Analyst Corner: Guiding Your Organization Through Murky Waters: Defining Your Retention Management Program

ARMA International: Information Management Magazine

Analyst Corner: Guiding Your Organization Through Murky Waters: Defining Your Retention Management Program

In today's economic atmosphere, compliance and e-discovery concerns have prompted enterprises to seek guidance on records and retention management ranging from how to define effective records management policies to best practices for enforcing e-mail retention. As these organizations prioritize, they should understand how to establish the business value of records management, avoid adoption pitfalls, and define and enforce retention policies on a broad range of information.

Brian W. Hill

Recent regulatory requirements and the revisions of the United States Federal Rules of Civil Procedure (FRCP) have shifted historical focus from managing and retaining paper assets to retaining a broad array of electronically stored information (ESI). Yet, unbelievably, the 2007 Cohasset “ARMA AIIM Electronic Records Management Survey” noted that more than a third of organizations still do not include electronic records in their retention schedules. And, from inquiries Forrester receives, it’s clear this remains common practice.

However, the number of standalone deployments continues to increase. According to Forrester’s “Enterprise and SMB Software Survey, North America and Europe, Q3 2007,” 51% of enterprises that implemented some type of enterprise content management (ECM) software upgrade in 2008 would invest in a records management solution.

Since then, Forrester analysts have fielded hundreds of client ECM inquiries, of which more than 20% relate to records and retention management. These inquiries on records and retention management indicate that organizations struggle with defining the business value of and the costs and risks associated with records management. These inquiries also indicate that enterprises contend with defining and enforcing effective information retention policies across a range of information — from e-mail to content managed in collaboration tools like Microsoft SharePoint.

In this confusion, there are a few common topics professionals are asking about in pursuit of establishing the best possible e-discovery and retention management policies within their organizations. And, there are certainly a few key things to keep in mind and put into action.

Records Management Policies for E-Discovery

One common question concerns the amendments to the FRCP that took effect in December 2006. These changes include a focus on electronically stored information and clarify steps during the discovery process, such as organizations’ duty to preserve information that could be classified as relevant. The key is organizations must demonstrate a defensible data collection process. While seemingly vague legal language leaves some of these rules open to interpretation, the FRCP regulations serve as a clear mandate to implement retention policies and procedures — along with technology — to both enforce those policies and audit enforcement.

Although litigations and regulations affect a broad spectrum of enterprises, many organizations, unfortunately, still have an immature understanding of e-discovery and struggle with poor internal communications, ad hoc processes, and disjointed applications. In 2009, Forrester expects that many enterprises will initiate or accelerate their efforts to standardize e-discovery processes and synchronize supporting applications to cut costs.

However, a standard records management or retention policy simply doesn’t exist. Each organization has unique variables that preclude standardization, such as state and local laws and licensing regulations, federal regulations, and how business people and business processes use information. These professionals should ensure that the right team presides over policy definition and enactment and involve IT teams, legal departments, records managers, and business stakeholders in defining retention policies and deployment approaches. While this dialogue may not be easy, as the goals of these groups may be in direct opposition, meeting the most critical needs of each group is vital to successful implementations.

The Business Value of Electronic RecordsManagement

The relative importance of benefits generated by records management implementations varies from one organization to the next. In most cases, records management’s critical value comes from facilitating regulatory compliance and reducing legal risks associated with e-discovery. In addition to mitigating legal risk, records and retention management approaches can also drive down costs and improve operational efficiencies. By expunging content, for example, organizations can capture storage cost savings and improve operational efficiencies for information retrieval and backup and recovery.

Business value depends on how enterprises approach records and retention management. On a scale from
one to four, with one being low value and four being transformational, records management initiatives that focus solely on litigation concerns score, at best, a high two. Plenty of poor records management initiatives exist; and some organizations stumble with insufficient understanding of how business people use information. In the rush to address litigation concerns, some enterprises overlook potential burdens placed on individual end users and fail to realize the true business value of information.

It is important to support a broader range of content types. In e-discovery, most litigation to date has focused on e-mail, loose files, and employee desktops. In 2009, other content types will become increasingly important for e-discovery. To illustrate, in Forrester’s December 2008 “Global Role of Search in E-Discovery Strategy Online Survey,” 18% of respondents reported plans to add voicemail access by e-discovery in 2009. The same survey highlights that structured content in databases and line of business applications (e.g., ERP and CRM) will become increasingly important to e-discovery.

But establishing a strong value for records management requires organizations to look closely at how business stakeholders and business processes work with information. Organizations can establish strong business value by using records management as a tool to help enforce business policies governing what information to keep and for how long, while making sure employees who need the information can easily consume it. For many organizations, noninvasive retention policies that are largely transparent to the broad employee base prove especially effective and promote adoption. Professionals should work closely with business peers when establishing records and retention policies and pay close attention to their business context.

Risks with Electronic Records Management

Organizations that poorly define or enforce information retention face increased legal risk and operational inefficiencies. While records management technologies help with policy enforcement, risks include poor implementation of the technology and an unrealistic level of adoption from business stakeholders.

No substitute exists for experience in reducing records management adoption risk. Successful initiatives don’t thrust records management responsibilities on their business users. Instead they keep records classification simple, often by requiring business users to drag and drop information (i.e., e-mails or documents) into prescribed buckets or by applying other appropriate automation. These buckets, often represented as file system directories or e-mail categories, frequently drive retention management processes. Systems can then channel the information to a business stakeholder or records manager for appropriate classification. This approach helps keep things simple while improving policy enforcement.

E-mail Retention Best Practices

To support operational efficiencies for messaging systems, many organizations place quotas on individual mailboxes, with variations on size limits depending on functional role, rank, and other factors. However, these limits do little to support broader concerns with employee productivity or risk mitigation. Today, many organizations seek to move beyond blanket mailbox size-limit policies to more prescriptive policies based on how people use e-mail.

It is best to avoid scenarios that encourage business stakeholders to save information on their own, outside of the messaging environment and established policies. Personal e-mail archives present legal exposure and complicate e-discovery processes. Enterprises have limited visibility into personal archives, and collecting this data across multiple individual archives is time-consuming and costly. Instead, organizations can use configuration options in message archive solutions to define role- and information-based retention policies that allow business people to simply drag and drop their e-mail into an appropriate bucket for further classification and retention. For example, business stakeholders can place customer correspondence e-mail into a correspondence folder, where an e-mail archive solution can apply the appropriate retention policy to all e-mail, and subfolders, under this one folder.

Use of Microsoft SharePoint’s Records Management

Microsoft SharePoint offers limited records management capabilities that should only apply to content directly managed through SharePoint. Most enterprises do not use or plan to use SharePoint for broader records and retention management needs. SharePoint’s limitations include lack of physical records management and comprehensive file plan support. Microsoft will likely continue to improve records management support but, for now, organizations should look at tying other records management offerings into SharePoint. For example, ECM vendors including EMC, HP, IBM, and Open Text, offer some degree of records management support with Microsoft SharePoint. Organizations can use workflow and other approaches to publish SharePoint managed content into these vendors’ repositories for long-term retention.

Organizations using SharePoint should keep it focused on active and in-process documents and handle records management in one of two ways:

Use workflow to move the asset from SharePoint’s own document libraries to another document/records management environment. Most organizations, especially large enterprises, don’t attempt to build records management within SharePoint. For many, the need to manage both electronic and physical records prompts enterprises to buy a records management technology that already integrates with SharePoint, rather than attempting to build records management within SharePoint itself.
Capture metadata and indexing information in SharePoint’s document library, but manage the document asset in another system. This second model can prove more resource intensive and costly, but enterprises with sensitive intellectual property can use it for content they manage in another system while allowing employees to work with that content through SharePoint.

Records and Retention Management Pays Off

Organizations can dilute the value of records and retention management initiatives with poor implementation and/or a singularly legal focus. As the volume and variety of enterprise content accelerate, the benefits (e.g., risk mitigation, efficient retrieval, and operational efficiencies) that records and retention management solutions can deliver become increasingly important. Information and knowledge management professionals should involve legal, records management, and business stakeholders when identifying requirements and defining retention policies. A well-crafted records and retention management policy with supporting applications can keep enterprises out of legal hot water with defensible processes, while also empowering information workers and enabling operational improvements.

Brian Hill may be contacted at bhill@forrester.com.

From May - June 2009