We have spent a lot of time in the last couple of weeks talking about how to set the boundaries of organizational risk and responsibility with respect to information.
We always start by re-directing the conversation towards why the client cares about information. This then leads to a conversation focused on what information users need to get their job done. This is essentially the requirements gathering for their “UIM”, or User Information Management, system. This is how we describe the bunch of products and vendors that are part of the Enterprise File Sync and Share (EFSS) and cloud ECM markets. This would include products ranging from Evernote, Dropbox, to Box. Sometimes, these are not appropriate and you need a full-blown ECM that can be used for collaboration because such a large portion of a user’s day is spent handling records.
This is where it gets complicated in large part due to the central role of email and documents in the average person’s work. In our opinion, Office 365 and Google Apps are not information management technologies – they are productivity suites. However, the choice of Office 365 or Google Apps does have repercussions on your information management strategy, particularly as it relates to records and high value content that you would want in a true enterprise information management system.
At the end of the day, your enterprise information management strategy should be focused on the user needs. Users are the foundation of the revenue stream and the main source of risk. Their ability to get work done in the systems you provide is the key to both.
The critical starting point for your EIM strategy is understanding what users actually do with information. This is also a huge blind spot for C levels and IT who have organizational level views of how “stuff gets done” but rarely a user level view. The good news is that it is a solvable problem. One that we help clients with all the time.
Once you know what users do with information, it is important to define what they should not do by rationalizing their workflow against your organization’s regulations and internal rules. One of the key value points of a DoD certified ECM such as Laserfiche is that it eases the compliance overhead—the time and effort that staff spend proving their compliance.
Five points of EIM strategy in regards to complaince:
- Understand the tactical value of information. How do people use information to generate revenue. Remember this is about enterprise-wide platforms. This needs to be firmly grounded in the idea that information is an asset that furthers business goals.
- Define the importance of historical information across filetypes. Is there value in keeping audit logs and sensitive information past the required date? Would access to this information decrease the complexity of a user’s task?
- Build a complete picture of the retention and audit complexity. What are the patterns of information movement and storage location that put the organization at risk?
- Define the maturity of IT to successfully manage the EIM strategy. Does IT understand the compliance environment sufficiently and do we have a partner in the legal/compliance office who can supply the information?
- Evaluate IT’s vendor management strategy. What types of storage media are a no-go? For example, certain consumer EFSS may not be appropriate. If we need to lock down storage locations, how do we optimize the ECM/RM/DM to provide a single pane view of the users informational needs to get work done.
Compliance may be an organization issue, but the prime concern is the people handling the information. Compliance requires a good user experience – it is rare that you can force users to stay in a system. Start small, talk to the users, and understand their pain points – for example, why they continually put PII in their consumer dropbox. The answer is likely due to a hole in the EIM platform rather than animus or hubris.
