Records management by stealth: An Australian practitioner’s view
Records management is, and always has been, a balancing act. On one side is compliance. It is at the very core of why records management exists. On the other side is the end user experience with creating, capturing and using records. These two sides usually pull in different directions. It is very difficult to manage a record if it is not identified and captured, and it is unrealistic to expect end users to be highly skilled record keepers, with hours of their day devoted to keeping records perfectly. Records management as a profession is under increasing pressure to develop approaches and solutions that perfectly balance these competing priorities.
This article will address an approach colloquially known as records management by stealth – otherwise known as compliance by design. Whilst the concept of records management by stealth is relatively straightforward, the execution of it has been patchy. This leads to some important questions:
(1) What exactly is records management by stealth?
(2) Why has execution been patchy?
(3) Why aren’t we seeing more of this? and
(4) Why hasn’t it become the norm in our industry?
To help answer these questions, I will be reviewing the current state of play in an Australian context, examining some solutions and sharing a case study to give practical guidance on ways forward, or at the very least to start the process of rethinking how we go about delivering records management by stealth.
What is records management by stealth?
Records management by stealth delivers compliant records management with minimal interaction from people. Put simply, records management ‘just happens’ without people feeling they are working specifically on records management tasks or being distracted from their actual job.
There are different flavours of records management by stealth: An approach may be system centric, business process centric or people and culture centric.
What drives this is putting the end user experience front and centre. Different approaches achieve this aim: a traditional Electronic Document and Records Management System (EDRMS) may be configured to offer alternative, more user-friendly taxonomies, or other platforms such as O365 and SharePoint may be repurposed to build in records management functionality. Other approaches rely on auto-classification/auto-harvesting of records to a single records management repository – an example of this is the Australian Government’s Digital Records Transformation Program in 2016, which in essence embodies this aim.
As always, there will be the vendor-led approach, much the same as we’ve seen recently in the UK and Europe with the EU General Data Protection Regulation: There will be someone, somewhere who will aim to sell a solution that solves all your problems with the flick of a switch. And, of course, fit for purpose software will always form an integral part of our solution set. We also need to be mindful of our own skill sets to ensure we are personally equipped to cope with these pressures and challenges.
So, whether you are just starting out in planning a records management program or looking to increase the efficacy of an existing one, read on for some options for planning and delivering records management by stealth.
Firstly, we will look at the challenges in our industry and how we as a profession may be part of the problem.
A challenging landscape
The challenges we face today in records management are many. I am sure we have all, at some point in our careers, encountered challenges such as:
- user acceptance of the solutions we provide;
- getting recognition and support for our programs;
- the challenges of managing vast numbers of records contained in legacy systems;
- keeping up with modern ways of working based on people expecting access anytime, anywhere, from any device;
- user reluctance to move away from shared drives or network drives and their hierarchical/folder-centric approach;
- not enough resources to deliver programs and projects;
- comments such as ‘we don’t need EDRM, we have enterprise search’; and
- a dilution of focus on compliance and good records management, replaced by a focus on software solutions as the answer to everything.
What has been the response to these challenges? There are numerous examples of poor record-keeping reported in the media and in government audits and reviews. Over the last few years, public-sector audits and reviews of record-keeping compliance in government show that compliant records management is still patchy.
Records and information governance professionals, along with senior staff and business managers who hold ultimate accountability for records compliance, can do more to address these challenges.
Are records managers part of the problem?
How does your organisation see you and your colleagues and the profession which you represent? Perhaps a difficult question to ask, and with answers that may make us uncomfortable. It is tough to acknowledge that records management teams are not always viewed as providers of a critical service to an organisation. The perception persists that records teams are responsible for paper records only and are to be found in the basement. One of the most unflattering descriptions I have heard of a records management team is ‘Business Prevention Unit’. And perhaps this perception leads to under-resourcing, inadequate job grades and fighting to be a contributor to the right kinds of projects.
Anecdotally, I hear from business managers that the protocols around records management are seen as too restrictive, too costly, too inflexible and not adequate to support modern ways of working.
Figure 1. SharePoint Online to Content Manager integration – functional overview.
Regardless of the truth of these statements, if there is a perception problem, then there is an actual problem. There are strategies we can employ that enable us to provide compliant records programs that are seen as adding value, rather than cost and difficulty, to our business partners within our organisations. Usually these strategies are risk-based rather than prescriptive.
I would like to explore what this might look like:
- Structure the records function to act as a trusted advisor, aligning with businesses and functions within your organisation - Job roles move away from operational, process-bound activity to consultancy and advisory. The records function sets policy, provides tools and guidance, and acts as a second line of defence in the operational risk framework.
- Work with existing records staff to upskill. Build an in-house skills program if needed. Records teams traditionally hold a wealth of corporate knowledge which can be shaped and repurposed.
- Identify and cultivate a team and personal brand - There is a plethora of writings available on the importance of having a personal brand, which can also extend to our teams. Investigate what works for you, and what works for the culture in your organisation.
- Strategic alignments in the workplace - Who in your organisation is seen as an innovator? Or who has the ‘loudest’ voice when it comes to decision-making? There are some obvious areas to align with where we work towards common goals: the compliance, risk, legal, information security and internal audit functions are some examples. How to build a strategic alignment? It can be very beneficial to deliver a tactical solution to this business area, so they can become another champion for your records programme. Work on joint projects. Give a presentation at their team meetings on joint goals. Offer secondments across the teams for cross-skilling.
Now that we have some strategies we can use on our own teams to be better prepared to deliver compliance by design, let us look at solutions.
Some approaches
Let us look at some ways of achieving records management by stealth. To start with, we need a strong foundation layer for managing retention in flexible, perhaps non-traditional ways.
A strong foundation based on risk-based records policy
Managing large volumes of records calls for a risk-based approach that assumes not all records are created equal.
- Identify high value/high risk records (there may be some overlap with vital records). All records need to be managed but not all records are created equal. Low risk/low value records are more suitable for automatic disposal in an EDRMS. Sampling and spot checks are used rather than explicit approvals for each disposal action. This enables us to ensure that resources are focused on high value/high risk records, rather than stretching too thin to cover all records, many of which may be of limited or short-term value.
- Blanket retention assists managing records where record-by-record appraisal is not feasible or not cost-effective - Blanket retention means applying a single disposal class to a large group of records that may technically fit into multiple disposal classes. An analysis is usually required, using a data discovery tool such as HP ControlPoint, that can identify duplicates, redundant and low value records, and help to understand content. From this, if high value records are identified, these should be targeted for management in an EDRMS. For the remainder of records, an appraisal can be made to pick the ‘safest’ disposal class which ensures over-retention is kept to a minimum. Evidence of the analysis and risk assessments used, plus appropriate authorisation, must be retained to ensure defensible disposal.
- Use of rolled up or ‘big bucket’ retention is becoming more widespread - Disposal classes are rolled up into bigger groupings to provide a much smaller number of disposal classes to work with. The Australian Government Administrative Functions Disposal Authority Express (AFDA Express) is a good example of this. In AFDA Express, 1068 retention categories are rolled up to 88. This supports applying retention and disposal in electronic systems and provides a manageable, defensible way to control the ‘big data’ problem from a records disposal perspective.
Once we have a strong, risk-based foundation layer, we can look at solutions.
An overview of solutions
Here is a quick overview of software solutions in the Australian market. This is not intended to be exhaustive and is from my view as a practitioner and a consultant.
EDRMS, also known as Enterprise Content Management (ECM), systems are at the core of the market, but there are some non-traditional approaches emerging. It is interesting to note that in 2017 Gartner redefined ECM as Content Services Platforms. In that year, 19 vendors met the criteria for the new Magic Quadrant for Content Services Platforms (as usual with a fee charged for inclusion).
Traditional EDRMS
In Australia, particularly in the Australian public sector and state governments, there is almost a de facto standard of using Micro Focus Content Manager, which for many years was called TRIM and that name stubbornly sticks. Other traditional or long-standing EDRMS are iManage, IBM Records Manager, IBM FileNet Content Manager, OpenText, Objective and Technology One ECM.
Traditional EDRMS with custom front end/ enhancement
We are increasingly seeing organisations use their EDRMS solution as a platform on which custom interfaces are built. A higher education institution in Sydney, Australia, used their EDRMS as a repository for archival images. A custom Web front end allowed the public to browse tagged photos through a ‘tag cloud’, bringing this rich historical resource to life. Another higher education institution in Sydney uses their EDRMS to drive a custom Web-based workflow solution tackling critical business processes such as handling allegations of misconduct. The EDRMS is the core platform, and the workflow solution is a Web-based layer that provides seamless access to a process. Critical records are captured into the EDRMS as part of this process.
Non-traditional EDRMS
It is no surprise that organisations are looking to leverage their Microsoft enterprise investment to provide a records management solution. Microsoft introduced the Records Centre Template to Microsoft Office SharePoint Server in 2007. It is still the solution for out-of-the-box records management in SharePoint. Other software vendors, such as RecordPoint and AvePoint, have seen an opportunity to provide a different flavour of records management in SharePoint.
Figure 2. How the Content Manager App manages content.
Other non-traditional options
Alfresco launched in 2005 as an open-source document management solution which rapidly evolved to Web content management. Fairly new into the market in Australia is the German ELO Digital Office Document Management System, which has been available in its home country of Germany since 1996.
Emerging technology/compliance engines
This is an interesting space to watch as innovative solutions are brought to market.
Cube was launched by The Content Group in 2011 to address structured and unstructured information in financial services organisations. Cube provides not only a software solution but backs this up with a real-time knowledge base for industry trend analysis across many jurisdictions around the globe. Offering ‘enterprise compliance as a service’, EncompaaS is due to enter the market in the first half of 2019, providing governance over on-premise and cloud-based information, including in-place records management.
Case study
We have looked at different approaches and software solutions in the market, so how are organisations in Australia using these approaches? We will look at one case study in detail. This is a combined case study, where we look at the same solution implemented by two very different organisations. This is written from a consultant’s perspective, helping these organisations design and deliver a solution.
Organisation one
Industry: Infrastructure project/public–private partnership
User base: Approximately 900 staff with large number of external base users on collaboration platforms
Solution: Traditional EDRMS, SharePoint front end, line of business system integration
The State of Victoria, Australia, has embarked on a significant number of infrastructure projects to support a rapidly expanding population. Known as Victoria’s Big Build, there are more than 40 major transport projects under way with a budget of AUS$38 billion. Much of the work is being delivered via a public–private partnership model.
Such a large-scale program of work introduces very complex information management needs. Ultimately this is a government project which is subject to public records legislation, but it also has the additional commercial document management elements of a significant infrastructure project. This case study is on one of the largest projects within Victoria’s Big Build.
Organisation two
Industry: Higher education
User base: Approximately 15,000
Solution: Traditional EDRMS, SharePoint front end and rolled up retention
This University is one of Australia’s oldest tertiary institutions. It has used a traditional EDRMS for close to 20 years and faces the challenge of professional and academic staff increasingly wanting access anywhere, anytime to corporate information. It is subject to legislation and standards as defined by the Public Record Office, Victoria. A solution was devised to use a SharePoint front end to the traditional EDRMS, combined with rolled up retention for easy application of disposal.
Common technology
For both organisations, the key components of the selected solution are Micro Focus Content Manager, integrated with Microsoft SharePoint Online.
Why this approach? Very early on, it was recognized that the only way to address the records legislative requirements and provide a modern platform for staff to work within, was to combine two pieces of software: Content Manager, to provide a robust, compliant records management back end, and SharePoint Online, to deliver secure collaboration spaces available through any mobile device. Integration is provided by an add-on application from Micro Focus called the Content Manager Governance and Compliance SharePoint App.
User interfaces are fairly standard: desktop PC, corporate mobile devices including phones and tablets, plus a wide range of devices through bring-your-own-device.
Stage 1: Readiness assessment
Both organisations started with a readiness assessment, to address two different issues, before proceeding with the integration between Content Manager and SharePoint.
Organisation 1 – Strategic review of information repositories. This organisation already had SharePoint Online for intranet deployed to staff. There were over 30 line of business applications also holding business information. The strategic review identified all information repositories, mapped out the life cycle of records contained within the repositories and determined the end state: that is, would records be managed in place or be transferred to Content Manager.
This piece of work provided a clear roadmap for how and when records would be managed not just across SharePoint, but all line of business applications.
Organisation 2 – SharePoint Information Architecture and review of retention. This organisation was considered a SharePoint ‘greenfield’ site. Microsoft SharePoint Online and Office 365 had been made available to staff, but in a very laissez-faire way – minimal training and support, no overarching information architecture and no standards.
In order to provide a good foundation for integrating Content Manager and SharePoint, a full information architecture for SharePoint was developed, supported by a structured provisioning process through a Service Desk.
The information architecture for SharePoint included:
- site taxonomy – site collections/sites;
- naming standards for sites and libraries;
- base set of parent content types;
- enterprise metadata/term store;
- naming standards for site columns;
- permissions and access controls;
- access controls;
- library configurations;
- web part on pages;
- search; and
- interaction with other O365 content/storage features such as OneDrive.
Stage 2: The integration
The integration is provided by the Content Manager Governance and Compliance App. Figure 1 gives a functional view of how SharePoint Online, Content Manager and the Content Manager App interact.
SharePoint Online. SharePoint Online is the collaboration platform. Here, people will develop and share content, with their teams, across their organisation and with authorised external parties. Access may be from multiple device types, and organisations may introduce two-factor authentication or other security protocols for added security.
Content Manager. Content Manager is the records management compliance engine. This is where the business classification scheme, retention schedules and disposal actions are managed. Each disposal action is authorised, and a small record stub is retained for destroyed records, to support defensible retention.
Content Manager App. The App is loaded into the SharePoint App Catalog and applied to site collections and sites. It provides management over SharePoint content. Content may be actively managed by the App: content is put under management, a metadata stub is created in Content Manager with a URL to the SharePoint item, and the content lives in SharePoint until it is no longer active, at which point it can be archived to Content Manager. While under management, a full audit trail of activity on that content in SharePoint is written to Content Manager for full auditability.
Content may be passively managed by the App – at the end of the content life cycle, such as decommissioning or closing a site, all content can be archived to Content Manager in one process.
The key to managing or archiving content is content mapping.
How content mapping works
Compliance by design is central to content mapping. Essentially, we do not want to interfere with how end users work and structure their information in SharePoint. SharePoint is a collaboration platform. Information will be structured around projects, teams, work product or business processes. This may not align with how information needs to be structured for records retention. So, to bridge this gap, we apply content mapping:
- Metadata: Standard and custom columns in SharePoint are mapped to associated standard and additional fields in Content Manager.
- Content types: SharePoint content types are used to identify different types of documents and apply specific metadata. These are mapped to Content Manager record types, which serve the same purpose within Content Manager.
- Libraries: SharePoint libraries are allocated one or more Content Manager folders to contain content. It is the Content Manager folder that has business classification terms and a retention category applied.
Most of the mapping is driven by policies and rules and does not require manual input.
The trigger for when content is managed and then archived from SharePoint to Content Manager is defined by life cycle management policies. The way we build this mapping is compliance by design.
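The three mapping layers and the life cycle trigger can be modelled in a few lines. The sketch below is an added illustration, not the Content Manager App's code, configuration schema or API: every table, field name, URL, retention code and the 365-day inactivity rule is constructed, and each library is assumed to map to a single folder. It also reports content that no rule covers, since an unmapped library or content type would otherwise sit outside retention unnoticed.

```python
from datetime import date, timedelta

# Hypothetical mapping tables (constructed; not the App's real schema).
COLUMN_MAP = {"Title": "title", "Author": "creator", "ProjectCode": "project_code"}
CONTENT_TYPE_MAP = {"Contract": "CONTRACT", "Meeting Minutes": "MINUTES"}
LIBRARY_MAP = {  # library URL -> Content Manager folder carrying classification + retention
    "https://tenant.example/sites/rail/Contracts": {
        "folder": "CM-F-0001", "classification": "Procurement - Contracts",
        "retention": "RET-CONTRACTS"},
    "https://tenant.example/sites/rail/Governance": {
        "folder": "CM-F-0002", "classification": "Governance - Committees",
        "retention": "RET-GOVERNANCE"},
}
INACTIVE_AFTER = timedelta(days=365)  # assumed life cycle policy: archive after a year idle


class MappingError(ValueError):
    """Raised when an item cannot be placed under management by any rule."""


def build_stub(item, today):
    """Build the metadata stub for one SharePoint item from the mapping rules."""
    library = item["url"].rsplit("/", 1)[0]
    if library not in LIBRARY_MAP:
        raise MappingError("library has no Content Manager folder")
    if item["content_type"] not in CONTENT_TYPE_MAP:
        raise MappingError("content type has no record type")
    folder = LIBRARY_MAP[library]
    inactive = today - item["modified"] >= INACTIVE_AFTER
    return {
        "record_type": CONTENT_TYPE_MAP[item["content_type"]],
        "folder": folder["folder"],
        # Classification and retention come from the folder, never from the user.
        "classification": folder["classification"],
        "retention": folder["retention"],
        "url": item["url"],
        # Only mapped columns cross over; unmapped SharePoint columns are ignored.
        "fields": {cm: item["columns"][sp]
                   for sp, cm in COLUMN_MAP.items() if sp in item["columns"]},
        "action": "archive" if inactive else "manage_in_place",
    }


def map_items(items, today):
    """Return (stubs, unmapped) so gaps in the rules are visible to an administrator."""
    stubs, unmapped = [], []
    for item in items:
        try:
            stubs.append(build_stub(item, today))
        except MappingError as exc:
            unmapped.append((item["url"], str(exc)))
    return stubs, unmapped


# Constructed sample items and reference date.
TODAY = date(2019, 6, 1)
SAMPLE_ITEMS = [
    {"url": "https://tenant.example/sites/rail/Contracts/deed.docx", "content_type": "Contract",
     "modified": date(2018, 1, 10), "columns": {"Title": "Design deed", "ProjectCode": "P-100", "Scratch": "x"}},
    {"url": "https://tenant.example/sites/rail/Governance/minutes-may.docx", "content_type": "Meeting Minutes",
     "modified": date(2019, 5, 1), "columns": {"Title": "May minutes", "Author": "Secretariat"}},
    {"url": "https://tenant.example/sites/rail/Scratch/notes.docx", "content_type": "Document",
     "modified": date(2019, 5, 20), "columns": {"Title": "Notes"}},
]

if __name__ == "__main__":
    stubs, unmapped = map_items(SAMPLE_ITEMS, TODAY)
    for s in stubs:
        print(s["url"], s["record_type"], s["retention"], s["action"])
    print("unmapped:", unmapped)
```
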
Stage 3: Ongoing monitoring
The Content Manager App provides a range of searches to monitor managed content. All managed records have a metadata stub, which is allocated a unique record number.
All sites and libraries are created as records with their URL captured.
At any time, an administrator can identify which sites or libraries are under management and retrieve managed content.
What next for these organisations
Our two case study organisations have taken the important first steps for delivering records management by stealth. The near future will see their solutions bedded down and refined through continual review and improvement.
Records management is frequently seen as a cost to the business where its value is not always apparent. Compliance by design enables us to deliver records management solutions, where records are identified, captured and managed through their life cycle, with minimal end user input. We have looked at a range of approaches within an Australian context. No matter whether you are just starting out building a records management programme, or you have years of experience, hopefully you will find something to help you on your journey.
Nicola Sanderson has been involved in the information management industry for over 20 years, based in Australia and working across the Asia-Pacific region and the UK. Nicola has worked both as a practitioner and consultant and is now Principal Consultant with an information governance consulting firm focusing on Micro Focus Content Manager and Microsoft SharePoint. Email: nicola.sanderson@informotion.com.au. This is an edited version of an article originally published in Business Information Review, a quarterly peer-reviewed academic journal that publishes articles on information and knowledge management.