Success with Information Governance

Mike Everley Laurie Fischer Robin Martin

Second Vice President Managing Director Second Vice President

Ameritas Huron Consulting Group Ameritas

• Introductions / About Ameritas• Background: RIM at Ameritas • Assessment / Gap Analysis / Maturity Model• Compliance and Remediation Plan• Information Governance• Lessons Learned and Next Steps

2 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Overview

About

Ameritas offers competitive insurance, retirement and investment products

– Life insurance– Annuities– Individual disability income insurance– Group dental, vision and hearing care insurance– Retirement plans– Investments– Mutual funds– Asset management– Public finance

3 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

• Over 2,500 Employees• Home Office: Lincoln, Nebraska

– Administrative Offices: Cincinnati, Ohio; Bethesda, Maryland; San Antonio, Texas; Austin, Texas; Wayne, Nebraska

• Technology Environment– Lotus Notes for Email– Mix of applications – commercial and custom built– Oracle DB for structured records– Transitioning from Novell to Microsoft for file shares– Imaging since mid-1980s

• Image more than 12 million documents per year• Transitioning from custom application to Documentum xCP

4 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

About

RIM at Ameritas in 2010

• Components– Records Retention Schedule– Records Management Policy– Procedures

• Focused on physical records management– Relatively mature program

• Tactical, not strategic, approach to RIM

5 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

General Observation

Information Management Maturity Model1

6 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

• Many organizations have done a good job in the past managing paper records and typically rate around a “4”

• Those same organizations have not yet applied the same rigor to the management of electronic information

• 90% of corporate information is in electronic format

In Development

•Developing recordkeeping

awareness

Sub-standard

•Recordkeeping ad hoc /

unaddressed

Proactive

•Information Governance

integration in business decisions

Transformational

•Routine compliance with program

requirements

21 3 4 5

Essential

•Policies and Procedures in place

•Increased record awareness

Citation: http://www.arma.org/garp/metrics.cfm

2011 Assessment: Three-Phased Approach

7 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Current State Assessment

•Review all relevant policies and procedures

•Stakeholder interviews and focus groups to

define current state of information

management practices

•Identify RIM vulnerabilities and develop key

observations of “as is” state

Analysis and Recommendations

•Identify best practice standards and

benchmarking targets

•Evaluate current information management

processes against standards and industry

best practices including “The Principles”

•Assign maturity rating and develop

recommendations for the enhancement of

information management practices

Strategy and Roadmap

•Summarize assessment, methodology and

recommendations

•Validate with sponsors

•Develop strategies

•Develop tactical project plans for each

strategy

•Develop implementation roadmap

Information Management PrinciplesUsed as Foundation to Assessment and Gap Analysis

8 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Principle Description

Accountability A senior executive (or person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure that the program can be audited.

Transparency An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and the documentation shall be available to all personnel and appropriate interested parties.

Integrity An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.

Protection An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Compliance An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies.

Availability An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Retention An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

Disposition An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Current State Findings: RIM Program Governance

• RIM Policy and Procedures primarily reflected management of physical records

• RIM Governance Infrastructure was sufficient for a traditional recordkeeping environment but did not cover the broader needs for Information Governance– Well-established role of “Department Records Representatives”

• Records Retention Schedule and foundational legal research in need of a comprehensive refresh (last refresh was 2008)

• No standardized compliance review practices in place

9 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Current State Findings: RIM Practices and Procedures

• Procedures for the lifecycle management of hardcopy records were established and consistently practiced– Inactive Records Storage– “Clean Your Files Week”– Annual attestation process– Legal Hold Orders

• Procedures originally developed in 2008 – in need of update• Procedures for managing electronic information lacking• Training provided sporadically

10 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Current State Findings: Electronically Stored Information

• Consistent application of retention policy wasn’t occurring in either the unstructured content or structured data environments

• Shared drives / hard drives primarily used as unstructured content repositories

• Limited use of Oracle content management • Although many structured data systems are considered the

“system of record,” none could be considered a true recordkeeping system

11 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Current State Findings: Electronically Stored Information

• No ESI Data Map or Data Source Catalogue• Email size and time limit quotas are set, but users can request

more space and manually “archive” up to five years• Ambiguity regarding the use / retention of “backups”

12 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

• Based on gap analysis, series of recommendations:– RIM Program Infrastructure Refinement– Retention Schedule and Legal Research Update– Update Policies and Procedures– Enhanced training and education– Strategy for Unstructured Content Management– Structured Data System Remediation Pan– ESI Data Map

13 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Recommendations

What Have We Accomplished So Far?

• Updated Records Retention Schedule, RIM Policy and Procedures (primarily for hardcopy)

• Established Standards– Imaging– Electronic Recordkeeping Standards

• Established Structured Data System Remediation Plan– Identified critical systems– Defined risk-based assessment process– Developed “Compliance / Remediation Plan” process

14 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Structured Data Remediation Plan

• For each identified system:– Does the system contain “records” and how does this relate

to the retention schedule• Issue of relational databases, transactional systems, etc.

– Risk / cost analysis of over-retention– Remediation options

• Manual• Systematic

15 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Obstacles to Success

• Structured Data Remediation Resource Issue– Although RIM and IT were partnering, issues that were much

broader needed greater holistic approach– Resource limitations pushed completion timeline out unacceptably– One-up, tactical “projects”

versus holistic strategy

16 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

RIM vs. Information Governance

• Records Management is tactical

• Information Governance is strategic

• To be strategic, you need partners, sponsors, and a network

© 2013 Huron Consulting Group. All rights reserved. Proprietary & Confidential. 17

Tactical vs. Strategic Characteristics

Tactical Strategic

Client-driven Business driven

Top down Up, down, and across

Silo’d accountability Collective accountability

Difficult to value Measurable

Information Governance

• The coordinated, inter-disciplinary approach to satisfying information compliance requirements, managing information risks and optimizing information value

• Encompasses and reconciles the various legal and compliance requirements and risks addressed by different information-focused disciplines

• Involve a top-down, overarching framework, informed by the information requirements of all information stakeholders that enable an organization to make decisions about information for the good of the overall organization and consistent with senior management’s strategy

18 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Information and Records Management Advisory Team

• Identified senior-level stakeholders– RIM, IT, Legal, Business Units

• Defined Mission and Strategic Objectives• Developed Charter• Meeting Agendas and Scheduling• First Meeting: March 19, 2013

19 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Information Governance Infrastructure

20 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Information & Records Governance Sponsors

CIO General Counsel Records Management

Advisory TeamLegal & Corporate

SecretaryInformation

Technology*Accounting Broker Dealer Corporate Actuarial Corporate

Facilities*Group Human Resources Individual Planning &

CommunicationRetirement Plans Investment Advisor

Audit Services * co-chairs

Working TeamsStructured Systems Remediation Team

Unstructured Content Team

Change Management / Communication Team

Benefits so far

• Increased awareness of information management– Advisory team wants to move at a faster pace– Project methodology

• Resource Issue– RIM as well as business

• Silo’d Decisions Averted• Priorities Redefined

– Structured vs. unstructured

21 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Lessons Learned

• Importance of senior management support• Flexibility is key• Socialize the Principles• Don’t under-estimate the need for tight collaboration – Legal,

RIM, IT, key business stakeholders– Establish Information Governance sooner versus later

• Issue of resources• What’s Next?

22 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.

Thank you!

For more information, contact:

Laurie A. FischerManaging Director

Huron Consulting GroupTel: 312-880-3476Cell: 312-965-1641

lfischer@huronconsultinggroup.com

23 © 2014 Huron Consulting Group. All rights reserved. Proprietary & Confidential.