A new game plan for building a retention strategy that works.
The traditional concept of using a retention schedule to manage just "records" is no longer sufficient. This article offers practical advice for developing and implementing a modern, executable retention schedule based on the business value of all "information"--regardless of its location--in today's complex business environment.
Despite the digital sea change in the way information is created and stored, most organizations continue to use their retention schedule solely to define what a "record" is, and they adopt a simplistic approach to managing these records, whether it's to "manage everything," "dispose of everything," or "keep just what's needed."
Some organizations, however, recognize that these antiquated approaches actually increase costs and risks because of a widening gap between those employees who understand the value of information--records and information management (RIM), legal, and other business units--and those who actually manage the data--IT.
These organizations are closing the gap by modernizing the retention schedule to reflect how the business values information, how legal obligations impact information, and how IT stores, secures, and disposes of information.
To create a retention strategy that works, they are bringing together stakeholders from RIM, legal, business, and IT units to create an information governance framework that lowers costs and risks by enabling the legally defensible disposal of valueless information.
Why Retention Schedules Don't Work
The traditional approaches to records retention don't work for a variety of reasons:
* IT now manages information, not RIM or legal.
* Data is now mostly created in electronic form, and data volumes are increasing at an exponential rate.
* The variety and complexity of information systems and technologies are rapidly progressing, so defining a record is far more difficult and becoming unnecessary.
* The cost of storage, backup, and management of information is increasing every year.
* As a result of evolving and increasingly complex regulations, organizations face equally painful risks when saving too much or too little information.
The daunting nature of responding to these challenges is evident in the results of a survey conducted by the Compliance, Governance and Oversight Council (CGOC), a forum of more than 1,300 corporate RIM, legal, and IT professionals who conduct research, form working groups, and host meetings on the topics of discovery, retention, privacy, and governance.
The CGOC study that resulted in the "Information Governance Benchmark Report" (www.cgoc.com/register/benchmark-survey-information-governance-fortune-1000-companies) was conducted in collaboration with the Information Governance Reference Model (IGRM) project within the Electronic Discovery Reference Model group (EDRM) and sought perspectives on information governance, e-discovery, and records management from corporate practitioners in Forbes Global 1000 companies. (See www.edrm.net/igrm.)
By surveying these organizations, CGOC was able to capture the essence of painful compliance and governance disconnects. The report indicates many retention policies and schedules are not operational, and very few of the organizations are able to achieve defensible disposal of information.
Some interesting findings from the report include:
* Seventy-five percent of respondents cited an inability to defensibly dispose of data as their greatest challenge, and many highlighted massive volumes of legacy data as financial drags on the business and compliance hazards.
* While 85% cited consistent collaboration and systematic linkage across stakeholders as a critical success factor of any information governance effort, 70% of organizations actually rely only on liaisons and "people glue" to link discovery and regulatory obligations to information management practices.
When it comes to retention schedules, the findings concluded that:
* Seventy-five percent of the respondents' schedules included only regulatory recordkeeping requirements or long-range business information.
* Only 34% incorporated the additional privacy and data protection regulatory obligations.
* Sixty-six percent said they did not describe legal holds by the records associated with them.
* Some 77% said their schedules were not actionable for business and IT staff.
* Fifty percent said their IT departments did not use the schedule.
All this is not surprising. IT generally has no idea how to execute the traditional retention schedule. And even if it did, the traditional retention schedule typically can't survive legal scrutiny because it doesn't automatically evolve with changes in the law. Consider that more than 100,000 international laws and regulations are potentially relevant to Forbes Global 1000 companies--and, globally, there are thousands of sources of these constantly changing laws, regulations, and industry standards for retention and privacy, including government legislative and agency resources, industry resources, and law databases.
Moving Toward a New Approach
Some 98% of respondents to the CGOC survey cited "defensible disposal of data" as the primary benefit of an information governance program, and a modern and executable retention schedule would create a legal framework for defensible disposal that could be understood by--and would take into account the needs of--business users and IT. Such a program would also:
* Track the flow of information through an organization, from creation to disposal
* Recognize the multi-dimensional nature and interdependencies of business processes as laid out in the IGRM
* Be regularly updated to keep up with changes in the law and the business
In such an environment, the users would have the information and tools they need to classify their records, and IT would have the knowledge and tools it needs to actually implement the schedule and appropriately dispose of valueless information at the right time.
Assembling a Collaborative Team
Creating this modern, executable retention schedule depends on taking a unified approach to information governance in which RIM, legal, and business stakeholders collaborate with IT on information management. Only through such collaboration can IT reliably and consistently dispose of information that has no legal, regulatory, or business value.
Today, organizations have a vital ally in establishing this collaborative approach: ARMA International's Generally Accepted Recordkeeping Principles® (GARP®) and its complementary Information Governance Maturity Model, which provide a set of best practices and metrics against which any organization can measure its recordkeeping maturity. (See www.arma.org/garp.)
ARMA International and the EDRM have announced the formation of an alliance to focus on helping organizations understand the importance of overall information governance, the benefits it provides, and how to begin the process of achieving it. Working together, these two globally recognized and highly respected groups are collaborating on initiatives to help organizations address policies and practices, including an EDRM white paper integrating the IGRM with the GARP® Principles.
In addition, ARMA International recently unveiled the GARP® Assessment, a self-assessment tool organizations can use to detect the weaknesses and gaps in their retention schedule strategy. The assessment can be used to galvanize support from executives for the critical process changes that will be needed to increase recordkeeping maturity and systemically reduce risk and cost.
Once executive support has been secured, it is time to identify the appropriate stakeholders among RIM, legal, business, and IT users to participate in developing a new retention policy and schedule that will actually work in the specific organization. In many cases, the GARP® Assessment and the executive blessing will be sufficient to convince stakeholders to join the cause, but, if not, it may be necessary to demonstrate how a modern and executable retention schedule would address their particular cost, compliance, risk, or productivity pain points.
Building It So 'They Will Come'
Once the collaborative team of stakeholders has been assembled and a unified approach to information governance adopted, it is time to build the executable retention schedule, which can be the first effective step toward increasing process maturity. Following are key characteristics that must be incorporated into every retention schedule.
All stakeholders must recognize that today, information--not just "records"--is being managed. Trying to separate the two is operationally infeasible, and trying to have content creators declare records makes it difficult to produce consistent or compliant results. Because of this, the retention schedule must apply to all the information in an organization's possession.
A transparent legal framework must be put into action. It should clearly reveal how legal and regulatory obligations apply to information and a particular business, including what information is covered, who is obliged to comply, and how retention and disposition are triggered. This legal framework must include privacy obligations that impact the security and handling of the information.
Retention periods must take into account the business value of information. This value must be explicitly defined by the business stakeholders and must be made transparent to the other information stakeholders.
Retention schedules must be directly tied to the location of information, what record classes apply to specific repositories, and who is and has been responsible for managing them. IT must also know when and where to apply legal holds and when to dispose of information when it's no longer of value.
Data users must understand their obligations when creating information, and data stewards must understand the requirements for the disposition of information. The schedule must include the ability to communicate disposition in language that IT understands. For example, IT won't make sense of "Comply with record class HUM100." But it will understand: "Job applications created by the Human Resources Department users and stored in the HR shared drive must be permanently deleted 10 years after the termination of the employee."
The retention schedule must be flexible enough to adapt to and comply with local laws, obligations, and other limitations. Local users and data stewards have the knowledge required for this, so the information governance program must include an information flow back to those individuals managing the program centrally. This allows the organization to ensure compliance with corporate policy, but allows for local flexibility and deviation to promote execution at the local level by a local business, department, or even IT system.
The retention schedule must include an actionable mechanism that allows legal to execute a legal hold. This will enable IT to determine what information must be included in the hold and when the hold should be terminated.
The retention schedule should enable an organization to eliminate duplicate information. It should identify the classes of information in each repository and across repositories in different geographies.
The retention schedule must be continually updated in real time to account for changes in laws, to the business, and in technology. For example, several major legal research database providers offer tools that enable legal tracking of citations and automated alerts when laws change. An organization can then utilize available technology to incorporate those changes into the retention schedule and federate alerts throughout the organization to those systems and information owners that may be affected by the change. Legislative tracking is also an important component of staying current with the ever-changing legal landscape.
Keeping Information Moving
The traditional retention schedule has been used for decades to allow information to defensibly flow out of an organization. However, this once-useful tool has not kept pace with the changes in technology that allow users to create and store information in multiple locations and in various formats. This has led to uncontrolled data accumulation, which significantly increases the cost of storing and managing that information.
To address this massive accumulation, IT departments are increasing the use of quotas and across-the-board time limits on the life of information. But, without the ability to incorporate and execute on a retention schedule, the compliance risk associated with these actions will increase dramatically. Organizations must find a way to "release the pressure valve" and allow information to flow out as easily as it flows in, while still remaining compliant with the multiple legal, regulatory, and business requirements that impact that information.
Lorrie Luellig, J.D., can be contacted at firstname.lastname@example.org.