This is the fourth in a series of posts highlighting the emerging trends and issues of information management, cloud-based file sharing, and collaboration.
When people hear the term “risk”, the first thing that comes to mind is security—but not all risk is managed by a robust security infrastructure or hi-tech security applications. Risk, from an information management perspective, are those concerns that are generated by day-to-day activities that should have policies and process that govern manage the information. These are real risks mainly because everyone acknowledges the need for governance, yet they are often over-looked because they are too…mundane.
Take a practical example: my job requires me to know about my clients problems regarding their compliance and general information management that they likely do not want spread to their competitors, or others. I need to record and use that information so that I can provide them with advice on how to fix the problem, which means it is being documented somewhere.
For the client, their risk is minimal as non-disclosure is covered by the contract that they signed with my employer (and practically, my notes would provide a limited insight to anyone else due to my shorthand). I personally have a minimal risk since I am not the signee of the contract, and by letter of the contract that I signed I have no inherent assumed risk…so who owns this risk in this scenario? My company, as with any corporation, has the greatest portion of risk.
The nature of the information and therefore the size of the risk that I handle is small enough that I can use whichever UIM allows me to work effectively. The risk mitigation has been handled by the process that I have for client information:
1. I manage all client data as a record and purge and/or sanitize the names from my “in-progress” and “group knowledge” information stores
2. Much of this disappears when the client engagement is over, and only key information remains in a “tactical” data store
3. Top level notes and metadata are transferred to our “records” systems.
My company is willing to trust me and assume the reputational risk and litigation risk based on the fact that I provide measurable value from the collected information. It is, therefore, a necessary risk for me to create, store, and access this information using my UIM of choice.
That is an example of the kinds of organizational risks that use and acceptance of consumer grade EFSS and ECM bring to an enterprise. But what if I was in Pharma and the “client data” was novel drug test information?
The use case is the same, the user need is the same but the risk is no longer acceptable. The mere presence of the primary data, especially the analysis outside of corporate controlled information sources, is a tangible risk. There are not only intellectual property rights to consider, but also audit trail requirements for that type of information. In this case, policy and trust are simply not sufficient based on the risk profile.
Despite the different risk profiles of these two scenarios, the users’ access and ability to acquire the consumer applications is the exact same, and there is almost no way to block users from getting the information into those applications without crippling the general movement of information out of the corporate walls. So IT can either spend its time playing whack-a-mole attempting to keep all of the different methods and tools out of the corporation, or, it can evaluate the users’ collaboration and usability needs and find a solution. Today, a very viable solution is a robust UIM that can be controlled by enterprise access management to limit how users can share or move documents.
Once we get past the nature of the system that is used to store the information, the next consideration is the information movement.
For most organizations there are two huge points of risk;
1. Movement out of the ECM for the purpose of analysis or presentation.
2. Movement into a UIM(s) as a source for a building a deliverable or communicating to partners/customers.
From an audit and tracking perspective, if the document moves from one file store associated with a user to another file store associated with the same user, verified based on enterprise access management, then the audit trail is maintained.
If each system has version control to verify modifications, the audit trail is likewise preserved. This is the primary risk that most industries currently do not have a good handle on. Will you still need to employ more robust eDiscovery systems if “something” goes wrong?
The simple answer is yes, but if the product is enterprise owned and has version control and access logging then your primary point of risk is the time period in which the information is housed outside of the system—the “in progress” period.
Remember, we defined the UIM use case as those that are NOT directly part of the business processes. The important information is stored as Tactical and Records, what we are talking about here is access not storage. The risk is visibility into where the information went and whom put it there.
Users need a junk drawer- a place where they can put random documents, partial analysis and build deliverables. It is just not realistic to believe that the whole process of analysis and creation with happen in the EIM—at least not without a very intense effort to understand and align the workflow to every unique work style.
The use of additional systems can complicate the organization’s risk profile, but it provides a better information management strategy.
Does this mean it is the Wild West and users all of a sudden can pull any document out of the EIM/ECM? No, but it does fulfill a key need, even if it is only a short term solution. The long term solution may in fact be a reboot of the ECM platform to provide better mobile experience along with a move to a robust classification system that filters all documents based on the risk profile of the information. How far out “long-term” is will be case dependent, and every organization needs to assess how factors like their industry’s regulations could influence that timeline.
The reality is that there will always a need for UIMs in some shape or form for work to get done. What types of information are allowed into the UIM and what the other pieces of your information management portfolio is a strategic decision that needs to be revisited, especially as vendors upgrade the “ECM/EIM” products to include more features and flexibility. What that mix looks like and how you rationalize the balance of UIM and EIM, will be the focus of the next, and final blog in the series.