Automating Information Governance
AIIM Market Intelligence
Delivering the priorities and opinions of AIIM’s 80,000 community

Industry Watch
Automating Information Governance - assuring compliance

aiim.org | 301.587.8202

About the Research

Our ability to deliver such high-quality research is partially made possible by our underwriting companies, without whom we would have to return to a paid subscription model. For that, we hope you will join us in thanking our underwriters, who are:

CCube Solutions
13 Diamond Court, Opal Drive, Fox Milne, Milton Keynes MK15 0DU, UK
Tel: 01908 677752
Fax: 01908 679444
Email: [email protected]
Web: www.ccubesolutions.com

Concept Searching, Inc
8300 Greensboro Drive, Suite 800, McLean, VA 22102
Tel: +1-703-531-8567
Tel Europe: +44-(0)1438-213545
Web: www.conceptsearching.com

IBM Corporation
Corporate headquarters: 1 New Orchard Road, Armonk, New York 10504-1722
Tel: +1-855-221-0702
Web: www.ibm.com/ILG

OpenText
275 Frank Tompa Dr, Waterloo, ON N2L 0A1
Tel: +1-800-499-6544
Email: [email protected]
Web: www.opentext.com/infogov

AvePoint
Harborside Financial Center, Plaza 10, 3 Second Street, 9th Floor, Jersey City, New Jersey 07311
Tel: +1-800-661-6588
Email: [email protected]
Web: www.avepoint.com

ASG Software Solutions
1333 Third Avenue South, Naples, FL USA 34102
Tel: 800-932-5536 (USA Only)
Email: [email protected]
Web: www.asg.com

Rather than redistribute a copy of this report to your colleagues or clients, we would prefer that you direct them to www.aiim.org/research for a download of their own. Permission is not given for other aggregators to host this report on their own website.

As the non-profit association dedicated to nurturing, growing and supporting the information management community, AIIM is proud to provide this research at no charge. In this way, the entire community can leverage the education, thought leadership and direction provided by our work.
We would like these research findings to be as widely distributed as possible. Feel free to use individual elements of this research in presentations and publications with the attribution – “© AIIM 2014, www.aiim.org”

Process Used and Survey Demographics

While we appreciate the support of these sponsors, we also greatly value our objectivity and independence as a non-profit industry association. The results of the survey and the market commentary made in this report are independent of any bias from the vendor community.

The survey was taken using a web-based tool by 531 individual members of the AIIM community between Mar 15 and Apr 08, 2014. Invitations to take the survey were sent via e-mail to a selection of the 80,000 AIIM community members. Survey demographics can be found in Appendix 2. Graphs throughout the report exclude responses from organizations with fewer than 10 employees, and suppliers of ECM products and services, taking the number of respondents to 487.

©2014 AIIM - The Global Community of Information Professionals

About the Author

Doug Miles is head of the AIIM Market Intelligence Division. He has over 30 years’ experience of working with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document management systems for business and engineering applications, and has produced many AIIM survey reports on issues and drivers for Capture, ECM, Records Management, SharePoint, Mobile, Cloud, Social Business and Big Data. Doug has also worked closely with other enterprise-level IT systems such as ERP, BI and CRM. Doug has an MSc in Communications Engineering and is a member of the IET in the UK.
About AIIM

AIIM has been an advocate and supporter of information professionals for 70 years. The association mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants.

© 2014 AIIM - Find, Control, and Optimize Your Information
1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910
Phone: 301.587.8202
www.aiim.org

Table of Contents

About the Research
  Process Used and Survey Demographics
  About AIIM
  About the Author
Introduction
  Key Findings
  Coping with Information Volumes
Maturity of Policies and Systems
  Paper v. Electronic
  IG/RM Policies
  RM Systems
  Perception of IG
  IG Risks and Rewards
Information Governance Policies
  Maturity
  IG Policy Scope
Audit and Conformance
  Training
  Audit
  Issues from Non-Compliance
  Data Protection
  Retention Policies
  Savings on Storage
Automated Classification
  Automated Agents
  Automated Records Declaration
  Content Types
  Benefits
  Accuracy
  Experiences
Email Archives
  Legal Hold
Multiple Repositories and Cloud
  Cloud
Opinions and Spend Intentions
  Spend
Conclusion and Recommendations
  Recommendations
  References
Appendix 1 - Survey Demographics
  Survey Background
  Organizational Size
  Industry Sector
  Job Roles
Appendix 2 - Selective Comments
Underwritten in part by:
  ASG Software Solutions
  AvePoint
  CCube Solutions
  Concept Searching, Inc.
  IBM Corporation
  OpenText
About AIIM

Introduction

What’s in a name? When it first came into vogue a few years ago, “information governance” (IG) was often considered to be just an updated form of records management (RM), extended to take account of the US legal discovery rules. If all electronically stored information can be requested prior to a court case, not just content that has been specifically declared as a record, then work-in-progress, content on laptops and mobiles, back-ups, and, in particular, email archives, are all discoverable, and need to be “governed”.

However, in the past twelve months, the impact of data leaks and security breaches, most especially the Edward Snowden activities, has brought the security and privacy elements of information governance strongly into play. Metadata has become an issue for front-page news, and heads-of-state discuss individuals’ rights to data privacy and information deletion. Meanwhile, massive data leaks of personal information have damaged corporate reputations and hardened already strong views in some jurisdictions.

We therefore need to work harder to protect live content and preserve content records, but the volume, velocity and variety of content generation makes it nearly impossible to manually maintain and enforce the policies we so earnestly set. Computers are more consistent than humans, but you still have to teach them and trust them.

We seem to be at an adoption tipping-point for automating real-time compliance processes, and for machine audit of existing content for metadata accuracy, content security, and de-duplication. Is this a silver bullet? What are the early adopter experiences?

In this report we take an in-depth look at information governance policies, privacy and records management issues, policy enforcement, and how well technology can set or correct metadata, detect security risks, and enforce deletion policies.

Key Findings

Coping with Information Volumes
- On the whole, organizations are stabilizing the volume of paper records, but electronic records are “increasing rapidly” in 68% of organizations surveyed. While 32% reported an actual decrease in their paper records, not one respondent could report a decrease in electronic records.
- Only 12% of respondents feel confident that they store only what they need to store. 42% are not confident about what is safe to delete.
- 43% feel that automated classification is the only way to keep up with rapidly increasing information volumes. 14% are already using it, but a further 35% have immediate plans for adoption.
- Of those already using auto-classification, only 10% have been disappointed with the results. In particular, classifying scanned documents has performed better than or as well as expected for 83% of users.
- Improved searchability, higher productivity and defensible compliance are given as the top three benefits from automated classification.
IG Policies
- The three biggest risks from failure of information governance are excess litigation costs, loss of intellectual property and damage to reputation. 24% have had a compliance issue around litigation and discovery in the last 2 years.
- 40% of organizations have recently moved, or plan to move in the next year or so, from a traditional RM view to a much wider IG view. 33% are still working in classic RM mode, including 18% who are still taking a mostly paper-records view.
- The three biggest benefits from good information governance are reduction in storage costs, exploiting and sharing knowledge resources, and faster response to events and inquiries. Users are also becoming more aware of the need to support big data analytics.
- Getting senior level endorsement and involvement is the biggest issue in creating an IG policy. Then enforcement once the policy has been agreed.
- Only 10% have an IG policy in place that is respected and enforced – 21% have a policy in place but it is mostly ignored. For 55% the IG policy is a work-in-progress.
- Of those who have information governance policies, only 19% regularly audit for compliance. 40% of organizations do not allocate any staff time for IG training, and only 4% specifically update senior management.

Email and Cloud
- RM policies for email are still very variable. 18% keep everything, 16% delete everything, 22% have no policy or strategy. 17% move emails to their ECM/RM system or a dedicated archive with RM retention functions, but only 5% use automation.
- Use of cloud or SaaS systems for RM is up from 5% to 7% in the past year, with those actively planning up from 11% to 14%. But those saying “unlikely” or “never” is up from 46% to 51%.

Spending Plans
- On the whole, users are likely to increase spend on all aspects of IG in the next 12 months, in particular IG training, email archive, search, RM systems and automated tools.
Spend on back-file scanning of paper records is set to increase, but outsourced RM, both paper and electronic, is net-neutral.

Maturity of Policies and Systems

Paper v. Electronic

The good news on paper records is that the number of organizations reporting a rapid increase has dropped from 15% to 10% since our survey a year ago [1], and that smaller organizations have balanced out, with the same number reporting increasing volume to those reporting decreasing volume. The bad news is that bigger organizations seem to have suffered a setback with 48% reporting an increase compared to 31% reporting a decrease – a gap of 17% compared to a 3% gap last year. There is no obvious explanation for this.

Figure 1: Is the volume of your paper/electronic records? (N=483)
[Pie chart, Paper Records: Decreasing rapidly, 7%; Decreasing somewhat, 25%; Stable, 27%; Increasing somewhat, 32%; Increasing rapidly, 10%]
[Pie chart, Electronic Records: Decreasing rapidly, 0%; Decreasing somewhat, 0%; Stable, 4%; Increasing somewhat, 28%; Increasing rapidly, 68%]

When it comes to electronic records, the picture is much clearer: nobody is reporting a decrease, and around 70% of all sizes are reporting “rapidly increasing” volumes.

IG/RM Policies

Before being too specific about all-encompassing information governance policies, it is useful to look at policies in general, and maturity levels of basic records management. Just 15% of respondents feel they have robust, enterprise wide IG policies, albeit rising to 22% for the largest organizations. The rest of the picture is somewhat patchy. 28% have departmental or geographical variations, 38% feel they are still some way from maturity, and 21% actually have no policies in place as yet although two thirds of those have good intentions. It would seem that 12% of even the largest organizations have no agreed RM policies.

Figure 2: How mature are your information governance and records management policies? (N=483)
[Pie chart: We have robust, enterprise-wide information governance policies, 15%; We have established policies in some areas/departments but not others, 26%; We have information and records management policies but have nothing you could describe as mature, 38%; We have definite plans to develop enterprise-wide information and records management policies, 14%; We don’t have information and records management policies, 7%]

RM Systems

Supporting these policies, we see an equally wide range of system architectures. Only 23% have what we would call the classic EDRMS system, combining content, document and records management. 27% have RM capability in their ECM/DM system but don’t use it – although most (22%) say they are planning to turn it on in the next 12-18 months.
A similar proportion, 25%, have separate systems for active content management and records management. Often this involves SharePoint as the DM system, with a more robust RM system underlying it. 26% have no RM capability.

Figure 3: How would you describe your mechanism for managing electronic records? (N=478)
[Bar chart. Response options: It is incorporated in our ECM/DM system; We have records management capability in our ECM/DM system but no plans to use it; We plan to add/turn-on records management in our ECM system in the next 12-18 months; We have separate systems for active content management and records management; Our DM system doesn’t support records management; We don’t have an ECM/DM system]

Perception of IG

As we noted in the introduction, information governance as a term has burst into popularity in the last few years – at least on the part of the vendors. Although this survey was self-elected against a title that included the word “information governance”, there is strong evidence that the term – and indeed the practice – has struck a chord with users. Figure 4 shows that the number of organizations changing their view from management of declared records to management of all electronically stored information has jumped from 18% to 34% in the last 2 years, with a further 24% planning to adjust their view in the next 12-18 months. There is evidence that smaller organizations are more likely to have made the move – perhaps as they are less likely to have had traditional RM roles.

Unfortunately, there are still some organizations that have yet to accept the reality of electronic records, and continue to live in the paper world – 18% in this survey.

Figure 4: To what extent would you say the perception of information governance in your organization has progressed from management of declared records, to management of ALL electronically stored information for privacy, security and e-discovery? (N=425)
[Pie chart: Records management is mostly about paper files in our organization, 18%; Records Managers manage records, but the rest is not so well managed, 15%; Records Managers manage records, and IT take good care of the rest, 9%; We have plans to adjust responsibilities in the next 12-18 months, 24%; We have recently adjusted our view to align with this, 16%; We have looked at things this way for quite some time (3+ years), 18%]

40% of organizations have recently changed, or are about to change, from a declared records view of information management and control to an IG view across all of their stored information.

IG Risks and Rewards

So accepting that the majority of our respondents understand the wider implications of IG, we asked what they considered to be the three biggest risks associated with IG failures.
Excess litigation costs or damages heads the list, followed by loss of valuable information and then loss of customer confidence – all of which would be considered major business disasters. Understandably, loss of intellectual property is of the most concern to smaller businesses, and inability to respond to information requests is a particular concern of mid-sized organizations.

Figure 5: Which of the following do you consider to be the biggest risks to your company from a failure of information governance? (Max THREE) (N=482)
[Bar chart. Response options: Excess litigation costs or damages resulting from poor records keeping; Loss of intellectual property or company confidential information; Loss of customer confidence or bad publicity from data loss; Inability to respond to requests (e.g., Freedom of Information); Audit qualifications due to inadequate records; Regulator action from loss/exposure of personally identifiable information; Infringement of industry-specific compliance regulations; Poor outcome of customer/supplier disputes due to gaps in communications trail; Fines resulting from poor records keeping; Criminal prosecution for allowing personally sensitive data to be lost]

On the positive side, users see many benefits from good information governance, the most significant of which is to reduce storage and infrastructure costs – and this is a tangible cost-saving benefit. Next comes exploitation and sharing of knowledge, followed by faster response to events, accidents, press activities, etc. – and in the modern era of 24 hour news and social media comment, this can be vitally important to prevent reputational damage, and, indeed, to saving lives.

Figure 6: Which three of the following do you consider to be the biggest benefits to your company from our good information governance? (max THREE) (N=478)
[Bar chart. Response options: Reduce storage and infrastructure costs; Exploit and share knowledge resources; Faster response to events, accidents, press activities, FOI enquiries, etc.; More personalized and accurate service to customers; Support for potential big data/analytics initiatives; Better customer/supplier relationships; Pro-actively support patents, litigation, healthcare, tax collection, etc.; Better reputation/improved shareholder value; Faster and cheaper financial audits]

It is also worthy of note that support for big data initiatives has moved up from 6th last year to 5th place.

Information Governance Policies

Creating a comprehensive information governance policy can be daunting, and the key to success is to obtain senior management endorsement. However, even with support from the top, other senior managers need to sign-up to take part. Our users also identified enforcement of the policy once in place as a big issue, which we will return to later.

The scope of extending coverage from records to include all stored content is considered to be an issue, especially for mid-sized businesses, but identifying the legal requirements does not come high on the list, despite changing (and confusing) laws on data protection. For smaller organizations, finding time and resources is obviously difficult, and this heads the list for them.

Figure 7: What have been the three biggest issues with creating an information governance policy? (N=387)
[Bar chart for Figure 7. Response options: Getting senior management endorsement; Enforcing it once it is completed; Allocating sufficient time from the day jobs; Extending coverage to all stored content; Translating the policies into system rules; Getting anybody to be interested; Having the right people at the table; Nailing down classification and taxonomy; Being over ambitious in scope and detail; Trying to cover too many scenarios; Identifying the legal requirements]

Most respondents have had to fight to gain involvement and support from senior management for creating an IG policy. Enforcing it once complete is a further issue for many.

Responsibility

As we have moved from the paper records era to electronic records, the involvement of IT has increased steadily. Moving on again to the IG era where all stored content needs to be managed for security, accessibility and lifecycle, the involvement of IT is paramount, even if the ultimate responsibility still lies with the Records Manager or increasingly the Compliance Officer. However, we can see from Figure 8 that in 28% of organizations records management responsibility resides within each line of business or department – a situation which is unlikely to be conducive to a coordinated, enterprise-wide information governance initiative. Only 10% have a formal IG committee to oversee activities, policies and systems. In 24% of organizations, responsibility has not been formally or specifically allocated.
Figure 8: How would you describe allocation of responsibility for information governance and retention of records in your organization? (N=393)
[Bar chart. Response options: The RM/IM/Compliance department takes responsibility; Each line of business or department manages their own records; IT are mostly responsible; The IG Committee set and supervise policies for all departments; The legal department takes the lead; There is no formal allocation of responsibilities]

Maturity

Despite the publicity that data leaks and privacy breaches have generated over the last year, there is little evidence that organizations have taken much notice – in particular their senior managers. Overall, 52% have undertaken or are undertaking IG projects, but sadly, for a third of those it has been a somewhat wasted exercise in that the policy is largely unreferenced and unaudited. Only 8% feel that the policy is in place and is working.

Figure 9: Which of the following do you think best describes the way that information governance policy is regarded in your organization? (N=391)
[Pie chart: It’s in place, it’s important and it’s communicated and enforced, 8%; We have a policy but it’s largely unreferenced and unaudited, 17%; We are working hard to achieve a corporate-wide view, 27%; It’s very variable across different departments, 17%; We have little in the way of official policy, just accepted practice, 12%; Senior management show little interest or investment, 9%; Nobody takes much interest, 10%]

IG Policy Scope

Best practice for information governance is to ensure that all stored content is addressed by the policy (content at rest), as well as any content being accessed or transferred between servers, websites, user clients or mobile devices (content in motion). The issues addressed should include secure access, privacy protection, back-up, disaster recovery, retention, legal discovery and legal hold.

Although most organizations with IG policies cover a variety of these requirements, it is obvious from Figure 10 that there are many gaps for most.

Figure 10: Which of the following elements are included in your information governance policy? (Check all that apply) (N=388)
[Bar chart. Response options: Information retention; Access/confidentiality; Data protection and PII; Deletion and disposition processes; Legal holds and e-discovery; Information in motion – laptops, USBs, etc.; Content in archive/back up; Audit of compliance; Laws and regulations in multiple jurisdictions; Mobile access and on-device storage; Devices outside of corp. control (BYOD & home); Use of cloud-based content sharing; None of these/We have no policy]

Audit and Conformance

As we suggested earlier, an IG policy that is not referenced and supported is not going to help the business achieve compliance and remain compliant.

Training

One way to ensure that staff are made aware of the importance of information governance in particular and compliance in general is to train them as part of their post recruitment on-boarding. The only way to keep them aware is to train all staff as part of a regular program.

Unfortunately, 40% of organizations in our survey do not allocate any time to IG training, and only 12% regularly train all staff. A tiny 4% hold specific update sessions for senior management.

Figure 11: Do you allocate specific staff training-time to information governance? (Tick those that apply) (N=392)
[Bar chart. Response options: All staff, regularly; All staff, occasionally/ad hoc; New recruits only; RM staff only; Training/updates for senior management; No, we don’t allocate training time]

Audit

When it comes to specific auditing of IG policy compliance, only 19% of those with policies run regular audits across the business. 17% carry out departmental checks. 45% – nearly half – rarely audit or only do so under pressure. Not training staff and not auditing performance shows little intent that IG is a serious consideration for day-to-day operations.

Figure 12: Do you audit and measure compliance with policies across the business? (N=305 with IG policies)
[Pie chart: Yes, on a regular basis, 19%; Yes, departmentally, 17%; Yes, but sporadically, 18%; Sometimes, when pressured to do so, 14%; Very rarely, 31%]

Issues from Non-Compliance

It seems that many organizations are more prepared to accept the consequences of non-compliance with information governance rules than to implement and mandate improved policies. 52% report that they have had issues of non-compliance over the last two years. 25% have failed internal audits as part of governance monitoring, but more seriously, 24% have had external litigation and discovery issues, rising to 31% of the largest organizations. 17% have had problems with their external auditors. Taking Figure 13 as a whole, this represents an enormous amount of disruption, cost and potential risk to the business.

Figure 13: In your organization, has non-compliance created a significant issue with any of the following in the last 2 years? (Tick all that apply) (N=381)
[Bar chart. Response options: None of these; Internal audits (regulatory, financial, HR); Litigation and discovery; External audits (industry, government); Freedom of Information Requests (FOI); Regulatory submissions; Customer audits/SLA reviews; Certifications (ISO, etc.)]

Data Protection

Data protection and privacy rules vary country-by-country and state-by-state, and some are on a roadmap of change (such as in the EU). Most organizations have a responsibility to protect the information they hold about their employees, and many hold customer or client data of greater or lesser sensitivity.
18% of our respondents were honest enough to admit that their organization would probably fail if audited against their applicable legislation, and 7% admitted that they have suffered privacy breaches or data loss. A further 26% felt unable to comment – perhaps not surprisingly, as these are potentially legal offenses. Another 22% feel that they are operating at the very minimum of requirements. Overall, Figure 14 paints a picture suggesting that half of organizations are running significant risks.

Figure 14: Which of the following would you say describe the attitude to privacy protection and data loss prevention in your organization? (Check those that apply) (N=380)
[Bar chart, 0% to 40%. Response options: We would probably struggle if audited against the relevant data protection legislation; We operate to the minimum requirements of the relevant data protection legislation; We have to meet stricter requirements than most due to the nature of our business; We could be a target for theft of personal data but senior management aren’t too concerned; We know we are a target for theft of personal data but have had no incidences; We have suffered privacy breaches and/or data loss; Unable to comment]

Retention Policies

When it comes to compliance with data retention policies, there is both a legal risk to the business where undeleted records may be exposed at trial, and a financial penalty for excess storage costs. In Figure 15, we have separated out deletion of paper records, emails and other electronic records.

This is obviously an area of concern, as 84% do not delete emails and electronic records in a formal way (compared to 45% for paper records, which itself is still not good). It may be that they do not have defined retention periods, they are not actually carrying out destruction when the retention period is up, or they may wait until other factors such as storage space come into play. For paper records (other than those managed by an electronic system), destruction is normally a manual process, but so, it would seem, is the deletion of electronic records and email for many.
Only 20% have automated email deletion, and just 9% have automated systems in place to delete electronic records at the end of their retention period.

Figure 15: How rigorously would you say content deletion/destruction is carried out in your organization? (N=384)
[Bar chart, 0% to 60%, with separate bars for Paper records, Emails and Electronic records. Response options: We don’t have defined retention periods/policies; Most things are never deleted/destroyed; When IT decide to rationalize storage volumes; Sometime after the retention date, but not sooner; Manual process or confirmation at end of retention period; Fully automated, at end of retention period]

84% of organizations have ad hoc processes when it comes to deletion of emails or electronic records.

Savings on Storage

Given the lack of rigor in deletion policies within most organizations, it is hardly surprising that most are seeing little reduction in storage requirements as a result of data retention policies, although 21% feel they are seeing a worthwhile reduction and 18% a small difference. For many (23%), it will be many years before the effects kick-in – a powerful argument for the near 40% doing nothing to get started as soon as possible.

Figure 16: To what extent are your data retention policies keeping your storage requirements in check? (N=391)
[Bar chart, 0% to 25%. Response options: We don’t have them; We have them but they are mostly not followed; Haven’t yet kicked-in for most of our records/content; Only making a small difference; They make a worthwhile difference; They are having a significant effect]

Automated Classification

There are a number of mechanisms for automated classification. The record may be tagged at the point of declaration, or there may be a post-process, either during migration to another system or as a batch agent. Some may work on the existing metadata of a document or email; others will run analytics on the content to create new metadata. The process may be fully automatic, or the user may be prompted to confirm the suggested tagging or metadata revision.

According to Figure 17, 45% of those responding to our survey perform some form of automated classification, including 18% at the point of ingestion and 28% as part of the workflow. 15% conduct post-process metadata cleaning.

Figure 17: Do you do any of the following?
(Check all that apply) (N=341)
[Bar chart, 0% to 60%. Response options: None of these; Automatically classify/declare content at the point of ingestion to ECM/RM/email system; Automatically classify/declare content as part of workflow/process; Prompt for records declaration and suggest classification; Use OCR to auto-classify inbound scanned documents; Trawl legacy content for data cleansing or improvement; Process migrated content for metadata correction or re-alignment]

Automated Agents

Automated or batch agents are quite popular with 45% using them in one form or other. Many of these applications flow down from a process of correcting misapplied or unapplied metadata, thereby, for example, correcting security settings, and enabling deletions against the retention rules, and of course, improving searchability. Tagging, detecting duplicate files and encrypting or redacting are the most popular applications. There are also a number of techniques in use to monitor system health and unusual user activity.

Figure 18: Do you use any automated agents to perform any of the following functions: (N=155, excl.
188 not using batch agents)
[Bar chart, 0% to 30%. Functions: Tag/add metadata based on rules; Detect duplicate files; Encrypting or redacting content; Monitor unusual user activity; Flag for deletion based on application of retention rules; Monitor performance and resilience of ECM/ERM system; Detect security risks and misallocated access or confidentiality; Pre-migration data selection or metadata mapping; Measure access frequency for hierarchical storage; Detect/partition/delete trivial or non-important content]

Automated Records Declaration

If we narrow down the automated classification that leads to, or takes place at, records declaration time, then we can see that there is a huge interest in moving as quickly as possible in this direction. Only 14% are successfully auto-classifying across multiple content types plus 6% across one or two types, but 25% are just getting started and another 10% are keen to get going soon. In total, nearly half of the survey-takers are moving quickly in the direction of auto-classification.

Figure 19: How would you best describe your overall plans for automated declaration/classification of records? (N=366)
[Pie chart: We are doing it successfully across a number of content types, 8%; We are doing it successfully across one or two content types, 6%; We’re just getting started, 25%; We are keen to automate as soon as we can, 10%; It’s something we plan to do in the future, 28%; We have no plans, 24%]

Content Types

The most popular application area is inbound documents – both scanned and electronic. This has the benefit of automating routing and distribution as part of the digital mailroom concept, as well as pre-allocating the trailer documents that are often just checked for compliance purposes and then archived. Despite the increasing volume of emails exchanged with customers, automating the response mechanism is only half-way up the table.

Figure 20: Are you using automated declaration/classification for the following content types? (N=112 users)
[Bar chart, 0% to 50%. Content types: Incoming scanned; Incoming electronic (PDF, Web, etc.); Office documents; On exit from process workflow; Email; SharePoint; Output documents to customers; Website content; Internal social business systems; Instant messaging]

Benefits

As we will see later in the report, 43% of respondents agree that automated classification is the only way to keep up with the volume of content that needs to be processed or sorted. However, coping strategies are seldom funded, so we asked about specific benefits. Searchability, productivity and compliance come out as the strongest. There is no business value in content that can’t be found; people are being bogged down trying to tag content manually; and if they get it wrong, or avoid doing it altogether, then they will be in breach of compliance.

Figure 21: What would you expect to be/what have been the two biggest benefits from automated classification? (Max TWO) (N=355)
[Bar chart, 0% to 60%. Response options: Improved searchability; General staff productivity; Defensible compliance; Repository alignment; Storage volume reduction; Staff cooperation; Big data readiness; Migration; Not sure yet]

We also asked the non-users what is putting them off from using automated classification and declaration. By far the biggest reason is that nobody is pushing for it. They need a champion. Then, of course, there is the fact that they need to sort out their IG policies first or they will have no rules to put into the classification engine. Only a few non-users questioned how well the process might work from the technical standpoint.

Accuracy

Measuring the accuracy of automated classification requires the setting up of representative documents, or using a sampling technique with human verification. It would seem from Figure 22 that users are more likely to put this in place for scanned documents than for electronic ones. Either way, for both types of document, only 11% feel that the accuracy of the classification engine is worse than expected, with the accuracy on scanned documents using OCR being generally much better than expected.

Figure 22: How would you describe the accuracy of automated declaration/classification that you are achieving for the electronic/scanned documents? (N=125 users)
[Two pie charts. Electronic Documents: Much better than expected, 17%; About the same as expected, 54%; Not as good as expected, 11%; It’s hard to actually measure this, 18%. Scanned Documents: Much better than expected, 27%; About the same as expected, 56%; Not as good as expected, 12%; It’s hard to actually measure this, 5%]

When asked about the accuracy and consistency of human beings versus machines, there is a general consensus that humans are more accurate than machines, but much less consistent and generally too slow, although 26% consider machines can be both more accurate and more consistent. On the other hand, 44% feel that machine prompting for human decision works the best.

Experiences

We asked the users what they had learned from their automated classification projects. The general advice is to start with smaller, more achievable projects and build out from there. There seems to be no doubt that time will need to be invested in setting up the rules, and that even then, consistent monitoring is needed to ensure compliance is being met. On that basis, the consensus is that automated classification works and is a worthwhile investment.

Figure 23: What have been your experiences with automated classification? (Check any that apply) (N=120 users)
[Bar chart, 0% to 60%. Response options: Start small and build out with confidence; Setting up the rules is challenging and time-consuming; Generally, it works and is well worth the investment; Needs constant monitoring to ensure compliance; It takes a huge load off of operational staff; When it gets it wrong it can be very wrong!; It has transformed the completeness and accuracy of our records; We needed to increase the spread/number of training documents]

90% of those using automated classification are satisfied that the performance is sufficiently accurate, although attention needs to be given to the rules setup, and ongoing monitoring is important.

Email Archives

In a classic records management or information governance scenario, emails are simply another form of electronic document, a (small) proportion of which need to be tagged and declared as records into the records management system.
Unfortunately, even a small proportion of a massive daily volume can overwhelm a user’s ability (or enthusiasm) for tagging. On top of that, there is the potential that excessive numbers of emails will clutter up the RM system, or overwhelm it with duplicates. Automating the declaration of emails into records can be one way to overcome this, although while 14% of our respondents direct email records to ECM, only 3% use automation – and this is despite the fact that most inbound emails are already scrutinized by quite intelligent spam and virus filters.

For some organizations (13%), the answer has been to implement a dedicated archive to handle bulk emails, where they can be dealt with in a robust, and possibly automated way.

Figure 24: How would you best describe your mechanism for archiving emails? (N=357)
[Bar chart, 0% to 25%. Response options: Fixed deletion periods enforced on mailserver; Automatically selected for archive into ECM/RM system; Manually selected for archive into ECM/RM system; Moved to a dedicated email archiving system; Reliant on email server to create archives/back-ups; Reliant on archive settings in email client (e.g., Outlook Archive); We keep everything; It’s not mandated or policed in any way]

The remaining email strategies in Figure 24 leave much to be desired. 17% keep everything, 16% delete everything after a fixed period, and 22% have no policy or strategy.

For those that do have a dedicated email archive, most could not consider it to be a records management repository.
30% still do mass deletion, with only 8% using any kind of metadata analysis or rules to justify their actions, such as recommended by the Capstone guidance for government agencies. Only 8% go further and analyze the body content of emails for classification purposes.

When it comes to RM functionalities such as retention management, 24% have basic retention and hold functions for legal discovery, plus 10% who have rules-based automated retentions. More encouragingly, 16% have integrated search, discovery and hold integration with other content systems using manage-in-place scenarios.

Figure 25: What level of RM functionality do you use on your email archive system? (N=49 users, excl. 15 Don't Know)
[Bar chart, 0% to 35%. Response options: Fixed deletion based on elapsed time; Fixed deletion using rules and system metadata (e.g., as per Capstone); Classification using content analytics of body content; Basic retentions and holds; Event-triggered deletion; Automated retentions and holds based on rules; Search/discovery/hold integration with other content systems]

17% keep all emails, 16% delete after a fixed period, and 22% have no policy or strategy – a total of 55% who are not providing formal governance of emails.

Legal Hold

As we implied in the previous section, disconnected repositories for different content types such as email create their own problems when it comes to legal discovery processes and the application of holds to prevent discoverable content being deleted as part of the end-of-retention period process. 53% of our respondents are reliant on ad hoc manual processes for searching and applying legal hold. 9% are able to move content to a dedicated e-discovery or litigation system, and as mentioned previously, 16% are able to use manage-in-place across multiple repositories.

When it comes to releasing content from legal hold, the picture is even more casual, with 78% reliant on ad hoc manual processes, which are inevitably error prone, either resulting in content staying on permanent hold, or returning content to a normal retention plan when it should be re-categorized.

Figure 26: What mechanism do you use to release content from legal hold? (N=246, excl. 100 Don't Knows)
[Bar chart, 0% to 60%. Response options: Triggered by ECM/RM system(s); Triggered by case management system; Timed prompts to the Legal department for review and action; Covered off in a legal discovery/hold management app; Down to individual users in Legal; Verbal requests to IT or RM on completion of litigation; Ad hoc: no formal mechanism]

Multiple Repositories and Cloud

As we have discussed, information governance needs to be applied across the business, across different content types and across different content repositories. If there is no connection between repositories, then each set of IG will need to be applied to each one, and furthermore, when laws or regulatory rules change, repository rules will need to be updated. In addition, e-discovery searches will need to be repeated across each repository, and hold processes applied in multiple places.

Figure 27: What is your strategy for dealing with information governance across multiple repositories? (N=308, excl.
37 Don't Knows)
[Bar chart, 0% to 60%. Response options: Store as much content as possible in a single ECM/DM/RM system; Migrate/declare records into a single RM system; Manage content in place across multiple repositories, not using CMIS; Manage content in place across multiple repositories, using CMIS-compatible connectors; We don't have a strategy as such]

From Figure 27, we can see that in total 30% have a single ECM/RM system as a strategic objective, and 18% are planning around manage-in-place, with about a third adopting CMIS compatible connectors. For the largest organizations, as we can imagine, a single enterprise-wide RM system is more of a challenge, and only 19% feel they should go in this direction, although even in these businesses, 44% don’t actually have an agreed strategy.

Cloud

On average, our respondents suggest that 25% of their stored content is made up of declared records, and from a storage point of view, there could be a cost benefit of moving this data to a cloud infrastructure. However, there are also issues of sensitivity, reliability and long-term storage which might predicate against putting records in the cloud. Users are somewhat divided on this. Compared to our survey last year [1], those already using the cloud are up from 5% to 7%, and those with active plans are up from 11% to 14%, but the number generally in favor (as and when the security and reliability mature) is down from 54% to 49%.

Figure 28: Would you consider adopting a Cloud/SaaS system for your records? (N=308, excl. 37 Don't Knows)
[Pie chart: Yes – already do, 7%; Yes – actively considering/planning it, 14%; Yes – but only when security and reliability mature, 28%; No, probably not, 37%; No, definitely not, 14%]

It is noticeably the smallest organizations that are further ahead here – 29% either doing or planning, with mid-sized furthest behind – only 3% doing and 10% planning. For the largest organizations, “cloud” is more likely to mean their own private cloud, and the adoption rate is 8% doing and 18% planning.

Opinions and Spend Intentions

To better understand how IG is perceived, and the levels of confidence from those designated as data stewards, we presented a number of statements, with the following conclusions:

- Only 14% feel confident that they are only storing content which is needed by the business.
- 42% do not feel confident that they can identify what content is safe to delete.
- 45% say that their strategy for managing increasing content volume is to buy more discs.
- 43% agree that automated classification is the only way to keep up with increasing volumes (only 17% disagree).
- 31% feel that their board-level managers are not sufficiently conscious of the consequences of a data loss.
- 51% feel that their organization is underspending on IG compared to the potential risk. Only 16% feel they have the balance right.

Figure 29: How do you feel about the following statements?
(N=347)
[Stacked bar chart, axis running 80% to 0% to 80%. Scale: Strongly agree; Agree; Neither agree nor disagree; Disagree; Strongly Disagree. Statements: We feel confident that we only store what we need to store; We feel confident that we can identify what is safe to delete; Our strategy for managing increasing content volume is to buy more discs; Automated classification is the only way to keep up with the volumes coming at us; Our board-level managers are very conscious of the consequences of data loss; Our spend on information governance is appropriate to the risk]

Spend

Despite the view that most organizations are underspending, there is an across-the-board plan to spend more in the next 12 months in almost every product area. It is heartening to see IG training at the top of the list (and AIIM has a recently developed course to fulfill this need – see Appendix 4). Records management and email management systems show a strong growth, as do search, e-discovery and automated classification systems. Increased recruitment of RM/IM staff and compliance staff is also indicated.

Figure 30: How do you think your organization's spending on the following products and applications in the next 12 months will compare with what was actually spent in the last 12 months? (N=335, net more, excl.
“Same”) ERM modules or add-ons -5% 0% 5% 10% 15% 20% 25% 30% e-Discovery applicaons or modules Informaon governance training Automated classificaon tools Automating Information Governance Agree - assuring compliance Our strategy for managing increasing content Strongly Disagree Neither agree nor disagree volume is toDisagree buy more discs Email management/Email archive RM/IM staff Enterprise search Compliance staff Dedicated ERM system(s) Social records management Back-file scanning of paper records SaaS/Cloud provision for RM ERM modules or add-ons Outsource electronic records e-Discovery Outsource applicaonspaper or modules records Automated classificaon tools RM/IM staff Compliance staff Social records management SaaS/Cloud provision for RM Outsource electronic records Outsource paper records ©2014 AIIM - The Global Community of Information Professionals 22 Conclusion and Recommendations n Monitor legal, compliance and audit issues within your own business, and with peers and competitors, in order to highlight the need to take information governance seriously at the highest levels in your organization. Automating Information Governance Recommendations - assuring compliance Most recognize that it is too much to expect users to be diligent in following policies, especially given rapidly increasing volumes of content. There is, therefore, a very strong interest in automated tagging, metadata correction and records classification. Early adopters seem to be having success with the technology, and there is a general view that this is the only way to demonstrate compliance, reduce litigation risk and keep some check on the rapidly growing volumes of stored content. A strategy of rules-based metadata application and back-file correction provides a vehicle for security validation, compliance audit, retention management, and of course, improved search - and can do so at scale. 
Industry However, we have seen that despite initial good intent in creating information governance policies, many are somewhat limited in scope, and there is generally very poor follow through with training, audit and enforcement. This leaves many organizations at risk. Data custodians admit that they are keeping far too much content that has little value to the business, and yet they struggle to categorize what can be deleted. Watch Most organizations have come to the realization over the past few years that without policies and mechanisms for defensible deletion of content, they will be spending increasing amounts of money on storage, and also risk holding on to content that it would be safer to delete. Events of the past twelve months have added a new level of risk whereby the legal requirements to keep safe custody of sensitive data, and the need to maintain the trust of customers, has brought a huge realization that many more types of content and information need to be governed, and at all stages in the lifecycle from creation to deletion. n Create an information governance team including representatives from IT, Records Management, Compliance, Legal, and Line of Business. n Draft an information governance policy. Focus initial efforts on areas where the content is the most sensitive (e.g., HR records, customer records, IP), but also where there is least governance at present (e.g., email, shared drives, cloud file shares, mobile). n If you have an ECM or records management system that is no longer front-of-house for content and records management, revitalize it, switch on RM functions, and ensure it fulfills the need for both internal and external collaboration. n As part of this re-engagement of ECM, consider running automated metadata correction, de-duplication, and retention policy enforcement in order to remove redundant, out-of-date and trivial content, and to improve search capabilities. 
• Investigate day-forward automated classification, particularly for email, process archives and routine inbound content. Consider how to use automation to simplify user filing accuracy, and in effect, automate ongoing compliance.

References

1 AIIM Industry Watch, “Information Governance: records, risks and retention in the litigation age”, March 2013, http://www.aiim.org/Research-and-Publications/Research/Industry-Watch/InfoGov-2013

Appendix 1 - Survey Demographics

Survey Background

531 individual members of the AIIM community took the survey between Mar 15 and Apr 08, 2014, using a Web-based tool. Invitations to take the survey were sent via email to a selection of the 80,000 AIIM community members.

Organizational Size

Survey respondents represent organizations of all sizes. Larger organizations over 5,000 employees represent 33%, with mid-sized organizations of 500 to 5,000 employees at 39%. Small-to-mid sized organizations with 10 to 500 employees constitute 28%. Respondents from organizations with less than 10 employees and suppliers of ECM products and services have been eliminated from the results, taking the total to 487 respondents.

[Pie chart: respondents by organizational size. 11-100 emps, 12%; 101-500 emps, 16%; 501-1,000 emps, 11%; 1,001-5,000 emps, 29%; 5,001-10,000 emps, 11%; over 10,000 emps, 22%.]

Geography

74% of the participants are based in North America, with 19% from Europe and 7% rest-of-world.

[Pie chart: respondents by region. US, 57%; Canada, 17%; UK, Ireland, 12%; W. Europe, 6%; E. Europe, Russia, 1%; remaining segments: Asia, Far East; Australia, NZ; Middle East, Africa, S.Africa; Central/S.America.]
Industry Sector

Local and National Government together make up 26%. Finance and Banking 14%, and Energy 8%.

[Pie chart: respondents by industry sector. Government & Public Services - Local/State, 19%; Finance, Banking, Insurance, 14%; Energy, Oil & Gas, Mining, 8%; Government & Public Agencies - National/International, 7%; Consultants, 6%; Telecoms, Water, Utilities, 6%; Education, 6%; Manufacturing, Aerospace, Food, Process, 6%; Healthcare, 5%; Legal and Professional Services, 5%; Engineering & Construction, 4%; IT & High Tech - not ECM, 4%; Retail, Transport, Real Estate, 4%; Non-Profit, Charity, 3%; Document Services Provider, 2%; Life Science, Pharmaceutical, 1%; Media, Entertainment, Publishing, 1%; Other, 1%.]

Job Roles

27% of respondents are from IT, 55% have a records management or information management role, and 17% are line-of-business managers.
[Pie chart: respondents by job role. Records or document management staff, 33%; Head of records/compliance/information management, 22%; IT staff, 12%; IT Consultant or Project Manager, 12%; Business Consultant, 5%; Line-of-business executive, department head or process owner, 4%; Head of IT, 3%; Legal/Corporate Council/Corporate Compliance, 3%; Other, 3%; President, CEO, Managing Director, 2%.]

Appendix 2 - Selective Comments

Do you have any general comments to make about your collaboration projects? (Selective)

• Policy without audit, custodial accountability and CONSEQUENCES is like speed limits with no radar... who cares?
• There is a big struggle between RM and IT regarding automation of any kind in my organization, and the lack of a strong IG Framework only makes it worse.
• While some are starting to "get it," I think that most mid- and high-level managers still don't grasp the importance of good IG. They still see it as "filing" to be left to clerks.
• Automated classification is the way to go but it’s hard to raise the profile.
• Have some experience of automated classification and the problem is the investment in resources to build and maintain the rule sets / classification schemes.
• As we move to adopting SP2010's records center and using a 3rd party records management tool, I am excited to see this process work from declaration to destruction and allow the staff to feel more comfortable and confident in these tools.
• It's always hard to get executive levels to see the big picture.
• Automated classification what/how is still a mystery to us.

Underwritten in part by:

ASG Software Solutions

ASG Software Solutions connects sophistication and experience with agility and technological efficiency, through its vendor-agnostic cloud, content and systems solutions. ASG helps companies solve today’s most pressing business issues, including everything from reducing operating costs and enhancing workforce productivity to ensuring regulatory compliance. With customers like American Express, Coca-Cola, GE, HSBC, IBM, Lockheed Martin, Merrill Lynch, Procter & Gamble, Sony, Toyota, Verizon, and Wells Fargo, ASG can proudly say that more than 70 percent of global Fortune 500 companies trust it to optimize their existing IT investments. Founded in 1986, ASG Software Solutions is a global company headquartered in Naples, Florida, USA, with more than 1,200 employees. For more information, visit www.asg.com or find us on Facebook, LinkedIn, Twitter or YouTube.

ASG’s world class enterprise content management portfolio includes:

• ASG-ViewDirect®, the world’s most scalable, full-featured enterprise content retention, storage and archiving suite, which supports all platforms, databases, storage devices, data formats and volumes of enterprise content in distributed and mainframe environments.
• ASG-Cypress®, a modular document output and customer communication management suite that facilitates ingesting, composing, formatting, personalizing and distributing content to support physical and electronic communications.
• ASG-Total Content Integrator™, which provides a unified, federated, content aggregation and integration technology for transparent search, discovery and presentation of electronic documents, records and other content anywhere in the enterprise.
• ASG-Records Manager™, which facilitates the automatic capture, classification and disposition of electronic transactional records in high-volume environments according to varied information.

www.asg.com

AvePoint

AvePoint is the established leader in enterprise-class big data management, governance, and compliance software solutions for next-generation social collaboration platforms. Focusing on helping enterprises in their digitization journey to enable their information workers to collaborate with confidence, AvePoint is first to market with a unique solution that centralizes access and control of information assets residing in disparate collaboration and document management systems on-premises and in the cloud. AvePoint solutions and services aim to bring together business, IT, as well as compliance and risk officers to serve key business objectives such as big data, cloud integration, compliance, enterprise content management, and mobile data access monitoring.

Founded in 2001 and based out of Jersey City, NJ, AvePoint serves more than 13,000 organizations in five continents across all industry sectors, with focused practices in the energy and utilities; financial services; healthcare and pharmaceuticals; and public sector industries. AvePoint is a Depth Managed Microsoft Gold Certified Application Development Partner and Gold Certified Collaboration and Content Partner, as well as a US Government GSA provider via strategic partnerships. AvePoint is privately held and backed by Goldman Sachs and Summit Partners.
www.avepoint.com

CCube Solutions

CCube Solutions specializes in providing Electronic Document and Content Management & Workflow solutions, based on the CCube software suite. Systems scale from small departmental applications to large enterprise-wide solutions and include: the CCube Portal, Electronic Forms, Workflow, Content Searching, and CCube Electronic Document & Records Management System (EDRMS), offering specialised solutions, including:

• Legal Compliance
• Invoice Capture and Authorisation
• Health Records Management
• Local Authority Applications
• Law Enforcement Applications
• Human Resource Management
• Information Web Portals
• Electronic Forms Solutions
• Electronic Records Management
• Collaboration Facilities

The key to all solutions we provide is integration with the business to ensure that information is delivered on time and to the right place. We have provided integrated solutions over the last 15 years using the following underlying technologies:

• Document & Records Management
• Workflow
• Web Portal & Systems Integration

We work with companies and organisations across the public and private sectors. Our clients include hospitals, local authorities, law enforcement agencies and the private sector. The common theme running through all these customers is their need for a robust, legislation-compliant information management system, which acts as a hub for vital information that can be accessed and archived at the touch of a button and delivers information to those who need it, when they need it. As a team of talented programmers, developers and other IT specialists, our staff have a wealth of experience and market knowledge.

www.ccubesolutions.com

Concept Searching, Inc.
Concept Searching is the industry leader in advanced semantic metadata generation, auto-classification, and taxonomy management. Its award winning products employ the only statistical metadata generation and classification technologies that use compound term processing to generate intelligent metadata from unstructured and semi-structured data. Compound term processing, or identifying concepts in context, solves a variety of business challenges and enables enterprise-wide information governance. Using these concept identification capabilities, organizations can transform content into business assets to improve performance. Concept Searching’s Smart Content Framework™ for information governance is a combination of best practices and underlying products that encompass the entire portfolio of unstructured information assets, providing the ability to develop and deploy a strategic and tactical information governance plan. The framework delivers intelligent metadata enabled solutions, which enable concept based searching; automatic declaration of documents of record; real-time identification, and protection of privacy and confidential data; intelligent migration; cost reductions in eDiscovery, litigation support, and FOIA; content management; granular identification of content for text analytics; and structure for enterprise social networking applications. The solutions are deployed in diverse industries by both Fortune 1000 and small companies that need to meet strict compliance, data privacy, and information governance regulations. Concept Searching has a Microsoft Gold Application Development competency and is a Business-Critical SharePoint partner. The Concept Searching Microsoft platforms use a single code base, able to be deployed in SharePoint 2007, 2010, 2013, and Office 365, providing clients with the choice of on-premise, cloud based, or hybrid environments. 
conceptClassifier for Office 365 is currently the only native Office 365 product available that addresses information governance challenges, in the cloud or in hybrid environments. Concept Searching is headquartered in the US, with offices in the UK, Canada, and South Africa. For more information about Concept Searching’s solutions and technologies please visit www.conceptsearching.com.

www.conceptsearching.com

IBM Corporation

The risks associated with increasing data volume are particularly challenging for organizations that are unable to apply sound information lifecycle governance practices toward managing their data.

IBM Enterprise Content Management solutions deliver content in context to fully harness its potential. These industry-specific solutions can capture, activate, share, analyze and govern unstructured data to lower costs and risk while improving efficiency. As the volume of content continues to rise, organizations struggle to use it effectively. IBM Enterprise Content Management provides a way to discover the content, recognize its value, and then act on it for better business insight and outcomes.

Providing our customers with the ability to govern their information is a key pillar in IBM’s Enterprise Content Management business. With IBM’s Information Lifecycle Governance (ILG) solutions, companies can improve their information economics by lowering information costs and risks while maximizing data value. Only IBM provides holistic information governance solutions for:

• Defensible Disposal - Curb storage growth, lower IT and legal costs, and enhance information economics.
• eDiscovery - Strategically manage the eDiscovery process to reduce legal cost and risk.
• Records and Retention - Identify, classify and manage data disposal according to retention schedules to reduce volume, mitigate cost & risk and improve information economics.
• Value-based Archiving - Coordinate archiving and storage of data based on its business value to reduce storage space and cost.
• Legacy Data Cleanup - Improve information economics through identification, classification and remediation of redundant, obsolete and trivial data.

IBM’s information lifecycle governance solutions help customers manage enterprise information according to its business value. By approaching information governance as an economic solution to data growth – i.e. information economics – companies can increase the value of information assets while driving down cost and risk. To learn more, visit: www.ibm.com/ILG

www.ibm.com/ILG

About OpenText

OpenText is the leader in Enterprise Information Management (EIM), providing EIM software that helps companies of all sizes and industries to manage, secure, and leverage their unstructured business information, either in their data center or in the cloud. Over 50,000 companies already use OpenText solutions to unleash the power of their information.

OpenText Enterprise Content Management (ECM) solutions facilitate agile information governance strategies designed to reduce risk and mitigate the cost of growing volumes of content in the enterprise - freeing organizations to focus on using information to drive growth and innovation. ECM solutions from OpenText unite capture, document and records management, workflow, search and archiving as well as applications and add-ons such as email, eDiscovery, auto-classification, contract management, case management and engineering document management to accelerate time to information governance while mitigating the risk of growing volumes of content. ECM is a fundamental practice of managing and extracting value from unstructured enterprise content.
OpenText ECM solutions enable organizations to harness the value of their information and enable the strategic CIO to transform every line of business and better compete in the new information economy. To learn more about OpenText please visit: www.opentext.com/infogov.

www.opentext.com

Information Governance Training Program

Information Governance

Learn a systematic approach to improve access to information, reduce costs, and meet legal/regulatory requirements.

The volume, variety, and velocity of organizational information is changing the game for governance and compliance. Applying a paper paradigm of policies and processes no longer works -- and it certainly doesn’t scale. Governance functions must now be automated, and focus as much on defensible disposition as on retention; as much on data extraction as data archiving.

AIIM’s Information Governance course is founded on these best practices to provide you with a systematic approach for managing information assets and ensuring regulatory compliance. The information is applicable across all industries and is independent of any particular technology or vendor solution.

Course Benefits and Objectives

You’ll acquire the necessary skills to:

• Improve how information is captured, shared, accessed, stored, and disposed of
• Reduce storage and legal costs
• Save time and money through greater interoperability and standardized components
• Design a pragmatic framework for managing information assets
• Ensure legal and regulatory compliance

This course is ideal for...

IT, compliance officers, legal staff, records management personnel, archivists, consultants, and other information professionals who are planning to establish or improve your information governance program.

Your Learning Options

The Information Governance course is comprised of 10 modules that may be purchased individually or as a complete package leading to the AIIM Information Governance Practitioner designation that is earned upon successful passing of the exam. Once purchased, the course module(s), supporting materials, and exam are accessible online and on demand from AIIM’s training portal for 6 months. Upon occasion, this course is also offered in a live, instructor-led virtual classroom format. Our enrollment page at www.aiim.org/training will indicate when/if such a class has been scheduled.

AIIM (www.aiim.org)

AIIM is the global community of information professionals. We provide the education, research and certification that information professionals need to manage and share information assets in an era of mobile, social, cloud and big data.

© 2014 AIIM
1100 Wayne Avenue, Suite 1100
Silver Spring, MD 20910
+1 301.587.8202
www.aiim.org

AIIM Europe
The IT Centre, Lowesmoor Wharf
Worcester, WR1 2RR, UK
+44 (0)1905 727600
www.aiim.eu