Friday, April 1, 2016

ATR: On Associations and Information Governance

I imagine that I'll tick off more than a few people with this post, but my blog, so my opinion.

Don Lueders recently posted An Open Letter to ARMA on his blog. I'm not going to work through it point by point, but I would like to add my voice to a seeming cacophony of voices on AIIM and ARMA and the profession that I've grown up in.

Associations

Both of the major information management professional associations, ARMA and AIIM, are being disrupted. As someone who spent most of my career volunteering for one thing or another for ARMA (and I still do a few things), it's painful to see. There are many factors at play here and the disruption certainly isn't unique to these associations. I don't think it's fair to say that membership declines are solely due to young people wanting to network in different ways. It's about time and value. Let's face it, going to your employer and getting money to belong to a professional association isn't as easy as it once was. Getting funding for monthly meetings or an annual conference is also quite difficult. Travel and education budgets are usually the first victims of corporate cost cutting. Many companies put it kind of bluntly -- "There are 20 of you who want to go to conferences, belong to associations and go to various meetings. We figure that costs us about four grand a nose. If you want us to continue doing that, who doesn't want to be here next year?" That's a pretty brutal summary, but for many of us, it is the calculus in play. So that means the employee needs to think very carefully about the value of his or her own money going to these activities and for many people, that's not in the family budget, either.

The other big factor is time. Few of us work "just" a 40 hour week. We're tethered to email; we journey to the cloud from home computers to crank out a bit more work in the evening; We're doing the work that several people would have done in years past. And at home, our kids are overscheduled, we have to work out, or we need to binge watch that great show that we didn't have time to watch in real time. When I was a kid, I can remember my Dad having time to join a bowling league, go to the Moose Lodge, and make a Holy Name Society meeting from time to time. (And, by the way, those organizations are probably struggling as much as, or more, than professional associations.) Going to a monthly association meeting means taking three hours out of the office -- which will have to be made up somewhere. And that becomes another value calculation.

"Value", it was once said to me, "is getting more from something than what you put in." So if you're the sort of person who goes to a conference and comes back with a raft of business cases that immediately generate savings far in excess of the cost of the conference, I can pretty well guarantee that you'll be going to that conference in the future. If you're paying for a meeting out of your own pocket and going to the meeting yields a business contact that becomes a mentor to you, you might just keep going to those meetings. If you're a vendor and the conference booth yields sales that profit far in excess of the cost of the booth, you're going to keep buying booth space.

For professional associations to grow and prosper, they have to add value for members, their employers, and the vendor / sponsor communities.

I have opinions about ARMA and AIIM and where they fall short for me. I don't want to bash these organizations. They have hard-working, earnest employees, and many, many dedicated volunteers. But they aren't adding enough value.

ARMA

(Most of you know that I'm a Fellow of ARMA and a former International Treasurer. I've been a fairly frequent speaker at the ARMA Conference and Chapter meetings. I have a long list of volunteer activities with ARMA, so I have some insights and biases. )

ARMA's struggles come, in my opinion, from having to serve three constituencies: 1) The Old Guard. These are the bulk of members who "grew up" in records management and remember the days when the records manager's goal was to have the million dollar budget and 40 staff members. A high school diploma and some basic management training was enough to advance you up the career ladder. Paper is still king and this technology stuff can be managed just like paper, but nobody listens. 2) The Masters. They've broken through the cardboard ceiling, have all the certifications, make the "big bucks", get decent visibility, and understand technology, but desperately need more than ARMA offers. They're bored with ARMA but come to Conference to see their friends and network in the hallways and bars. They want to give back to the profession, but get frustrated a lot.  3) The Solutions Seekers. They got stuck with an assignment to "fix" records management, but come from other disciplines. They want a solution so they can be a hero and move on to the next challenge. They are befuddled by the secret societies and cliques within ARMA. They can't find a good guidebook or recipe. They drift over to consultants to fix the problem. They'll be gone in a couple years and someone else may or may not take their place.

The big problem with ARMA is that no one ever took the time to develop a standard body of knowledge about records management. Sure, there are standards out there, bust most deal with some small sliver of the profession. ISO 15489 has no teeth. There's no COBIT, no ISO 17001. The CRM lacks a Body of Knowledge similar to the CISSP. So we point to the ARMA Bookstore, which contains a lot of good information, but it is often dated, or conflicts, or isn't relevant. So we muddle around. "How long do you keep email?" is the question -- and fistfights break out. "How do you manage records in a database?" and shoulders get shrugged.  No standard or requirement says that when you build an application, you must build in retention and disposition. Everyone invents a solution for their situation. Or not. We fussed over The Principles, created a great foundation, and saw them land with a dull thud that was then savaged by folks who further fussed over how they came to be and whether or not they had any validity. So the really hard work of building controls and standards on top of The Principles never happened. The organization latched on to Information Governance, but never really set a definition of the space. The IGP is about building a vague program and not much about what the components of the program should be -- or what actual subject matter knowledge is required. Oh, it's there to some extent, but it's not leading the definition of the profession. So many of us are left to our own devices.

AIIM

I'll admit that AIIM and I have never seen eye to eye, outside of a brief period when I needed to understand imaging in a hurry. AIIM, in my opinion and perception, has two problems. 1) It is driven by vendors. That's not a horrible thing, but it hurts the organization. While the vendor members leading AIIM have always had a decent business sense and a good nose for new opportunities, they have tended to force the organization to chase trends. The dominance of vendors led to the practice of using educational sessions as sales opportunities.  2) It chases buzzwords. To an outsider, it always seemed like AIIM was reinventing itself as the flavor of the month and I couldn't expect to find solid ground or a consistent direction of travel. Once the microfilm industry started to crash, AIIM had a major problem. It rightly shifted to imaging, but as the Internet took off and the need to convert paper to electronic images began to fade, it had to latch on to something new. I forget all the buzzwords. Then it became a certificate factory. Then it dabbled in a certification, but never put much effort into it. AIIM's strength was in generating true industry standards, but that seems to have fallen by the wayside. Granted, some of those standards were to the benefit of the vendor members, but they made the effort to actually output real standards.

When I've gone to AIIM events, I knew that sales calls would dog me for the next several months, whether or not I ever talked to an exhibitor. I reminded myself that "when AIIM offers a free lunch, you're the main course". That approach -- and very naked sales pitches in AIIM conference sessions (that I paid to attend) drove me away.

I'm not sure if I really know what either organization wants to stand for. Right now, I know they both share one goal -- survival. ARMA has always had a strong chapter network, but the chapters suffer from leadership burnout and little direction from ARMA HQ on topics of interest to the membership and truly competent speakers. They also lack shared technology to reach members who don't want to travel to meetings -- or technology to enable multiple chapters to share speakers by video or audio conference. Few chapters use social media effectively. They struggle to find good venues at low cost. AIIM's chapters are fewer and suffer the same problems. The leadership of both organizations face declining revenues, declining conference attendance, and member ambivalence. That's a potential (and probable) death spiral.

Both organizations are run by association professionals. I would expect they have plenty of options to consider to rebuild their organizations -- but what both need is clear identity and mission. That can only come from the people who choose to belong. Fistfights be darned.


Enter Information Governance

If you browse back through Above The RIM, you'll see that I've been using the term "Information Governance" to describe the scope of what I do for some time. (I had a brief flirtation with "Information Overlord" on my business card at one time and I am very glad I didn't follow that impulse.) Anyway, I have poked at the various definitions that are out there in Gartner, the newly sprouted IG organizations, and even Wikipedia, but nothing quite matched what I do and what I define as my space. A couple years ago, I had the opportunity to keynote a lawyer's conference on e-discovery and information governance and I decided to throw my own definition into the ring. It goes like this:

Information Governance​
A system of policies, controls, procedures, and tools governing the lifecycle of an organization’s data that matters. This system ensures appropriate ease of access to data when needed and defensible disposition of data when no longer needed. This system limits business disruption, while maintaining appropriate security, within an auditable framework in line with the organization’s risk appetite and regulatory environment.​
It's not a far stretch from historical understandings of records management. But it encompasses a lot more -- e-discovery, data privacy, risk, audits, security, and so on. The core is "data that matters". While I recognize that some might see this as a fancy way to say "records" in the technology age, I think it is broader than "records", yet narrower than "information".

Foundationally, you better understand the basics of records management. Knowing what data is in the organization -- and whether or not (and how) it matters -- is critical.  And this definition presupposes knowledge of how risk-adverse an organization might be and what legal guardrails constrain the organization. It further expects that the data is maintained securely and that everything can be subject to real audits.

A proper IG team encompasses a variety of professionals. My team holds -- or has held -- the following certifications: CISSP, CISM, CISA, CRISC, CRM, CIPP, CIP, CGEIT, EnCE, PMP, among others. The six members of my team also all hold Master's degrees. I even have one staff person who sought out a paralegal certificate. They represent professional competencies in IT Risk, Data Privacy, IT Audit, Business Continuity, E-discovery, and yes, Records Management. In the past, I have had computer forensics experts as part of my team.

Where I'm going with this is that Information Governance is a whole lot more than Records Management 2.0 or 3.0 or whatever. The various disciplines that work together all have their own professional organizations and certifying bodies. IG is not just a rebranding of records management. It's more powerful than that. Parallel to my organization is an IT Architecture team that drives data management -- the platforms for our IT systems, the underlying technology, the means of storage, and the connections to the users. There are some people who might think this should be in scope for Information Governance -- some call it "Data Governance". Arguably, with the right leadership, the two areas could come together, but IT Architecture has far different skillsets. So I don't worry about the technology how -- I worry about how long data gets retained, what regulatory standards need to be met, the risks incurred, the mitigations required, and how we ensure that standards, regulations and controls are being met. And we adapt as the organization evolves.


Where Do We Go from Here?

What I would call for is that ARMA extends and expands The Principles into a Body of Knowledge that truly couples with the ICRM to ensure that there is a consistent foundation for records management. If ARMA (or AIIM, for that matter) wants to truly define the Information Governance space, then the organization has to understand that it can't define the space in a vacuum. It has to partner with other professional and certifying organizations to integrate a consistent and defined space that is Information Governance, then cooperatively build an ecosystem that supports knowledge sharing and networking.




Powered By Blogger