Assigning Responsibility for Content Is a Corporate Imperative!

Note: John Isaza, Esq. is the co-author of this blog.

Content, including records and information, has become a pervasive and strategic part of companies — large and small.¹ Records and information are commonly considered an important and strategic asset of any organization. ²Yet many companies treat this asset as, at best, a cost center — an important issue but not an urgent one. But this may be changing. A sense of urgency about content is growing. The regulatory environment is demanding accountability for the management of content. At the same time, liability for failing to control unfettered information raises the stakes tremendously. This blog explores this problem in a bit more detail and proposes an approach to manage it.

THE PROBLEM

With the explosion of customer-facing content comes a host of risks — that companies are associating themselves with content that might be erroneous or inappropriate or out of date or non-compliant with brand standards or is infected with viruses and other cyber risks or discloses confidential information such as about customers, in violation of privacy laws. These risks are magnified by the fact that information — whether for the external market or internal processes — is scattered across multiple locations and devices, including desktops, smart phones and cloud-based storage.

At the same time, internal content has become more complex and strategic. Example: effective market and product collateral often requires combining existing content about a product line with information that is specific to a particular product. Another example: for larger companies, provocative intranet content can help to facilitate interaction between different lines of business and spark efforts to realize synergies between them.

Another part of the content management challenge: policies, processes, and systems to enforce retention and disposition of records that document a company’s customer interactions, transactions, and other processes. Retention and disposition of records is regulated by various external authorities and by the need to be ready to respond to regulatory action or litigation.

Given the growing importance of content and records, and the related risks, one might think that issues related to content would be on the priorities of the typical executive team. In fact, this is often not the case. While Marketing is typically responsible for content related to marketing and sales, often no one has been designated as responsible to create and enforce standards for other kinds of content and protect against cyber privacy risks.

To be sure, some specialized aspects of content policy are the focus of corporate legal and compliance staff. For example, issues like compliance with Safe Harbor, which relates to European privacy regulation, and breach notification tend to be technical, owned by legal counsel whether in or out of house. But here too it is essential that a business owner within the company can translate to line managers and employees the practical upshot (“what we should do on Monday”) of policies to comply with issues like Safe Harbor.

A POSSIBLE APPROACH

So where should organizations start in tackling this many-headed issue?

Bearing in mind the Generally Accepted Recordkeeping Principles (the “Principles”) of ARMA International (just one of many possible starting points), organizations should begin with an assessment of how they measure on a maturity model based on the following principles:

• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition

The object is to find out where the organization resides on a scale of 1 to 5, with 1 being non- existent treatment of the principle and 5 being transformative in the industry vertical of the organization. This assessment would, at minimum, create a baseline for a better future state while at the same time help the organization prioritize the salient issues that need the most help.

Once organizations have measured themselves against these principles, companies must begin assigning responsibility for policies, processes, and systems related to content risks – a high priority under the Principle of Protection. To that end they should address the following:

• Organization-wide management of the content life cycle, including scanning content when it comes through the firewall and maintaining retention, archiving, and disposition schedules.
• Policies to enforce security over and prevent exposure of confidential data.
• Meta data models to surround content with information about it that can facilitate its categorization, discovery, and retrieval — across multiple repositories.
• Maintain the ability to share information both internally and externally in a consistent way. This can involve version control, retention of version history, and ability to manage document check-in/check- out.

This is an important agenda — and a daunting one. Companies considering who should be the owner who has company-wide responsibility to define and enforce content standards should follow these guidelines:

• The owner should not be the IT group. In this as in other areas, IT should serve as a facilitator of business policies and processes — not have ultimate responsibility.
• The owner should be a person or group that understands how content is used in the course of the business and is able to train disparate groups around the company in how to comply with the standards.

The approach should be company-wide. When different units of the company do risk analysis separately, they are inclined to miss commonalities between different instances of risk across the company. They are likely to understate the combined impact of these risks and miss opportunities for the company as a whole to mitigate them. As with any risk management effort, it is essential to communicate the ultimate goals: enhancing the company’s stability and continuity; avoiding unpleasant surprises for shareholders; and maintaining the confidence of business partners and other stakeholders. Risk management should not be viewed as consisting of a set of rules. It should engage the hearts and minds of management and employees as they make decisions every day.

The benefits and risks of content can only increase in the future, as innovations such as streaming video and virtual reality take hold. For the top executive teams and even boards of many companies, the time to act is now: designating responsibility to create and enforce content standards should be a near-term priority.

About the Expert

John Isaza is a California-based attorney, CEO of Information Governance Solutions featuring Virgo™, a cloud-based software for records management and global research, and partner at Rimon, where he chairs the records management and information governance practice. Mr. Isaza is one of the world’s foremost experts in the field. He has developed information governance and records retention programs for some of the most highly regulated Global 1000 companies. He is co-author of 7 Steps for Legal Holds of ESI & Other Documents, a contributing author to the ABA’s Internet Law for the Business Lawyer, 2nd Edition, as well as co-editor of the upcoming Handbook on Global Social Media for Business Lawyers. He currently co-Chairs the American Bar’s Social Media Subcommittee, as well as the Fellows of ARMA International.

About the Expert

Mark Rosenman has had leadership roles in knowledge management at top global firms McKinsey and KPMG and at entrepreneurial firms Tatum LLC and Newport Board Group, where he is currently Chief Knowledge Officer. He was a main architect of McKinsey’s first firm-wide document portal and of standards for publishing internal documents. He has extensive experience building line management consensus for content policies and processes. Click here to learn more about Mark Rosenman or contact him.

Get the insight that will help you survive No Man's Land.

By downloading our eBook, you'll receive an outline of the 5 steps you need to take that will help you focus on the right priorities so you can get your business past No Man's Land.

1 As mobile, social and cloud technologies transform business models and processes, digital content is becoming a potent force for differentiation and competitive advantage in the marketplace. According to a study by the research firm Utah Media Group, companies are now spending more on content-based initiatives and programs than on advertising. The reason? As audiences become more sophisticated, traditional, interruption-based advertising and promotion techniques like telemarketing become less effective. Marketers want to associate their brands with a “hub” of compelling content that speaks to its audience’s interests and nurtures a two-way dialogue, starting with web site visitors responding to a call to action.

2 See definition of Information Governance Professional (IGP) available at http://www.arma.org/igp-resources which defines an IGP as “a person who has earned the only certification that demonstrates he or she has the strategic perspective and the requisite knowledge to help an organization leverage information for maximum value while reducing the costs and mitigating the risks associated with using and governing this important asset.”