How A Robust Records And Information Management Program Can Protect Your Intellectual Property And Information Assets

Tuesday, May 31, 2011 - 01:00
Maura Dunn
Jeff Pierantozzi

The latest engineering breakthrough, the newest green technology, the next generation software, the killer app, the last 100 years of blood, sweat, and toil - all examples of extremely valuable intellectual property assets that represent your company's competitive advantage - and they must be protected. In today's age of electronically stored information, in which information can be transmitted at the click of a button from just about anywhere to just about anywhere, your information assets require proactive, comprehensive and adaptable management. Managing your information assets allows you to protect those assets from inadvertent or malicious release to your competitors or the public. It also provides protection from manipulation and corruption of your information, which is a requirement in today's regulatory environment.

In today's world, most of your firm's intellectual property exists in electronic format. The electronic information that represents your intellectual property is an asset that must be managed and protected just like other more tangible assets in your organization. With data breaches on the rise, and information sharing becoming easier with each new wave of technology, the manner in which you protect your information assets must be a high priority for your organization. Before the advent of email - and long before the advent of text messaging, wikis, blogging, microblogging, and social networking sites - protecting information assets could be accomplished through physical security protocols, effectively applied technology and a small group of intellectual property attorneys to litigate the most serious attacks on your intellectual property.

Times have changed. With all of the information technology available to your enterprise and your knowledge workers, protecting information assets requires a comprehensive program that manages and safeguards your information throughout its lifecycle (from creation through use and maintenance into long-term storage and final disposition, which is permanent storage or destruction). In order to protect your information assets effectively, the program must address a number of requirements, ranging from who has access to intellectual property to how it is to be stored or transmitted. At a minimum, your intellectual property protection program must answer some basic questions:

• What information and intellectual property do we create and need to protect?

• Who creates the information? Who has access to it? Who is responsible for managing it?

• Where is our intellectual property stored?

• When is our intellectual property created? How long does it need to be protected?

• How do we organize our intellectual property to maximize its use and ensure adequate protection?

A records and information management (RIM) program that fits into a broader information governance and compliance program is a powerful tool for answering these questions and managing and protecting your information assets. A RIM program provides a systematic method for identifying and managing information assets within your organization. The RIM program comprises a number of key tools that provide visibility into the information assets that your organization creates, receives and uses to conduct business, and accounts for the regulatory and reporting environment in which your business operates. Some of the key components of a robust RIM program are described below.

A corporate taxonomy identifies the business functions and business processes within your organization, and links them to the types of information that are used or created in each of those processes. These information types include your valuable intellectual property. The taxonomy provides a starting point for identifying all of the information assets within your organization, including those information assets which qualify as intellectual property and have more stringent security requirements. The taxonomy also provides a starting point for organizing your information assets, as it reflects the actual work that your business performs. This natural and intuitive organization makes it easier to link specific types of intellectual property with specific processes and functions within your organization. It also makes it easier for your staff to manage their information according to the taxonomy, minimizing the tendency of people to save extra copies of their documents "just in case."

The records retention schedule is a tool that balances legal requirements for maintaining information with both operational requirements and intellectual property management requirements. For instance, a jurisdiction may require that you keep engineering drawings for five years, but your chief engineer needs them far longer than that to maintain your products. Depending upon the regulatory environment for the industry in which your organization operates, there may be a large number of regulations governing how long you must maintain information. The number of locations, both domestic and international, where you do business also impacts the set of regulations that apply to your organization. The records retention schedule provides a basis for determining the length of time to protect your intellectual property, incorporating both operational and legal or regulatory requirements.

The governance structure and organization defined within the information management program identifies the governing body, its responsibilities, and its processes for identifying, evaluating, and addressing risks to your organization's information and intellectual property. The governing body is typically made up of senior leaders of the organization, representing a cross-section of back-office (e.g., HR, Legal, RIM, IT) and front-office (business lines) departments. The RIM governing body is responsible for ensuring that the RIM program addresses the information needs of the organization, such as determining if the RIM program has appropriate safeguards for intellectual property and that those safeguards are effective.

An information management policy identifies the responsibility of each employee within your organization to manage and protect the company's information and intellectual property. The policy typically consists of statements defining the organization as the owner of information assets and intellectual property and outlining the general strategy for managing and protecting information throughout the organization. The policy also addresses topics such as the appropriate use of information assets and the responsibility of each employee to manage information from creation through final disposition.

Information management processes define how employees comply with the information management policy. Information management processes define the activities that must be performed to manage and protect the information assets of the corporation. When information management processes are embedded into existing business processes transparently, they provide protection for intellectual property while minimizing the administrative burden and daily disruption for employees.

An information map links the information types from the corporate taxonomy, as well as record categories from the records retention schedule, to the information systems and information repositories that store your vital intellectual property. The map provides a visual representation of your information system landscape and layers in important details, such as which systems contain what types of intellectual property and how intellectual property flows throughout your organization's information architecture. The information map typically identifies the electronic information systems that contain the organization's information but also may identify hardcopy and other information assets that are not stored electronically. The information map provides a high level of visibility into the location of intellectual property. It also allows the appropriate process and technology safeguards to be designed and implemented to protect those assets.

All of these RIM tools provide your organization with a means for proactively identifying, managing and protecting your information assets and intellectual property. They also provide a basis for bringing together all of the parts of your organization that generate, manage, or protect your intellectual property (e.g., business lines, Legal, RIM, IT). For instance, the information map provides a means for discussing technology safeguards with your IT organization. The governance structure provides a forum in which the key stakeholders in your intellectual property protection program can collaborate to review the effectiveness of safeguards placed on information assets and intellectual property.

Together, these tools provide a powerful defense for your intellectual property, but only if you apply constant and consistent monitoring to ensure compliance throughout your organization. To monitor your information management program, it is necessary to link key performance indicators to all aspects of your program, from policy to technology. A key performance indicator (KPI) is a way to measure your progress toward your information management goals. For example, the degree to which your organization knows about and understands your information management policy may be a KPI for the health of your information management program. KPIs should be easily measurable through the use of clearly defined metrics, which are individual data points that contribute to a higher level KPI.

Developing a system of compliance monitoring, through the use of KPIs and metrics, for a RIM program can be a difficult proposition, compounded by the ease with which today's knowledge worker can create, receive, disseminate and destroy information. However, the very technology that makes monitoring RIM compliance so difficult provides an avenue for gathering detailed metrics in support of the key performance indicators for your RIM program. Information systems, email and other information technology can be configured to collect a broad range of data points related to protecting intellectual property. Specifically, you can configure your systems to capture and report on everything from lists of where emails are being sent from your organization to the number of times a user accesses a system containing high value intellectual property.

In summary, identifying and protecting intellectual property in today's world of electronically stored information is a daunting task. It is a task that requires tools like the components of a robust records and information management program to provide a measure of control and security to your information assets. Proper protection of your assets also requires constant vigilance as you leverage the available tools to secure your information assets. Designing and executing a system of compliance monitoring that complements your information management program creates a powerful combination that serves as a basis for protecting your information today and into the future.

Robert Kirtley is a Managing Director, Legal Management Consulting, of Duff & Phelps, LLC; Maura Dunn, CRM, PMP, is a Director of Duff & Phelps, LLC and Jeff Pierantozzi, CRM, PMP is a Vice President of Duff & Phelps, LLC.

Please email the authors at, and with questions about this article.