In this next blog, Part 3, I want to go over some important supporting topics for implementation, how this can speed up your progress for compliance and how an IGP can help you in other ways.
Information Access Points – Pull it Together in a Diagram
One thing that can help you speed up the IGP process and give you more control over all these different aspects is to map things out.
What you can look for is any and all access points from a document or piece of information from a staff member or the public. Map out all of these routes and you can see a network of who ‘touches’ what and where. Note who is supposed to be accessing and who is not supposed to be accessing information but CAN access it anyway, etc.
You need to know what is authorized and what is not fully secure for risk assessment. This may include a lot of conversation with your IT department. You may get to know them really well through this process, if not already.
This is just an example, find a way to visualize a map of your target topics to help you form a plan.
Each point of access in your mapping can hold potential for:
New or updated vital record definition and risk management plans.
Lifecycle mapping, updating requirements, and researching governance controls.
Implementation of solutions to cover those requirements if not already reasonable covered.
Possible redefinition or updated security permissions, access, and sharing.
New or updated policies and procedures around “use of” and “access to.”
Training on these new updates or even old policies in a new unit of time.
Audit and continuity plans that need to be made if not already there.
And, last but not least, Records Management controls that may not have previously been considered. For instance, adding metadata to content so it can be tracked or labeled for future disposition actions.
Cover Your Assets and Help Yourself in Many Other Ways
If there is anything that is a huge CYA on information management, that would be the IGP. But that is only if the plan is thoroughly covered, fully implemented, and kept up with. But truth is, it does a lot more than merely CYA! In addition to your agencies governance compliance requirements and security standards, it can also greatly help you with electronic content management solutions and implementation projects:
It can help you comply with Federal mandates, like the 2019 and 2023 mandates.
It can guide you for implementing NARA’s FERMI requirements.
It can help you elicit and complete proposals or bidding requirements when searching for electronic management solutions and tools.
It will help you implement standard business practices so that users are creating and using the content within the compliance framework and much more.
It can help you create compliant processes for end-users to automate their business actions.
Think of it as one large, high-level requirements and compliance plan. You can forever use your research and this IGP to guide you through the most important aspects from a paper to electronic solutions all over your agency.
Expanding your Knowledge
How is your level of knowledge when it comes to your agency’s systems and networks? This is important too. You need to know how they are laid out, permissioned, and secured. Most records managers are familiar with how their data is being backed up, but do you know the access to these networks?
Do you have an Active Directory or an LDAP managing your users?
Does it manage permissions to content on the various points of information access?
All systems? Or just some systems?
How is it laid out?
Who manages this?
What are the processes?
Are there any policies in place?
What is in place in your agency for policies regarding Rerecords Management, training, the security of information, sharing of information, remote access, etc., if any? You need to familiarize yourself with every policy your company currently has that discusses information governance. This can even include HR policies and financial policies that protect information or give guidelines for how information and document sharing is to be used in the company. You need to know what parts of the policy need to stay the same and what parts need to be updated and why.
Enterprise Content Management
If not already considered, you may need to invest in an Enterprise Content Management system (ECM) like Alfresco to help you actually implement a lot of requirements on the IGP. Some of you already have one and that is why you need an IGP and some of you will need an ECM to help you achieve compliance on an IGP.
Either way, making the IGP beforehand can greatly help you know what you need for an ECM. However, you also may need to change some detailed procedures, based on the ECM you choose. But, this policy can provide high-level requirements for:
What is the structure of the security and permissions for the points of access to the ECM?
Important content lifecycle information that can be extracted from your IGP that can help shape your ECM requirements.
Important information about metadata that can help shape your content model for the new solution.
Governance standards and record management control that can help you shape your requirements for the new ECM system or upgrade.
Support for migration — some information can be extracted from the IGP to help plan for migration.
The research you do for the IGP can be used to help make decisions in your ECM.
Implementation and Change Compliance
When implementing such a policy as an IGP, it is important you think all the way down the line to the users who will be actually doing these actions. Each section of the IGP must be analyzed with a mind to:
How? Literally, how will they apply this in the physical universe? Steps/actions users will take to apply this?
You need to know the ramifications so you can fully understand the possible risks and how to manage expectations.
Is this actually doable, enforceable as written?
What effects will this create if these policies are laid out this way, in that sequence, etc.?
Did you give them deadlines? Are these deadlines feasible? Is there anything that the deadlines ‘did not take into account’? (like major transitions, projects ending, mergers, other major business events that can interfere with these timelines?)
Is it too high level? Is it too detailed?
What are the potential ways this will get implemented? Will it get misunderstood? What level of training and audit will be needed?
Do you have policies and procedures planned to cover each aspect smoothly?
What are users doing today; will this be a massive change and thus bring about user acceptance issues?
How can we campaign this so it is more palatable?
Truth is, there are always going to be issued with end-users and implementation. But if you do your homework and really plan out each section with:
Full knowledge of the activity of the department will affect
The potential ways this can get implemented and how much it will cost, what are the risks, etc.
Knowing the intentions and new direction of management
Keep in mind, “what is the greater good?” (meaning “what is best for the whole agency?”) Is it better to make everyone’s jobs easier? Maybe. Is it better to be compliant so the company and its information are safe? You just may be changing their processes, but it might be vital to do so. This is assuming that the change is important and necessary to the IGP and the company.
You may need to justify the changes or affects this will cause so that the majority of people can’t refuse the logic of the change. Lay out training to help with this and remember the more communication the better. Tell every one of your plans throughout the research and discovery phase of this IGP. Once it comes to their department for implementation, users will already know that it is coming. Just keep stating your case – management at this stage should understand and have your back. If not, that is another campaign but I hope by this time you already ran that one and got the support you need!
Managing Expectations – Communication is Key
One thing that has helped me along the way is managing expectations. This is always a large topic on any project. Everyone sees things differently. Getting everyone “on the same page” can be one of the biggest hurdles. Remember when I said to ‘communicate more and more’? It is true, the more you communicate your intentions, goals, plans, procedures, eventually, your communication will sink in and the “understanding” gets better and better.
People who do not understand, often make fun of or flat out refuse to do things. They can also say they ‘will do it’, but since they don’t fully understand, they will not actually do it. Thankfully, there are some who will tell you they don’t understand, and you can fix that much easier. However, no matter the mix, the more people who understand you, your goals, and why this is important, the more compliance you will get.
“Expectation” is defined by the Google Dictionary as “a strong belief that something will happen or be the case in the future” Or “a belief that someone will or should achieve something.”
It is basically a prediction! Users can predict that something is coming down the line, see better what the plans, purpose and future actions are, and include themselves in the mix and PLAN for this occurrence.
Stakeholders need to be able to:
Understand the words coming out of your mouth/in writing
Hear it over and over again, in order for their expectations to be closer to your own – if not the same
Agree with the plan, at least somewhat, or decide they will comply regardless.
Communication is key, but you have to consider the following:
You must have their attention so that communication is willingly received (simple but sometimes missed!).
Communicate clearly so they can receive it easily (clear, short and simple terms).
Communicate a lot about it, you may need to repeat yourself several times.
Ask them to repeat what you just told them back to you (this is extremely helpful and if you can find a way to do this without making them feel like you are being condescended, then it can really show you who understands).
Communicate enough Don’t tell them a small fraction of information and then expect full understanding; don’t leave out important factors that could majorly affect them but also not too much as to overwhelm them with the information they don’t need to know.
Communicate to the right people, in the right sequence. You may need to go from the top down, or up through the chain of command and back down the other side, etc.
Answer people’s questions, acknowledge their concerns, keep notes.
Be ready with charts, diagrams and supporting documentation for those who learn in more visual ways.
Try to fix confusions and misunderstandings as fast as you can. You need to look for them and try to find the disconnect or disagreement. The disagreement may be legitimate — you may have something wrong on your end. You might need to compromise; keep an open mind for your own improvement as well.
You may be speaking clearly but they may not be understanding you FULLY. Actual duplication of ‘what you are trying to say’ or ‘what is needed’ is what you are looking for.
Logistics of a Successful Project
Most Project Managers are aware of the need for pre-planning logistics. This is another vital part of doing an IGP. You will need to know the answers to the following:
How much of a gap is there from the current scene to the ideal scene?
How much work, hours, and resources will it take to go from the current scene to the ideal scene?
What is the desired timeline? Do you have any deadlines imposed by governing bodies, mandates, audits, laws, leadership or legal counsel?
What is the realistic timeline considering the available resources (funding and personnel, etc.)?
What resources do I need in order for this to be successful?
What resources do I have available to me and for how long?
What is the gap between the above two bullet points?
Possible risks involved in timelines, funding, and resources?
Putting together a project schedule, approach and risk assessment are going to be vital for an IGP to stay on track and eliminate risks as best you can before they happen so you can plan for them.
Knowing the basics of Project Management will help you implement a successful IGP. You don’t have to be a specialist to implement an IGP, however, I suggest that you do some research on the basic steps and key aspects of Project Management so your bases are covered:
Project Initiation & Planning
Dependencies of successful implementation
Implementation of the IGP to completion.
Deliverables for this IGP mapped and completed.
Project Monitoring and Control
Change Control as needed through the IGP project.
Reporting for the IGP project.
Quality Control for the IGP project.
Closure reporting and monitoring.
To recap what we’ve learned in this 3-part blog series:
What is Information Governance is and why you need it
Get to know your agency very well
Make the decision and solidify your purpose for an IGP. Management should be on board at this point. Get the support from leadership that you need.
Make an IGP Team
Be aware of the 5 Phases of the IGP:
Draw up the plan
How to implement; start your draft IGP
Implementation and Change Control
Audit and Monitoring
Know what needs to go into your IGP Document
Introduction, purpose, goals, mission, etc.
High-level requirements and scope
Project plan and team
Policy and procedures
Audit and monitoring
Disaster recovery and business continuity
Use diagrams that help you map out access/control points
Think about how things will actually get implemented; make it possible and add realistic targets
Use the IGP for overall access, control, security and other governance requirements on all sorts of projects and policies. Let it guide your organization to compliance in all areas.
Use an ECM to help forward your IGP compliance and support.
Manage expectations and remember that communication is the key.
Managing the logistics to be sure you identify risks early to your project plan.
Good luck! Let me know if this was helpful or if you have any feedback.
In this next blog, Part 2, I want to go over the phases of the IGP and what goes into the IGP document. Please be sure to read the first part of this three-part blog “Vital Steps to Develop an Information Governance Plan – Part 1”.
Phases of an IGP
First Phase: Gather all the information needed. What is in place already, know your agency’s needs, inside and out. Get proper justification for an IGP and get the support from leadership if not obtained already. Come up with a high-level plan for the plan – what do you need to gather to go in your IGP? You have to start somewhere, and that is “what is ALREADY in place?” Whether good or bad, you need to know what is being done today with regards to information governance and all its policies, access points and personnel.
Start your IGP Project Plan: What is the scope of this IGP project? What are your resources? What are the timelines and risks?
Create an Information Governance Diagram: This can help you sort the data you have gathered thus far and put them into the main sections of your Information Governance Plan. Mapping this out can help you see the high-level areas that make up your IGP and you can use this in your plan, some examples can be:
Second Phase: Start drawing up the plan document itself. Create the IGP Document draft (see sections below). Sometimes it helps to start the document even before you “know all you need to know” – it can help you find areas you didn’t think about and structure the rest of your work. So, don’t be afraid to just start a draft policy and add sections to it that you need to iron out later.
Third Phase: Work out how it will be implemented. Do you need a phased approach? Do you have all the info you need in order to complete the document? No? How can you get this information and what is your approach? In the Third phase you may or may not complete the document, but your key research points should be visible and the sections of the document that you need to finalize should be clear.
You may need to draw up the policies that are going to be implemented before the IGP is complete, so take that into consideration. Sometimes the low-level policies need to be implemented earlier than the IG, so that could also be a part of this phase.
You may also need to dig into every department and find out how implementation will affect that area and what the risks are. This is where a phased approach can help ease yourself into the implementation for each area.
Fourth Phase: Your document is complete, and you have a solid implementation plan in place. Start to roll out your implementation (if not already started in phase three above). This can be conducting training and continuation of the policies that need to be created or applied.
You may need to help each department get over the hurdles that this will entail. There may need to be meetings that support the cause and push understanding for smoother implementation.
Each department may need its own pilot or phased approached as discussed earlier. You may need to make a different plan for each area (with the help of the whole team and the department head).
You will need to have an agreement on how changes will occur and how to switch gears depending on feedback from the implementation. You may find that something is lacking or that design or policy is in need of re-vamping. Have the team decide on the changes and their risks. Updating the plan, sub-policies, training, etc., may be needed.
Fifth Phase: Audit, Monitoring: You will need to conduct audits for continued process improvement. You may find all sorts of errors or bottlenecks that need to be corrected in your IGP. This is a learning process and it takes time. You need to have a solid plan for monitoring and then follow up with it. This may even entail a completely different set of team members in each department unless you have the luxury to have Records Custodians/Coordinators in each area; they can be very useful for this type of monitoring.
Look into what your margins were, your ‘success criteria,’ and see if you are meeting the marks. Do you have good reports and statistics that help you determine if you are meeting your desired goals? Are they helping you audit your project? If so this should help you determine how things are going.
Analyze what was done or not done and come up with a plan to correct it. It might be a change to the policies or IGP or it might be training and employee correction.
What Goes IN the IGP?
Now, let’s dive into the “meat” of the IGP document. This can greatly vary from agency to agency.
At a high level, your IGP might include the following:
1. Introduction, Purpose, Goals, Mission, etc. Spell out why this document is here and why it is needed. You can even add some details of the “current issues” that this policy is trying to solve or you can just add its purpose and milestones. Adding in metrics for success can also be very successful in keeping everyone’s “eyes on the mountain.”
Note: Depending on the scope, these may differ from your “Project Plan.” The IGP may be more a high-level guide for information assets agency-wide, whereas a Project Plan will go over specifically how to get the IGP completed and implemented. The Project Plan may only be directed at the IGP project team, whereas the IGP itself will be for everyone.
2. Requirements and Scope. This could help focus the attention of the reader as to what this IGP will be applied to or focused on. You may have an agency-wide IGP or maybe specific IGPs for certain entities. Including what regulatory and governance compliance you are aiming for is a must. It can help you focus the rest of the document as well.
Keep in mind the following ERM Requirement Categories from NARA, as discussed earlier:
Maintenance and Use
These sections can help guide you in the scope of each asset type that is being governed. For instance, in your IGP you may want to manage electronic documents. In order to successfully manage all electronic documents, you will need to govern these areas, to some degree, so you can capture this in your IGP.
3. High-Level Project Plan and Team. This can be everyone on the project team and what the activities and actions are going to be from the Project Management perspective on a high-level basis. You don’t have to get into major details about the IGP Project, like a communication plan or a schedule; that would be better suited for the Project Plan if you make one.
4. Project Compliance. This can include how things will be implemented. Will you need to do this departmentally or roll it out in phases? What are the expectations of the staff? What are the steps for Change Control? How will implementation be structured? Part of the compliance is adhering to the policies and procedures – this section may need to include “why all these policies?” and “how are you going to achieve the purposes and goals of Information Governance by applying these policies?” Keep in mind your audiences – what is better suited for the project plan vs. what should be for everyone’s knowledge in the IGP?
5. Policy and Procedures. This may include the in-place policies and procedures or new policies and procedures that will result from this IGP or are the basis of this IGP. Most of the time, the IGP itself is too high level so you may need to have detailed supporting policies and procedures. The IGP can give a direction and a guideline for these policies. Policies/Procedures/User Guides that may need to be included for this section are:
TXT/IM’s and Social Media
Retention Schedules and implementation
Legal Hold Procedures
Disposition (Destructions & Transfer procedures etc.)
Security models and role-based access controls
Back up plans
Disaster recovery plans
System design documentation
Privacy & information sharing
Social Media, Instant Messaging, Mobil Device plans
Training & schedules
Capture, scanning or conversions, etc.
Hard copy records plan and retrievals
System user guides
6. Training. How will the training be conducted? When? What’s the frequency and what are the topics? How will the policies and procedures be covered for everyone who needs to know them? Some people may say you don’t need this in the IGP. And that is OK – it can all be covered in a separate training policy/plan. Just think about “what is important for your agency?” If you need a more elaborate, separate policy/plan for a training approach then add it to the list of policies that you need to support this IGP.
7. Audit and Monitoring. Add how you will be auditing this plan, as well as the regulatory audits that your agency is subject to that affects the IGP and the users on the subjects of the IGP. You may also need to discuss the reporting needed here to assist in the monitoring and reporting so that those requirements are clear as well.
8. Disaster Recovery and Business Continuity. How will these different areas be covered in a disaster? What are your back-up plans? Make sure to do research on this, you may have 2-15 different types of disaster recovery plans based on the different types of content and their locations, etc. You may need separate policies/procedures for these, but they can be covered, in general, in the IGP.
9. Definitions. “Understanding” and “communication” are the most important things when conveying any policy. So, when trying to implement your IGP it is important that you have a place to explain any misunderstood terms by adding a small Glossary and Acronyms section. (You can’t have understanding without communication, and you can’t have communication without words, so if those words are not understood, then you do not have actual understanding of your policies and procedures).
Today, I wanted to dive into a topic that I don’t see many people writing about; Information Governance Plans (IGP) and how to initiate one. In this three-part blog I will discuss what the vital steps are to create an IGP and how to keep you on track for successful implementation.
We’ll address the following questions:
What is Information Governance?
Why is it important?
Who is responsible for an Information Governance Plan?
What do you need to know in order to create an IGP?
What must you keep in mind throughout the IGP process?
What are the five stages to initiating an IGP?
What are the pain points of implementing an IGP; what are the pitfalls?
What are the sections and topics that can go into an IGP?
What do I need to know in order to be successful in implementing an IGP?
What is the key to getting compliance in an IGP?
Why is Project Management important for a successful implementation of an IGP?
In order to embark on the IGP path you must understand these two critical components:
What Information Governance is and whyyou need it
The intricate details of all the information requirements and layout of your own agency
For number one above, there are many good books and blogs on the topic. One of my favorites is “Information Nation: Seven Keys to Information Management Compliance” by Barclay Blair and Randolph Kahn.
Also, you need to gather all of your agency’s issues and risks that surround information governance in your agency. This can require some digging, but chances are you already know something of the risks and issues on your plate, that is why you are reading this blog. Most of what you might run into is being caused by not enough control, metrics, policies, or training in place around the agency’s information assets.
Things that are very helpful to know are:
Why do you need an IGP?
What are the different facets of Information Governance?
What goes into the plan documentation?
What are the pitfalls and risks?
What are the benefits?
What it is actually like to implement an IGP, and not just “on paper,” but in real life scenarios.
What must you keep in mind? How can you set correct expectations?
For number two above, if you have spent a good amount of time at your organization then chances are you already know a lot of the “ins and outs” of the day-to-day activities and how information is captured, managed, accessed and disposed of.
But if you are a new member to the team, then you need to really dive in and learn a lot about these aspects. What is in place today? What IGP initiatives have been started in the past, if any? What are the policies and how are things being run?
You need to know the staff layout, departments and structures, the projects, the internal and external governing policies, etc. If you are a Records Manager, this is most likely in line with your job description already. Ask questions like:
What is our mission?
What are we producing?
Why are we producing it?
Who produces what?
What information assets are the result of all this production?
What are the vital records and do they have a back-up plan?
Start with the basics, of course. Soon you will be putting together a plan that could potentially change the way things are managed today, so you need to know your agency very well in order to make such changes smoothly.
Also, a word of advice, if you are new to the agency: You need to make yourself known. Let everyone know who you are and what you are there to do. You don’t need to be “popular” but you need to be “known” far and wide, since your goals will include everyone in the agency. If they don’t know who you are, and why you are there, they will not give you vital information you need in order to do your job or they may not accept/comply with your requests.
What is Information Governance and Why do You Need it?
Information Governance is the set of policies and procedures around the capture, control, and access of all your agency’s information assets.
The amount of electronic information assets today is astounding. Implementing a way to govern the safety, proper use and access to these assets falls under the topic of Information Governance.
This can be a whole network of requirements, plans and policies to govern your informational assets, including: documents, records, metadata, databases, hard copy records, statistics, and vital records. It encompasses things like security, continuity, access rights, metadata and structures, retention schedules, audit requirements, content repositories, and disaster recovery plans.
The National Archives and Records Administration (NARA) has identified the following for Universal Electronic Records Management (ERM) Requirements Categories:
Maintenance and Use
These six sections can help you identify the stages most all content and information go through in order to compile a complete IGP.
Let’s Jump In
You need to make a decision. Decide WHAT you are doing this for and WHY must it be done. This must be a solid decision — you need to justify your project and actions even if you already have executive level approval. You will need to keep it in your mind and everyone else’s mind all along the way.
You are embarking on a big journey. Start with your own decision and then get more and more people on board with that vision. In the beginning, you may need to ask yourself some questions first:
What are your intentions with this program?
What are management/leadership intentions with this program?
What is the “Ideal Scene”? (What would be the ideal state for your agency with regards to Information Governance?) You may need to ask a lot of people to find out.
What is the current scene? What is the gap between the current scene and the ideal scene?
What has been done thus far on the topic of Information Governance?
What was successful? Why was it successful?
What was unsuccessful? Why was it unsuccessful?
How will you gauge your actions so that you know if the project is meeting its marks? Success criteria? What will the signs of success be?
What will the milestones be?
Keep an idea of reports and statistics that can help you monitor things along the way so that later you can look over the project and be sure you’re making progress and meeting your milestones.
Next, where do you start?! That is not extremely important but there is usually a “logical” sequence of actions. So, after you have your own purpose SOLID in your mind, AND you have mapped out the “existing scene” vs. the “ideal scene”:
Where are all your information assets? Physical locations?
What state are they in?
Who is managing them?
Why are they managed that way?
Who all are the heavy hitters on the Information Governance lines? Who are your “Cheer-leaders”?
Who do you need to meet with to get these questions answered?
You need to know the details of what you plan to manage in the IGP and who you will need help from to manage it correctly.
It is a Journey, Not Just a Policy
I was told once to “just put together an IGP fast.” This is, most of the time, not very realistic. The IGP is the result, the paper record, of what you need to research, what you need to do, what you have already done. It can be (typically), a living document and sometimes ongoing year after year, especially when you first start out.
It’s more like a standard way of life than a ‘policy.’ Not to make it sound like a mysterious thing, but it is something that takes a lot of research and decision-making and after the decisions are made it takes a lot of actions, steps, and carry-through to actually stick.
Sometimes a lot of what SHOULD go in an IGP has not even been dreamt up yet, let alone decided upon or known. And making such a document is not on one person’s shoulders. You need a whole Information Governance Committee to
Get all the information needed to support it, and
To make solid decisions on what you are going to do.
This is potentially a huge journey that you and your whole agency will be engaged in. From the employees doing data entry to the top executives, this IGP may have something to do with them.
Put Together Your IGP Avengers Team
If you do not already have an IGP team, you will need one. One thing we all know we need is Executive Sponsorship. Yes, as always, the more executive/leadership cheerleaders you have on your side, the better! BUT you also need a team of key stakeholders that can “pull the weight” with you – it is not a one man show (unless you are a very small organization). These team members typically have a vital status and a direct need for managing Information Governance. These IGP members can be:
Leadership Sponsor or Representative — You will need one or more sponsors, stakeholders, cheerleaders or supporters from management/ leadership that is fully on board with the initiative. The more the merrier, but you must have at least one.
Records ManagementRepresentative — Typically the Records Manager, this is a must and typically this person is the one spearheading the whole operation.
Information Technology Group –In addition to the IT Manager, you may need System Admins, DBAs, etc. I personally think the more the better. IT staff can carry a wealth of information and a lot of IGP’s are framed around some very technical concepts, so it is vital they have input to this IGP project.
HR Representative — There are lots of implementation and training actions that they need to be aware of. HR typically needs to be involved due to the high level of ‘end user’ involvement and security aspects, etc.
Project and Department Leads –They are very highly suggested however they have been harder to include at times due to their workload. Again, the more, the merrier. It is important that they know what is going on, because the IGP may heavily impact their daily routines and their staff. They also carry a wealth of information and give vital inputs to the project.
Legal Representative (General Counsel) –They are typically very busy but there are points where their participation might be vital. However, you can scale down their actions items so that they review and participate in the areas they are needed most, if they are unable to attend all of the meetings, etc.
Other –If you have/or can afford a Project Manager, Subject Matter Experts, and Business Analysts on this project then you are setting yourself up for even more success. Not everyone can afford them, but these roles may make or break an IGP in large corporations. You may also have other stakeholders with a lot of knowledge to add to the group, like training staff, audit staff, or financial executives that can help with audits and governance to federal, state, and local laws. Choose who you need at what time, and this may vary depending on the topic under discussion on the IGP.
For some helpful tips, see the whitepaper on “Creating an ECM Advisory Board and Program Charter” by Ronda Ringo on the Armedia, LLC website:
The top IGP team members that create a successful IGP project are:
1) Leadership level supporters
2) Records Management team
3) Information Technology staff
In Part 1 of this 3 part blog we discussed:
What is Information Governance, what is an Information Governance Plan (IGP) and why do you need them?
Knowing your agency really well.
Making decisions and solidifying your purpose for an IGP.
Making an IGP Team.
Please be sure to read the second part of this blog, “Vital Steps to Develop an Information Governance Plan – Part 2”. The second part of this three-part blog includes:
Be aware of the five phases of the IGP:
Drawing up the plan
How to implement; start your draft IGP
Implementation and Change Control
Audit and monitoring
Know what needs go into your IGP document
Introduction, purpose, goals, mission, etc.
High level requirements and scope
Project plan and team
Policy and procedures
Audit and monitoring
Disaster recovery and business continuity
Good luck! Let me know if this was helpful or if you have any feedback.
The NARA 2019/2022 Deadline is looming. Organizations are scrambling to get organized and meet the deadlines. But, going fully digital isn’t something you can just fly through. There are dozens, even hundreds of questions to consider, from mapping out your content to mapping your new database, to organizing metadata, there’s a lot to do. I’ve covered these details in my previous 2 blog posts about NARA 2019/2022 deadline.
Now let’s wrap up this three-part blog by discussing the ‘day forward’ content and the lifecycles that you can create for your content.
What’s a Records Lifecycle?
Wikipedia defines a records lifecycle as “the records management phase of the records life-cycle consists of creation, classification, maintenance, and disposition.”
In my diagrams (images 3 and 4 below) I will be using NARA’s Universal ERM Requirements categories for sectioning of the lifecycles:
Metadata, Maintenance, and Use
Transfer, Disposition, Disposal
In the previous post, I covered the importance of making a plan for your content and making a plan for your scanned-in content. In this last blog post of the series, let’s cover the lifecycle topic in more detail.
Implement a Lifecycle for Day Forward Content:
To begin, let’s take up a simple example of a high-level electronic record lifecycle. See image 3.
Image 1: High-level concept of a record Lifecycle
Using NARA’s Universal Electronic Records Requirement Categories, I created a basic lifecycle of a typical record. Mapping out a high-level flow for your own agency can help you stay organized when creating a breakdown for other record types. Some things you may want to keep uniform throughout your agency, so I always suggest making your own high-level lifecycle first and then making some detailed ones for more specific content types.
Once you have a plan for your content, as I discussed in blog part 2, you can use a detailed lifecycle to help you map out what critical steps need to occur with the content during its “life.” This may only be for “Day Forward” content and may or may not apply to your 2019 and 2022 scanned in content.
But either way, it can be a very important piece to think about when configuring your system to do what you, and the end-users, need it to do. It will also help you stay compliant to mandates going forward.
So, gather your document types and categories and work out a more specific Lifecycle for each. Start with Vital Records or mission-critical processes. See image 4.
Image 2: An example of a detailed record Lifecycle
In this detailed lifecycle (image 4) I show an example of what one agency’s “Project Documentation” is supposed to go through. This can greatly differ from agency to agency, but it helps to map it out. In this example the steps are:
Content can be ingested in several ways into the Project Library (document creation).
After some time, the project gets completed and “closed out.”
The Project Manager creates a Project Archival workflow to get approved for archival.
The Director of Project Management approves the project closeout.
Upon approval, the content is moved to the “Archive” folder on the project site making the content still available to those who still have access.
Due to the rules set on this folder, the moved content is declared as a “record” and sent to the Records Management Site File Plan in the proper Retention Schedule Category.
A notification is sent to the RM team letting them know that the project was closed out and has arrived for further controls/steps.
Record specific metadata is added to the content after arriving into the RM site.
At some point based on its embedded retention schedule, it is eligible for cut-off.
At some point based on its embedded retention schedule, it is eligible for disposition (Destroy or Transfer per this example).
Before content is destroyed or transferred it is sent through an approval workflow to the Director of Project Management.
Upon approval, the applicable Record Management staff destroy the content (or perform the transfer) and create a disposition report and file it along with the disposition certificate.
Remember, this is just a sample I’ve put together. Use it as a guideline, not as an exhaustive list. Each plan will differ based on your organization’s specific needs.
What Can go in a Lifecycle?
A lifecycle can vary from agency to agency, document to document, department to department. So, the answer to that question can be answered with another question – “How many things can be done to/with electronic content?” (SO MUCH!)
Here are some high-level areas to consider. Any one of these, in some way, could be a part of a record lifecycle, several times:
Metadata (manual/automatic addition/changing of metadata at different points in the lifecycle)
Security changes (addition of markings or downgrade of markings)
Versioning (up or down)
User access (granting or retracting)
Copy/move (from one library/folder to another)
System integration activities
Declaring a document as an official agency record
Cut-off or event declaration
Reporting (automatic or manual reports)
Audit log updates/reports
You’ll want to think through all of these and make sure you fully understand what your data needs are, and anticipate any changes in the future. It won’t hurt to check more checkboxes here, even if you don’t have a need for some of these stages.
Document Everything (Even Though it’s a Lot of Work)
Creating a detailed lifecycle for your record can be a LOT of work. So, the reasons for creating these may need to be thoroughly justified and prioritized. You may need to start with only vital records and chances are, there is already a lifecycle in place for them it’s just a matter of documenting them so they can be recreated in the electronic world.
Why document them? Well maybe it’s best to sort out the requirements on the lifecycles and their processes in order to configure them correctly and you can’t do that without documenting what the lifecycle for the record is.
But why should we go through all of this work for record lifecycles?
Well, the answers can vary… maybe it is because in order to fully comply with regulatory, fiscal, audit, NARA and retention demands you need to sort out the requirements and lifecycle around your vital records so you can be sure you are meeting all of these demands!
Once you do this, configuring your ECM to stay compliant is much more straightforward. For instance, even if you just had a diagram (like image 4 above) and a set of requirements for each of your vital records lifecycles, you could implement things electronically much faster!
I say “vital records” because to me, that is a logical place to start. But you can do this for all/any of your content based on your own criteria.
An information governance plan can greatly help you with this!
As I stated in part 2 of this blog, it really helps to create an Information Governance Plan. This plan will lay out all of your regulatory, fiscal, audit, NARA and retention demands (and much much more).
Going through all the steps of assessment, planning, execution, documentation, and fulfilling the requirements of NARA 2019/2022, is quite the task.
In my three-part blog series, I hope I’ve helped you understand the complexity and importance of each step. And I hope you’ve seen that there is a system to achieve this. It’s not a copy-paste system, but it’s a solid set of guidelines to get you to full compliance.
There are tools to help along the way. Tools like Alfresco and Ephesoft.
If you haven’t seen my 2 previous posts from this series, here are the links:
In the first part of this series, I raised the issues of the importance and complexity of meeting the NARA 2019/2022 deadlines. It’s not something you can rush through and companies will need to have a plan before they jump into action.
Now I would like to go over the following in part 2 of this 3 part blog:
Making a plan for scanned content to comply with the 2019 and 2022 mandates.
Further evaluation of your content to help you correctly configure things.
Why it is important to map out what you have and how to link it to your retention schedule.
Examples on configuration and implementation of electronic solutions for your 2019 and 2022 ingested content.
Setting up and configuring a content Library.
Seamless mapping to your retention schedule.
How using an ingestion tool like Ephesoft can speed up your progress.
Once you’ve finished evaluating your content, the next stage is making a plan for the scanned-in content.
Making a Plan for Your Scanned-in Content
Let’s start with a basic plan. In order to make that plan ask yourself:
How will this content be ingested, scanned in? Will we have a tool like Ephesoft to help with data extraction?
What do we have to scan in, what are its document types/categories?
Where will it go in the system? What libraries do I need to set up for this content?
What folder structure needs to be in each library so that I can scan the documents into the proper folder? This may be crucial – you may not want to dump everything into the “HR” library. Perhaps you would rather scan all the “Application Records”, ensuring they go into the “Applications” folder in the HR Library – that way it is much easier to map them to the Records Retention Schedule and File Plan.
What are the crucial metadata for each type of document, or category of documents, being scanned in? Can we add high level ‘bulk’ metadata to everything that goes into a certain library? Does metadata need to be manually added to folders/records, individually, after they are ingested into the target library and folders? What are they? What folders/libraries do they all apply to? Some metadata may need to be added to every library and some may only apply to a folder in a library. Sort out your data model and what metadata is needed at what level and on what objects (document, folder, library?)
Will all of this content be an official record as soon as it hits the library? Or will some of it still be in some kind of draft mode? If everything is already an official record, and no more edits are needed, then it is better to ingest everything after your plans and rules are set up in the system. If you have everything mapped out, then all you need to do is add the content to the right folders in the library and the system adds the needed metadata and links it to the proper category in the File Plan Retention Schedule because you set it up first before adding the content.
Who will have access to each of these libraries? What type of access should they have? (Read, Write, Manage, etc.). Set up the permissions on the library and the subfolders ahead of time.
As you can see, there are plenty of little details to consider before you get to actually do any work, however, this is a crucial phase. Spending some time to think through these details can help you save time in the long run.
Setting up a Library Structure
In Alfresco and most other ECMs, you can set up a library for your content. Within that library, you can section-off your content into sub-categories or groups. For example, you can have a library site just for HR records and folders for the different areas of HR (Applications, Employee Records, I-9 forms, etc.) You can scan in your content into the proper folders within that library.
You could also set up a library for a certain project or program and scan all the records for that project onto the library site in Alfresco.
If you are like me, you may want to put this into a visual chart. See image 1 for a high-level concept of a plan and library set up.
Image 1: Your high-level plan to get content into the system can be put into a simple diagram to help visualize your structure.
Of course, how your library will look depends on your data and your organization’s needs. You may have dozens of top-level categories with a handful of sub-categories. Or, it can be similar to the image, with a handful of top-level categories, and multiple sub-categories. It all depends on your specific needs.
Configuring Your Library to Help You Stay Compliant
This type of configuration can help you do several things:
It can help you organize things by a certain group, topic or category.
It can help you with permissions and user access – only give access to that library for users on a “need to know” basis.
It can help you classify and add security markings to content as needed.
It can help you add the proper metadata that is specific to that content type/topic/category only. Certain metadata that applies to HR may not apply to the Project Library and vice versa. You can add special metadata to a certain Library to be automatically added to that group of information or subfolders within the Library.
It can help you map your content from the library site directly to a spot in the File Plan (on the Records Management Site in Alfresco) so that as the content is being added to the folder structure in the group site library, it can also obtain its future Retention Schedule. So, if/when the document gets declared as an official agency record, it will automatically get mapped to that spot in the File Plan Retention Schedule, making it seamless for both the end-user and the Records Manager. See image 2.
Smarter System – Seamless Mapping to Your Retention Schedule
With the above set up, the system can be “told” the answers to the following questions:
What area of the agency is the content from? (example: HR site Library)
What are the major topics of the content? (example: ‘Applications’ folder in theHR Library)
What year is the content from? (example: 2012 – can be metadata or in a 2012 folder)
Example: Content is from Library: “HR”, the content was put into the folder “Applications”, the content was labeled as being a “2012 document” (upon ingestion with Ephesoft) or it was added to a 2012 folder. It was also marked as an official record ( upon ingestion or at a later point in time after ingestion). From this information above, can you properly give it retention (cutoff/disposition) date? Yes, in most cases. OK good, then you can now map it to the “2012 HR Applications” folder in your File Plan/Retention Schedule and from that point on the system does the rest under the Records Managers’ control.
Image 2: Content can be managed and mapped to a certain spot in the File Plan for retention controls.
When Ingesting, Use a Tool like Ephesoft:
Ingesting your content through Ephesoft is a very popular and less time-consuming way to do things. This tool will help you process the content in a batch, and add the needed metadata before it hits the target library.
If you use Ephesoft, you can improve your paper-to-electronic processing time by 80%, collecting metadata along the way before it hits the target electronic library.
This is vitally important because when you add content into a system, the system typically adds the timestamp of when it is ingested into the system, but it may not know the date of the document.
For instance, you may be scanning in documents from 2012. This is vital information to you and Records Management, but the content is going into the system today, in 2019! So, Ephesoft can help you to make sure your content is being properly labeled so that you can properly disposition it later.
When your content is labeled properly, e.g. “Document Date 2012,” now Records Management controls know not only the schedule it is under, but also the date from which to start the retention countdown. You can put this content in a 2012 folder, OR add “2012” metadata to the document, and the system takes it from there.
As the process of meeting the NARA 2019/2022 Deadlines is quite complex, you’ll need to do a lot of planning and mapping out how your content will be organized. Spending time in the planning stage, using the key questions I’ve listed above, will save your organization countless hours in the future.
Having a well-organized database is key to efficiency and using a tool like Ephesoft for batch-processing will help you digitize your documents at a much faster pace.
To get a better understanding of the entire process, make sure you read through the other two parts of this series: