School of Computer and Information Science

Information governance and Stewardship for Records and Information Management

Miranda Welch

01 June 2009

Thesis Abstract

Records and information management (RIM) professionals are faced with huge challenges dealing with the ever expanding volume of electronic information. They struggle to implement effective and efficient RIM programmes that ensure business information is controlled, managed, findable and of high quality. Poor recordkeeping practices result in poor quality information and the inability to share information across the organisation. In turn, this inability negatively impacts compliance, management reporting, risk management, governance, and accountability.

Data management professionals are similarly facing challenges relating to poor quality data.This also negatively impacts the shareability of information, compliance and management reporting, risk management and accountability.

To address this, the data management profession has started to implement formally structured data governance programmes to improve the quality of structured data across the organisation. An important component of data governance is stewardship, which is a formal process whereby data stewards, from the business rather than IT staff, are held accountable for the data quality.

However governance and stewardship are not, currently, significant components in RIM programmes.This thesis investigates the hypothesis that records and documents would be more effectively managed if they were under the stewardship of business stewards who are responsible for ensuring the quality of that information on behalf of the organisation.

The primary conclusion drawn from the research is that there are no obvious reasons why governance and stewardship cannot be equally applied to RIM. Moreover RIM professionals could leverage the governance and stewardship methodologies from the data management discipline for this purpose. A secondary conclusion is that information (incorporating both data and RIM) could be readily managed holistically across an organisation by a partnership between RIM, IT and the business to the potential advantage of all.

Acknowledgements

This research project has been a wonderful learning experience. The initial idea for this project started during my employment with BearingPoint, when I was working with some of the staff from the Australian data management team, looking at what they were doing and the strategies they were preparing for clients, and realizing that governance and stewardship couldsurely be equallyvalid for RIM and provide value to both RIM professionals and their organisations, and improve the quality of the information resources.

I would like to thank Ginny White and John Campbell who worked with me at BearingPointa few years ago, and who started me down this track initially, and the Australian BearingPoint team who originally wrote MIKE 2.0. I would also like to thank my supervisor, Dr Simon Shurville for his support and advice during the lasttwelve months of study.

Many thanks also to the data stewards who so willingly answered my questions and enlightened me about some of the practical aspects of stewardship, and the one hundred and eleven RIM practitioners who responded to my survey – thank you so much for your time.

Finally, thank you to my husband Robin for his love, support and encouragement while I have been trying to combine work, study and family life.

Miranda Welch

1

Table of contents

Thesis Abstract

Acknowledgements

Chapter One

Introduction

Records and Information Management

The Issue

Definitions

The Importance of Records and Information Management

Data Governance and Stewardship

Research Questions

Chapter Two

Literature Survey

Data Management, Data Governance and Stewardship

Records Management, Governance and Stewardship

Holistic View

Chapter Three

Research Methodology

chapter four

Research Results

RIM Practitioners Survey

Qualitative Research

Company A

Company B

Company C

Chapter Five

Data or Information? What’s the Difference?

Exploring the Similarities

Quality

Data Quality

Information Quality

Governance

Data Governance

Information Governance

Stewardship

Data Stewardship

Information Stewardship

Stewardship not Ownership

Chapter Six

Information Stewardship for RIM

Information Governance Sponsorship

Information Governance Council

Domain Specific Stewardship Groups

Information Stewards

IT and RIM

Chapter Seven

Responding to the Challenges and Research Questions

Challenges

Challenge 1 – Executive Level Support

Challenge 2 –Findability of Information

Challenge 3 – User Compliance With Recordkeeping Policies and Procedures

Challenge 4 – Relationship with IT

Challenge 5 – Quality and Integrity of Information

Answering the Research Questions

Chapter Eight

Conclusion

Further Work

Chapter Nine

References

Chapter One

Introduction

Records and Information Management

At the heart of this thesis are challenges faced by Records and Information Management (RIM) professionals to implement an effective and efficient records and information management programme. This introductory chapter examines what RIM entails, some of the issues commonly faced by RIM professionals. It lays the groundwork for the research questions that are the basis of this document; namely, that data governance and data stewardship methodologiesfrom the data management discipline are equally applicable to records and information management.

There are a myriad of definitions for records management available in the literature. One of the more widely quoted is the definition drawn from the International Standard for Records Management:

−“The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”(ISO15489-1 2001 p.3).

Another definition for records management, that is more business and legally oriented, comes from an EMC[1] white paper:

−“Records management is the application of policies, practices, technologies and other management controls to the information content required to: 1. Support business operations, and 2. Protect legal interests and respond to regulators”(Kahn and Blair 2004 p.5).

For the purposes of this thesis, these definitions provide a basis for discussing RIM, providing we also establish a very clear premise that “records” cover not only physical documents and records, but also documents and records stored in various formats in a multitude of electronic repositories such as Electronic Document and Records Management Systems (EDRMS) andEnterprise Content Management (ECM) systems, individual and shared drives, personal storage devices, PDAs, emails stored within email systems or email archiving solutions and Sharepoint sites. In essence, when we refer to records we refer to both physical and electronic records.

In the 21st century, most records and documents are born digital and stored digitally. Indeed, the Sedona Guidelines,which were published with the aim of providing guidelines for electronic document production in the context of litigation, emphasizes this point inthe first sentence of the preface.

−“Today most information created and received in organizations of all sizes is generated electronically in the form of e-mail messages and their attachments, word processing or spreadsheet documents, webpages, databases and the like”(The Sedona Conference 2007 p.vii).

Most organisations, in my experience, wish to store and manage their records and documents digitally, although, even with the ready availability of electronic information, the quantity of paper records is hardly subsiding. Organisations generally agree that they are struggling with a deluge of information and terabytes of digital storage. A recent article in Computerworld(Brandel 2008 p.22) cited research from market research firm IDC, that by 2011 the digital universe will be ten times the size it was in 2006. In the same article, Brandel quotes a New York based research firm which believes information overload is the “problem of the year”(Brandel 2008 p.22).

Newman refers to the information overload issue as “infoglut”(Newman 2005 p.3), and believes that the unstructured content is of greater concern than structured data.

−“Organizations are looking for methods to manage an expanding volume and velocity of information sources. While structured data sources (such as databases and file systems) continue to grow, the greater concern is the uncontrolled volume of unstructured content found in email systems, document management applications, records management systems and so forth”(Newman 2005 p.3).

Logan and Chin, reported on the lack of control over business information exhibited by many organisations in the United States in their Gartner Research Report:

−“Many federal government agencies are failing to manage their business information properly. Our research shows the U.S. federal government has this in common with other national governments around the world. As the amount of electronic information has exploded, governments and businesses have lost control of it”(Logan and Chin 2009 p.2).

Another Gartner research report, from Bell, Logan and Friedman describe the issue succinctly.“The volume of information is growing faster that our ability to manage it”(Bell, Logan et al. 2008 p.3).

In addition to the information overload issues, headlines around the world should regularly remind executives that inadequate corporate recordkeeping systems will incur either financial or reputational penalties. Poor recordkeeping practices can result in issues such as breaches of privacy, inappropriate disposal of information, non-compliance, operational failure, and loss of reputation. Some international examples include:

  • In Australia, 2005, the Palmer report of an investigation into the immigration detention of Cornelia Rau criticised the adequacy of Department of Immigration, Multicultural and Indigenous Affairs’ information systems, describing their database infrastructure as siloed, and explicitly making recommendations regarding the need to significantly improve DIMIA’s recordkeeping (Palmer 2005). The Victoria Police have been condemned for a systemic failure to provide proper information governance, following instances where surveillance squad files were leaked to an alleged drug trafficker and an alleged gangland murder suspect. The author of the inquiry criticised the lack of accountability, gaps in information governance and poorly monitored policies. (McKenzie 2009)
  • In New Zealand, a vindictive student deliberately deleted business critical information, including documentation on international patents, crucial project data and five years worth of engineering drawings from Hamilton business Progressive Hydraulics. These actions cost the business hundreds of thousands of dollars in attempts to recover the data and lost business (Van der Stoep 2009).
  • In the USA, the FBI disclosed that nearly a quarter of its investigative files relating to recent leaks of classified information were missing and could not be located(Gerstein 2006).Federal housing officials in the USA criticised the Newark Housing Authority for poor recordkeeping, including failure to produce a signed agreement to justify the payment of $6.9 million to the City of Newark. The money was intended to add police and health services at its apartment buildings, and they failed to document where the money was spent and whether the residents ever received the extra aid(Cave 2006).

The need for corporate accountability and transparency in the post-Enron era has intensified requirements to manage and control information more efficiently and with more transparency. Sarbanes-Oxley Act (2002) and the Basel II accord are two such examples, while in New Zealand and Australia, government agencies are increasingly subject to legislation and standards to ensure that they are managing information effectively. New Zealand has a new Public Records Act (2005), which requires compliance audits of government agencies commencing in 2010.

In summary, while RIM is a discipline that has been in existence for decades, it is becoming increasingly important for supporting compliance, accountability and good governance at a corporate level. Records management programmes struggle to effectively manage and control corporate information. In the Executive Summary to the 2007 Electronic Records Management Survey report, Cohasset Associates sum up the current state of records and information management:

−“While many organizations are moving in the right direction, Cohasset’s research clearly indicates that, for an alarming number, the job of records management is still not getting done”(Williams and Ashley 2007 p.10).

The Issue

In my professional experience as an RIM consultant, records and information management professionals consistently struggle for their programmes to be recognised, valued and trusted by senior management, IT and the business at large. According to research conducted by Forrester Consulting on behalf of Association of Records Managers and Administrators (ARMA) International in 2004:

−“Records and information (RIM) professionals are losing their influence in records management as ERM [electronic records management] emerges”(Swartz 2004 p.31).

−“Business and IT do not fully understand what ERM is; nor do they understand ERM’s role in compliance regulations and legislation”(Swartz 2004 p.31).

One of the latest research papers from the Association of Information and Image Management (AIIM) reinforces this perspective, among their key findings for their State of the ECM Industry 2009 research report.

−“Records managers are often being left out of the equation. In 36% of large organizations, IT is managing the Sharepoint rollout with no input from the Records Management Department. A further 14% admit that no-one is in charge and it’s completely out-of-control”(Miles 2009 p.4).

Organisations are increasingly dependent on the quality of their information, yet some still only pay lip service to the concept of valuing, organising and managing their information assets, as indicated by Cohasset Associates (Williams and Ashley 2007 p.47). Cohasset’s report on the 2007 Electronic Records Management Survey included a series of action items for success, and the first action item was:

−“Recognize and address the many significant existing problems in how records are currently managed” (Williams and Ashley 2007 p.47)

These are not new concerns. In 1995, John McDonald, working at the National Archives of Canada, wrote an article describing the modern office environment as “the wild frontier”.(McDonald 1995 p.70)

−“Instead of horses and wagons, our organizations have provided us with computers and software, telling us to charge off into the great unexplored plains of cyberspace where supposedly we can work more effectively. With a few mouse-clicks, we can easily send e-mail messages to people at all levels of the organization. We make no distinction between the substantive message and the informal “let’s do lunch” type – they all go through the same electronic channel. We use our own sometimes unorthodox approaches to describe and classify our documents. When our directories are too full, we simply get rid of the old stuff that we do not need any more”(McDonald 1995 p.71).

Ten years later, as a contributing author for a book titled Managing Electronic Records, McDonald suggests that “the wild frontier remains as elusive for most organizations as it was ten years ago”(McLeod and Hare 2005 p.2). McDonald discusses the changes that have occurred in the realms of legislation, policies, standards, systems and people, as well as, of course, technology. “The lack of understanding managers have of electronic records and records management”(McLeod and Hare 2005 p.8) is cited as a key inhibitor to progress. McDonald recommends “establishing a vision, enhancing awareness, assigning accountability, designing an architecture and building capacity”as actions that would help to accelerate the rate of change (McLeod and Hare 2005 p.8).

In the current environment of electronically generated and stored information, it is not unusual for a large percentage of an organisation’s records and documents to be stored outside of any formal, managed system as organisations struggle to manage and control their electronic records.

In a recent survey of electronic recordkeeping, Archives NZ reported that 20% of government organisations described their recordkeeping systems as “informal”, and a further 27% described their systems as “other”(Kazakov and Johnson 2007 p.6). This leaves just 53% of New Zealandgovernment sector organisations with a formal recordkeeping system. We have no way of knowing from that survey just how much of their total information (in the form of records and documents) is actually captured within those recordkeeping systems.

I have been unable to locate any research that asks organisations to estimate what percentage of the records they generate, receive and store are actually captured within a formal recordkeeping system. We may need to accept that responses to this question, while altogether illuminating, will always be totally subjective and unproved. My own experience, as a RIM consultant, suggests that in many organisations with a formal recordkeeping system, an average of between 25% - 35% of the entire volume of records, documents and emails generated, received and stored by an organisation would be stored within the formal recordkeeping system, either paper-based, electronic or a mixture of both. The remainder of the organisation’s information is likely to be stored in individual, ad hoc systems such as email folders, pst files, shared or local drives, hard drives, multiple ungoverned Sharepoint sites or personal paper files.

Among the pre-conference workshops for the Managing Electronic Records (MER) Conference 2008 in Chicago was a full day workshop titled “Successful ‘Enterprise’ Content and Records Management Programs”(Alsup, Cisco et al. 2008). It was run by presenters from the Gimmal Group, a leading ECRM systems integrator. When looking at the status of electronic document and records management systems, presenter Mike Alsup estimated that EDRMS solutions contain “less than 20% of electronic documents in most organisations”(Alsup, Cisco et al. 2008 p.5).

The RIM Practitioners survey conducted as part of the research for this thesis included a question intended to gather RIM professionals estimation of the percentage of the total volume of physical and electronic records and documents (including email) that are captured into their approved corporate repository. Just under thirty percent (28.8%) of respondents estimated that less than 25% of the total volume of their organisation’s information was stored in the corporate repository or repositories. A further 21.6% of respondents indicated that less than 50% of their organisational information was stored in approved corporate respositories. This meansthat just over 50% of respondents acknowledge that their corporate systems are less than effective in terms of managing and controlling their organisation’s information assets.