Key Findings
It should not be assumed that end-users realise the implications of deleting e-mails - which could ultimately be a large fine for the organisation or a prison sentence for the CEO.
Compliance is not just about retaining e-mails, it is about having the ability to retrieve them.
A high proportion of an organisation's knowledge capital is contained within e-mails, and yet is largely unavailable to support business decision-making.
A healthy e-mail system is vital to the wellbeing of the organisation.
Transmitting sensitive information over the Internet by the equivalent of a digital postcard could lose you your job or even worse your business.
E-mail is a person-to -person communication channel, which is a valuable business tool, but it needs the appropriate policies and management technologies in place to manage it effectively.
E-mail should not be regarded simply as an IT problem, yet organisations are throwing IT solutions at a business problem, which is a short-term fix for a long-term problem.
Hotmail accounts do not equate to an e-mail disaster recovery plan.
Theft of sensitive corporate information via e-mail is rife in organisations.
Butler Group believes that few organisations have an effective strategy in place for e-mail management, and are therefore exposing themselves to a major but preventable source of risk.
Introduction
E-mail has become a business critical application without which the organisation cannot function thanks to its integration with many enterprise applications, and its use as a form of communication.

Despite the fact that e-mail is now the most commonly used form of business communication, is used in many contracts, and is widely accepted as evidence in litigation, control over the way in which it is used has not, in most organisations, reflected this growth in importance. It is the belief of Butler Group that the majority of organisations do not have an effective e-mail management strategy in place, and are therefore putting themselves at risk from litigation, non-compliance, and the theft of information from their own employees.
Business Issues
Butler Group regards e-mail management to be very much a business rather than an IT issue, but sadly this view is not shared by many organisations, which continue to simply throw technology at the problem. We believe that the approach they should be taking is to examine the business reasons behind the problem and to investigate the business implications of any proposed e-mail management solutions.

Sadly, while realising that e-mail has become a business-critical application and a valuable tool, most Boards fail to realise that it can also be highly dangerous if used inappropriately. E-mail is now accepted as evidence in litigation, and most large organisations are asked to retrieve historic e-mails on an almost daily basis for litigation or regulatory purposes. There is a general failure to appreciate that the buck ultimately stops at the top of the organisation and it may be the Chief Executive Officer (CEO), Chief Information Officer (CIO) or Chief Technology Officer (CTO), who will be held responsible for non-compliant or illegal e-mails. The punishment for misdemeanours is at best a fine, or at worst a prison sentence (in the case of Sarbanes-Oxley), brand damage, and possibly a loss of job.

One way to assess the level of awareness amongst the Board is to ask the members whether they are aware of the nature of the e-mails being sent by their employees. Butler Group believes that very few would be able to provide an accurate answer. It is therefore imperative that e-mail management is taken out of the hands of employees.

Acts of non-compliance have to date been treated with fines by regulators, which have been well within the budgets of the organisations involved, but there are indications that the authorities are going to become much more stringent. Butler Group believes that it is only a matter of time before a fine is levied that will harm the organisation involved, or worst still that someone will face a custodial sentence due to content that is discovered within an e-mail. It is inevitable that as the punishments for non-compliance become harsher, heads will roll.

It is interesting to note that many non-compliant actions involve e-mail, and it is our opinion that this is because e-mail retention is a requirement of many different pieces of legislation and regulation (some explicit, and others implied). These include The Data Protection Act 1988, The Freedom of Information Act 2000, Basel II (Capital Adequacy Directive), Companies (Audit, Investigations and CE) Bill, SEC 17a-3/4, NASD 3010/3110, Dept of Defense Directive 5015.2, and Sarbanes-Oxley Act. In addition, the Financial Services Authority (FSA) demands the retention of e-mails for six years.

There are numerous examples of breaches of non-compliance related to e-mail, and to date most of these have occurred not because of the content of the e-mails themselves, but due to the fact that the organisations involved were unable to retrieve the e-mails requested within the timescale demanded. Examples of non-compliance include:

Five US banks that were fined US$1.25 million each for being unable to retrieve e-mails that were demanded of them - they were stored on back-up tapes.
One Fortune 500 company had to spend US$750,000 to locate e-mails from an archive in response to a subpoena for discovery.
In the UK, Norwich Union was forced to make an out of court settlement of UK£450,000, after it was found that staff had been sending defamatory e-mails about a competitor. By the time the writ had been issued the e-mails had been deleted.
Ciba-Geigy, the pharmaceuticals company, was forced to search through 30 million e-mails for a court case, after arguing that the task would be too onerous and time consuming.
Stuart Rose the Marks and Spencer CEO will have his personal e-mails inspected by the FSA as part of its investigation into insider dealing.
In other cases organisations have preferred to pay the fine rather than search through millions of e-mails.
Most worrying in our opinion are the results from a recent survey of IT Directors from 100 UK-based companies by Vanson Bourne for Adaptec, which found that 47% of IT Directors would not be able to retrieve an e-mail more than three years old. In the financial sector, where e-mail needs to be retained for six years, this figure was 25%.

If Board members are not aware of the content that is being sent by employees in e-mails, they will certainly not know that the theft of corporate information via Web-based e-mail accounts is rife within organisations. Orchestria implemented a pilot using its policy management application for a potential client, and discovered hundreds of instances of staff sending corporate information outside the company via Web-based e-mail accounts.

The most common time for employees to steal information is just before handing in their notice, with the major beneficiary being the new employer. In Butler Group's opinion, this shows a terrible lack of awareness at board level of the actions of employees in causing security risks at the least and competitive damage in the worst cases. It also demonstrates a total lack of control of the e-mail system.

E-mail is a very powerful tool, but used incorrectly it is a highly dangerous weapon, which can ultimately destroy an organisation.

Technology Issues
Although the business nature of e-mail management has been stressed, there is a role for technology as well, and Butler Group believes that it is imperative that the CIO/IT Director is involved with a business nominee in the management of e-mail. In our opinion, e-mail management is a mix of business strategy supported by technology.

Although the corporate e-mail system is now regarded as a business-critical application, being an integral part of so many different applications, it is often not treated in the same way as other business-critical systems.

Although the business may not grind to a halt immediately if users cannot send e-mails - there are other forms of communication - it may not be able to function if the e-mail system is integrated in business processes, or the e-mail client is used as the user interface of another application, or as a ‘to do ‘ list.

Butler Group believes that it is vital that the e-mail system is accorded the same type of treatment as other business-critical applications with high availability measures put in place such as clustering and failover, as well as disaster recovery provision. It should also be included as part of the business continuity planning.

Too many organisations are relying on Hotmail or other Web-based accounts as a back-up contingency to send e-mails should the corporate e-mail system go down. This is dangerous both in terms of the lack of accountability of the content sent via these accounts, and also because it does not address the wider issue of support for applications that require the e-mail system.

The functionality of corporate e-mail systems is expanding as new features are added to provide, for example better collaboration, but Butler Group regards these systems to be lacking in what we feel to be fundamental functionality. This includes basic security features such as anti-virus protection and anti-spam filtering, and some form of content control to limit the content of e-mails delivered to the vulnerable. Therefore in order to create an e-mail management solution, organisations need to implement additional functionality. This includes security products such as anti-virus, anti-spam, and content control measures, an e-mail archive if e-mails are to be retained, and possibly policy management solutions.

There are also other technology elements to take into account such as storage. In the past organisations tended to throw IT solutions, in the form of additional storage resource, to solve what is really a business issue of the growing size of mailboxes. Attempting to limit the size of mailboxes will not work in an environment where an increasing number of organisations will be required to retain e-mails. It cannot be assumed that employees realise the implications of deleting e-mails, or even which e-mails need to be retained, and this task must not be left in their hands. Butler Group believes that organisations must turn to a combination of technology and business policies to manage the problem of growing mailbox sizes by implementing Information Lifecycle Management (ILM).

ILM is about implementing policies to manage the lifecycle of information from creation to deletion to ensure that it is stored on the medium most appropriate to its value and age. This may involve moving e-mails from on-line storage, to near-line storage, and finally an archive, with retention periods and disposal schedules put in place if appropriate.

Market Issues
There are a number of different approaches to implementing e-mail management. The first is to purchase all of the applications required taking a best-of-breed approach, using the solutions from the vendor in each category that provides the functionality that best meets the needs of the organisation. Another approach is to use a bundled solution from a single vendor that provides functionality in more than one category. Alternatively outsourcing e-mail management is another option, and one that is more affordable for some organisations.

Because of the sheer size of their respective markets, the two predominant players for corporate e-mail systems, and therefore e-mail standards will be IBM and Microsoft.

E-mail is no longer just a communication tool, it is now recognised as part of the information eco-system. In addition, the compliance and litigation agendas are defining e-mail as constituting records. Thus e-mail needs to be managed as all other content with a lifecycle. This provides the opportunity for the large ECM vendors to be the major players in the lifecycle of e-mail. IBM and Documentum are already playing a leading role in this market, but Microsoft needs to strengthen its ECM capabilities if it is to catch up.

To provide a resilient e-mail management solution, organisations need to implement a selection of applications to support the corporate e-mail system. This will most likely involve implementing solutions in three categories:

Policy Management - most likely a dedicated solution that allows policies to be implemented to manage the content of e-mails and block non-compliant messages.
Security Management - including anti-virus software, anti-spam filtering, content control, and possibly image control.
E-mail archiving - either a dedicated e-mail archive or a Records Management solution if e-mail needs to be retained with other information.
We feel that the failure of the corporate e-mail vendors to provide a holistic solution for e-mail management is providing the ECM vendors with the opportunity to step in and provide much of the missing functionality required for a total e-mail management solution. For this reason Microsoft and IBM will be the only guaranteed survivors in the corporate e-mail system market.

IBM, Microsoft, and Oracle are moving to store e-mail directly into relational databases rather than a proprietary format, and this will be another clear opportunity for ECM vendors to use their tools to manage all content, including unstructured e-mail, within one environment.

Organisations need to regain control of their e-mail systems, and it is our belief that it will be the vendors that provide e-mail management as part of a total information management approach that will ultimately own the corporate e-mail systems.
Section Two - Introduction
The Introduction looks at the business drivers for using electronic communication, assessing some of the most important benefits, problems, and issues surrounding the topic. The potential threats created by e-mail misuse (spam, viruses, and legal problems) are covered here in depth. Regulatory issues are also covered in this section, as e-mail plays a vital role in moving organisations towards compliance.

Section Three - Corporate E-Mail Systems
This section describes the business issues and benefits of deployment, as well as establishing the features of an ideal E-mail Management system. A comparison of the leading e-mail systems is provided here, and the Report authors highlight the areas where corporate e-mail systems are lacking.

Section Four - E-Mail Policy Management
A range of requirements designed to support the enforcement of an effective e-mail policy are examined in this section, including: Blocking non-compliant e-mails, Client management policies, corporate administration policy, and end-user policy, and whether policies should be imposed at the individual or corporate level. Other topics that contribute to the success of an e-mail policy include issuing warnings if e-mails do not conform to company standards or automatically inserting missing content, and e-mail monitoring.

Section Five - E-Mail Security
Because e-mail represents one of the easiest ways to attack an organisation, it is essential to deploy security measures that integrate well with the e-mail system of choice. Although this is as much a policy problem as a technology issue, a range of solutions (Anti-virus, anti-spam, and content filtering to name but three) exist that complement the management of e-mail.

Section Six - E-Mail Archiving
This section of the Report takes account of the issue that e-mail is corporate information that must not only be stored for later reference, but must also be retrieved when needed. This is very important in connection with legislation and compliance issues, and requires specific technologies, including search and retrieval tools, to ensure effective operation.

Section Seven - Knowledge Management and Collaboration
E-mail is a very fast medium, and can connect knowledge workers in several countries with ease. Used in conjunction with workflow tools, e-mail can be a useful support to extended project teams, but must be deployed according to strict requirements if it is to be a secure and reliable system.

Section Eight - Management Strategy for E-Mail Management
This section provides Butler Group's viewpoints on the most effective methodologies that can be used to draw together all of the points previously defined, and how to position the organisation's e-mail as a corporate asset rather than a dangerous risk or resource-hungry drain.

Section Nine - Futures
The Report authors state their views on how the e-mail market will continue to evolve, for example, by noting the growing interdependency with the Enterprise Content Management (ECM) market.

Section Ten - Case Studies
The Report features four case studies, spotlighting organisations that have faced some, or indeed all, of the problems and opportunities in this market. Studies include ABB Ltd, Fujitsu Systems, Irwin Mitchell, and the University of Central England.

Section Eleven - Vendor Profiles

Section Eleven contains brief profiles of a number of relevant vendors and solutions.

Butler Group's industry-leading Technology Management and Strategy Reports deliver Butler Group's thought leadership, opinion, and illustrate best practices through in-depth strategic analysis, supported by comprehensive End-User Case Studies and Product Profiles for the most relevant vendors.