Compliance on trial
From Document Manager Magazine Vol 17 No 06 - November/December 2009
Even among organisations which are using DM systems, take-up of Records Management remains surprisingly low. Dr. Vijay Magon of OITUK argues that a more practical approach - with less emphasis on standardisation - may be what is needed.
It all started, as it usually does, with a simple idea: turn paper into electronic files which can save space and storage costs, and can be moved around and shared. Lessons learnt from early adoption of digital imaging systems fuelled the evolution of EDM systems which include electronic content, workflow, systems integration and collaboration. Coupled with maturing technologies, higher end-user expectations, and a greater hunger for the competitive edge, our irreversible dependency on digital information has grown beyond recognition and continues to drive new products and services.
While the benefits of this information revolution continue to manifest themselves in business enterprise, and more recently in social changes, the other side of the coin only hits the headlines when data misuse stories make it to the law courts.
The availability and accessibility of information lay it open to misuse and abuse. Recent notable cases of data abuse have led to developments in legislation, guidelines and standards for storing, managing, and destroying documents, designed to protect the citizen and businesses. In short, compliance with legislation is no longer an option, and organisations are scrambling to make sense of Records Management (RM) within their operations to meet compliance requirements.
EDM has been around for over two decades and is in widespread use across the public and private sectors. It contains all the facilities for capturing documents and for managing document repositories - documents drive the business processes and are essential for business operations. What is RM and where does it fit in?
DM vs RM
The National Archives (TNA) differentiates between document and record management as follows:
Electronic document management tends to concentrate on management of the electronic object at the level of the physical item: for example, the email message, the individual document or spreadsheet, the presentation or html page. Each of these documents, or electronic objects, will have a document profile which describes essential attributes that allow the document to be described, indexed, retrieved and understood as an item in its own right. At this level, controls can also be placed on the individual document to determine access rights, to prevent changes being made, to track usage and to link versions. The document plays an integral role in a given business process.
RM encompasses all the primary aspects of electronic document management, but also requires additional information which governs management of the electronic record, the electronic file/folder, and the overall fileplan/classification scheme. An electronic record, however, may consist of more than one document or electronic object - for example, an email message with attached document, a dynamically interlinked text document and spreadsheet, an HTML page with multimedia elements.
To ensure that the record is complete and properly understood, the interlinking between these elements needs to be retained in metadata and made available for use within the record-keeping system. At this level, all the objects which constitute the record can be captured, managed, retrieved, and disposed of together as a unit.
Standards governing the management of records have been around for many years and are updated or replaced over time. For example, TNA-2002 expired in 2005 and is in the process of being replaced by the Europe-wide MoReq2 standard. The USA's DoD Directive 5015-2 gave rise to the DoD 5015-2 standard for RM. Other countries have their own standards.
TNA recommends that the records management function should be a specific programme within an organisation and should receive necessary levels of management support to ensure its effectiveness. This responsibility should extend throughout the lifecycle of the records from initiation/creation through to disposal.
To appreciate the differences between EDM and RM, it is useful to think of the document lifecycle - the period between document capture/creation and its destruction. This period contains two quite distinct but complementary phases:
- business process
- retention and destruction process
A document will typically start life in the business process - it can invoke business processes and play a key role until a pre-defined criterion is met, marking the end of a process. A classic example is invoice approval: an invoice is received/captured to feed the approval process, which may involve several users; the invoice represents a positive value to the business at this stage (it does not matter how "value" is measured). Authorisation and payment mark the end of the approval process. Beyond this point, the invoice must be retained as a corporate record for a number of years - the value of the invoice to the business has dropped and in fact is negative, because it no longer plays a role in the business process and it costs money to store.
The end of the business process marks the start of the retention and destruction process which is concluded when the record is destroyed. Clearly the transition point between the two phases - "declaration point" - will depend on the document type, business process, etc. and can vary across the lifecycle time line.
EDM continues to serve the business process while RM is intended to serve the records retention and destruction process. The penalties for not looking after corporate records are well known; the standards are in place and supported via a number of software solutions. So why aren't more organisations embracing RM solutions?
Standards-based RM raises a number of issues:
1. Standards-based RM enforces corporate-wide rules and regulations on document categorisation and organisation - the Fileplan. It is difficult to get two departments to talk to each other let alone all departments agreeing on a corporate-wide Fileplan.
2. RM solutions depend on end users to make them work; end users have a day job to serve the business and play vital roles in keeping the business processes ticking. Looking after records is another 'chore', and one that is not well rewarded.
3. RM solutions are designed to look after documents that are registered in such systems - the careful logging of these documents via metadata-sets. It is well known that an average business will hold its documents in more than one document repository - file servers, email systems, paper storage, EDM systems, etc. RM solutions do not easily reach out to such distributed repositories.
A PRACTICAL APPROACH
EDM systems have played a key role in allowing organisations to capture documents and use these within business processes, minimising dependencies on paper and maximising operational efficiencies. These systems include capture and registration functionality, typically integrated with business databases to support lookups and validation. Related documents can be organised via hierarchical folders. Can EDM be extended to support the key requirements of RM?
The essence of RM is: "what documents do I have, where are they, and when can I get rid of them?" To address this within an integrated EDM and RM framework - Electronic Document and Records Management (EDRM) - the primary functionality for capturing and managing documents and relating such documents to facilitate management of a group of related records as a single unit must be extended to include declaration, retention, destruction, and full auditing.
Most departments manage at the level of the individual document or electronic object. Inclusion of records management functionality within a document management framework must support the following essential requirements:
a. the ability to declare an electronic document as a record (or as a component of a record), and to maintain its integrity as an authentic representation of a business action or decision, and its relation to other documents via a hierarchical structure;
b. it must be possible to locate and access the information, by use of existing EDM retrieval functionality;
c. it must be possible to establish the properties of the record: who created the record, during which business process, and how long the record is to be retained;
d. the ability to consistently manage the retention and disposition of electronic records, retaining what should be kept and flagging disposal of what should not;
e. the ability to suspend disposition due to a specific circumstance ("legal hold");
f. full and detailed auditing of all activities during the document lifecycle.
It will be necessary to sustain electronic records over time as a valued corporate asset, in a manner that retains their reliability and integrity for as long as they are required, preserving their value as a corporate record. This will include prevention of changes to the content or context to retain authenticity, and continued maintenance in an appropriate format to retain accessibility.
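As an added illustration (not code from the article or from OITUK), the following Python example models requirements a, c, d, e and f as a small record register: declaration fixes a content digest and a disposal date, a hold suspends disposition, and every action is written to a hash-chained audit trail. The retention periods, the class and method names and the record identifiers are assumptions made for the example.

```python
import hashlib, json
from datetime import timedelta
# Constructed retention schedule (years per profile, counted as 365 days); not from the article.
RETENTION_YEARS = {"invoice": 6, "hr_file": 2}

def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class RecordRegister:
    def __init__(self):
        self.records, self.audit = {}, []   # properties by id; hash-chained log

    def _log(self, actor, action, record_id, when):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"actor": actor, "action": action, "record": record_id,
                 "date": when.isoformat(), "prev": prev}
        entry["hash"] = _sha(json.dumps(entry, sort_keys=True).encode())
        self.audit.append(entry)

    def declare(self, record_id, profile, content, creator, process, declared_on):
        """Requirements a and c: fix digest and properties at the declaration point."""
        self.records[record_id] = {
            "profile": profile, "creator": creator, "process": process,
            "sha256": _sha(content), "hold": None,
            "dispose_after": declared_on + timedelta(days=365 * RETENTION_YEARS[profile])}
        self._log(creator, "declare", record_id, declared_on)

    def set_hold(self, record_id, reason, actor, when):
        """Requirement e: a legal hold suspends disposition until lifted."""
        self.records[record_id]["hold"] = reason
        self._log(actor, "hold:" + reason, record_id, when)

    def is_authentic(self, record_id, content):
        return _sha(content) == self.records[record_id]["sha256"]

    def due_for_disposal(self, today):
        """Requirement d: flag for the records officer; nothing is deleted here."""
        return sorted(rid for rid, r in self.records.items()
                      if r["dispose_after"] <= today and r["hold"] is None)

    def audit_intact(self):
        """Requirement f: recompute the chain; any edited entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _sha(json.dumps(body, sort_keys=True).encode()):
                return False
            prev = e["hash"]
        return True
```

Declaring two invoices in early 2003, placing one on hold and asking for disposals in November 2009 returns only the invoice without a hold; altering any stored audit entry afterwards makes `audit_intact()` return `False`.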
The record-keeping requirements of existing records may need to be reviewed from time to time, where these are affected by changes in the external environment or changes in understanding of the long term value of particular groups of records.
DRIVERS FOR EDRM
Compliance
The basic requirement is for the application of retention policies on corporate documentation, including the functionality to declare documents as corporate records. The key objective is to notify a designated administrator when documents are due for destruction, and ensure that the process of keeping and destroying records is formally audited.
Freedom of Information
Freedom of Information (FoI) establishes the right of a citizen to request information from a public authority. This will require public bodies to undertake an Information Asset assessment to develop an Information Asset Register and then to develop a publication scheme setting out how they intend to publish the different classes of information they hold.
Data Protection Act
The Data Protection Act (DPA) that came into force in October 2001 gives employees the right to inspect documents held by their employer. The Act also sets out clear rules on the information that can be held on employees and its use, plus the period for which the information can be retained.
Electronic Discovery
Electronic discovery (locating and analysing all data within an organisation) is a vital part of ensuring compliance with legal or regulatory requirements. With penalties for non-compliance calculated as a percentage of turnover, there's no room for error. Organisations need to know what they hold, where it is, and its impact on the business.
KEY BENEFITS
The EDRM model described above serves to deliver the essence of RM - it is not accredited against recognised standards but employs the key requirements from these standards to address what businesses actually want to know: "… how long should I keep my documents." The EDRM model offers the following key benefits:
- retrospective application of document retention rules
- does not depend on end-users to implement retention and destruction processes - needs a "records officer" to administer the system
- parametric approach for defining document profiles
- automatic declaration
- dashboard style reporting
- full auditing - for compliance and legal admissibility, the audit trail is vital
- process auditing, including holds on document destruction.
More info: www.oituk.com