Automating Information Governance

Transcrição

AIIM Market Intelligence
Delivering the priorities and opinions of AIIM’s 80,000 community
Industry
Watch
- assuring compliance
Underwritten in part by:
aiim.org l 301.587.8202
About the Research
Our ability to deliver such high-quality research is partially made possible by our underwriting companies,
without whom we would have to return to a paid subscription model. For that, we hope you will join us in
thanking our underwriters, who are:
CCube Solutions.
13 Diamond Court
Opal Drive, Fox Milne
Milton Keynes MK15 0DU
UK
Tel: 01908 677752
Fax: 01908 679444
Email: [email protected]
Web: www.ccubesolutions.com
Concept Searching, Inc
8300 Greensboro Drive,
Suite 800, McLean, VA 22102
Tel: +1-703-531-8567
Tel Europe: +44-(0)1438-213545
Web: www.conceptsearching.com IBM Corporation
Corporate headquarters:
1 New Orchard Road
Armonk, New York 10504-1722
Tel: +1-855-221-0702
Web: www.ibm.com/ILG
OpenText
275 Frank Tompa Dr,
Waterloo, ON N2L 0A1
Tel: +1-800-499-6544
Web: www.opentext.com/infogov
AvePoint
Harborside Financial Center,
Plaza 10
3 Second Street, 9th Floor
Jersey City, New Jersey 07311
Tel: +1-800-661-6588
Web: www.avepoint.com
ASG Software Solutions
1333 Third Avenue South
Naples, FL USA 34102
Tel: 800-932-5536 (USA Only) Email: [email protected]
Web: www.asg.com
Industry
Rather than redistribute a copy of this report to your colleagues or clients, we would prefer that you direct
them to www.aiim.org/research for a download of their own. Permission is not given for other aggregators to
host this report on their own website.
Watch
As the non-profit association dedicated to nurturing, growing and supporting the information management
community, AIIM is proud to provide this research at no charge. In this way, the entire community can
leverage the education, thought leadership and direction provided by our work. We would like these
research findings to be as widely distributed as possible. Feel free to use individual elements of this
research in presentations and publications with the attribution – “© AIIM 2014, www.aiim.org”
Process Used and Survey Demographics
While we appreciate the support of these sponsors, we also greatly value our objectivity and independence
as a non-profit industry association. The results of the survey and the market commentary made in this
report are independent of any bias from the vendor community.
The survey was taken using a web-based tool by 531 individual members of the AIIM community between
Mar 15, and Apr 08, 2014. Invitations to take the survey were sent via e-mail to a selection of the 80,000
AIIM community members.
Survey demographics can be found in Appendix 2. Graphs throughout the report exclude responses from
organizations with less than 10 employees, and suppliers of ECM products and services, taking the number
of respondents to 487.
©2014 AIIM - The Global Community of Information Professionals
1
About AIIM
Doug Miles is head of the AIIM Market Intelligence Division. He has over 30 years’ experience of working
with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document
management systems for business and engineering applications, and has produced many AIIM survey
reports on issues and drivers for Capture, ECM, Records Management, SharePoint, Mobile, Cloud, Social
Business and Big Data. Doug has also worked closely with other enterprise-level IT systems such as ERP,
BI and CRM. Doug has an MSc in Communications Engineering and is a member of the IET in the UK.
© 2014
AIIM - Find, Control, and Optimize Your Information
1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910
Phone: 301.587.8202
www.aiim.org
Industry
About the Author
Watch
AIIM has been an advocate and supporter of information professionals for 70 years. The association mission
is to ensure that information professionals understand the current and future challenges of managing
information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of
research and member service. Today, AIIM is a global, non-profit organization that provides independent
research, education and certification programs to information professionals. AIIM represents the entire
information management community: practitioners, technology suppliers, integrators and consultants.
2
Table of Contents
Multiple Repositories and Cloud . . . . . . . . . . . 20
Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Introduction
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Key Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Coping with Information Volumes . . . . . . . . . . . . . 4
Maturity of Policies and Systems
Information Governance Policies . . . . . . . . . . . 9
Maturity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
IG Policy Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Audit and Conformance
Audit and Conformance . . . . . . . . . . . . . . . . . . 11
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Issues from Non-Compliance . . . . . . . . . . . . . . . 12
Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . 13
Savings on Storage . . . . . . . . . . . . . . . . . . . . . . . 14
Conclusion and Recommendations
Conclusion and Recommendations . . . . . . . . 23
Recommendations . . . . . . . . . . . . . . . . . . . . . . . 23
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appendix 1 - Survey Demographics
Appendix 1 - Survey Demographics . . . . . . . . 24
Survey Background . . . . . . . . . . . . . . . . . . . . . . . 24
Organizational Size . . . . . . . . . . . . . . . . . . . . . . . 24
Industry Sector . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Job Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Appendix 2 - Selective Comments
Information Governance Policies
Opinions and Spend Intentions . . . . . . . . . . . . 21
Spend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Maturity of Policies and Systems . . . . . . . . . . . 5
Paper v. Electronic . . . . . . . . . . . . . . . . . . . . . . . . . 5
IG/RM Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
RM Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Perception of IG . . . . . . . . . . . . . . . . . . . . . . . . . . 7
IG Risks and Rewards . . . . . . . . . . . . . . . . . . . . . . 7
Opinions and Spend Intentions
Industry
Multiple Repositories and Cloud
About the Research . . . . . . . . . . . . . . . . . . . . . . 1
Process Used and Survey Demographics . . . . . . . 1
About AIIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
About the Author . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Watch
About the Research
Appendix 2 - Selective Comments . . . . . . . . . . 26
ASG Software Solutions . . . . . . . . . . . . . . . . . . . 27
AvePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
CCube solutions . . . . . . . . . . . . . . . . . . . . . . . . . 28
Concept Searching, Inc. . . . . . . . . . . . . . . . . . . . 28
IBM Corporation . . . . . . . . . . . . . . . . . . . . . . . . . 29
OpenText . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
About AIIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Automated Classification
Automated Classification . . . . . . . . . . . . . . . . 14
Automated Agents . . . . . . . . . . . . . . . . . . . . . . . . 15
Automated Records Declaration . . . . . . . . . . . . . 16
Content Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Experiences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Email Archives
Email Archives . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Legal Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3
Introduction
Key Findings
Coping with Information Volumes
n On the whole, organizations are stabilizing the volume of paper records, but electronic records are
“increasing rapidly” in 68% of organizations surveyed. While 32% reported an actual decrease in their
paper records, not one respondent could report a decrease in electronic records.
In this report we take an in-depth look at information governance policies, privacy and records management
issues, policy enforcement, and how well technology can set or correct metadata, detect security risks, and
enforce deletion policies.
We therefore need to work harder to protect live content and preserve content records, but the volume,
velocity and variety of content generation makes it nearly impossible to manually maintain and enforce the
policies we so earnestly set. Computers are more consistent than humans, but you still have to teach them and trust them. We seem to be at an adoption tipping-point for automating real-time compliance processes,
and for machine audit of existing content for metadata accuracy, content security, and de-duplication. Is this
a silver bullet? What are the early adopter experiences?
Industry
However, in the past twelve months, the impact of data leaks and security breaches, most especially the
Edward Snowdon activities, has brought the security and privacy elements of information governance
strongly into play. Metadata has become an issue for front-page news, and heads-of-state discuss
individuals’ rights to data privacy and information deletion. Meanwhile, massive data leaks of personal
information have damaged corporate reputations and hardened already strong views in some jurisdictions.
Watch
What’s in a name? When it first came into vogue a few years ago, “information governance” (IG) was often
considered to be just an updated form of records management (RM), extended to take account of the US
legal discovery rules. If all electronically stored information can be requested prior to a court case, not just
content that has been specifically declared as a record, then work-in-progress, content on laptops and
mobiles, back-ups, and, in particular, email archives, are all discoverable, and need to be “governed”.
n Only 12% of respondents feel confident that they store only what they need to store. 42% are not
confident about what is safe to delete.
n 43% feel that automated classification is the only way to keep up with rapidly increasing information
volumes. 14% are already using it, but a further 35% have immediate plans for adoption.
n Of those already using auto-classification, only 10% have been disappointed with the results. In
particular, classifying scanned documents has performed better than or as well as expected for 83% of
users.
n Improved searchability, higher productivity and defensible compliance are given as the top three benefits
from automated classification.
IG Policies
n The three biggest risks from failure of information governance are excess litigation costs, loss of
intellectual property and damage to reputation. 24% have had a compliance issue around litigation and
discovery in the last 2 years.
n 40% of organizations have recently moved, or plan to move in the next year or so, from a traditional RM
view to a much wider IG view. 33% are still working in classic RM mode, including 18% who are still
taking a mostly paper-records view.
n The three biggest benefits from good information governance are reduction in storage costs, exploiting
and sharing knowledge resources, and faster response to events and inquiries. Users are also becoming
more aware of the need to support big data analytics.
n Getting senior level endorsement and involvement is the biggest issue in creating an IG policy. Then
enforcement once the policy has been agreed.
4
n Only 10% have an IG policy in place that is respected and enforced – 21% have a policy in place but it is
mostly ignored. For 55% the IG policy is a work-in-progress.
n Use of cloud or SaaS systems for RM is up from 5% to 7% in the past year, with those actively planning
up from 11% to 14%. But those saying “unlikely” or “never” is up from 46% to 51%.
Watch
Email and Cloud
n RM policies for email are still very variable. 18% keep everything, 16% delete everything, 22% have no
policy or strategy. 17% move emails to their ECM/RM system or a dedicated archive with RM retention
functions, but only 5% use automation.
Industry
n Of those who have information governance policies, only 19% regularly audit for compliance. 40%
of organizations do not allocate any staff time for IG training, and only 4% specifically update senior
management.
Spending Plans
n On the whole, users are likely to increase spend on all aspects of IG in the next 12 months, in particular
IG training, email archive, search, RM systems and automated tools. Spend on back-file scanning of
paper records is set to increase, but outsourced RM, both paper and electronic, is net-neutral.
The good news on paper records is that the number of organizations reporting a rapid increase has dropped
from 15% to 10% since our survey a year ago1, and that smaller organizations have balanced out, with
the same number reporting increasing volume to those reporting decreasing volume. The bad news is that
bigger organizations seem to have suffered a setback with 48% reporting an increase compared to 31%
reporting a decrease – a gap of 17% compared to a 3% gap last year. There is no obvious explanation for
this.
Paper v. Electronic
Maturity of Policies and Systems
Figure 1: Is the volume of your paper/electronic records?
(N=483)
Decreasing
rapidly, 7%
Increasing
rapidly,
10%
Decreasing
somewhat,
25%
Increasing
somewhat,
32%
Decreasing
somewhat,
0%
Stable, 4%
Decreasing
rapidly, 0%
Increasing
somewhat,
28%
Increasing
rapidly,
68%
Stable,
27%
Paper Records
Electronic Records
When it comes to electronic records, the picture is much clearer: nobody
reporting a decrease, and
We don’tishave
We have
robust,increasing” volumes.informaon and
around 70% of all sizes are reporting
“rapidly
enterprise-wide
informaon
governance
policies, 15%
We have
©2014 AIIM - The Global Community
Information Professionals
establishedofpolicies
in some areas/
departments but
records
management
policies, 7%
We have definite
plans to develop
enterprise - wide
informaon and
records
management
policies, 14%
5
10%
Decreasing
somewhat,
25%
Industry
Watch
Increasing
somewhat, Decreasing
Increasing
28%
somewhat,
IG/RM Policies
somewhat,
Decreasing
0%
Decreasing
Increasing 32%
rapidly, 0%
Before
being
too
specific
about
all-encompassing
information
governance
policies,
it
is useful
to look at
rapidly,
Increasing
rapidly, 7%
Stable, 4%
rapidly,
10% levels of basic records management. Just 15% of respondents
policies in general, and maturity
feel they
Decreasing
have robust, enterprise wide IG policies, albeit rising to 22% for the largest organizations. The68%
rest of the
Stable,
somewhat,
picture
is somewhat patchy. 28% have departmental or geographical
variations, 38% feel they are still some
Increasing
25% 27%
way from maturity, and 21% actually
have
no
policies
in
place
as
yet
although two thirds of those have
somewhat,
Increasing
somewhat,
good intentions.
would seem that
12% of even the largest28%
organizations
have Records
no agreed RM policies.
Paper ItRecords
Electronic
32%
Increasing
Figure 2: How mature are your information governance and records management
policies?
rapidly,
(N=483)
68%
Stable,
We don’t have
We have robust,
27%
informaon and
enterprise-wide
records
management
Paper Records informaon
Electronic Records
governance
policies, 7%
We have definite
policies, 15%
plans to develop
enterprise - wide
informaon and
records
We don’t have
management
We have robust,
informaon and
policies, 14%
enterprise-wide
records
management
informaon
governance
policies, 7%
We have definite
We have policies, 15%
plans to develop
established policies
enterprise - wide
in some areas/
informaon and
departments but
records
management
not others, 26%
We have
policies, 14%
informaon
and
records
management
We have
policies but have
established policies
nothing you could
in some areas/
describe as mature,
departments but
38%
not others, 26%
We have
informaon and
records
RM Systems
management
Supporting these policies, we see an equally wide range of system architectures.
Onlybut23%
policies
havehave what
nothing you
could
we would call the classic EDRMS system, combining content, document and records
management.
27%
describe as mature,
have RM capability in their ECM/DM system but don’t use it – although most (22%) say they are planning
0%
10%
20% 38%
30%
to turn it on in the next 12-18 months. A similar proportion, 25%, have separate systems for active content
management and records management. Often this involves SharePoint as the DM system, with a more
It is incorporated
ECM/DM
system
robust RM system
underlyinginit.our
26%
have no
RM capability.
We have
records
management
capability
in mechanism
our
Figure
3: How
would
you describe
your
for managing electronic records? (N=478)
ECM/DM system but no plans to use it
10%
20%
30%
We plan to add/ turn-on records management 0%
in our ECM system in the next 12-18 months
It is incorporated
in ourforECM/DM
system
We have
separate systems
acve content
management and records management
We have records management capability in our
OurECM/DM
DM system
doesn’t
support
system
but no
plans records
to use it
management
We plan to add/ turn-on records management
in our ECM system in the next 12-18 months
We don’t have an ECM/DM system
We have separate systems for acve content
Our DM system doesn’t support records
management
We don’t have an ECM/DM system
Records
management is
about
©2014 AIIM - The Global Community of mostly
Information
Professionals
paper files in our
organizaon, 18%
We have looked
at things this way
for quite some
me (3+ years),
18%
6
We have records management capability in our
ECM/DM system but no plans to use it
We plan to add/ turn-on records management
Perception
of IG in the next 12-18 months
in our ECM system
Industry
Unfortunately, there are still some organizations that have yet to accept the reality of electronic records, and
continue to live in the paper world – 18% in this survey
Watch
As we noted in the introduction, information governance as a term has burst into popularity in the last few
We have separate systems for acve content
years – at least on the part of the vendors. Although this survey was self-elected against a title that included
the word “information governance”, there is strong evidence that the term – and indeed the practice –
OuraDM
system
has struck
chord
withdoesn’t
users. support
Figure 4records
shows that the number of organizations changing their view from
management of declared recordsmanagement
to management of all electronically stored information has jumped from
18% to 34% in the last 2 years, with a further 24% planning to adjust their view in the next 12-18 months.
We don’t
an ECM/DM
system are more likely to have made the move – perhaps as they are
There is evidence
thathave
smaller
organizations
less likely to have had traditional RM roles.
Figure 4: To what extent would you say the perception of information governance in your
organization has progressed from management of declared records, to management of ALL
electronically stored information for privacy, security and e-discovery? (N=425)
Records
Managers
manage records,
and IT take good
care of the rest,
9%
We have recently
adjusted our view
to align with this,
16%
Records Managers
manage records,
but the rest is not
so well managed,
15%
We have looked
at things this way
for quite some
me (3+ years),
18%
Records
management is
mostly about
paper files in our
organizaon, 18%
We have plans
to adjust
responsibilies in
the next 12-18
months, 24%
40% of organizations have recently changed, or are about to change, from a declared records view of
information management and control to an IG view across all of their stored information.
IG Risks and Rewards
So accepting that the majority of our respondents understand the wider implications of IG, we asked what
they considered to be the three biggest risks associated with IG failures. Excess litigation costs or damages
heads the list, followed by loss of valuable information and then loss of customer confidence – all of which
would be considered major business disasters.
Understandably, loss of intellectual property is of the most concern to smaller businesses, and inability to
respond to information requests is a particular concern of mid-sized organizations.
7
Figure 5: Which of the following do you consider to be the biggest risks to your company from a
failure of information governance? (Max THREE) (N=482)
0%
5% 10% 15% 20% 25% 30% 35% 40% 45%
40%
20%
0%
Faster response to events, accidents, press
acvies, FOI enquiries, etc.
Reduce
storage andand
infrastructure
costs to
More
personalized
accurate service
customers
ExploitSupport
and share
knowledge
resources
for our
potenal
big data/analycs
iniaves
Faster response to events, accidents, press
acvies, FOI enquiries,
etc.
Beer customer/supplier
relaonships
More personalized and accurate service to
Pro-acvely support patents,
ligaon,
customers
healthcare, tax collecon, etc.
Support for potenal big data/analycs
Beer reputaon/improved iniaves
shareholder
value
Watch
Loss of intellectual property or company
confidenal informaon
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
Loss of customer confidence or bad publicity
from data loss
Excess ligaon costs or damages resulng from
Inability to respond to requests
(e.g., Freedom
poor records
keeping of
Informaon)
Loss of intellectual property or company
confidenal informaon
Audit qualificaons due to inadequate records
Loss of customer confidence or bad publicity
Regulator acon from loss/exposure
from data loss of
personally idenfiable informaon
Inability to respond to requests (e.g., Freedom of
Infringement of industry-specific
compliance
Informaon)
regulaons
Audit
qualificaons
due
to
inadequate
Poor outcome of customer/supplierrecords
disputes
due to gaps in communicaons trail
Regulator acon from loss/exposure of
personally idenfiable informaon
Fines resulng from poor records keeping
Infringement of industry-specific compliance
Criminal prosecuon for allowing
personally
regulaons
sensive data to be lost
Poor outcome of customer/supplier disputes
due to gaps in communicaons trail
On the positive side, users see many benefits from good information governance, the most significant of
resulng
from
poor
records keeping
which is toFines
reduce
storage
and
infrastructure
costs – and this is a tangible cost-saving benefit. Next comes
exploitation and sharing of knowledge, followed by faster response to events, accidents, press activities, etc.
20%
40%
60%
Criminal prosecuon for allowing personally 0%
– and in the modern era of sensive
24 hour news
social media comment, this can be vitally important to prevent
data toand
be lost
reputational damage, and, indeed, to saving lives.
Reduce storage and infrastructure costs
Figure 6: Which three of the following do you consider to be the biggest benefits to your company
Exploit and share
knowledge
resources
from our
good
information
governance? (max THREE) (N=478)
Industry
Excess ligaon costs or damages resulng from
poor records keeping
60%
Beer customer/supplier relaonships
Faster and cheaper financial audits
Pro-acvely support patents, ligaon,
healthcare, tax collecon, etc.
Beer reputaon/improved shareholder
value
Faster and cheaper financial audits 0%
10%
20%
30%
40%
50%
Geng senior management endorsement
It is also worthy of note that support for big data initiatives has moved up from 6th last year to 5th place.
Having the right people at the table
anybody
to be interested
©2014 AIIM - The GlobalGeng
Community
of Information
Professionals
0%
Enforcing it once it is completed
10%
20%
30%
40%
50%
8
More personalized and accurate service to
customers
Support for potenal big data/analycs
iniaves
Information Governance Policies
0%
10%
20%
30%
40%
Industry
Figure 7: What have been the three biggest issues with creating an
information governance policy? (N=387)
Watch
Beer customer/supplier
Creating a comprehensive
informationrelaonships
governance policy can be daunting, and the key to success is to
obtain senior management endorsement. However, even with support from the top, other senior managers
Pro-acvely support patents, ligaon,
need to sign-up to takehealthcare,
part. Our tax
users
also identified
enforcement of the policy once in place as a big issue,
collecon,
etc.
which we will return to later.
Beer reputaon/improved shareholder
value
The scope of extending coverage from records
to include all stored content is considered to be an issue,
especially for mid-sized businesses, but identifying the legal requirements does not come high on the list,
Fasterconfusing)
and cheaper
financial
audits
despite changing (and
laws
on data
protection. For smaller organizations, finding time and
resources is obviously difficult, and this heads the list for them.
50%
Geng senior management endorsement
Enforcing it once it is completed
Allocang sufficient me from the day jobs
Extending coverage to all stored content
Translang the policies into system rules
Geng anybody to be interested
Having the right people at the table
Nailing down classificaon and taxonomy
Being over ambious in scope and detail
Trying to cover too many scenarios
Idenfying the legal requirements
Most respondents have had to fight to gain involvement
0% and
5% support
10% from
15% senior
20% management
25% 30% for creating
an IG policy. Enforcing it once complete is a further issue for many.
The RM/IM/Compliance department takes
responsibility
Each line of business or department
manages their own records
Responsibility
IT paper
are mostly
responsible
As we have moved from the
records
era to electronic records, the involvement of IT has increased
steadily. Moving The
on again
to
the
IG
era
where
all stored content needs to be managed for security,
IG Commiee set and supervise
accessibility and lifecycle,
the
involvement
of
IT
is paramount, even if the ultimate responsibility still lies with
policies for all departments
the Records Manager or increasingly the Compliance Officer. However, we can see from Figure 8 that in
The legal
department
takes the
lead
28% of organizations
records
management
responsibility
resides within each line of business or department
– a situation which is unlikely to be conducive to a coordinated, enterprise-wide information governance
There is no formal allocaon of
initiative. Only 10% have a formal IGresponsibilies
committee to oversee activities, policies and systems. In 24% of
organizations, responsibility has not been formally or specifically allocated.
9
Trying to cover too many scenarios
Idenfying the legal requirements
Figure 8: How would you describe allocation of responsibility for information governance and
retention of records in your organization? (N=393)
0%
5%
10%
15%
20%
25%
30%
Industry
The RM/IM/Compliance department takes
responsibility
Watch
Each line of business or department
manages their own records
IT are mostly responsible
The IG Commiee set and supervise
policies for all departments
The legal department takes the lead
There is no formal allocaon of
responsibilies
Despite the publicity that data leaks and privacy breaches have generated over the last year, there is little
evidence that organizations have taken much notice ― in particular their senior managers. Overall, 52%
have undertaken or are undertaking IG projects, but sadly, for a third of those it has been a somewhat
wasted exercise in that the policy is largely unreferenced and unaudited. Only 8% feel that the policy is in
place and is working.
Maturity
Figure 9: Which of the following do you think best describes the way that information governance
policy is regarded in your organization? (N=391)
Nobody takes
much interest, 10%
Senior
management show
lile interest or
investment, 9%
It’s in place, it’s
important and it's
communicated and
enforced, 8%
We have a policy
but it’s largely unreferenced and unaudited, 17%
We have lile in
the way of official
policy, just
accepted pracce,
12%
It’s very variable
across different
departments, 17%
We are working
hard to achieve a
corporate-wide
view, 27%
IG Policy Scope
Best practice for information governance is to ensure that all stored content is addressed by the policy
(content at rest), as well as any content being accessed or transferred between servers, websites, user
0%The10%
20%
30% 40%
60%
70%access, privacy
clients or mobile devices (content in motion).
issues
addressed
should50%
include
secure
protection, back-up, disaster recovery, retention, legal discovery and legal hold.
Informaon retenon
Access/confidenality
Data protecon and PII
Deleon and disposion processes
Legal holds and e-discovery
Informaon in moon – laptops, USBs, etc.
10
important and
Weit's
are working
communicated
hardand
to achieve a
enforced,corporate-wide
8%
view, 27%
much interest, 10%
across different
Senior 17%
departments,
management show
We have a policy
Although most organizations with IG policies
cover
from
Figure
lile interest
or a variety of these requirements, it is obvious
but it’s
largely
un10 that there are many gaps for most.investment, 9%
referenced and unaudited, 17%
Figure 10: Which of the following
elements
We have
lile in are included in your information governance policy?
(Check
all that apply) (N=388)
the way
of official
20%
30%
40%
50%
60%
Informaon retenon
70%
We are working
hard to achieve a
corporate-wide
view, 27%
Access/confidenality
across different
Data protecon
and PII 17%
departments,
Deleon and disposion processes
Industry
10%
Watch
policy, just
accepted pracce, 0%
12%
Legal holds and e-discovery
Content in archive/back up
10%
20%
30%
40%
50%
60%
70%
Laws and regulaons in mulple
jurisdicons
Informaon
retenon
Mobile access andAccess/confidenality
on-device storage
Devices outside of corp. control
& home)
Data(BYOD
protecon
and PII
UseDeleon
of cloud-based
content sharing
and disposion
processes
None of these/We
policy
Legal holdshave
and no
e-discovery
0%
Audit of compliance
Content in archive/back up
Audit and Conformance
Audit of compliance
As we suggested
earlier,
an IGinpolicy
thatjurisdicons
is not referenced and supported is not going to help the business
Laws and
regulaons
mulple
0%
10%
20%
30%
40%
50%
achieve compliance and remain compliant.
Mobile access and on-device storage
Training
All staff,
regularly
Devices outside of corp. control
(BYOD
& home)
One way to ensure that staff are made aware of the importance of information governance in particular and
Useisoftocloud-based
sharing
compliance in general
train
them content
as part hoc
of their post recruitment on-boarding. The only way to keep
All staff,
occasionally/ad
them aware is to trainNone
all staff
as part ofhave
a regular
program.
of these/We
no policy
Newinrecruits
only do not allocate any time to IG training, and only 12%
Unfortunately, 40% of organizations
our survey
regularly train all staff. A tiny 4% hold specific update sessions for senior management.
RM staff only
Figure 11: Do you allocate specific staff training-time to information governance?
Training/updates
for senior
(Tick
those that apply) (N=392)
management
0%
10%
20%
30%
40%
50%
No, we don't allocate training me
All staff, regularly
All staff, occasionally/ad hoc
New recruits only
RM staff only
Very rarely,
Training/updates
for senior
31%
management
Yes, on a
regular basis,
19%
Yes, but
sporadically,
18%
11
RM staff only
Training/updates for senior
management
Audit
Yes, on a
regular basis,
19%
Very rarely,
31%
Yes,
departmentally,
17%
Issues from Non-Compliance
It seems that many organizations are more prepared to accept the consequences of non-compliance with
information governance rules than to implement and mandate improved policies. 52% report that they have
had issues of non-compliance over the last two years. 25% have failed internal audits as part of governance
monitoring, but more seriously, 24% have had external litigation and discovery issues, rising to 31% of the
largest organizations. 17% have had problems with their external auditors. Taking Figure 13 as a whole, this
represents an enormous amount of disruption, cost and potential risk to the business.
Somemes,
when
pressured to
do so, 14%
Yes, but
sporadically,
18%
Watch
Figure 12: Do you audit and measure compliance with policies across the business?
(N=305 with IG policies)
Industry
When it comes to specific auditing of IG policy compliance, only 19% of those with policies run regular
audits across the business. 17% carry out departmental checks. 45% ― nearly half – rarely audit or only
do so under pressure. Not training staff and not auditing performance shows little intent that IG is a serious
consideration for day-to-day operations.
Figure 13: In your organization, has non-compliance created a significant issue with any of the
following in the last 2 years? (Tick all that apply) (N=381)
0%
10%
20%
30%
40%
50%
None of these
Internal audits (regulatory, financial, HR)
Ligaon and discovery
External audits (industry, government)
Freedom of Informaon Requests (FOI)
Regulatory submissions
Customer audits/SLA reviews
Cerficaons (ISO, etc.)
Data Protection
Data protection and privacy rules vary country-by-country and state-by-state, and some are on a roadmap
of change (such as in the EU). Most organizations have a responsibility to protect the information they hold
0%
10%
20%
30%
40%
about their employees, and many hold customer or client data of greater or lesser sensitivity. 18% of our
respondents were honest enough to admit that their organization would probably fail if audited against their
We would probably struggle if audited against
applicable
andprotecon
7% admitted
that they have suffered privacy breaches or data loss. A further 26%
thelegislation,
relevant data
legislaon
We operate to the minimum requirements of
relevant
data protecon
legislaon
©2014 AIIMthe
- The
Global Community
of Information
Professionals
We have to meet stricter requirements than
12
10%
20%
30%
40%
Watch
0%
Industry
0%
10%
20%
30%
40%
50%
None of these
Customer audits/SLA reviews
audits–(regulatory,
financial,
HR) as these are potentially legal offenses. Another 22% feel
felt unableInternal
to comment
perhaps not
surprisingly,
Cerficaons
(ISO,
etc.)
that they are operating at the very minimum of requirements.
Overall, Figure 14 paints a picture suggesting
Ligaon and discovery
that half of organizations are running significant risks.
External audits (industry, government)
Figure 14: Which of the following would you say describe the attitude to privacy protection and data
lossofprevention
your organization?
(Check those that apply) (N=380)
Freedom
InformaoninRequests
(FOI)
Customer
audits/SLA
reviews
We would probably
struggle
if audited
against
the relevant data protecon legislaon
Cerficaons (ISO, etc.)
We operate to the minimum requirements of
most due to the nature of our business
We could be a target for the of personal data
0%
but senior management aren’t too concerned
10%
20%
30%
40%
We could be a target for the of personal data
but senior
management aren’t too concerned
Retention
Policies
WeWe
would
probably
know
we are struggle
a target if
foraudited
the ofagainst
personal
the relevant
data
legislaon
data
butprotecon
have had no
incidences
We operate
to the
minimum
requirements
of
We have
suffered
privacy
breaches and/or
data loss
Unable
comment
most due to the nature
of ourto
business
WhenWe
it comes
to are
compliance
with
data
know we
a target for
the
of retention
personal policies, there is both a legal risk to the business where
undeleted recordsdata
maybut
be have
exposed
at trial,
and a financial penalty for excess storage costs. In Figure 15,
had no
incidences
we have separated out deletion of paper records, emails and other electronic records.
We have suffered privacy breaches and/or
This is obviously an area of concern, as data
84%loss
do not delete emails and electronic records in a formal way
0% not10%
30%that 40%
60%defined
(compared to 45% for paper records, which itself is still
good). 20%
It may be
they do50%
not have
tobe
comment
retention periods, they are notUnable
actually
carrying out destruction when the retention period is up, or they
don’tsuch
haveasdefined
retenon
may wait until other We
factors
storage
space come into play. For paper records (other than those
periods/policies
managed by an electronic system), destruction is normally a manual process, but so, it would seem, is the
deletion of electronic records and email for many. Only 20% have automated email deletion, and just 9%
Mosttothings
never records at the end of their retention period.
have automated systems in place
deleteare
electronic
deleted/destroyed
Figure 15: How rigorously would you say content deletion/destruction isPaper
carried
out in your
records
When IT decide to raonalizeorganization?
storage
(N=384)
Emails
volumes
0%
10% 20% 30% 40%Electronic
50% records
60%
Someme aer the retenon date,
butretenon
not sooner
We don’t have defined
periods/policies
Manual process or confirmaon at end of
retenon period
Most things are never
deleted/destroyed
Fully automated, at end of
retenon period
Paper records
When IT decide to raonalize storage
Emails
volumes
Electronic records
but not sooner
Manual process or confirmaon at end of
retenon period
retenon period
0%
5%
10%
15%
20%
25%
We don’t have them
We have them but they are mostly not
followed
13
Emails
Electronic records
volumes
but not sooner
84% ofManual
organizations
ad hoc processes
process have
or confirmaon
at end ofwhen it comes to deletion of emails or electronic records.
retenon period
Savings on Storage
0%
5%
10%
15%
20%
Industry
Figure 16: To what extent are your data retention policies keeping your storage
requirements in check?) (N=391)
Watch
retenon period
Given the lack of rigor in deletion policies within most organizations, it is hardly surprising that most are
seeing little reduction in storage requirements as a result of data retention policies, although 21% feel they
are seeing a worthwhile reduction and 18% a small difference. For many (23%), it will be many years before
the effects kick-in – a powerful argument for the near 40% doing nothing to get started as soon as possible.
25%
We don’t have them
They make a worthwhile difference
Only making a small difference
We have them but they are mostly not
followed
Haven’t yet kicked-in for most of our
records/content
They are having a significant effect
Automated Classification
There are a number of mechanisms for automated classification. The record may be tagged at the point of
declaration, or there may be a post-process, either during migration to another system or as a batch agent.
Some may work on the existing metadata of a document or email; others will run analytics on the content
to create new metadata. The process may be fully automatic, or the user may be prompted to confirm the
suggested tagging or metadata revision.
14
According to Figure 17, 45% of those responding to our survey perform some form of automated
classification, including 18% at the point of ingestion and 28% as part of the workflow. 15% conduct postprocess metadata cleaning.
Figure 17: Do you do any of the following? (Check all that apply) (N=341)
20%
30%
40%
50%
60%
0%
10%
20%
30%
40%
50%
60%
None of these
Automa
cally classify/declare content at the
point of inges
on to ECM/RM/email system
Automa
cally classify/declare content as
part of workflow/process
None of these
Prompt for records declara
on and
suggest
classifica
on
Automa
cally classify/declare
content
at the
or improvement
Prompt for records declara
on
and
suggest
Process migrated content classifica
on
for metadata
or re-alignment
Use OCRcorrec
on
to auto-classify
inbound
scanned documents
Automated
Agents
Trawl
legacy content for data cleansing
point of inges
on
to to
ECM/RM/email
system
Use OCR
auto-classify inbound
scanned documents
Automa
cally classify/declare
content as
part
of
Trawl legacy contentworkflow/process
for data cleansing
Industry
10%
Watch
0%
Automated or batch agents are quite
popular with 45% using them in one form or other. Many of these
or improvement
applications flow down from a process of correcting misapplied or unapplied metadata, thereby, for example,
Process migrated content for metadata
correcting security settings, and enabling deletions against the retention rules, and of course, improving
correc
on or re-alignment
5% or 10%
15%
20%
searchability. Tagging, detecting duplicate files and0%
encrypting
redacting
are the
most 25%
popular30%
applications.
There are also a number of techniques in use to monitor system health and unusual user activity.
Tag/add metadata based on rules
Figure 18: Do you use any automated agents to perform any of the following functions:
(N=155,
excl.
188 not using batch agents)
Detect
duplicate
files
Encryp
ng or redac
ng content
0%
5%
10%
15%
20%
25%
30%
Tag/add metadata based on rules
Monitor unusual user ac
vity
Detect
files
Flag for dele
on based
onduplicate
applica
on
of
reten
on rules
Encryp
ng
or redac
ng
contentof
Monitor
performance
and resilience
ECM/ERM system
user ac
vity
Detect securityMonitor
risks andunusual
misallocated
access
or confiden
ality
Flag for dele
on based on applica
on of
Pre-migra
on data
selec
on
or
reten
on
rules
metadata mapping
Monitor performance and resilience of
Measure access
frequency
for
ECM/ERM
system
hierarchical storage
Detect security risks and misallocated access
Detect/par
on/delete
trivial or nonor confiden
ality
important content
Pre-migra
on data selec
on or
metadata mapping
Measure access frequency for
hierarchical storage
Detect/par
on/delete trivial or nonimportant content
We have no plans,
24%
We are doing it
successfully across a
number of content
types, 8%
We are doing it
15
We are doing it
successfully across a
number of content
types, 8%
We have no plans,
24%
We’re
justdoing
geng
We are
it
started, 25%
successfully
across
one or two content
types, 6%
It’s something we
plan to do in the
future, 28%
We are keen to
just
automateWe’re
as soon
asgeng
started, 25%
we can, 10%
We have no plans,
24%
We are doing it
successfully
across
We are doing
it
one or
successfully across
a two content
number of contenttypes, 6%
types, 8%
Industry
Detect/par
on/delete
trivial
nonFigure
19: How would you
bestordescribe
your overall plans for automated declaration/
important
content of records? (N=366)
classification
Watch
Flag for dele
on basedoronconfiden
ality
applica
on of
reten
on rules
Pre-migra
on data selec
on or
Monitor performance
and resilience
metadata
mappingof
ECM/ERM system
MeasureDeclaration
access frequency for
Automated
Records
Detect security
risks andhierarchical
misallocated
access
storage
or classification
confiden
ality that leads to, or takes place at, records declaration time,
If we narrow down the automated
trivial
or nonthen we canDetect/par
on/delete
see that
there is a huge
interest
in
Pre-migra
on
data selec
on
or moving as quickly as possible in this direction. Only 14% are
important
content
successfully auto-classifying across
multiple
content types plus 6% across one or two types, but 25% are
metadata
mapping
just getting started and another 10% are keen to get going soon. In total, nearly half of the survey-takers are
Measure access frequency for
moving quickly in the directionhierarchical
of auto-classification.
storage
Content Types
It’s something we
We are keen to
to do in the
automate
soon as
The most popular applicationplan
area
is inbound documents – both scanned
andaselectronic.
This has the
future, 28%
we can,
10%
benefit of automating routing and distribution as part of the digital mailroom
concept,
as well as pre-
allocating the trailer documents that are often just checked for compliance purposes and then archived.
Despite the increasing volume of emails exchanged with customers, automating the response mechanism is
0%
10%
20%
30%
40%
50%
only half-way up the table.
Incoming
scanned
Figure 20: Are you
using
automated declaration/classification for the following
content
Incoming electronic (PDF, Web, etc.) types? (N=112 users)
Office documents 0%
10%
20%
30%
40%
50%
On exit from process
workflow
Incoming
scanned
Email
Incoming electronic (PDF, Web,
etc.)
OfficeSharePoint
documents
Output
documents
to customers
On exit
from process
workflow
Website content
Email
Internal social business
systems
SharePoint
Instanttomessaging
Output documents
customers
Website content
Internal social business systems
Instant messaging
16
Benefits
0%
10%
20%
30%
40%
50%
60%
0%
10%
20%
30%
40%
50%
60%
Industry
Figure 21: What would you expect to be/what have been the two biggest benefits from automated
classification? (Max TWO) (N=355)
Watch
As we will see later in the report, 43% of respondents agree that automated classification is the only way
to keep up with the volume of content that needs to be processed or sorted. However, coping strategies
are seldom funded, so we asked about specific benefits. Searchability, productivity and compliance come
out as the strongest. There is no business value in content that can’t be found; people are being bogged
down trying to tag content manually; and if they get it wrong, or avoid doing it altogether, then they will be in
breach of compliance.
Improved searchability
General staff producvity
Defensible compliance
Storage volume reducon
Staff cooperaon
Big data readiness
Improved searchability
Migraon
General staff producvity
Not sure yet
Defensible compliance
Repository alignment
Repository
alignment
We also asked
the non-users
what is putting them off from using automated classification and declaration.
By far theStorage
biggestvolume
reason
is that nobody is pushing for it. They need a champion. Then, of course, there is
reducon
the fact that they need to sort out their IG policies first or they will have no rules to put into the classification
Staff
cooperaon
engine. Only a few
non-users
questioned how well the process might work from the technical standpoint.
Big data readiness
It’s hard to actually
Accuracy
measure this,
measure this,
5% of representative documents,
Muchclassification
beer
Measuring18%
the accuracyMigraon
of automated
requires the setting up
or
Much beer
than expected,
than
expected,
using a sampling technique
with
human
verification.
It
would
seem
from
Figure
22
that
users
are
more
likely
Not
as
good
Not sure yet
17%
27%
expected,
to put this in place for scanned documents than for electronic as
ones.
Either way, for both types of document,
12%
only
Not as11%
goodfeel that the accuracy of the classification engine is worse than expected, with the accuracy on
as expected,
scanned
documents using OCR being generally much better than expected.
11%
Figure 22: How would you describe the accuracy of automated declaration/ classification that you
About the same
About
same
are achieving
for the
electronic/scanned
documents? (N=125 users)
measure this,
18%
as expected,
54%
measure this,
5%
Much beer
than expected,
Electronic Documents
17%
Not as good
as expected,
11%
0%
About the same
as expected,
54%
Start small and build out with confidence
as expected,
56%
Not as good
as expected,
12%
20%
Seng up the rules is challenging and
me-consuming
Electronic Documents
Much beer
Scanned Documents
than expected,
27%
40%
60%
About the same
as expected,
56%
Scanned Documents
Generally, it works and is well worth
the investment
Needs constant monitoring to
ensure compliance
0%
It takes a huge load off of operaonal staff
20%
40%
60%
17
measure this,
18%
measure this,
5%
Much beer
than expected,
17%
Much beer
than expected,
Not as good
as expected,
When asked about the accuracy and consistency of human beings
versus
machines, there is a general 27%
12%
consensus
that humans are more accurate than machines, but much less consistent and generally too slow,
Not as good
as expected,
although
26% consider machines can be both more accurate and more consistent. On the other hand, 44%
11%
feel that machine prompting for human decision works the best.
is to start with smaller, more achievable projects and build out from there. There seems to be no doubt that
time will need to be invested in setting up the rules, and that even then, consistent monitoring is needed to
Electronic
Documents
Scanned
Documents
ensure compliance
is being
met. On that basis, the consensus is that automated
classification
works and is
a worthwhile investment.
Figure 23: What have been your experiences with automated classification?
(Check any that apply) (N=120 users)
0%
20%
40%
Watch
About the same
About the same
as expected,
as expected,
56%
We asked the users what they had learned
54%from their automated classification projects. The general advice
Industry
Experiences
60%
Start small and build out with confidence
Needs constant monitoring to
ensure compliance
It takes a huge load off of operaonal staff
Generally, it works and is well worth
the investment
Seng up the rules is challenging and
me-consuming
When it gets it wrong it can be very wrong!
It has transformed the completeness and
accuracy of our records
We needed to increase the spread/number of
training documents
90% of those using automated classification are satisfied that the performance is sufficiently accurate,
0% and 5%
15%is important.
20%
25%
although attention needs to be given to the rules setup,
ongoing10%
monitoring
Fixed deleon periods enforced
on mailserver
Automacally selected for archive into
Email Archives
ECM/RM system
In a classic records management or information governance scenario, emails are simply another form
Manually
selected
for archive
of electronic document,
a (small)
proportion
of into
which need to be tagged and declared as records into
ECM/RM
system
the records management system. Unfortunately, even a small proportion of a massive daily volume can
overwhelm a user’s ability
(or enthusiasm)
foremail
tagging. On top of that, there is the potential that excessive
Moved
to a dedicated
numbers of emails will clutter up the
clutter up
the RM system, or overwhelm it with duplicates. Automating
archiving
system
the declaration of emails
into
records
can
be
one
way to overcome this, although while 14% of our
Reliant on email server to create
respondents direct email records to
ECM, only 3% use automation – and this is despite the fact that most
archives/back-ups
inbound emails are already scrutinized by quite intelligent spam and virus filters.
Reliant on archive sengs in email client
For some organizations (13%),(e.g.,
the Outlook
answer Archive)
has been to implement a dedicated archive to handle bulk
emails, where they can be dealt with in a robust, and possibly automated way.
We keep everything
It’s not mandated or policed in any way
18
We needed to increase the spread/number of
training documents
Figure 24: How would you best describe your mechanism for archiving emails? (N=357)
0%
5%
10%
15%
20%
25%
Industry
Fixed deleon periods enforced
on mailserver
Watch
Automacally selected for archive into
ECM/RM system
Manually selected for archive into
ECM/RM system
Moved to a dedicated email
archiving system
Reliant on email server to create
archives/back-ups
Reliant on archive sengs in email client
(e.g., Outlook Archive)
The remaining email strategies in Figure 24 leave much to be desired. 17% keep everything, 16% delete
everything after a fixed period, and 22% have no policy or strategy.
It’s not mandated or policed in any way
We keep everything
For those that do have a dedicated email archive, most could not consider it to be a records management
repository. 30% still do mass deletion, with only 8% using any kind of metadata analysis or rules to justify
their actions, such as recommended by the Capstone guidance for government agencies. Only 8% go
further and analyze the body content of emails for classification purposes.
When it comes to RM functionalities such as retention management, 24% have basic retention and hold
functions for legal discovery, plus 10% who have rules-based automated retentions. More encouragingly,
16% have integrated search, discovery and hold integration with other content systems using manage-inplace scenarios.
Figure 25: What level of RM functionality do you use on your email archive system?
(N=49 users, excl. 15 Don't Know)
0%
5%
10%
15%
20%
25%
30%
35%
Fixed deleon based on elapsed me
Fixed deleon using rules and system
metadata (e.g., as per Capstone)
Classificaon using content analycs of
body content
Basic retenons and holds
Event-triggered deleon
Automated retenons and holds based
on rules
Search/discovery/hold integraon with
other content systems
17% keep all emails, 16% delete after a fixed period, and 22% have no policy or strategy – a total of 55%
who are not providing formal governance of emails.
0%
Triggered by ECM/RM system(s)
20%
40%
60%
19
Fixed deleon using rules and system
Classificaon using content analycs of
body content 0%
Legal Hold
5%
10%
15%
20%
25%
30%
35%
Industry
Automated
and holds based
Figure 26:retenons
What mechanism
do you use to release content from legal hold?
on rules
(N=246, excl. 100 Don't Knows)
20%
40%
60%
other content systems0%
Watch
Basic based
retenons
and holds
As we implied in
the deleon
previous
section,
disconnected
Fixed
on elapsed
me repositories for different content types such as email
create their own problems when it comes to legal discovery processes and the application of holds to
Fixed deleon
using
rules
and
system
Event-triggered
deleon
prevent discoverable
content
being
deleted
as part of the end-of-retention period process. 53% of our
respondentsAutomated
are reliantretenons
on ad hocand
manual
processes
for searching and applying legal hold. 9% are able to
holds
basedof
using
content
analycs
move contentClassificaon
to a dedicated
e-discovery
or rules
litigation system, and as mentioned previously, 16% are able to
on
content
use manage-in-place across multiplebody
repositories.
other
content
systems
Basic
retenons
holds
When it comes to releasing
content
fromand
legal
hold, the picture is even more casual, with 78% reliant on ad
hoc manual processes, which are inevitably error prone, either resulting in content staying on permanent
deleon
hold, or returning content toEvent-triggered
a normal retention
plan when it should be re-categorized.
Triggered by ECM/RM system(s)
20%
40%
60%
Covered off in a legal discovery/ hold
Triggered by ECM/RM
system(s)
management
app
Downby
tocase
individual
users in system
Legal
Triggered
management
Timed prompts to the Legal department for
review and acon 0%
Triggered by case management system
Verbal
requests to
to the
IT orLegal
RM on
compleon
Timed prompts
department
for
of and
ligaon
review
acon
Covered off in a legal discovery/ hold
Ad hoc: no formal
mechanism
management
app
Down to individual users in Legal
Verbal requests to IT or RM on compleon
of ligaon
Multiple Repositories and
Cloud
As we have discussed,Adinformation
governance
needs to be applied across the business, across different
hoc: no formal
mechanism
content types and across different content repositories. If there is no connection between repositories, then
0%
10%
20% or 30%
40%rules
50%
60% each set of
IG will need to be applied to each one, and furthermore,
when laws
regulatory
change,
repository rules will need to be updated. In addition, e-discovery searches will need to be repeated across
Store as much
content
as possible
in a single
each repository,
and hold
processes
applied
in multiple places.
ECM/DM/RM system
Figure 27: What is your strategy for dealing with information governance across multiple
Migrate/declare records
into to a single
repositories?
RM system
0%
10% 20% 30% 40% 50% 60%
Manage content in place across mulple
repositories,
not using
Store as much content
as possible
in aCMIS
single
ECM/DM/RM system
repositories, using CMIS-compable connectors
Migrate/declare records into to a single
RM system
We don't have a strategy as such
repositories, not using CMIS
repositories, using CMIS-compable connectors
We don't have a strategy as such
No, definitely not,
14%
Yes – already do,
7%
20
ECM/DM/RM system
Migrate/declare records into to a single
RM system
From Figure
27,inwe
canacross
see that
in total 30% have a single ECM/RM system as a strategic objective, and
Manage
content
place
mulple
18% are planning
around
manage-in-place,
with about a third adopting CMIS compatible connectors. For
repositories, not using CMIS
the largest organizations, as we can imagine, a single enterprise-wide RM system is more of a challenge,
Manage
in place
and onlycontent
19% feel
they across
shouldmulple
go in this direction, although even in these businesses, 44% don’t actually
repositories,
CMIS-compable
have using
an agreed
strategy. connectors
Industry
On average, our respondents suggest that 25% of their stored content is made up of declared records,
and from a storage point of view, there could be a cost benefit of moving this data to a cloud infrastructure.
However, there are also issues of sensitivity, reliability and long-term storage which might predicate against
putting records in the cloud. Users are somewhat divided on this. Compared to our survey last year1, those
already using the cloud are up from 5% to 7%, and those with active plans are up from 11% to 14%, but the
number generally in favor (as and when the security and reliability mature) is down from 54% to 49%.
Watch
CloudWe don't have a strategy as such
Figure 28: Would you consider adopting a Cloud/SaaS system for your records?
Yes – acvely
considering/
planning it, 14%
No, probably not,
37%
Yes – already do,
7%
No, definitely not,
14%
Yes – but only
when security and
reliability mature,
28%
It is noticeably the smallest organizations that are further ahead here – 29% either doing or planning, with
mid-sized furthest behind – only 3% doing and 10% planning. For the largest organizations, “cloud” is more
likely to mean their own private cloud, and the adoption rate is 8% doing and 18% planning.
Opinions and Spend Intentions
To better understand the how IG is perceived, and the levels of confidence from those designated as datastewards, we presented a number of statements, with the following conclusions:
n Only 14% feel confident that they are only storing content which is needed by the business.
n 42% do not feel confident that they can identify what content is safe to delete.
n 45% say that their strategy for managing increasing content volume is to buy more discs.
n 43% agree that automated classification is the only way to keep up with increasing volumes
(only 17% disagree).
n 31% feel that their board-level managers are not sufficiently conscious of the consequences of
a data loss.
n 51% feel that there organization is underspending on IG compared to the potential risk. Only 16%
feel they have the balance right.
21
Figure 29: How do you feel about the following statements? (N=347)
80% 60% 40% 20% 0% 20% 40% 60% 80%
We feel confident that we can idenfy what is
safe to delete
Our strategy for managing increasing content
volume is to buy more discs
Automated classificaon is the only way to
keep up with the volumes coming at us80% 60% 40% 20% 0% 20% 40% 60% 80%
Watch
Industry
We feel confident that we only store what we
need to store
Our
board-level
arestore
very conscious
We
feel
confidentmanagers
that we only
what we
of the consequences
of to
data
loss
need
store
spend on
informaon
governance
We feelOur
confident
that
we can idenfy
what isis
appropriate
risk
safe to
to the
delete
Strongly agree
Automated classificaon is the only way to
keep up with the volumes coming at us
Spend Our board-level managers are very conscious
the consequences
data
loss
Despite the view thatofmost
organizationsofare
underspending,
there is an across-the-board plan to spend
Our12
spend
on informaon
governance
is area. It is heartening to see IG training at the top of the
more in the next
months
in almost every
product
appropriate
to the to
riskfulfill this need – see Appendix 4).
list (and AIIM has a recently developed
course
-5%
0%
5%
10%
15%
20%
25%
30%
Records management
and
email management
systems show a strong growth, as do search, e-discovery
Informaon
governanceDisagree
training Neither agree nor disagree
Strongly Disagree
Agree
Strongly agree
and automated classification systems. Increased recruitment of RM/IM staff and compliance staff is also
indicated. Email management/Email archive
Enterprise search
Figure 30: How do you think your organization's spending on the following products and
Dedicated ERM system(s)
applications in the next 12 months will compare with what was actually spent in the last 12 months?
Back-file scanning of paper records
(N=335, net more, excl. “Same”)
ERM modules or add-ons
-5%
0%
5%
10%
15%
20%
25%
30%
e-Discovery applicaons or modules
Informaon
governance
training
Automated
classificaon
tools
Agree
Our strategy for managing increasing content
Strongly Disagree
Neither agree nor disagree
volume is toDisagree
buy more discs
Email management/Email
archive
RM/IM
staff
Enterprise
search
Compliance
staff
Dedicated
ERM
system(s)
Social records management
Back-file
scanning of
paper records
SaaS/Cloud
provision
for RM
ERM
modules
or
add-ons
Outsource electronic records
e-Discovery Outsource
applicaonspaper
or modules
records
Automated classificaon tools
RM/IM staff
Compliance staff
Social records management
SaaS/Cloud provision for RM
Outsource electronic records
Outsource paper records
22
Conclusion and Recommendations
n Monitor legal, compliance and audit issues within your own business, and with peers and competitors,
in order to highlight the need to take information governance seriously at the highest levels in your
organization.
Recommendations
Most recognize that it is too much to expect users to be diligent in following policies, especially given rapidly
increasing volumes of content. There is, therefore, a very strong interest in automated tagging, metadata
correction and records classification. Early adopters seem to be having success with the technology,
and there is a general view that this is the only way to demonstrate compliance, reduce litigation risk and
keep some check on the rapidly growing volumes of stored content. A strategy of rules-based metadata
application and back-file correction provides a vehicle for security validation, compliance audit, retention
management, and of course, improved search - and can do so at scale.
Industry
However, we have seen that despite initial good intent in creating information governance policies, many
are somewhat limited in scope, and there is generally very poor follow through with training, audit and
enforcement. This leaves many organizations at risk. Data custodians admit that they are keeping far too
much content that has little value to the business, and yet they struggle to categorize what can be deleted.
Watch
Most organizations have come to the realization over the past few years that without policies and
mechanisms for defensible deletion of content, they will be spending increasing amounts of money on
storage, and also risk holding on to content that it would be safer to delete. Events of the past twelve months
have added a new level of risk whereby the legal requirements to keep safe custody of sensitive data, and
the need to maintain the trust of customers, has brought a huge realization that many more types of content
and information need to be governed, and at all stages in the lifecycle from creation to deletion.
n Create an information governance team including representatives from IT, Records Management,
Compliance, Legal, and Line of Business.
n Draft an information governance policy. Focus initial efforts on areas where the content is the most
sensitive (e.g., HR records, customer records, IP), but also where there is least governance at present
(e.g., email, shared drives, cloud file shares, mobile).
n If you have an ECM or records management system that is no longer front-of-house for content and
records management, revitalize it, switch on RM functions, and ensure it fulfills the need for both internal
and external collaboration.
n As part of this re-engagement of ECM, consider running automated metadata correction, de-duplication,
and retention policy enforcement in order to remove redundant, out-of-date and trivial content, and to
improve search capabilities.
n Investigate day-forward automated classification, particularly for email, process archives and routine
inbound content. Consider how to use automation to simplify user filing accuracy, and in effect, automate
ongoing compliance.
References
1 AIIM Industry Watch, “Information Governance: records, risks and retention in the litigation age”,
March 2013, http://www.aiim.org/Research-and-Publications/Research/Industry-Watch/InfoGov-2013
23
Appendix 1 - Survey Demographics
Survey Background
Survey respondents represent organizations of all sizes. Larger organizations over 5,000 employees
represent 33%, with mid-sized organizations of 500 to 5,000 employees at 39%. Small-to-mid sized
organizations with 10 to 500 employees constitute 28%. Respondents from organizations with less than 10
employees and suppliers of ECM products and services have been eliminated from the results, taking the
total to 487 respondents.
5,001-10,000
emps, 11%
5,001-10,000
emps, 11%
1,001-5,000
emps, 29%
1,001-5,000
emps, 29%
11-100 emps,
12% 101-500
emps, 16%
101-500
emps, 16%
501-1,000
emps, 11%
over 10,000
emps, 22%
11-100 emps,
12%
over 10,000
emps, 22%
Industry
Organizational Size
Watch
531 individual members of the AIIM community took the survey between Mar 15, and Apr 08, 2014, using
a Web-based tool. Invitations to take the survey were sent via email to a selection of the 80,000 AIIM
community members.
501-1,000
emps, 11%
Geography
Asia, Far East,
Australia, NZ,
74% of the participants are based in North 2%
America, with 19%1%from Europe and 7% rest-of-world.
Middle East,
Central/
Africa, S.Africa,
S.America, 1%
4%
Asia, Far East,
Australia, NZ,
1%
2%
E.Middle
Europe,
East,
Russia,S.Africa,
1%
Central/
Africa,
S.America, 1%
4%
E. Europe,
W. Europe,
6%
Russia, 1%
UK, Ireland,
12% 6%
W. Europe,
US, 57%
UK, Ireland,
12%
Canada, 17%
US, 57%
Canada, 17%
Life Science,
Pharmaceucal,
Document
1%
Services Provider,
2%
Life Science,
Non-Profit,
Pharmaceucal,
Document
Charity, 3%
1%
Services
Provider,Professionals
©2014 AIIM - The Global Community
of Information
Retail, Transport, 2%
Real Non-Profit,
Estate, 4%
Media,
Entertainment,
Publishing, 1%
Media,
Other,
1%
Entertainment,
Publishing, 1%Government &
Public Services -
24
US, 57%
Canada, 17%
Industry Sector
Canada, 17%
Local and National Government together make up 26%. Finance and Banking 14%, and Energy 8%.
Other, 1%
Government &
Public Services Local/State,
Government19%
&
Public Services Local/State, 19%
Finance, Banking,
Insurance, 14%
Finance, Banking,
Insurance, 14%
Consultants, 6%
Consultants, 6%
Government &
Public Agencies Naonal/ &
Government
Internaonal,
7%Public Agencies
Naonal/
Internaonal, 7%
Telecoms,
Water,
Healthcare,
5%
Ulies, 6%
Telecoms, Water,
Educaon,
6%
Ulies,
6%
Manufacturing,
Educaon,
6%
Aerospace, Food,
Process, 6%
Manufacturing,
Aerospace, Food,
Process, 6%
Industry
Media,
Entertainment,
Publishing,
Media, 1%
Entertainment,
Publishing,
Other,
1% 1%
Watch
Life Science,
Pharmaceucal,
Document
1%
Services Provider, Life Science,
Pharmaceucal,
2%
Document
1%
Services Provider,
Non-Profit,
Charity, 3% 2%
Non-Profit,
Retail,Charity,
Transport,
3%
Real Estate, 4%
Retail, Transport,
IT &Real
HighEstate,
Tech —4%
not ECM, 4%
IT & High Tech —
not
ECM, 4% &
Engineering
Construcon, 4%
Engineering &
Legal and4%
Construcon,
Professional
Services,
5%
Legal and
Professional
Services, 5%
Healthcare, 5%
Energy, Oil & Gas,
Mining, 8%
Energy, Oil & Gas,
Mining, 8%
Job Roles
27% of respondents are from IT, 55% have a records management or information management role, and
17% are line-of-business managers.
President, CEO,
Managing
Legal/Corporate
Director,CEO,
2%
Other, 3%
President,
Council/Corporate
Managing
Legal/Corporate
Compliance, 3%
Director, 2%
Other,IT3%staff, 12%
Council/Corporate
Compliance, 3%
Business
Consultant, 5%
Business
Consultant, 5%
Line-of-business
execuve,
department
Line-of-business
head
or process
execuve,
department
owner, 4%
head or process
owner, 4%
Head of records/
compliance/
informaon
Head
of records/
management,
compliance/
22%
informaon
management,
22%
IT staff, 12%
Head of IT, 3%
Head of IT, 3%
IT Consultant or
Project Manager,
12%
IT Consultant
or
Project Manager,
12%
Records or
document
management
Records or
staff, 33%
document
management
staff, 33%
25
Appendix 2 - Selective Comments
n Policy without audit, custodial accountability and CONSEQUENCES is like speed limits with no radar...
who cares?
Watch
n There is a big struggle between RM and IT regarding automation of any kind in my organization, and the
lack of a strong IG Framework only makes it worse.
Industry
Do you have any general comments to make about your collaboration projects?
(Selective)
n While some are starting to "get it," I think that most mid- and high-level managers still don't grasp the
importance of good IG. They still see it as "filing" to be left to clerks.
n Automated classification is the way to go but it’s hard to raise the profile.
n Have some experience of automated classification and the problem is the investment in resources to
build and maintain the rule sets / classification schemes.
n As we move to adopting SP2010's records center and using a 3rd party records management tool,
I am excited to see this process work from declaration to destruction and allow the staff to feel more
comfortable and confident in these tools.
n It's always hard to get executive levels to see the big picture.
n Automated classification what/how is still a mystery to us.
26
Industry
ASG Software Solutions connects sophistication and experience with agility and technological efficiency, through its
vendor-agnostic cloud, content and systems solutions. ASG helps companies solve today’s most pressing business
issues, including everything from reducing operating costs and enhancing workforce productivity to ensuring
regulatory compliance. With customers like American Express, Coca-Cola, GE, HSBC, IBM, Lockheed Martin, Merrill
Lynch, Procter & Gamble, Sony, Toyota, Verizon, and Wells Fargo, ASG can proudly say that more than 70 percent
of global Fortune 500 companies trust it to optimize their existing IT investments. Founded in 1986, ASG Software
Solutions is a global company headquartered in Naples, Florida, USA, with more than 1,200 employees. For more
information, visit www.asg.com or find us on Facebook, LinkedIn, Twitter or YouTube.
Watch
ASG Software Solutions
ASG’s world class enterprise content management portfolio includes:
n
n
n
n
ASG-ViewDirect®, the world’s most scalable, full-featured enterprise content retention, storage and archiving
suite, which supports all platforms, databases, storage devices, data formats and volumes of enterprise content in
distributed and mainframe environments.
ASG-Cypress®, a modular document output and customer communication management suite that facilitates
ingesting, composing, formatting, personalizing and distributing content to support physical and electronic
communications.
ASG-Total Content Integrator™, which provides a unified, federated, content aggregation and integration
technology for transparent search, discovery and presentation of electronic documents, records and other content
anywhere in the enterprise.
ASG-Records Manager™, which facilitates the automatic capture, classification and disposition of electronic
transactional records in high-volume environments according to varied information.
www.asg.com
AvePoint
AvePoint is the established leader in enterprise-class big data management, governance, and compliance software
solutions for next-generation social collaboration platforms. Focusing on helping enterprises in their digitization
journey to enable their information workers to collaborate with confidence, AvePoint is first to market with a unique
solution that centralizes access and control of information assets residing in disparate collaboration and document
management systems on-premises and in the cloud. AvePoint solutions and services aim to bring together business,
IT, as well as compliance and risk officers to serve key business objectives such as big data, cloud integration,
compliance, enterprise content management, and mobile data access monitoring.
Founded in 2001 and based out of Jersey City, NJ, AvePoint serves more than 13,000 organizations in five
continents across all industry sectors, with focused practices in the energy and utilities; financial services; healthcare
and pharmaceuticals; and public sector industries. AvePoint is a Depth Managed Microsoft Gold Certified Application
Development Partner and Gold Certified Collaboration and Content Partner, as well as a US Government GSA
provider via strategic partnerships. AvePoint is privately held and backed by Goldman Sachs and Summit Partners.
www.avepoint.com
27
•
•
•
•
Legal Compliance
Invoice Capture and Authorisation
Health Records Management
Local Authority Applications
• Law Enforcement Applications
• Human Resource Management
• Information Web Portals
• Electronic Forms Solutions
• Electronic Records Management
• Collaboration Facilities
We work with companies and organisations across the public and private sectors. Our clients including Hospitals,
local authorities, Law Enforcement Agencies and the private sector. The common theme running through all these
customers is their need for a robust, legislation compliant information management system, which acts as a hub for
vital information which can be accessed and archived at the touch of a button and deliver information to those who
need it, when they need it. As a team of talented programmers, developers and other IT Specialists – our staff have
a wealth of experience and market knowledge.
• Document & Records Management
• Workflow
• Web Portal & Systems Integration
The key to all solutions we provide is integration with the business to ensure that information is delivered on time
and to the right place. We have provided integrated solutions over the last 15 years using the following underlying
technologies:
Industry
CCube Solutions specializes in providing Electronic Document and Content Management & Workflow solutions,
based on the CCube software suite. Systems scale from small departmental applications to large enterprise -wide
solutions and include: the CCube Portal, Electronic Forms, Workflow, Content Searching, and CCube Electronic
Document & Records Management System (EDRMS), offering specialised solutions, including:
Watch
CCube solutions
www.ccubesolutions.com
Concept Searching, Inc.
Concept Searching is the industry leader in advanced semantic metadata generation, auto-classification,
and taxonomy management. Its award winning products employ the only statistical metadata generation and
classification technologies that use compound term processing to generate intelligent metadata from unstructured
and semi-structured data. Compound term processing, or identifying concepts in context, solves a variety of
business challenges and enables enterprise-wide information governance. Using these concept identification
capabilities, organizations can transform content into business assets to improve performance.
Concept Searching’s Smart Content Framework™ for information governance is a combination of best practices
and underlying products that encompass the entire portfolio of unstructured information assets, providing the ability
to develop and deploy a strategic and tactical information governance plan. The framework delivers intelligent
metadata enabled solutions, which enable concept based searching; automatic declaration of documents of record;
real-time identification, and protection of privacy and confidential data; intelligent migration; cost reductions in
eDiscovery, litigation support, and FOIA; content management; granular identification of content for text analytics;
and structure for enterprise social networking applications. The solutions are deployed in diverse industries by both
Fortune 1000 and small companies that need to meet strict compliance, data privacy, and information governance
regulations.
Concept Searching has a Microsoft Gold Application Development competency and is a Business-Critical
SharePoint partner. The Concept Searching Microsoft platforms use a single code base, able to be deployed in
SharePoint 2007, 2010, 2013, and Office 365, providing clients with the choice of on-premise, cloud based, or
hybrid environments. conceptClassifier for Office 365 is currently the only native Office 365 product available that
addresses information government challenges, in the cloud or in hybrid environments.
Concept Searching is headquartered in the US, with offices in the UK, Canada, and South Africa. For more
information about Concept Searching’s solutions and technologies please visit www.conceptsearching.com.
www.conceptsearching.com
28
The risks associated with increasing data volume are particularly challenging for organizations that are unable to
apply sound information lifecycle governance practices toward managing their data.
Watch
IBM Enterprise Content Management solutions deliver content in context to fully harness its potential. These
industry-specific solutions can capture, activate, share, analyze and govern unstructured data to lower costs and risk
while improving efficiency. As the volume of content continues to rise, organizations struggle to use it effectively. IBM
Enterprise Content Management provides a way to discover the content, recognize its value, and then act on it for
better business insight and outcomes.
Industry
IBM Corporation
Providing our customers with the ability to govern their information is a key pillar in IBM’s Enterprise Content
Management business. With IBM’s Information Lifecycle Governance (ILG) solutions, companies can improve their
information economics by lowering information costs and risks while maximizing data value. Only IBM provides
holistic information governance solutions for:
n
Defensible Disposal - Curb storage growth, lower IT and
legal costs, and enhance information economics.
eDiscovery - Strategically manage the eDiscovery process
to reduce legal cost and risk.
n
n
Records and Retention - Identify, classify and manage data
disposal according to retention schedules to reduce volume,
mitigate cost & risk and improve information economics.
Value-based Archiving - Coordinate archiving and storage
of data based on its business value to reduce storage space
and cost.
IBM’s information lifecycle governance solutions help customers manage enterprise information according to its
business value. By approaching information governance as an economic solution to data growth – i.e. information
economics – companies can increase the value of information assets while driving down cost and risk. To learn
more, visit: www.ibm.com/ILG
n
Legacy Data Cleanup - Improve information economics
through identification, classification and remediation of
redundant, obsolete and trivial data.
n
www.ibm.com/ILG
About OpenText
OpenText is the leader in Enterprise Information Management (EIM), providing EIM software that helps companies
of all sizes and industries to manage, secure, and leverage their unstructured business information, either in their
data center or in the cloud. Over 50,000 companies already use OpenText solutions to unleash the power of their
information.
OpenText Enterprise Content Management (ECM) solutions facilitate agile information governance strategies
designed to reduce risk and mitigate the cost of growing volumes of content in the enterprise - freeing organizations
to focus on using information to drive growth and innovation. ECM solutions from OpenText unite capture, document
and records management, workflow, search and archiving as well as applications and add-ons such as email,
eDiscovery, auto-classification, contract management, case management and engineering document management
to accellerate time to information governance while mitigating the risk of growing volumes of content.
ECM is a fundemental practice of managing and extracting value from unstructured enterprise content. OpenText
ECM solutions enable organizations to harness the value of their information and enable the strategic CIO to
transform every line of business and better compete in the new information economy.
To learn more about OpenText please visit: www.opentext.com/infogov.
www.opentext.com
29
Information Governance
Learn a systematic approach to improve
access to information, reduce costs, and
meet legal/regulatory requirements.
The volume, variety, and velocity of organizational information is changing
the game for governance and compliance. Applying a paper paradigm of
policies and processes no longer works -- and it certainly doesn’t scale.
Governance functions must now be automated, and focus as much on
defensible disposition as on retention; as much on data extraction as data
archiving.
The Information Governance course is comprised of 10 modules that may
be purchased individually or as a complete package leading to the AIIM
Practitioner designation that is earned upon successful passing of the
exam. Once purchased, the course module(s), supporting materials, and
exam are accessible online and on demand from AIIM’s training portal for
6 months. Upon occasion, this course is also offered in a live, instructor-led
virtual classroom format.
Our enrollment page at www.aiim.org/training will indicate when/if
such a class has been scheduled.
n Improve how
information is captured,
shared, accessed,
stored, and disposed of
n Reduce storage and
legal costs
n Save time and money
through greater
interoperability
and standardized
components
Your Learning Options
n Design a pragmatic
framework for managing
information assets
AIIM’s Information Governance course is founded on these best practices
to provide you with a systematic approach for managing information assets
and ensuring regulatory compliance. The information is applicable across
all industries and is independent of any particular technology or vendor
solution.
Watch
Course Benefits and Objectives
IT, compliance officers,
legal staff, records
management personnel,
archivists, consultants,
and other information
professionals who are
planning to establish or
improve your information
governance program.
You’ll acquire the
necessary skills to:
Industry
Training Program
This course is ideal
for...
n Ensure legal and
regulatory compliance
AIIM (www.aiim.org) AIIM is the global community of information professionals. We provide the education,
research and certification that information professionals need to manage and share information assets in an
era of mobile, social, cloud and big data.
© 2014
AIIM
1100 Wayne Avenue, Suite 1100
Silver Spring, MD 20910
+1 301.587.8202
www.aiim.org
AIIM Europe
The IT Centre, Lowesmoor Wharf
Worcester, WR1 2RR, UK
+44 (0)1905 727600
www.aiim.eu
30

Automating Information Governance

Transcrição

Documentos relacionados

Roadmaps for a multilateral decentralized Internet Governance

Archive clipping - Graduate School of Business

aiim15 ebook

Slot Online Games Free E Monopoly Um Echtes Geld Spielen

Port Governance in Santos, Brazil: A Qualitative Approach

Apresentação do PowerPoint

Rúben Pereira

Declaration of Compliance with the German Corporate Governance

Promoting peace, security, justice and governance in the post

W orking Papers Series

EMBRACE THE CHAOS

King 3 - Application of King 3 principles for year