The following is a slightly modified version of four points I made recently to a records management professional, responding to the point that ‘many CIOs are rolling out Office 365 and SharePoint Online to replace traditional recordkeeping systems such as TRIM/CM etc’.
First, generally speaking, records managers have traditionally not had a strong technical knowledge and/or weren’t close to the IT team.
Even if they managed TRIM/CM/other EDRM it was usually as the front end admin, not the back end technical IT admin, which remained with IT. Conversely, IT people have generally never had much knowledge of how to manage records (it not usually part of their skill set).
There was almost always a gap (technical, organisational, communication etc) between the records area and IT; consequently, IT departments have rolled out SharePoint and more recently Office 365 without reference to (or the feeling they even needed to refer to) records managers, and often without a solid architecture and planning for implementing and managing SharePoint (or Office 365).
Into the space between IT and records (but usually closer to IT) are various vendors who offer products that they say does the records management they claim that SharePoint does not do.
This by the way is not a criticism of those vendors as such, but there has been a tendency to buy their products without really understanding what the base product can do. This has almost always been the case for many IT products – back in 2006/7 I was part of a team looking to acquire a major ECM product and was a trained system administrator. The product itself could do exactly what was required without any modifications, the problem was the client (the company I worked for) wanted modifications that required consulting work. Close to a million dollars later in consulting fees, the product was still unused.
I’m also concerned at the way some vendors pitch the suitability or ‘compliance’ of their products in relation to add-ons to SharePoint for managing records. I had one telling me in all sincerity that their product ‘complied with ISO 15489’, which was interesting to hear since their is no compliance framework. The same vendor’s salesman was not aware of ISO 16175 when I asked about it.
Second, from SharePoint 2010 onwards, Microsoft implemented a range of new records management functionality to meet minimum (mostly corporate rather than government) requirements for managing records.
That new functionality included a great deal more features than most people knew about. One Australian consultant (John Wise) identified that SharePoint 2010 met 88% of the requirements of the then ICA standard that became ISO 16175 Part 2. For most non-government organisations that didn’t need the level of information security found in government, it was closer to 95%, and the 5% remaining was not particularly important for most organisations. With the introduction of both retention/disposal policy management, and information security classifications, via the Security and Compliance Centre in the Office 365 admin portal, SharePoint meets almost all requirements listed in ISO 16175 that do not refer to legacy systems.
In many respects, by ignoring ‘traditional’ ways that other EDRM systems have managed records, Microsoft introduced a brand new paradigm for managing records, underlined by the idea that digital records do not work the same way as paper records.
In my view, many older EDRM products failed to adapt to the new digital world and continued to enforce the concept that records must be ‘moved’ (saved to) a container in the recordkeeping system just as paper records had to be saved onto a single subject file. As long as Exchange and network files shares remained completely separate, this meant (and continues to mean) that the original versions of those records always remained in Exchange/network files even after they were copied to the EDRM.
A much smarter model, which SharePoint Online offers via both the create and save processes, is to allow people to save non-email records directly to SharePoint, including in syncronised document libraries in File Explorer; the document libraries can have default metadata applied to content types, and retention policies can be applied to those libraries. Emails can be moved automatically via Flow, or retained in the mailboxes with Office 365 retention policies applied. Recordkeeping happens in the background, people don’t have to fill in a form every time they want to save a record to the system.
Microsoft have centralised records management across the Office 365 environment. For example, the creation and management of records disposal/retention classes (called ‘classification policies’) is now carried out in the Security and Compliance Admin centre of the Office 365 portal. Records managers need to be assigned specific roles to do what they need to do (and I would argue, the corporate records managers should also be Site Collection Administrators on every site, preferably via a Security Group).
It doesn’t matter if the record is in Exchange or in SharePoint (or some of the other Office 365 applications), a classification policy can be applied wherever it is. When implemented correctly (based on a good architecture model), classification policies can provide the recordkeeping context required to link records over time.
Third, just like a home subscription to Office 365 with cloud storage is more cost effective than buying the product as before, most IT organisations have seen the benefits of moving their enterprise agreement licencing from per-device licence (where the licence is based on the computer) to a per-user licence (where the user can use the product on multiple machines including mobile devices or from home). This has also allowed them to shift storage (and the costs of maintaining servers, including technical staff) from their own or hosted data centres to the Microsoft cloud (which, ironically, may be in the same hosted data centre).
One large organisation that I’m familiar with had around 30TB of storage in the data centre; by acquiring Office 365 E3/E1 licences, they had 45TB – PLUS, 1TB for each user’s OneDrive. I suspect this point is not known to most records managers (first point above), who simply see the CIO’s introducing or rolling out Office 365 for no obvious reason.
Fourth, SharePoint has traditionally been many things to different people because it has always had a dual nature – publishing/intranet and team sites.
This is no different in SharePoint Online but the options to customise are now fewer (thankfully). Communication sites are a simple and elegant way to publish information, while team sites (including Office 365 Group-based team sites) are more or less the functional replacement for network drives (OneDrive for Business replaces personal drives).
In my opinion, it is important for anyone getting involved with SharePoint to understand this – that SharePoint Online is NOT the same as the ‘old’ SharePoint on-premise that could be customised to do just about anything.
Keep it simple, using the very rich ‘out of the box’ options, and it begins to make more sense. Plus, as noted already, users can synchronise SharePoint document libraries to File Explorer and work from there, so their experience can be more or less exactly what it is now using network drives.
Can you manage records in SharePoint Online? Absolutely, keeping in mind that SharePoint Online is very much a part of the Office 365 ecosystem and should not be considered a standalone application as it was when installed in an on-premise server.
Records managers need to get up to speed (quickly, in my opinion, although I’ve been saying it for years) with not only the recordkeeping functionality already in SharePoint Online and be SharePoint System Administrators (to give them access to the SharePoint Admin portal) and Site Collection Administrators, but also really need to understand the Office 365 portal and the relevant parts of the Security and Compliance Admin Centre including classification policies, ediscovery options and audit options.
One thought on “Four observations about Office 365/SharePoint Online and records management”
Good insights Andrew. There is still a gap in your thinking about using a library like a network shared drive. Folders are the only way to navigate File Explorer. In CMS & ERM, folders are used for moving documents based on statuses that take documents out of active circulation.