It's been interesting watching some of the articles recently about the challenges of managing e-mail as if there is a need to manage every piece of it that exists. I've been writing about this topic for quite some time, and while I've also stated it isn't a simple task... it's nowhere NEAR as hard as some make it out to be! In fact, it's hard to believe there were 153K hits for the literal search of the phrase "managing email"
I think what's happened over time is a lot of misinformation from numerous sources, especially those that are urging organizations and individuals to "save everything" when there is NO REASON TO.
What is important is that every organization develop a policy for Records Management that clearly identifies what a "record" is for their organization. This should include elements such as:
- It documents an official decision or transaction
- It provides guidance to staff about what to do or how to do something
- It communicates a policy to others inside or outside your organization
Naturally, depending on the industry segment you operate in, there are other critical factors to consider based on who regulates what you do and what laws you operate under. Also, once a legal action is entered into or you become aware one MAY be pending, all documents (including e-mail) related to the matter must be retained until the matter is resolved.
But all this said, much can be done in the course of normal business to minimize the volume of e-mail any organization is required to manage, and most of this can be done by staff on receipt of the e-mail itself. FIRST... develop a policy and communicate to all employees the definition of a record for your organization. Follow the "KISS principle" when doing this, but make sure it's comprehensive. Make sure employees understand this applies to ALL information, but especially e-mail.
Next, direct employees to delete all e-mail that is NOT a record if it is received on the company system, as soon as practical. A Company's e-mail system is not intended for personal e-mail or other information that is not related to the 'business of the business', and while the occasional use of information systems is generally in keeping with most organizational policies, they are NOT designed to store or retain such information. Yep, this sounds harsh... but it will generally eliminate a good 40-50% of the volume of e-mail. If you include the non-business e-mail received from vendors, trade publications, internal messages of informational only value, this number will likely climb to 70-80% of the volume.
The next steps are more painful, and absent the existence of an Electronic Records Management System (ERMS) of some type, it is difficult to achieve success. The management of records is related to the content included in a record. That content and its value determine the length of retention required for the information.
All organizations should have a Records Retention Schedule (RRS) (a topic for an independent post) in place that suits their business needs and the laws, regulations and statutes that govern their industry segment. If an RRS exists, then it is much simpler to manage the 20-30% of e-mail that fits the definition of a record. Of the approaches used to accomplish this, the application of what are commonly known as "rule and role based" principles are among the most successful.
Rule and Role based retention practices involve an evaluation of the work being performed by various functional entities within an organization and comparing these against the records they routinely create and/or receive. This list of records is then compared tot he RRS to determine retention periods, which results in the development of a short list of retention periods for users to select from to assign to the records. After generation of records, or following review of those received, users select from this "pick list" to associate a retention period with the record prior to it being stored.
This is best done through an interface with an ERMS, but absent an official proper records management repository, the records can be stored on organizational servers that are routinely backed up to protect content form alteration of destruction prior to their assigned retention periods.
This is intended as a simple overview of one process that greatly reduces both the volume of e-mail being retained unnecessarily and the effort required to achieve compliance with legal and business needs for effective records management.
Monday, November 24, 2008
Wednesday, November 12, 2008
Got your head in the clouds (computing)?
But now they only block the sun
They rain and snow on ev'ryone
So many things I would have done
But clouds got in my way
I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all....
I think Joni Mitchell summed it up well when she said "I really don't know clouds at all".
There's been a lot of discussion about cloud computing, what it is, what it isn't and the benefits and concerns around it. Much of the discussion indicates that while it isn't a mature enough concept, a lot of organizations are charging forward and putting their information assets at risk in this environment. One of my most recent favorite articles made a brilliant observation.
The writer, Ed Sperling, stated "In all companies, cloud computing needs to be part of an overall security risk management equation. It's easier to figure out in newer companies, but the process is still the same. Still, cloud computing should never be viewed as simply a way to save money unless a company doesn't care about security or doesn't have anything to steal. And in that case, why is the company even in business?" And I think it's a valid point to raise.
Risk is a critical component to consider when it comes to the storage and management of information assets, the lifeblood of many organizations. You need them to make informed decisions and to perform the 'business of your business', and protecting them form exposure is critical to ensure you retain your competitive edge over others.
Examples have been given where this seems to be a more logical option for consideration for SMBs (small to medium businesses) or for start ups, as a means of cost avoidance of procuring a large hardware infrastructure and minimizing the cost exposure related to application purchases. But again, I question this... if you're a new business and attempting to gain a foothold in the marketplace, wouldn't you want to do everything possible to keep your information as 'close to the breast' as possible? And while there isn't extensive evidence of the risk associated with cloud storage, (we aren't hearing rampant stories of data exposure), even secure environments are being routinely hacked... so these environments are obviously much more prone to it.
I think the jury is still out on cloud... and I fear many may not like the final verdict when they eventually hear it.
Labels:
cloud computing,
hack,
information assets,
security
Monday, October 27, 2008
Long time, no post
I guess I've been a baaaaaad blogger, letting this sit idle for such a long time. Not that I haven't had a lot to say, just been saying it elsewhere and trying to figure out if/how to focus my energies to one source.
So much to say, where to begin? Okay... the ARMA Conference inLas Vegas . I was finally allowed to attend, but the notice came so late the airfare for a 90 minute flight ended up being nearly $400- thankfully I had a round trip coupon, but WHAT a waste of a good R/T coupon that was destined to get me to New Orleans =(
The conference was well attended, 4600 total, about half that many full paid attendees. Lots of sessions both on the paid and free side (those in the exhibit hall from vendors; some with the assistance of RIMs or techxperts). Lots of sessions on e-mail management and compliance issues, many on gaining management support for RIM programs, marketing RIM, and implementing ERMS tools. (Nope, you'll NEVER hear them referred to as 'solutions' here) It sure would be nice if the handouts for the expo floor sessions were ALSO made available to attendees!
Efforts were made to relate the sessions to domains and levels called out in the ARMA RIM Competencies which I stand firmly behind as a great document to provide guidance for where you are and where you may want to go in your RIM career.... obligatory disclaimer here, as I worked to help develop this document for 3+ well spent long years. Unfortunately, I think the efforts fell a bit short of their goals.
Talking to numerous attendees, some of them first-timers, many felt the sessions had the following problems:
1) the description did not accurately match the content
2) the ratings were higher than the content presented
3) the domains were misstated- content didn't stay on track for domains
A number of attendees told me that after the first day, they adjusted their plans and went to higher rated sessions, and still didn't feel they were getting what they expected in all cases. But, as I explained to them, this is a work in progress and it should improve over the coming year... and I STRONGLY SUGGESTED to them that they provide some of their feedback to ARMAs EDC and education department. If no one tells them, nothing will change.
I'm torn between the old "tracks" and the new "competency based" arrangement of sessions- one thing I'd like to see greater consideration given to is adjusting things so sessions of a common nature and differing levels are placed against each other in the same time slots, instead of making attendees choose betweens similar level sessions in multiple domains. Fortunately, almost ALL of the sessions handouts were posted in advance this time, so you did get an opportunity to review them before attending and make some choices of where to spend your time. Too bad a lot of first time attendees weren't aware of this option.
Biggest complaint? MISERABLE DISTANCES to be traveled between the hotel and the conference center, and between the general session and the expo floor/sessions. For those of us who are mobility impaired, it was a real pain (lterally) to walk these distances.
Biggest compliment? Plenty of people in the hall to tell you where things were if you were having trouble finding them.
Biggest disappointment? ARMA is STILL not doing a good job of marketing the Poster Sessions. Having delivered on every year sinceLong Beach (except this year) many attendees still don't know what they are supposed to be or intended to offer, and where to find them. This year they were in a dimly lit hallway- probably the best layout thus far was in San Antonio , but even then, no one seemed to know what they were.
Major suggestion? Re-instate the prior year's practice of ensuring EVERY first time attendee get a ribbon, and seriously encourage all Leadership and "old-timers" to directly approach and engage these people. I personally tried to approach every one I saw and ask how their experience was going and if they needed help navigating the landscape. Most of them were grateful and said that no one else had spoken to them. =(
Given the non-trivial cost of attending this annual event (registration, airfare, lodging, ground transportation, meals and incidentals) it would be nice to see more done to make the experience an overall win-win. Employers are becoming more reluctant to spend money sending employees to 4-5 day events unless they have an understanding of the take-aways and benefits of attendance. For members, the networking opportunities are excellent and the chance to catch up with friends and colleagues makes it a worthwhile experience. Employers however, are looking for hard benefits to their bottom line... and while you can come away with benchmarking information and suggestions for improvements to practices, sometimes it's hard to show that direct cost-to-benefit ratio.
So much to say, where to begin? Okay... the ARMA Conference in
The conference was well attended, 4600 total, about half that many full paid attendees. Lots of sessions both on the paid and free side (those in the exhibit hall from vendors; some with the assistance of RIMs or techxperts). Lots of sessions on e-mail management and compliance issues, many on gaining management support for RIM programs, marketing RIM, and implementing ERMS tools. (Nope, you'll NEVER hear them referred to as 'solutions' here) It sure would be nice if the handouts for the expo floor sessions were ALSO made available to attendees!
Efforts were made to relate the sessions to domains and levels called out in the ARMA RIM Competencies which I stand firmly behind as a great document to provide guidance for where you are and where you may want to go in your RIM career.... obligatory disclaimer here, as I worked to help develop this document for 3+ well spent long years. Unfortunately, I think the efforts fell a bit short of their goals.
Talking to numerous attendees, some of them first-timers, many felt the sessions had the following problems:
1) the description did not accurately match the content
2) the ratings were higher than the content presented
3) the domains were misstated- content didn't stay on track for domains
A number of attendees told me that after the first day, they adjusted their plans and went to higher rated sessions, and still didn't feel they were getting what they expected in all cases. But, as I explained to them, this is a work in progress and it should improve over the coming year... and I STRONGLY SUGGESTED to them that they provide some of their feedback to ARMAs EDC and education department. If no one tells them, nothing will change.
I'm torn between the old "tracks" and the new "competency based" arrangement of sessions- one thing I'd like to see greater consideration given to is adjusting things so sessions of a common nature and differing levels are placed against each other in the same time slots, instead of making attendees choose betweens similar level sessions in multiple domains. Fortunately, almost ALL of the sessions handouts were posted in advance this time, so you did get an opportunity to review them before attending and make some choices of where to spend your time. Too bad a lot of first time attendees weren't aware of this option.
Biggest complaint? MISERABLE DISTANCES to be traveled between the hotel and the conference center, and between the general session and the expo floor/sessions. For those of us who are mobility impaired, it was a real pain (lterally) to walk these distances.
Biggest compliment? Plenty of people in the hall to tell you where things were if you were having trouble finding them.
Biggest disappointment? ARMA is STILL not doing a good job of marketing the Poster Sessions. Having delivered on every year since
Major suggestion? Re-instate the prior year's practice of ensuring EVERY first time attendee get a ribbon, and seriously encourage all Leadership and "old-timers" to directly approach and engage these people. I personally tried to approach every one I saw and ask how their experience was going and if they needed help navigating the landscape. Most of them were grateful and said that no one else had spoken to them. =(
Given the non-trivial cost of attending this annual event (registration, airfare, lodging, ground transportation, meals and incidentals) it would be nice to see more done to make the experience an overall win-win. Employers are becoming more reluctant to spend money sending employees to 4-5 day events unless they have an understanding of the take-aways and benefits of attendance. For members, the networking opportunities are excellent and the chance to catch up with friends and colleagues makes it a worthwhile experience. Employers however, are looking for hard benefits to their bottom line... and while you can come away with benchmarking information and suggestions for improvements to practices, sometimes it's hard to show that direct cost-to-benefit ratio.
Labels:
ARMA,
conference,
education,
information assets,
records,
RIM practices
Thursday, September 11, 2008
Red Flag guidelines in effect Nov 1, 2008
The 2007 changes to FACTA go live in November; details can be found here.
The 2007 amendment to the Fair and Accurate Credit Transactions Act (FACTA) (15 USC 1681m(e)) directed the Federal Trade Commission and 5 other federal agencies to establish Guidelines for financial institutions and creditors (as defined) to develop and implement a WRITTEN Identity Theft Program for new and existing accounts.
"Creditor" as defined in the Guidelines includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
The 2007 amendment to the Fair and Accurate Credit Transactions Act (FACTA) (15 USC 1681m(e)) directed the Federal Trade Commission and 5 other federal agencies to establish Guidelines for financial institutions and creditors (as defined) to develop and implement a WRITTEN Identity Theft Program for new and existing accounts.
"Creditor" as defined in the Guidelines includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
Labels:
FACTA,
financial records,
identity theft,
privacy
Subscribe to:
Posts (Atom)