enterprise information management: implementation strategies by graham riley
DESCRIPTION
There are many influences on you as you support your organization's ability to expand and grow as a business, to comply with state and federal legislation, and to manage the exponential growth of information and data. In response to this change in the business environment, the ability to manage information at the enterprise level is now more critical, and many organizations are looking to implement an enterprise information management program that addresses the needs of both the business and regulatory compliance for all records, regardless of format or location. In this session, you will learn how to conduct such a significant undertaking.
TRANSCRIPT
Enterprise Information Management: Implementation Strategies
Graham Riley
Manager of Account Services, Iron Mountain
Education Code: FR02-2209
Learning Objectives
Upon completion of this session, participants will be able to:
* Explain the value of a compliant records and information management program
* Outline a process for implementing a compliant records and information management program in your organization
Session Outline
* Background
* Obstacles to a compliant records and information management program
* Areas of common ground
* Foundation of a compliant records and information management program
* The compliant records and information management program implementation process
Managing Compliance Proves Difficult
Changing Regulatory Environment
* Rule 26 of the Federal Rules of Civil Procedure
* Sarbanes-Oxley
* Gramm-Leach-Bliley
* SEC Rule 17
* MA Privacy Law
* Patriot Act
* HIPAA
* FACTA
Convergence of Physical & Digital Records
Exponential Information Growth
These pressures converge on Records & Information Management Professionals.
Compounding the Problem: Rule 26
* 26(a) Explicitly makes "electronically stored information" (ESI) a category of discoverable data
* 26(b)(2) Sets up provisions for "reasonably inaccessible" data
* 26(b)(5) Clarifies procedures for retrieval of privileged information that was produced inadvertently
* 26(f) Mandates meet-and-confer sessions
Rule 26 obligations fall on both Records Management and Information Technology.
Recent History of Non-Compliance
* December 2008: Large entertainment company settles charges that its music fan websites violated the Children's Online Privacy Protection Act; the company will pay a $1 million civil penalty
* February 2009: Retail pharmacy chain settles FTC charges that it failed to protect the medical and financial privacy of customers and employees; pays $2.25 million to settle allegations of HIPAA violations
* June 5, 2009: Large insurance company named in security-breach lawsuit
* June 2009: Large retailer to pay states $9.75M in data breach settlement
Impact on Records Management
* Held accountable for accessing records FAST
* Forced to interpret communication between Legal and IT
* Asked to do more with less
* Doesn't feel they have senior management support
* Administers strict information disposal policies
Impact on Information Technology
* Forced into reactive "fire-fighting" mode on discovery requests
* Expected to understand records management processes, policies and retention
* Struggles with what is acceptable to destroy and what is required to keep
Impact on Legal, Risk & Compliance
* Also forced into "fire-fighting" mode
* Asked to ensure compliance with little direct authority
* Inadequate measurement systems
* Trying to train employees but under-resourced to be effective
And then there's litigation!
Consider the findings from organizations surveyed:
* Nearly 1/3 had more than 20 lawsuits filed in 2008
* 43% of large organizations are forecasting an uptick in legislation in 2009
* 45% are spending upwards of $1M on litigation; one in five are spending more than $10M
Litigation Can Surface the Friction
Litigation reaches records wherever they live: inactive records, active records, back-up tapes, electronic files, enterprise systems, employee laptops, portable hard drives, voicemail and employee files. It pulls in Legal & Compliance, IT Management and Records Management at the same time.
Disconnected Retrieval Process
Communication Breakdown
Wasted Time & Resources
The Way It Should Work…
* Legal & Compliance brings legal expertise
* Records Management brings process expertise
* Information Technology brings technology expertise
Objections and Obstacles
If it's so important, why isn't everyone doing it?
* Don't understand the value proposition
* Don't know where to start; need clarity around HOW we do it
* Varying degrees of organizational alignment, or none at all
* Organizational "attitude" that compliance is optional
* Cannot get a straight answer specific to your needs
Common Vision
Improve the profitability of the company by providing the Enterprise (location, division or department) with the ability to securely manage ALL information, regardless of format or location, in a cost-effective and compliant manner.
Every Department Has a Stake
* Records Manager
* Global Records Manager
* Director of Compliance
* General Counsel
* Director of IT
* CIO
* Business Partner
* Departments
Departmental Priorities
Boom Economy
* Increase functionality & features
* Increase capacity
* New equipment & systems
* Strategic focus
* Investment
* Price
Depressed Economy
* Price
* Operational focus
* Optimize existing systems
* Increase efficiency
* Operate cheaper
* Consolidate
Program-Centric Approach Yields the Best Results
Compliance Steering Committee, Compliance Strategy, Compliance Program: the committee owns the strategy, and the strategy shapes the program.
Best Practice
* Defined strategy
* Consistent and empowered steering committee
* Defined repeatable process
* Projects remain but are a part of a program
* Regular maintenance across entire program
Individual projects (Project A, Project B, Project C, Project D) continue to exist inside the program, each addressing concerns such as process, storage, capacity, security, cost, compliance, retention, litigation, privacy, storage control and disposal, and service (search and retrieval that is accurate, responsive and reliable).
Building On The Foundation: CRIMP (Compliant Records and Information Management Program)
What Is a Good Process?
1. ORGANIZE: Determine scope
2. ASSESS: Examine & identify risk
3. DEVELOP: Create records classification scheme
4. IMPLEMENT: Implement base program
5. MANAGE: Train & communicate
6. AUDIT: Review & identify deficiencies
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.
ORGANIZE
Have you created and empowered a records management steering committee?
"Only 28% of US Companies surveyed have a Steering Committee."
* Establish ownership: executive sponsor, dedicated CRIMP team, steering committee
* Roles & responsibilities: governance level, implementation level, administration level
* Determine program scope
* Terminology
ASSESS
Have you identified and classified all records?
"With 65% of the sample rating their retrieval process as 'quick', it appears that strategic investments in indexing and tracking systems are providing good performance for organizations."
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008
* Conduct a thorough records inventory.
* Evaluate your existing program; its strengths, limitations and capabilities.
* Determine the potential areas of risk and/or exposure to compliance regulations.
* Analyze your legal retention and access requirements.
* Build an overall master plan based on your assessments and all applicable compliance regulations.
DEVELOP
Have you developed policies and procedures that address all physical and electronic records? Are your employees using them?
"Only 36% of companies have developed comprehensive programs that include training and employee acknowledgement. An additional 46% have some policies but struggle with implementing a program to standardize the use of the policies."
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008 and recent Iron Mountain survey data
* Legally credible, enterprise-wide (media-agnostic) retention schedule.
* Standardized enterprise policies (vital records, legal hold, privacy, etc.).
* Build measurement in from the start: decide what you need to measure in order to prove compliance and adoption, and embed those metrics in the systems themselves.
IMPLEMENT
Have you implemented an enterprise-wide records retention schedule?
"While 55% of organizations have implemented a retention schedule, over 70% of them report they have not updated it in over two years, and only 30% of these retention schedules cover all media."
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.
* Deploy I.T. systems.
* Apply the retention schedule.
* Assign standardized classification codes keyed to retention periods.
* Routinely move records to secure offsite records storage.
* Regularly review records to be destroyed. Destroy records whose retention period has expired.
* Mark records related to pending or current legal matters as "held" to prevent destruction.
MANAGE
Are you providing the proper training for your program?
"Our 2008/09 responses show a 22% increase in the implementation of regularly scheduled records management training, though 57% of respondents are still doing nothing or simply offering informal occasional training."
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.
* Manage the security, access and integrity of the data within the program.
* Training is an event; education is a process.
* Enforce proper classification and disposal via reports, scheduled reviews, and other safeguards.
* Maintain training and communication programs.
* Ensure appropriate business unit oversight.
AUDIT
Are audit compliance procedures established and followed?
"Only 21% of respondents have a formal method to regularly audit the effectiveness of their records program implementation."
Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.
* Review the program formally and frequently, and identify deficiencies.
* Ensure that all records, including e-mail, are being properly indexed and managed.
* Pay special attention to disposal practices. Ensure that records in all forms related to pending or current legal matters are being "held" in order to prevent their destruction until the legal matter has been closed.
* Confirm that records whose retention period has expired, and which are not on "hold", are routinely destroyed.
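The IMPLEMENT steps (apply the retention schedule, mark held records, destroy expired ones) and the AUDIT checks above are one rule applied twice: first to decide disposition, then to verify what actually happened. The Python below is an added example written for this page; it is not part of the presentation and not an Iron Mountain product. The classification codes, retention periods, record inventory and disposal log are constructed for illustration. It shows a disposition rule in which a legal hold takes precedence over an expired retention period, applied identically to paper, e-mail and backup tape, and an audit pass that flags the deficiencies the AUDIT slide asks you to look for: a held record that was destroyed, a record destroyed before its period expired, an expired record still sitting in storage, and a record with no classification at all.

```python
from dataclasses import dataclass
from datetime import date

# Retention schedule keyed by classification code, in years after the trigger
# event. Constructed for this example; codes and periods are illustrative only.
RETENTION_SCHEDULE = {
    "FIN-AP": 7,     # accounts-payable records, trigger: fiscal year end
    "HR-PERS": 6,    # personnel files, trigger: separation date
    "CORR-GEN": 2,   # general correspondence, trigger: creation date
}


@dataclass
class Record:
    record_id: str
    code: str                              # classification code from the schedule
    trigger_date: date                     # event that starts the retention clock
    media: str                             # "paper", "email", "backup-tape", ...
    legal_holds: frozenset = frozenset()   # matter identifiers; empty means not held


def retention_expiry(record, schedule=RETENTION_SCHEDULE):
    """Date on which the record's retention period ends, or None if unclassified."""
    years = schedule.get(record.code)
    if years is None:
        return None
    d = record.trigger_date
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb trigger date landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def disposition(record, today, schedule=RETENTION_SCHEDULE):
    """Return HOLD, UNCLASSIFIED, RETAIN or DESTROY for one record.

    A legal hold wins over everything else: an expired record on hold must be
    kept until the matter closes. Media type is deliberately ignored, because
    the schedule is media agnostic."""
    if record.legal_holds:
        return "HOLD"
    expiry = retention_expiry(record, schedule)
    if expiry is None:
        return "UNCLASSIFIED"   # no period to apply; cannot be destroyed on schedule
    return "DESTROY" if today >= expiry else "RETAIN"


def review_disposal(records, destroyed_ids, today, schedule=RETENTION_SCHEDULE):
    """Audit step: compare the disposal log against what the schedule allowed."""
    findings = {"destroyed_on_hold": [], "destroyed_early": [],
                "overdue_destruction": [], "unclassified": []}
    for r in records:
        state = disposition(r, today, schedule)
        destroyed = r.record_id in destroyed_ids
        if destroyed and state == "HOLD":
            findings["destroyed_on_hold"].append(r.record_id)    # spoliation exposure
        elif destroyed and state in ("RETAIN", "UNCLASSIFIED"):
            findings["destroyed_early"].append(r.record_id)
        elif not destroyed and state == "DESTROY":
            findings["overdue_destruction"].append(r.record_id)  # still in storage
        if state == "UNCLASSIFIED":
            findings["unclassified"].append(r.record_id)
    return findings


# Constructed sample inventory mixing media; the program treats them alike.
SAMPLE_RECORDS = [
    Record("R1", "FIN-AP", date(2001, 6, 30), "paper"),
    Record("R2", "FIN-AP", date(2001, 6, 30), "backup-tape", frozenset({"Matter-42"})),
    Record("R3", "CORR-GEN", date(2008, 3, 1), "email"),
    Record("R4", "HR-PERS", date(2004, 2, 29), "paper"),
    Record("R5", "MISC", date(1999, 1, 1), "portable-drive"),   # no schedule entry
]
AS_OF = date(2009, 6, 1)
SAMPLE_DISPOSAL_LOG = {"R1", "R2"}   # R2 was on hold: the deficiency the audit must catch

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, r.media, disposition(r, AS_OF), retention_expiry(r))
    print(review_disposal(SAMPLE_RECORDS, SAMPLE_DISPOSAL_LOG, AS_OF))
```

Run against the sample data, R1 is correctly destroyed, R2 is reported under destroyed_on_hold, R3 and R4 are retained, and R5 surfaces as unclassified, which is the inventory gap the ASSESS step exists to close. The same review_disposal call with an empty disposal log reports R1 as overdue for destruction, the other half of the AUDIT check.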
Next Steps
Your Response
I am improving the profitability of the company by providing the Enterprise (location, division or department) with the ability to securely manage ALL information, regardless of format or location, in a cost-effective and compliant manner.
Please Complete Your Session Evaluation