What are the sore points in data management or document management? What are the “eternal obstacles” that most organizations cut their teeth on?
Most organizations implicitly or explicitly have a “records management system,” by whatever term such a system is known in the company. The main thing is that the (legally) relevant documents, files, receipts, etc. are systematically kept and managed, i.e. someone takes care of them. – Is that so? Have you ever wondered why document management in our company does not work as it should?
The following four “pain points” are statistically the most common problems encountered in the practical implementation of a project or maintenance of a business information management program. They also carry the greatest risks. At the end of this article, starting points are formulated for minimizing these risks.
- Lack of responsibilities
- Enforcement deficits
- Broken custody chain & data theft
- Non-compliance with official retention rules (schedule compliance) and, as a result, lack of or uncontrolled data destruction.
1. Lack of responsibilities
“The root of all of our problems with information, and we do have lots of problems with it, is the fact that there is no accountability for information as such.” (Debra Logan, Gartner)
The refrigerator analogy in the KRM video makes it clear in a simple way what happens when no one cares about the lifecycle of business information. IT usually only cares about the systems or infrastructure and not about the meaning of information in the business context. Therefore, many organizations lack a role (information manager, records manager) responsible for the handling and lifecycle of business information subject to retention. And where roles and tasks are defined, there need to be clear rules regarding the use of the system: “ownership” and “stewardship” (operational responsibility, e.g. quality of data), as well as transparent documentation of all responsibilities, up to the regulation of liability issues in the event of a court case.
2. Enforcement deficits – “Successfully selling what nobody wants”
The famous case of Enron in 2001/2002 has shown what can happen when guidelines exist but are poorly enforced or even deliberately circumvented. Arthur Andersen went bankrupt. If retention programs and specialized units exist at all in companies, the corresponding guidelines must be enforced. This is not purely a management problem; it also has a lot to do with corporate culture, which can be influenced by appropriate communication measures. The US industry association AIIM has repeatedly identified the same weak points in various surveys:
- Two-thirds of organizations have an information management strategy, but only a little over 20% apply it.
- Nearly 80% of organizations have retention policies, but only a little over 30% enforce them.
- More than 70% have regulations regarding handling mobile devices as well as social media, but only 30% enforce them.
These values have hardly changed over time. However, policies without enforcement opportunities are useless, and remember: policies without sanction opportunities in case of rule violation are ineffective. There remains the unpleasant challenge of actually enforcing something that no one really wants.
3. Broken custody chain and data theft
Many data gaps occur when employees leave the company or move to another area without transferring their relevant data and documents to the successor or supervisor. For legal services, for example, it is a nightmare when transactions or business events can no longer be traced because the e-mails with important decisions and statements have been deleted by default three months after the employee has left and thus all evidence has been lost. Even more serious are the effects of the unlawful removal of data by employees who leave the company. It is very common, and proven, that employees intentionally take sensitive and confidential data to their next employer or to their own company. An insightful study by Osterman Research (2016) found that the corresponding impacts are higher than anticipated. Over 80% of those who leave their jobs take their self-generated data with them, even though it legally belongs to the company (work products); almost 30% who leave their jobs take data generated by their colleagues in the company with them. The study provides explanatory reasons and preventive measures; among other things, the unlawful extraction of data via “removable or mobile devices” should be prevented by technical hurdles (which is also a pretty hopeless undertaking).
4. Non-compliance with the official retention rules (schedule non-compliance) and, as a consequence, lack of or uncontrolled data destruction
If a retention schedule exists and specifies, for example, that certain files should be destroyed after 10 years, then this should be done. The rule today, however, is that many specifications, if they are defined at all, are handled very laxly. This leads to permanent non-compliance with retention periods once established. One important reason is that most retention schedules are pure reference points whose lifecycle attributes (deadline, trigger) have never been functionally integrated into any document management or ERP system. Such integration would allow at least partial automation of records lifecycle management. However, the fully networked and automated control of the retention period remains a vision that is technically feasible (DM/RM systems have the corresponding functionality), but for organizational reasons is hardly ever encountered in everyday business (cf. Chap. 4.4.11 of the Information Governance Guide: Tools for Managing an Enterprise-wide Archive Plan).
Finally, as a consequence of inadequate handling of storage instruments, the destruction of expired records is not carried out systematically. This confirms the KRM thesis that only those organizations that can also delete their data in a controlled manner have it under control, because anyone can store!
Retaining data too long carries smaller risks than premature mistaken destruction, but large data cemeteries generate unnecessary costs. The same applies here as for prevention: discipline in enforcing rules once they have been defined. In addition, data cleanups should be carried out on a regular basis; the KRM offers a hand in this.
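To make the lifecycle attributes (trigger, deadline) concrete, the following added example, which is not taken from the article or from any DM/RM product, evaluates records against a retention schedule and flags both overdue and premature destruction. The record classes, trigger names, status labels and sample records are constructed assumptions; only the 10-year period comes from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed schedule (assumption): record class -> (trigger event, retention years).
# The trigger name documents which business event starts the clock.
SCHEDULE = {
    "invoice": ("fiscal_year_end", 10),
    "employment_file": ("employee_exit", 10),
}

@dataclass
class Record:
    record_id: str
    record_class: str
    trigger_date: Optional[date]          # None: trigger event has not occurred yet
    destroyed_on: Optional[date] = None   # None: record still exists

def deadline(rec: Record) -> Optional[date]:
    """Earliest permitted destruction date: trigger date plus retention period."""
    rule = SCHEDULE.get(rec.record_class)
    if rule is None or rec.trigger_date is None:
        return None
    t, years = rec.trigger_date, rule[1]
    try:
        return t.replace(year=t.year + years)
    except ValueError:                    # 29 Feb trigger, non-leap target year
        return t.replace(year=t.year + years, day=28)

def status(rec: Record, today: date) -> str:
    if rec.record_class not in SCHEDULE:
        return "unclassified"             # no rule, so no one can decide on deletion
    due = deadline(rec)
    if rec.destroyed_on is not None:
        premature = due is None or rec.destroyed_on < due
        return "premature_destruction" if premature else "destroyed_on_schedule"
    if due is None:
        return "retain_trigger_pending"
    return "overdue_for_destruction" if today >= due else "retain"

# Constructed sample records, not real data
RECORDS = [
    Record("R1", "invoice", date(2012, 12, 31)),
    Record("R2", "invoice", date(2020, 12, 31)),
    Record("R3", "employment_file", None),
    Record("R4", "employment_file", date(2019, 6, 30), destroyed_on=date(2019, 9, 30)),
    Record("R5", "memo", date(2015, 1, 1)),
]

def audit(records, today):
    return {r.record_id: status(r, today) for r in records}
```

Record R4 mirrors the case described under point 3, where data is deleted by default three months after an employee leaves, long before the retention deadline is reached.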
Starting points for risk minimization