, play, and structure our day. Ubiquity in use, however, does not mean we are managing and other communications technologies in the best ways possible. , like all sorts of other communication technologies, burst into use in business and grew almost unfettered until we realized that harnessing the technology meant serious management of a wide variety of new issues. With use came comfort with the new technology. With comfort came new, more significant uses of the technology. Today real business of all types is routinely done in . But, organizations have not evolved far enough, fast enough in they way they control and manage use AIIM International and Kahn Consulting, Inc.

9 About The Authors Randolph Kahn is the coauthor of the recently published book Rules and an internationally recognized authority on the legal, compliance, and policy issues of information technology and information management, and trusted advisor and consultant to Fortune 500 companies, governmental agencies, and court systems. As founder and principal of Kahn Consulting, Inc., ( Mr. Kahn leads a team of information management, regulatory, compliance, technology, and policy professionals who serve as consultants and advisors to major institutions around the globe. Mr. Kahn, conducts numerous seminars and training programs for thousands of participants at corporate and government institutions and member organizations each year. He teaches Legal Issues in Records and Information Management at George Washington University and has authored dozens of published works. Barclay T. Blair leads the Technology Consulting operations for Kahn Consulting. Mr. Blair has a broad information technology background, with extensive expertise in the technology and policy considerations of information management, information security, public key infrastructure, XML, online transactions, and related topics. He is a Rapporteur within the Information Security Committee of the American Bar Association (ABA), and an editor of the ABA s PKI Assessment Guidelines, published in 2003 after more than five years of drafting. Mr. Blair has authored and edited dozens of publication and has spoken internationally about information technology and security matters. About AIIM International AIIM International is the global authority on enterprise content management (ECM). ECM technologies, tools and methods used to capture, manage, store, preserve, and deliver information to support business processes. AIIM promotes the understanding, adoption, and use of ECM technologies through education, networking, marketing, research, standards, and advocacy programs. As a neutral and unbiased source of information, AIIM is uniquely positioned as a 501(c) 6 non-profit association dedicated to growing the Enterprise Content Management Industry through its: Market Education: Expand the global market for ECM solutions. Provide educational programs and information services that help users make informed and effective technology decisions and help suppliers better understand user needs and requirements. Networking: Through chapters, programs, and the Web, create opportunities that expand the global base of users seeking ECM solutions and allow our user, supplier, and channel members to engage and connect with one another. Industry Advocacy: Through our own efforts and strategic partnerships, become the global voice of the ECM industry in key standards organizations, with the media, and with government decision-makers. The AIIM community has a variety of opportunities for you. Visit us on our Web site at AIIM International and Kahn Consulting, Inc. 9