Global Records and Information Management Risk: Proactive and Practical Approaches to Effective Records Management
September 16, 2014
Maura Dunn, MLS, CRM
Lee Karas, MBA

Agenda
- Drivers for your Records and Information Management (RIM) program
- Developing Key Performance Indicators (KPI) and metrics
- KPI monitoring
- Identifying and evaluating risks
- RIM program implementation planning and approach

You are not in the business to manage records
- Records must support the business you are in
- Proactive records and information management (RIM) increases competitive advantage and optimizes costs

Let your business drive your program priorities
[Figure: business drivers. Labels shown: Technology advances; Web 2.0 technologies; Data breaches; Mergers, acquisitions and divestitures; Information systems integration; Liability; Risk; Transition; Global operations and expectations; Litigation; Economic instability; Shareholder demands; Budget constraints; Regulation; Privacy; Litigation; Technology]

Link your RIM program goals to your organization's drivers
- Decrease litigation response costs
- Manage information proactively from creation through preservation and disposal
- Optimize costs through increased storage efficiency and timely destruction of unneeded information
- Increase competitive advantage by capitalizing on information assets
- Increase organizational efficiency through timely access to information
- Minimize impact on staff, automated capture and deletion of information wherever possible
- Increase efficiency and consistency, decrease cost in your business processes
- Create a culturally aware program for a global organization
- Allow flexibility within standards
- Comply with global regulatory and legal requirements
- Increase capacity for storage through Cloud computing

Determine how the RIM program supports the business
- Review the processes within your RIM program
  - Declaring records, archiving records, managing legal holds, etc.
- Identify the primary goal of each RIM process
  - Comply with legal requirements
    - Manual, inconsistent processes for storing and dispositioning records
  - Minimize cost
    - Time and cost associated with storing duplicate and out-of-date information
    - Time and cost associated with searching for or recreating needed information
  - Increase productivity
    - Multiple copies and versions of the same document
    - Difficulty in locating the correct document when needed
- Incorporate aspects of the Generally Accepted Recordkeeping Principles to further define the goal of each process

Now you have the goals, it's time to implement

What are key performance indicators?
- Key Performance Indicator (KPI): A measure of progress toward an organization goal
- Metric: An individual data point measuring one aspect of an organization's performance
- A single KPI may comprise one or more metrics

How do I know what KPIs are right for me?
1. KPIs must be concrete and clear
   - KPI: Increased program awareness/understanding
     - Metric: Number of employees taking RIM program training
2. Choose KPIs that measure the positive impact of RIM on the business
   - KPI: Decreased hardcopy storage costs
     - Metric: Number of boxes destroyed in accordance with records retention schedule (RRS)
     - Metric: Number of boxes shipped to offsite storage
   - KPI: Increased control of electronic documents
     - Metric: Number of electronic documents stored in ECM
     - Metric: Number of electronic documents tagged for retention
     - Metric: Number of electronic documents destroyed IAW with RRS
3. Choose KPIs that measure how RIM mitigates risk
   - KPI: Decreased cost/time to respond to ediscovery / other requests
     - Metric: Cost of information collection, production
     - Metric: Response time

Monitor KPIs by gathering operational metrics
- Metrics should be easy to gather
  - Automate data gathering through electronic systems
  - Utilize sampling to capture user-driven metrics
- KPIs should be directly mapped to the metrics
- Develop a system (spreadsheet, database) to capture, analyze and present KPIs / metrics
- Develop a dashboard to communicate meaningful status to senior leaders

Effective compliance monitoring includes active, ongoing risk assessment
- Risks change over time
- For example:
  - Y2K
  - SOX Compliance
  - Federal Rules of Civil Procedure
  - Dodd Frank
  - Cloud Computing
  - Global Privacy / Security

Effective compliance monitoring includes active, ongoing risk assessment
Group organizational risks by dimension
- Risk Dimension: Privacy; Regulation; Litigation; Technology
- Risk Item(s):
  - Security surrounding consumer, customer and employee data
  - Concerns about protecting employee data in order not to precipitate any harm to them
  - Requirements for records creation and retention
  - Potential fines, operational impact due to an inability to demonstrate compliance with relevant regulations
  - Increased vigilance over email and storage processes
  - Potential fines, sanctions for spoliation, failure to produce
  - Potentially damaging information that could have been destroyed
  - Availability of cloud storage
  - 3rd party hosted applications
  - Proliferation of mobile devices

Effective compliance monitoring includes active, ongoing risk assessment
Prioritize risks based on impact, probability and tolerance
Risk Aspect: Assessment
- Impact: What is the cost / damage that would result were the risk to occur?
- Probability: How likely is it that the risk will occur?
- Tolerance: How tolerant are you to the potential cost / damage represented by the risk?

Develop a RIM action plan to address risks
- Tolerance + Probability determine risk mitigation priority
- Impact drives reaction
[Figure: matrix of Probability (High, Low) against Tolerance Level (Low, High), with cells Do Something, Further Analysis, Further Analysis, Do Nothing; Impact of Risk shown against Reaction: Policy, Process, Technology]

Actively manage, improve your RIM program through KPIs and metrics
- Monitor the day-to-day performance of your program through the use of detailed metrics
  - Issue: The rising cost of office space across the firm has made storage of inactive material in office space unacceptable
  - KPI: Percentage of office space used for records storage must be reduced
  - Result: Hold quarterly office clean-up days instead of annual
- Utilize KPIs to report to management or request funding to address chronic / emergent issues
  - Issue: The firm's new acquisition has dramatically increased the potential for litigation and you still do not have an effective litigation hold policy
  - KPI: The total cost of the records program is a much smaller percentage of the potential cost of damaging litigation / sanctions
  - Result: Leverage the increased risk to fund the litigation hold policy project to reduce the potential cost of damaging litigation / sanctions

Risk mitigation priorities and impact define the implementation approach
PHASE 1: Business Unit Preparation
- Assess current content repositories
- Validate function / processes / record categories for business unit
- Validate records owners according to processes
- Determine business units with single processes and workflows
- Collect requirements for workflow, records management and retention management
PHASE 2: Design
- Assess infrastructure needs
- Design system, including workflow and RM functionality (retention and disposition properties)
- Support email management, ediscovery and Legal Hold processes
- Support ERP, BI, HRIS, other applications archiving / disposition initiatives
PHASE 3: Implementation
- Conduct regular meetings
- Update Policy, Standard Operating Procedures, Guidance Documents
- Assess backfile (hardcopy, electronic)
- Train, train, train
[Figure labels: Software selection; RISK EXPOSURE; timeline Year One, Year Two, Out Years]

Your RIM program should address people, process and technology
[Figure: Sample RIM Framework. Labels shown: Policy, Process, Data, Content, Applications]

Implementation may take several years; break it into manageable chunks
Phases: PLAN, BUILD, IMPLEMENT, REFINE
[Figure: activities across the phases, in the order shown: Visioning Strategy Change Management Roadmap Framework Organization Policy Taxonomy Retention Schedule Enterprise Information Map Processes Technology Requirements Technology Selection/Decision Organizational Support Embedded Recordkeeping Technology Configuration Training Rollout Program Management Compliance Monitoring Refresh Additional Projects Backfile Migration Information Systems Update Employee Support. Progression from "Keep Everything" through Policy, Process, Data, Apps to "Mature, adaptable RM program"]

Develop a detailed roadmap to guide implementation activities
Timeline columns: Year 1, Year 2, Year 3
- Develop RM governance structure
- Develop change management plan
- Develop roadmap
- Conduct RM working group meetings
- Refine and implement training plan
- Refine and implement communications plan
- Update roadmap
- Refresh governance and records management organizational structure
- Refresh training
- Support ongoing communication
Policy
- Develop / update RM policy
- Generate taxonomy, file plan and records retention schedule
- Develop policy framework
- Develop additional RM policies
- Identify vital records
- Develop and implement ongoing compliance monitoring
- Develop or modify and implement policies, as needed
- Develop vital records protection program
Process
- Review existing process documentation
- Embed recordkeeping into business processes
- Refresh recordkeeping processes, as needed
Data/Content
- Define unstructured data migration planning, including content inventory
- Execute unstructured data migration plan
- Refresh content inventory
Applications
- Define structured data migration planning, including content inventory
- Execute structured data migration plan
- Embed recordkeeping requirements into IT change management process
- Develop records management functional requirements
- Develop software requirements to support records management
- Develop hardware requirements to support records management
- Evaluate and select software
- Size and set up hardware
- Implement software
- Refine RM functionality

Your RIM program needs to grow with you over time

Maura Dunn, MLS, CRM
President, TrailBlazer Consulting, LLC
Maura.Dunn@trailblazer.us.com
610-659-6678

Lee Karas, MBA
Executive Vice President, TrailBlazer Consulting, LLC
Lee.Karas@trailblazer.us.com
312-246-2745