TSG attended the MeR 2018 conference this past week. One consistent theme in multiple presentations was the focus on ‘good enough’ when implementing a records retention program rather than a detailed comprehensive plan that would require combing through compliance laws and policies and implementing complex retention schedules. This post will present our thoughts from the conference and why “just good enough” is emerging as such a trend.
“Good Enough” is better than “Great but never implemented”
Our thoughts were that risk, volume and technology are the biggest drivers to an implementation that is “good enough”. Various presenters pointed out the astronomical rate at which content is being created daily. Consider all of the emails and the instant messages in addition to the content and data updates that employees make daily. Each employee can easily produce 100’s of content/data updates every day, each item having the possibility of being a record. The volume of data is growing so quickly that content and records management processes are becoming bottle necks. Clients with records management processes requiring a manual review/intervention cannot keep up with the volume being produced. For clients that have not implemented a solution, it can be overwhelming to start since avenues for creating content are only increasing, yet the importance of doing something now is also increasing. The EU General Data Protection Regulation (GDPR) goes into effect May 25, 2018. This regulation will impact all companies that collect data on EU citizens. GDPR law protects personal and sensitive data of EU citizens and requires companies gathering and managing this data protect it from misuse and exploitation. High fines are imposed on companies that are out of compliance. For more information on this regulation see our blog post here.
Practitioners at the conference generally concurred that companies have to stop analyzing and start implementing. Below are some first steps that can be taken to being implementing “good enough”.
Minimize Policies
It is not uncommon for file plans to call for 100+ different record retention policies. This level of detail takes considerable time, cost and effort. Clients that have gone down this path often find that their projects are delayed due to:
- Internal resources not having time to allocate to the project
- Key resources moving positions/leaving the company
- More complex file plans create more complex decisions, additional consensus meetings, etc.
- Budget cuts – the longer a project goes on, the more likely it is to have their budget cut/reduced
In one instance a file plan implementation that was supposed to take 3 months was extended to 3 years due to the factors mentioned above. Several presenters spoke of “bucketizing” file retention. Don’t worry about enforcing 1, 2, or 5 year retentions separately. If it doesn’t hurt to keep the 1 and 2 year items for 5 years, just lump them altogether in a 5 year bucket. The classification rules are easier and there are fewer policies to manage.
Delete unneeded information
On average 80% of the information stored on file servers is of no value and can be deleted. Below are a few rules some clients have used to purge content:
- Create a policy around the use of Instant Messenger (IM) stating that decisions cannot be made on instant messenger threads. This would allow all IM data to be treated as a non-record and deleted every X days.
- Scan file shares and SharePoint sites for documents that were created by Employees that left the company > 5 years ago and have not been updated or accessed. Flag this content for deletion.
- SharePoint sites that have not been accessed in more than X years could be deleted
- Data/content that is no longer in use and is past the maximum retention length can be deleted. For example, a records management plan with a retention of 7 years can identify millions of files older than 7 years that can be deleted.
Auto Classification/Scanning Content
The technology for auto-classification is improving the speed at which records are classified and advances in Machine Learning (ML) and Artificial Intelligence (AI) are helping even more. Most of the products today require the creation of rules to flag and file content. Example rules include:
- Look for content containing a 8-12 digit number patterns to flag content containing PII information such as phone numbers, social security numbers, etc.
- Flag all content containing a price quote
- Flag documents based on type (invoice, contract, etc.) by presence or frequency of key terms
In the future ML and AI will add a deeper layer of understanding to the content such as, which price quotes were sent out to clients (classify as a record) and which price quotes were drafted and never sent (non records). Clients have found that classification software is not an immediate fix to classification needs. It can be a very useful tool, but requires tuning and multiple iterations to make the technology useful. In a case study for an insurance company, presented at the conference, scanning a single department’s file share resulted in deletion of 87% of the files. Only 13% were retained as records or business value.
Manage through Process
Internal processes can be put into place to start gaining control of a company’s records. In the client examples below, records management is being slowly applied across the organization. This allows for adjustments to be made along the way.
- Insert a Records Management approval to every IT project so a records manager can confirm that each application is controlling records and deleting content/data per a defined retention schedule
- Manage records in place rather than requiring the records to be transferred to a single system
- Be certain to have a solution that allows for simple search and retrieval of records. Record sets grow quickly and are typically read-only by nature. Having a simple search, view and light-weight reporting tool available is a key requirement
Summary: Simple beats Complex for Records Management
Successful approaches keep the data and record analysis process as simple as possible. When not mandated by regulations, organizations can avoid the cost and expense of conducting a year-long analysis of content types and disposition rules. Instead the approach of focusing on one area of information at a time and applying a minimalist record retention schedule to that set of information is recommended. This approach aligns with our presentation at the MER conference on 10 simple ways to Improve your ECM/RM implementation. TSG has found that clients that take steps to improve specific areas such as search, approval, or dashboard reporting, are much more successful in the long run as measured improvements over time achieve much more success than a multi-million dollar project. A simple measured incremental approach can be implemented quickly, is less risky and generally more successful.