The IT Strategist’s Guide to Transforming ECM
7 habits that help you unlock the value of enterprise content
Too much content with too few controls is a real liability. This habit looks at how to embed Information Governance into your ECM system and content-driven processes.
Build in Information Governance
Why is Information Governance Important?
Information Governance is all about taking control of business information—not just your unstructured digital content, but also structured data and paper documents. It encompasses the policies, procedures, and technologies that determine how your organization manages, secures, uses, retains, and disposes of this information.
Why is Information Governance important?
A robust Information Governance program helps your organization comply with laws and regulations, safeguard its data and reputation, and respond efficiently to eDiscovery or Freedom of Information Act (FOIA/FOI) requests. It also prevents information overload by keeping only the most valuable content.
What’s the urgency?
Organizations face ever-growing compliance obligations, like the new General Data Protection Regulation (GDPR) in the EU and the new NYDFS Cybersecurity Regulation (23 NYCRR Part 500) in the U.S. High-profile hacks, leaks, and data breaches (Equifax, Sony, US Office of Management and Budget, and Yahoo) amplify security risks. And the explosive growth in the volume and variety of content isn’t going to stop.
But we’ve already got a records management system
Records management is just one part of a broader Information Governance program. You also need to consider issues like data security and eDiscovery.
Plus, many companies have struggled with legacy records management systems due to low user adoption and a bolt-on approach. Distributed content stores, mobile working, and the use of unsanctioned file-sharing sites add to the challenge of managing records in a consistent, compliant way.
The Role Enterprise Architects Play in Information Governance
Information governance requires a holistic approach that can include people from legal, finance, corporate risk, HR, IT and lines of business. As experts in using technology to meet business objectives, here’s how enterprise architects can strengthen Information Governance.
- Systems Assessment. Identify the systems that store business content and records. These can include ECM repositories; CRM, ERP, HR, and LOB systems; e-mail inboxes, SharePoint sites, collaboration apps, and shared drives. An audit like this is often the first step in a new governance or compliance initiative.
- Solution Architecture. What’s the best way to set up your governance solution when content and records are spread across so many disparate systems? You’ll need to decide whether records should be managed in place (in the applications where they were created) or in a centralized repository. For many organizations, a hybrid approach is the right call.
- Technology Selection. Evaluate the technologies that can help your organization meet its compliance and governance objectives. Top considerations include how well they work with your existing systems and content repositories and how easily they integrate Information Governance into the natural flow of business. The less manual intervention the better.
- Cloud Adoption. Put cloud storage in your plans for significant savings over housing everything on-premises. Providers like AWS offer several tiers of secure, highly durable storage to meet a variety of data access and retrieval needs. Plus, you’ll get more value from your content by consolidating it on a modern platform where it’s available to people across the enterprise. To learn more about the benefits of cloud storage, read our habit on Embrace a Cloud Architecture.
- Digital Transformation. Don’t treat a new compliance requirement like a check-the-box exercise. Instead, use it as a catalyst for digital transformation. Look for opportunities to optimize information flows, automate repetitive functions, and modernize your infrastructure. The payoffs include improved business outcomes and a better end user experience.
Best Practices for Sustainable Information Governance
Here’s how some of the most forward-looking companies use technology to build an effective Information Governance program.
Aim for Invisible Information Governance
A governance solution is useless if people don’t, well… use it. So, take advantage of technologies that allow governance to happen “invisibly” behind the scenes. By bypassing end users, your business is in a better position to run a consistent, legally defensible governance program. Examples include:
• Intelligent Classification. Solutions with this capability use a business rules engine to automatically declare a record, populate its metadata, and file it in the right place. Records management can be integrated seamlessly into any workflow. It’s effortless for users and eliminates haphazard, error-prone manual processes.
• Auto-Classification Engines. These solutions use machine learning and analytics to automate content classification at scale. They discover and tag sensitive or compliance-related data (like personally identifiable information, or PII) in TBs of unstructured content—a must for complying with regulations like GDPR or 23 NYCRR 500.
Manage Records Holistically
A strong information governance program requires a unified records management strategy. That means giving records managers the ability to apply standard policies and classification schemes to content stored in disparate applications and locations. A central hub for records management provides maximum flexibility for both the business and IT, with the ability to manage records in place, in a centralized repository, or both.
Build in Extra Controls
Extra security controls are needed to comply with today’s increasingly strict data protection regulations. Look for features that allow the business to limit which content people can see and what they can do with it. These safeguards go well beyond basic access control lists and permissions to include capabilities like:
• Security marks that identify content as having sensitive information (such as PII)
• Security classifications (top secret, secret, etc.) that travel with a file
• Roles that control the actions individuals can take with a file
• Encryption of content in transit and at rest
And while compliance is one thing, demonstrating it is another. Audit logs that detail the complete lifecycle of governed content can help you show compliance with confidence.
Future-Proof Your Solution
Information Governance isn’t a set-it-and-forget-it program. The technologies you implement need to be flexible enough to support new compliance and business demands—because they’re coming. Here are some features that will future-proof your solution:
• Open architecture so that records remain readable and accessible over time
• Connectors to a wide range of systems to support an evolving software environment
• Cloud-ready to enable durable, low-cost storage on a modern platform
• Ability to manage multiple file types, including video, email, and social media
• Ability to handle explosive growth in content
• Certified or aligned to leading industry standards like DoD 5015.02 and ISO 15489
Checklist for New Compliance Requirements
Improved regulatory or legal compliance is the top driver for ECM investment in 2017, according to research by Forrester. Here are a few of the new regulations that have organizations scrambling to upgrade their Information Governance capabilities. Which apply to you?
| ||23 NYCRR Part 500||GDPR||NARA 2019|
|Description||Set of cybersecurity requirements intended to protect customer data and information systems||Set of data protection laws that cover the management, use, and security of personal data||Mandate to manage all permanent records in electronic format|
|Applies to||Financial services firms that operate in New York state||Companies around the world that hold personal data on EU citizens||U.S. federal agencies|
|Enforcement Date||August 28, 2017||May 25, 2018||December 31, 2019|
|What's at Stake||Fines, imprisonment, and possible shut down of an organization’s business in New York state||Fines of up to 4% of annual global revenue in event of a security breach||An opportunity to modernize government operations|
|Good to Know||Sets a new high watermark for compliance with specific requirements and teeth behind it; expected to have a ripple effect in other U.S. states||GDPR applies in the UK even with Brexit; only 23% of companies feel they are fully prepared for 2018 deadline||Technologies used to meet the 2016 mandate for managing email records won’t cut it|