SharePoint Records Management Revisited
A few years back, I wrote a post about how SharePoint by itself couldn’t do records management (RM) and that, even with any number of add ons available to help it do RM better, large organizations shouldn’t use SharePoint to do so. I wanted to return to the topic and write a sustained reconsideration of how far SharePoint has (or hasn’t) come in the last three years.
But as I sat down to write, I realized that, regardless of whether SharePoint today is better at doing RM, RM itself is becoming almost besides the point at many organizations, let alone whether SharePoint (or any other system) can support it—the real center of managing information to deliver business value is shifting, and fast. But before you all hoist me on my own petard for this assertion, let me explain what I mean.
Records, Schmekerds
Ever since we’ve been in a predominantly electronic world (circa 2000ish), RM has struggled to do its job, i.e., help the organization retain records as long as required by laws, regulations, etc., and then dispose of them. The retaining records part hasn’t been the problem, it’s the disposing of them that RM has struggled with. Most organizations today still keep everything forever, whether or not they have RM in place.
And even over the last three years, as RM professionals have worked to evolve into information governance (IG) professionals, not much has really changed: we’re still keeping everything forever, and the dream of being the savior who unlocks the value of information for the business is no closer to reality than it was when we only managed the boxes in the basement.
This is why, at most organizations I work with, RM is not high on the priority list of enterprise capabilities that are getting support and funding. And so, I hate to break it to you, whether SharePoint can do records or not isn’t something folks care too much about any more—or at least, they shouldn’t. Instead, the most critical question of the moment I see for large firms is, how do I protect my most sensitive corporate data from getting into the wrong hands? Followed almost immediately by, How can I also help the business get value from the information we’re protecting?
Information Security is Information Management
Think about it for a second: the most sensitive data, like personal health information (PHI) and personally identifiable information (PII) also happens to be some of the most valuable information an organization manages. So if you manage PHI/PII in order to protect it, you’re halfway to managing it to deliver value to the organization. And if you manage PHI/PII to protect it and deliver value to the organization in the process, you’re accomplishing everything IG, RM, ECM, document management, and every other buzz word applied to managing unstructured data has been striving for over the last 30 years.
Which is why I’ve been writing about the increasing importance of the Chief Information Security Officer (CISO) to corporate information management. I feel that the CISO is the right person in the current environment to own information management and be successful. Furthermore, at an increasing number of large, heavily regulated organizations, I’m seeing the CISO pick up the information management gauntlet and run with it…very successfully. This is a trend that I think will only pick up speed over the next 18 months.
The Final Word
So what does this all mean for doing RM in SharePoint? Well, if you’re an information management professional and you’re still spending your time worrying about RM in SharePoint (or anywhere else), you should stop. The center of gravity of information management is shifting and you need to shift with it. Managing high risk, high value information is the game these days, both to protect it from the inevitable breach (a matter of when not if) as well as to make it more manageable by end users. Your champions are no longer IT, RM, or legal, but rather the CISO and their stakeholders (typically the rest of the C Suite). And they have enterprise visibility and real budget and support combined with the disinclination of senior executives to (1) appear before government hearings, (2) pay multimillion dollar fines, and (3) go to jail. Compared to this, whether we keep records for the appointed time and then dispose of them seems hardly worth the effort, whether it’s in SharePoint or some other system.
agile ramblings 
Good points. And this is mostly true of organizations—outside of government. Managing records in SharePoint is a hot issue in the US federal government because it is more compliance-driven than the private sector. There is also still tons of paper records in government, so they aren’t even ready for a SharePoint or other electronic system in many cases. Regardless of the organization type, really all information needs to be managed so that you can get the right information to the right people at the right time while mitigating risks. RM should be part of an overall focus on information that includes what you mentioned plus knowledge management and others who have tended to be on their own.
Kevin,
Thanks for expanding the view to include government…I definitely had my private sector blinders on!
And I totally agree that getting the right info to the right people at the right time (and keeping it from the wrong people) is the goal no matter what you call it. My point was just that it seems that information security is the place (in the private sector) that this is going to happen most successfully these days, rather than IT, RM, legal, etc.
Appreciate your jumping in and getting the conversation started!
Cheers,
Joe
Joe – I think what you list in priorities is correct. Disposal is not a priority but one of the processes in Information Lifecycle Management. A company is spending 35M a year to maintain its PB’s and only 20M worth are being used. How does the company justify the 15M of waste to it’s shareholders? If I had a dollar for every IT person who told me of the performance problems because of the amount of data…
The issue is not getting rid of the information but the process of review and approval which I have seen reach comical levels. In many cases, automatic disposal is the way to go and removes the pain and fear many feel in reviewing and approving. It also needs to be part of system design so it launches ready to go. This is actually where moving to the cloud has helped us as neither the provider nor the business group wants to be part of a painful review process.
The records that cannot be automated such as revenue records doesn’t mean a streamlined, simplified process cannot be developed. Using workflow with set players vs. emails works better as no one can cc the email to folks who always panic. There are ways to minimize effort.
Provide information value to the business a key priority? You bet. Protect the data from the bad folks? Sure, although with the number of breaches it doesn’t seem to be that high a priority unless it’s intellectual property. Disposal a priority? Um, no that just takes place.
Randy,
Couldn’t agree more about comical levels of reviews…and all that just to follow an already published policy! If you have a policy that says you dispose of data once it reaches the end of its retention according to the retention schedule, then you shouldn’t be asking business folks if you can dispose of it. Once you check to make sure it’s not on legal hold, away you go.
The problem I see is that compliance types like RM and information governance will write policies and get them approved without doing the requisite organizational change management needed. Too often, they haven’t fostered a dialogue with stakeholders to make sure they understand the change and what it will mean to them or communicated to end users what the change means to and requires from them. This happens for lots of reasons, but I suspect a big one is that the folks trying to get the policy done dread how painful the change management process will be. And they’re right! But without it, you’ll have a policy in place that you struggle to enforce…if you can enforce it at all.
Thanks for jumping in!
Cheers,
Joe
“Managing high risk, high value information is the game these days, both to protect it from the inevitable breach (a matter of when not if) as well as to make it more manageable by end users.” You’ve nailed it Joe.
Thanks, Jolanta! Always glad to hear from you…I hope all is well!
Great article. Having used SharePoint for several years, the strength of the system was not the system itself but the the service providers. If the expectation is for tech systems to drive the business the focus becomes on the automation rather than the owner who determines the governance. The automation may be akin to artificial intelligence. There has to be policy and procedures, which I believe supports the need for a CISO. RM systems like SharePoint should support the business in the same way as document warehouses supported the business. And even then, if there are no destruction dates set for documents in warehouses, where boxes of information stack up year after year only to be rifled through by hand when information is needed, do we understand the need for digital records? One last thought, with the addition of cloud servers and other systems like LMS’s and CMS’s, businesses need to understand these systems are not storage lockers because you have no room in your open office spaces. The value is compliance,