Skip to content

Who’s been sleeping in my bed? Getting RM just right at your organization

April 12, 2010

In my practice, I tend to see two broad approaches to records management (RM) at organizations. In the first, everything is managed as a record—by casting the net as wide as possible, these organizations hope to be able to tightly control all their content and thereby reduce risk. In the second, only a narrowly defined set of information is considered records and managed; the rest is classified as non-records and left essentially to its own devices—by casting the net as narrowly as possible, these organizations admit that tight control over all information is not possible and focus their resources only on the most important corporate information, hoping to thereby increase their chances of succeeding at RM.

While the impetus for adopting each approach makes a certain amount of sense, as viable, long-term corporate strategy, they both fall short. The first is difficult to realize…and far too expensive to support even if realized—all content, regardless of importance or risk, is managed using a very resource-intensive ecosystem of tools and hardware. The second is far easier to realize because a far smaller set of content is in scope for RM (i.e., only a narrowly defined set of corporate records) but exposes the organization to an unacceptable level of litigation risk: because much of the content considered to be non-records is likely discoverable during a lawsuit and because it falls outside the scope of RM at the organization, it will be far more expensive and difficult to discover in a predictable, consistent way.

What I recommend in response to both of these is a tiered approach to RM that falls somewhere in between the two (hence the somewhat tongue-in-cheek title of the post) and allows an organization to manage different kinds of information using different levels of control based on risk and value to the organization. The result is a messier picture of information at the organization, but a far more practical one that can be supported with a greater degree of success.

A good way to begin is to plot out the two flawed approaches against two axes: risk and manageability.

In each figure, as you move from left to right, the content gets easier to manage (store, search, retrieve, retain, dispose, and so on) and as you move from bottom to top, it poses greater risk (litigation, compliance, operational, and so on) to the organization.

These figures clearly illustrate the shortcomings with each approach: the first handles all content as if it posed high risk to the organization (too expensive) and the second ignores a wide range of content that in fact poses significant risk to the organization (too risky).

In part the problem with these approaches comes from the fact that they force all the content at an organization into two categories, records and non-records, when in reality an organization’s content falls into a more nuanced set of categories:

For the purposes of the discussion here, we might define these categories as follows:

  • Declared Records – any memorialized information that has ongoing legal, business, or historical value that an organization intends to retain as evidence of its business operations, e.g. final contracts
  • Likely Discoverable Information – all information, regardless of format, created, maintained, and stored by employees at work or at home if done in furtherance of the employee’s job duties or using an organization’s systems that are likely to become relevant to future litigation, e.g. redline drafts of contracts
  • Other Business-related Information (OBRI) – information that relates to the organization and is created, maintained, or stored on an organization’s systems or its facilities, but is not a Declared Record and thus not subject to retention requirements as defined in the retention plan, e.g. an excel spreadsheet used to track tasks assigned to resources in a department
  • Non-business-related Information (NBRI) – information created, maintained, or stored by an organization’s employees and created or stored on its systems or its facilities, but which is not in furtherance of their job duties, e.g. an email to a coworker confirming the time of a lunch appointment

Given these thumbnail definitions, let’s take a look at the advantages this more nuanced view of organizational content has over the first two approaches.

First, it accounts for more than simply RM requirements. By introducing legal- and business-relevant categories, it allows the organization’s view of its content to better reflect (and perhaps meet) the needs of the whole enterprise.

Second, it allows the organization to categorize its content with greater precision. By providing five categories rather than two, the organization can now zero in on:

  • Non-records that pose significant discovery risk – i.e., that fall into Likely Discoverable Information
  • Non-records that, although they don’t pose significant discovery risk, are nonetheless operationally important – i.e., OBRI that doesn’t fall into Likely Discoverable Information
  • Non-records that can be managed lightly and disposed of with little ceremony – i.e., NBRI that doesn’t fall into Likely Discoverable Information

Third, it allows an organization to manage its content based on a more robust risk model, which includes legal and operational risk considerations in addition to RM ones.

Finally, it allows the organization to design an ECM technology coexistence strategy grounded in the risk profile of different content types. Take a look at the following figure:

By grouping the five content types into four groups we can begin to map appropriate technology solutions to each one with less risk of over- or under-achieving in each case. Doing so might yield something like the following:

  1. Declared Records: store in a managed ECM repository with the ability to systematically manage retention/disposition as well as legal holds; should provide robust full-text search capabilities
  2. Likely Discoverable Information (minus Declared Records): store in a managed ECM repository with the ability to systematically manage legal holds; should provide robust full-text search capabilities
  3. OBRI (minus Likely Discoverable Information): store in a lighter-weight document management system that provides versioning, check in/check out, and robust keyword search capabilities; systematic RM or legal hold capabilities not needed
  4. NBRI (minus Likely Discoverable Information): store in place; aggressive disposition

In practice, of course, the results of this exercise will depend on the organization’s technology portfolio, ECM maturity, corporate culture, industry vertical, and so on. But I think even the over-simplification presented here illustrates how powerfully this approach can transform how an organization manages its content. As always, I’d love to hear from folks who’ve tried any of the approaches here (or others) to structure how they manage content at their organization—let me know what worked and what didn’t, and we can get the conversation going.

from → Consulting Practice, E-discovery, ECM, IT, ITSM, Records Management, Risk Management
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s