The principles of good record keeping have not changed significantly throughout history: Prioritize information based on its value, carefully preserve the important information, and discard the rest when it is no longer relevant. While these standards remain intact, modern SAP customers find themselves wrestling with increasing data volumes and more complicated questions concerning enterprise information management. Three new dynamics are forcing them to reconsider their methods for enterprise information retention:
Expanding compliance requirements. Increased regulation in nearly every industry and geography (such as the EU Data Protection Directive, Dodd-Frank Act, and REACH [Registration, Evaluation, Authorization, and Restriction of Chemicals]) requires controls to be placed on increasing percentages of enterprise information. Almost all business functions now produce information that requires a retention policy, and this in turn requires a flexible, systematic retention management infrastructure.
A mandate to destroy. By adding compulsory destruction requirements, the EU Data Protection Directive is the start of a paradigm shift. Previous regulations required that information be retained for a minimum period, so compliance simply required storing the information securely until that deadline had passed. Under the EU Data Protection Directive, organizations are now obliged to destroy personal information (transactional or content) as soon as the legitimate purpose to store the information has ended. This is a more complicated requirement because each individual’s record may have a different retention window based on a complex set of criteria, so destruction should be carried out on a highly granular level.
Interconnected data and content. Whereas previous regulation emphasized retention of unstructured content (such as internal documents, presentations, email, faxes, images, and engineering plans), emerging rules now require that associated structured data (such as ERP, customer relationship management, or other enterprise application data) and metadata be managed under the same terms. This requires the unification of previously disconnected retention systems.
Classes of Information
Although a discussion of enterprise retention policies is beyond the scope of this article, it is a critical first step for every organization: Before evaluating technical solutions, organizations should have a clear set of business goals and requirements for not only retention, but information lifecycle management in general. These requirements should take into account at least three important classes of information (see Figure 1):
SAP data. These are the Archive Development Kit (ADK) files that are generated by SAP data archiving functionality and include structured data stored in the SAP database. Customers frequently archive this data to move it out of their production environment and improve performance; this data is foundational for demonstrating the compliance of critical processes.
SAP-attached content. Many SAP processes attach documents or other content to the SAP business object in order to keep a complete record of a transaction. Examples include invoices attached to an accounts payable transaction, human resources documents attached to an employee object, or maintenance work orders attached to a functional location. These attachments are enabled by the SAP ArchiveLink protocol and are central to the system of record.
Unstructured enterprise content. Lastly, every enterprise also has significant content that is not associated with an SAP process. Examples include legal, strategy, and partnership documentation, as well as emails, videos, photos, and paper records. Enterprises also commonly use records management systems (often as part of broader enterprise content management systems) to manage this type of content, whether it is in physical or digital form.
4 Deployment Scenarios
Although every organization must sort out its own specific requirements, almost all want to manage these three classes of information holistically. The imperative is to develop a long-term strategy for retention and invest in a future-proof infrastructure that prevents siloed, disconnected systems.
SAP’s solution in this area combines two related products: SAP Information Lifecycle Management (SAP ILM) and the SAP Extended Enterprise Content Management (SAP Extended ECM) application by OpenText (see Figure 2). SAP ILM manages SAP archived data by putting retention rules on individual ADK files based on company policies and the underlying SAP archiving object. SAP ILM can also manage the retention and destruction of content attached to the ADK file and offers complete legal hold and audit functionality. Note that SAP ILM requires that the underlying repository be certified “ILM-aware.” This means that the underlying repository must be configurable to let SAP ILM control the retention and disposition of data and content stored therein. SAP Extended ECM is certified ILM-aware.
SAP Extended ECM is an enterprise-grade content management platform, deeply integrated with SAP systems. It includes complete records management functionality for both physical records and digital files. Like SAP ILM, it also offers legal hold and audit functionality. It can manage both SAP-attached content and other unstructured content, but cannot manage the life cycle of SAP data without SAP ILM.
With hundreds of customers now deploying these two solutions, SAP has market experience with four common deployment scenarios: a scenario for each application on its own, and two scenarios that feature both applications. Let’s briefly review these approaches.
Scenario 1: SAP ILM Alone
In this scenario, SAP ILM manages both SAP data and SAP-attached content through archiving and destruction. Customers need to deploy an ILM-aware repository to store both SAP data and the attached content (SAP’s preferred solution is the SAP Document Access application by OpenText). This approach is adequate if the primary goal is the retention or destruction of SAP data, but it is not a holistic solution. If you need another enterprise content management platform to manage unstructured content, be careful that this system doesn’t inadvertently create overlapping retention schedules for some SAP-attached content.
Scenario 2: SAP Extended ECM Alone
Here, SAP Extended ECM manages SAP-attached content and other enterprise content through its records management capabilities. Retention rules for SAP-attached content can be determined based on the underlying business object, but there is no guarantee that relevant transactional data will still be in the system in the event of an audit or lawsuit. For organizations only focused on the retention of a small set of important documents, this can be adequate. However, the SAP system is commonly the system of record, so keeping content without process context diminishes its value and can create legal liabilities.
Scenario 3: Both Applications, with SAP ILM Managing Attached Content
This combination offers a holistic retention and destruction capability. SAP ILM manages the life cycle of SAP data and all attached content. Because SAP Extended ECM is certified ILM-aware, it defers to the ILM retention and destruction policies and does not destroy any attached content until SAP ILM indicates it is appropriate to do so. SAP ILM, managing both SAP data and all attachments, ensures that the retention schedules of both information classes are kept in synch and neither class of information is ignored. Legal holds that originate from SAP ILM are transferred to SAP Extended ECM as part of ILM-aware certification. Legal holds placed via SAP Extended ECM are extended to SAP data because that data cannot be deleted as long as the related content is intact. This is a common deployment approach for organizations using the SAP system as the official system of record.
Scenario 4: Both Applications, with SAP Extended ECM Managing Attached Content
This deployment scenario involves the same products as the third scenario, but is configured differently. Instead of SAP ILM managing the SAP-attached content, SAP Extended ECM does so. For customers that require DoD5015.2 compliance, this is the recommended approach because SAP Extended ECM (which is DoD5015.2-certified) manages retention and destruction of all documents, while SAP ILM ensures that relevant SAP data is retained as long as its SAP-attached content is still in the repository. SAP ILM does this by performing a simple check as part of its destruction cycle, requiring that if a document is attached, it does not delete the underlying SAP data (ADK file).1
Benefits of a Holistic Approach
Whether operating under the third or fourth scenario described in the previous section, bringing together the retention and destruction of the three classes of information has several important benefits:
Integrated retention management prevents data or content from being accidentally destroyed if retention engines are out of synch.
Destruction is fully automated and primarily driven by an underlying SAP business object, and thus enables the very granular retention and destruction required by the EU Data Protection Directive.
Legal holds for electronic discovery are supported across both content and data.
Physical records management (such as bar coding, space management, or physical check-in and check-out) is supported by the same engine and policies.
The systems create a permanent audit trail for data and content.
For more information, please contact me at firstname.lastname@example.org, or explore our solutions at www.sap.com.
1 For information about configuring SAP ILM to interoperate with SAP Extended ECM, see SAP Note 1820740. [back]