Knowledge Centre

Insights for Document-Intensive Organisations

Practical guidance on digitisation, ECM, retention, outsourcing and chain of custody.

Articles

Open an article to read it on this page

Document Imaging for Malaysian Organisations: A Practical Starting Guide

Document imaging is often described as a scanning project, but that description is too narrow. A useful digitisation programme is an information-control exercise that begins before the first page reaches a scanner. The organisation must decide which records matter, how people will search for them, what evidence is needed after conversion, and what should happen to the originals. When these decisions are left until production has started, the result is usually a large volume of digital files that are expensive to correct and difficult to use.

1. Start with the business outcome

Define why the organisation is digitising. Common objectives include reducing retrieval time, freeing physical storage, supporting branch access, protecting fragile archives, preparing for an ECM implementation, improving audit readiness, or enabling a business process to move online. A project can have several objectives, but each should be measurable. “Scan the archive” is not a sufficient outcome. “Allow authorised staff to retrieve a complete customer file by account number within two minutes” is clearer and gives the team a basis for designing metadata, access and acceptance tests.

2. Build an inventory before setting a price

Estimate the volume by cartons, files, pages and document types. Record where the material is located, whether it is active or archived, how it is arranged, and whether it contains staples, bindings, photographs, receipts, oversized sheets or fragile originals. Sampling is essential because carton counts alone do not show page density or preparation effort. A representative sample also reveals blank backs, duplicate forms, torn pages, faded ink and mixed paper sizes. These factors affect throughput, staffing, equipment and the risk allowance in the schedule.

3. Prioritise instead of digitising everything blindly

Not every record has equal value. Start with material that is frequently retrieved, operationally critical, vulnerable to damage, distributed across locations or required for a defined compliance purpose. Low-value duplicate material may be excluded under an approved rule. Records that are already scheduled for lawful destruction may not justify conversion. Prioritisation reduces cost and helps the organisation prove value through an initial phase before committing to an entire archive.

4. Agree the image specification

The project specification should state resolution, colour mode, duplex handling, file type, compression, blank-page rules, rotation, de-skewing and treatment of poor originals. A common baseline is 300 dpi with searchable PDF output, but the correct setting depends on the source and intended use. Technical drawings, photographs, faint carbon copies and documents with small annotations may require different treatment. The team should also decide whether the deliverable is one file per page, one file per document, or one file per folder, and how separators will be detected.

5. Design metadata around real retrieval behaviour

Metadata is what turns images into a usable collection. Choose fields that staff genuinely use, such as reference number, document type, department, customer, property, case, date range or retention category. Avoid collecting dozens of fields simply because they are visible on the page. Each field adds data-entry effort and creates another opportunity for error. Controlled lists, validation rules and database lookups can improve consistency. Accuracy-critical fields may require double-key entry or an independent verification step.

6. Define chain of custody and security

Confidential records should be traceable from the client location to the processing facility and through every subsequent movement. The handover should identify cartons or batches, quantities, collection time, authorised parties and transport references. Within production, batches should be assigned to controlled work areas and reconciled at each stage. The project should also define staff confidentiality obligations, access control, CCTV coverage where applicable, device restrictions, incident escalation, backup arrangements and approved delivery methods. Security claims should be supported by current evidence rather than generic marketing language.

7. Pilot the workflow with representative material

A pilot is not merely a demonstration. It is a controlled test of preparation, scanning, enhancement, indexing, quality assurance, delivery and client acceptance. Use material that represents the difficult parts of the archive, not only clean standard pages. Review image quality, naming, metadata, retrieval performance, exception handling and production rates. The pilot should produce a written list of decisions and changes before full production. That record prevents different teams from applying different interpretations later.

8. Make quality assurance measurable

“Checked” is not an acceptance criterion. Define what constitutes a missing page, unreadable image, wrong orientation, duplicate, incorrect split, metadata error or batch mismatch. State the sampling rate or full-review requirement for each control. High-risk records may justify complete image and index verification, while lower-risk collections may use statistically designed sampling. The process should identify who can approve rework, how defects are recorded, and how the final output is reconciled with the source volume.

9. Plan delivery, access and final disposition

Decide how files will be transferred and where they will live. Options may include encrypted drives, secure transfer, direct EDMS upload or a managed ECM platform. Confirm folder structures, permissions, backup ownership and the process for correcting records after delivery. The originals must also have a defined route: reassembly and return, secure storage, or authorised destruction after acceptance. Destruction should never be assumed merely because scanning is complete; it requires a valid retention decision and documented approval.

10. Treat the first phase as an operating model

The strongest digitisation projects leave the organisation with a repeatable method, not only a set of files. Document the scope rules, metadata dictionary, quality criteria, security controls, reports, exception routes and responsibilities. These become the basis for future intake, procurement and audit. A practical starting point is therefore a scoped pilot with clear outcomes, representative samples and an agreed acceptance process. It is slower than sending cartons directly to a scanner, but far less costly than rebuilding an unusable archive.

Close article and return to list

ECM vs. Simple Cloud Storage: What’s the Difference and Why It Matters

Cloud storage and Electronic Content Management are often discussed as if they are interchangeable. Both can store digital files, but they solve different problems. A shared cloud drive is mainly a place to keep and exchange content. An ECM environment applies structure, rules and evidence to the way documents are classified, found, accessed, changed, approved and retained. The distinction matters because an organisation can have all its files online and still have poor information control.

Storage answers “where”; ECM answers “how”

Cloud storage answers a basic question: where can a file be kept so authorised users can reach it? That may be enough for small teams working with a limited number of current documents. ECM adds questions about how the file should be named, what record it represents, who may view or alter it, which version is authoritative, what workflow it follows, how long it must be retained and what evidence remains after an action. These controls are important when documents support regulated, contractual or high-volume operations.

Folders are not the same as metadata

Shared drives rely heavily on folder paths and file names. Those structures become difficult to maintain when departments use different terms, staff move files, or the same document relates to several categories. ECM systems use metadata fields such as account number, case, department, document type, status and date. A single record can therefore be found through several business views without creating uncontrolled copies. Metadata also supports validation and reporting in ways that a folder name cannot.

Search quality depends on structure

Cloud platforms may offer full-text search, but search results are only as reliable as the content and naming discipline. Scanned images without OCR may not be searchable at all. Common words can also return hundreds of irrelevant results. ECM combines full-text search with controlled index fields, filters and security rules. Users can search for a specific customer, transaction or case rather than opening folders one by one. For document-intensive organisations, this difference directly affects service time and staff productivity.

Version control protects the authoritative record

In a shared folder, users may create files called “final”, “final revised”, or “final latest”. Multiple copies can circulate through email and chat, making it unclear which one governs. ECM version control keeps a managed history under a single record, identifies the current version and can preserve previous versions for review. Check-in, check-out and approval controls can prevent two users from overwriting one another. This is especially relevant to policies, contracts, technical documents and records that change over time.

Workflow turns documents into managed work

Simple storage does not normally understand whether a document is awaiting review, rejected, approved, expired or incomplete. ECM can route records through defined stages and assign tasks to roles. A submitted form may move from capture to verification, supervisor approval and final filing. Each stage can have deadlines, mandatory fields and exception rules. The document is therefore connected to an operational process rather than sitting passively in a folder.

Permissions need more than a shared link

Cloud storage can provide useful access controls, but organisations often configure them at broad folder level. Shared links may be copied beyond the intended audience, and permissions can become difficult to audit across a large structure. ECM can apply role-based controls by document type, department, case or sensitivity. It may also restrict printing, downloading or editing while still allowing secure viewing. The right model depends on the platform, but the design should begin with information classification rather than convenience.

Audit trails provide evidence

For many records, it is not enough to know that a file exists. The organisation may need to know who viewed it, changed metadata, downloaded it, approved it or deleted it. ECM audit logs are designed to provide that history and support governance reporting. Cloud platforms may also log activity, but the depth, retention and business context vary. Before relying on any platform, confirm what events are captured, who can alter logs, how long they are retained and how they can be exported for investigation or audit.

Retention and disposition require rules

A shared drive tends to accumulate files because deletion feels risky. ECM can associate a record with a retention class, trigger review at the end of the period, preserve a legal hold and record authorised disposition. Technology does not decide the correct retention period; the organisation’s approved schedule and legal advice do. However, a controlled system can make the policy operational and prevent both premature destruction and indefinite retention.

Integration determines whether users adopt the system

An ECM environment should not become an isolated archive that staff avoid. Consider how records enter the system from scanning, email, forms, line-of-business software and bulk imports. Consider also how users retrieve documents from the applications they already use. Integration may involve APIs, watched folders, database lookups, single sign-on or direct links from a business record. Good integration reduces manual filing and duplicate storage. Poor integration simply creates another place that users must remember to update.

When simple cloud storage may be enough

A small team with low document volumes, limited sensitivity, simple collaboration and short-lived working files may not need a full ECM platform. A well-governed cloud drive can be appropriate if naming, access, backup and ownership are clearly managed. The warning sign is when staff cannot find records, create repeated copies, rely on personal folders, need formal approvals, face audit requirements or retain large collections over many years. At that point, the problem is information governance rather than storage capacity.

Choose based on requirements, not labels

Products use terms such as document management, content services, collaboration and digital workplace inconsistently. Evaluate capabilities against actual needs: metadata, OCR, search, permissions, versioning, workflow, audit, retention, integration, reporting, portability and administration. Run a pilot using real documents and user tasks. The practical question is not whether ECM is “better” than cloud storage. It is whether the chosen environment provides enough control for the value, volume and risk of the records being managed.

Close article and return to list

What Happens to Your Records After the Retention Period Ends?

A retention period is not a countdown timer that automatically authorises deletion. It is a governance rule that should trigger a controlled review. When the stated period ends, the organisation must confirm that the record is eligible for disposition, that no legal, audit or operational hold applies, and that the authorised method is followed. The process should produce evidence strong enough to explain what was destroyed, who approved it, when it happened and how exceptions were handled.

Retention begins with classification

A record can only follow the correct schedule if it has been classified properly. Contracts, personnel files, invoices, technical records, customer correspondence and statutory submissions may have different retention requirements. A folder called “old documents” is not a retention category. The organisation needs a controlled schedule that links record classes to a retention trigger, period, responsible owner and final disposition. The trigger may be creation, case closure, contract expiry, employment termination or another business event.

Check whether the period has actually started

Confusion often arises because people count from the document date when the approved schedule counts from a later event. A seven-year period measured from financial-year close is different from seven years measured from the invoice date. Likewise, a case file may remain active for years before the retention clock starts. Before disposing of a collection, confirm the trigger and calculate eligibility consistently. Where the record has incomplete metadata, the safest answer is not always indefinite storage; it may require a remediation exercise and a documented conservative rule.

Apply holds before approving destruction

Records may need to be preserved beyond their standard period because of litigation, investigation, audit, complaint, regulatory inquiry, contractual dispute or internal review. A hold temporarily overrides normal disposition. The process should identify who can issue and release a hold, how affected records are located, and how the restriction is communicated to storage and system administrators. Destruction vendors should receive only authorised material; they should not be expected to determine whether a hold applies.

Prepare a disposition list

The business owner or records function should prepare a list describing the proposed material. Depending on the collection, this may identify cartons, file ranges, record classes, date ranges, system batches or unique references. The list should be specific enough to review and reconcile, but should not expose unnecessary personal data. Approvers need to know what they are authorising. Broad descriptions such as “miscellaneous archive” create risk because they make it difficult to confirm whether protected records were included.

Obtain the correct approval

Disposition authority should be defined in policy. It may require the record owner, records manager, legal function, compliance team or another delegated role. A vendor quotation or collection request is not a substitute for internal approval. The approval record should reference the applicable retention rule, confirm that holds were checked, state the authorised method and identify exceptions. For recurring destruction, a standing procedure can simplify administration, but each batch should still be traceable to an approved decision.

Choose a method suited to the information

For paper records, cross-cut shredding is commonly used because the output is difficult to reconstruct and can be recycled. Other media may require different treatment. Optical discs, magnetic media, drives and backup devices should not be placed into a paper process without a method designed for them. The contract should define acceptable particle size or destruction standard where required, segregation, witness options, treatment of non-paper material, environmental route and the point at which custody transfers.

Maintain chain of custody during collection

Eligible records remain confidential until destruction is complete. Collection should use sealed containers or controlled cartons, signed handover, batch references, authorised transport and a clear receiving record. Quantities should be reconciled at pickup and arrival. Where the client requests witnessing or CCTV evidence, the scope and privacy controls should be agreed in advance. A camera should prove the process without exposing readable information or unrelated client material.

Close the process with evidence

A Certificate of Destruction should identify the service provider, client, date, authorised batch or reference, method and completion confirmation. It should connect back to the disposition list rather than stand alone as a generic certificate. Supporting records may include collection orders, delivery records, weight tickets, exception logs and recycling acknowledgements. These documents should be retained according to the organisation’s governance needs because they may be the only proof available after the originals no longer exist.

Remember digital copies and derivatives

Destroying paper does not dispose of scanned copies, exported data, email attachments, backups or temporary processing files. The disposition decision should state whether the digital record is the authoritative copy and how long it must be kept. If both physical and digital versions are eligible, system administrators need an approved deletion process that addresses backups, replicas and audit logs. Conversely, if paper is destroyed after digitisation, the organisation should first confirm image quality, completeness, metadata and acceptance.

Handle exceptions openly

A batch may contain material that is not on the authorised list, a carton count may differ, or a record may be too damaged to identify. The correct response is to isolate and report the exception, not to make an informal assumption. The procedure should define who can resolve discrepancies and whether the affected material must be returned, reclassified or added to a revised approval. Exception records demonstrate control and help prevent the same problem in future cycles.

Move from occasional clean-outs to a managed programme

Large emergency disposal exercises are usually a sign that retention rules are not operating routinely. A managed programme reviews eligible records at scheduled intervals, applies holds, obtains approval and produces consistent evidence. This reduces storage cost and risk while avoiding rushed decisions. The end of the retention period is therefore not simply the moment a record may be destroyed. It is the point at which a governed decision must be made and documented.

Close article and return to list

Choosing a BPO Partner for Records-Heavy Government and GLC Projects

Choosing a BPO partner for a records-heavy project is not the same as buying standard scanning equipment. The provider will handle information, physical custody, production deadlines and quality decisions on the client’s behalf. A low unit price can be misleading if the scope excludes preparation, exception handling, index validation, secure transport or rework. Government and GLC teams should evaluate the operating model behind the proposal, not only the promised output volume.

Begin with procurement eligibility, then move beyond it

Registrations, ownership status and contractor grades may be necessary for a supplier to participate in a particular procurement. They are useful evidence of eligibility, but they do not by themselves prove that the proposed team can deliver a document programme. Verify that credentials are current and relevant to the scope, then assess production capability, security, governance and references separately. Avoid treating a certificate as a substitute for a project plan.

Demand a clear statement of scope

A credible proposal should explain what happens from collection to final delivery. It should state assumptions about page condition, carton density, bindings, oversized material, colour, duplex pages, OCR, indexing fields, file structure, system upload, reassembly and final disposition. It should also identify exclusions. If the price is based on “standard documents”, define standard. Ambiguity creates variation claims later and makes competing proposals impossible to compare fairly.

Test whether capacity is real

Ask how throughput was calculated. Scanner speed ratings do not equal project output because preparation, rescanning, indexing, quality assurance and exceptions constrain the line. Review the number and type of scanners, working shifts, operators, supervisors, indexing workstations and backup equipment. Ask how capacity is shared with other clients and what happens when equipment fails or absenteeism rises. A production plan should show balanced stages rather than one impressive machine specification.

Examine the quality model

Quality needs definitions, checkpoints and ownership. The provider should explain image-quality checks, page-count reconciliation, document splitting, metadata validation, sampling, double-key entry where relevant, rework and final acceptance. Ask for a redacted sample quality report and an example of how exceptions are logged. A proposal that promises “100% accuracy” without defining the test is weaker than one that explains measurable criteria, tolerances and corrective action.

Follow the chain of custody

Map every handover. Who packs and labels the cartons? Who signs at collection? What vehicle and route controls apply? Who receives the batch? How is it assigned inside production? Where are originals held during processing? Who can authorise return, storage or destruction? Each transition should have an owner and record. For multi-location work, the controls should be consistent across branches and allow the client to reconcile outstanding material at any time.

Review security as an operating system

Security is more than CCTV and locked doors. Consider staff screening and confidentiality, visitor management, workstation controls, removable media, internet access, mobile devices, printing, temporary files, backups, incident response and secure delivery. Confirm whether processing is performed locally or subcontracted. If subcontractors are used, the client should know their role and controls. Request evidence that is current and relevant rather than generic policy statements.

Check governance and reporting

A large project needs named decision-makers, regular reporting and escalation paths. The proposal should identify the project manager, operations lead, quality owner and client counterpart. Reports may cover received volume, preparation, scanned pages, indexing, QA, completed batches, outstanding cartons, defects, rework and risks. Agree the reporting frequency and cut-off rules. A dashboard is helpful only if its figures reconcile with batch records and acceptance certificates.

Assess business continuity

Records projects can run for months or years. Ask how the provider handles equipment failure, power or network disruption, facility incidents, staff shortages, data loss and transport delays. Review backups for digital work-in-progress and the recovery process for batch status. Physical originals may be irreplaceable, so continuity planning must address both information systems and the actual archive. The plan should state recovery priorities and who communicates with the client during an incident.

Confirm system and delivery compatibility

The final output must fit the client’s technology and information-governance model. Test file naming, folder structure, metadata format, character sets, OCR quality, permissions and import requirements. Where delivery is into an EDMS or ECM, run a representative import before full production. Confirm responsibility for failed imports, duplicates and field mapping. The cheapest scanning price has little value if the output requires months of manual correction before users can retrieve it.

Use a pilot to compare providers

A controlled pilot gives procurement teams evidence beyond presentations. Use the same representative sample, specification and acceptance criteria for shortlisted providers. Include difficult pages and realistic metadata. Measure preparation effort, output quality, index accuracy, reporting, exception handling and communication. The pilot should not be so small that every page receives special attention; it should be large enough to reveal how the proposed workflow behaves under production conditions.

Evaluate the commercial model carefully

Understand whether pricing is per page, image, document, file, carton, field, hour or milestone. Identify charges for collection, preparation, repairs, rescanning, indexing, storage, return, media, system upload and destruction. Define how rejected output and rework are treated. Volume bands can be sensible, but the client should retain visibility of actual counts. A commercial model is strongest when it aligns payment with accepted, reconciled output rather than raw scanner activity.

Look for warning signs

Warning signs include unverified throughput claims, no named project team, vague security answers, reliance on a single machine, inability to explain quality metrics, refusal to provide a pilot, unclear subcontracting, and a price that excludes most preparation. Another warning is a provider that agrees to every requirement without identifying risks or assumptions. Competent partners challenge unclear specifications because they understand the cost of ambiguity.

Select the operating partner, not the brochure

The right BPO partner should be able to show how people, process, technology and governance work together. Procurement eligibility matters, but reliable delivery depends on scope clarity, realistic capacity, measurable quality, chain of custody, reporting and continuity. A disciplined evaluation may take longer at the start, yet it protects the organisation from rework, disputed volumes and information risk throughout the contract.

Close article and return to list

Chain of Custody: Why It Matters When Outsourcing Document Handling

Chain of custody is the documented history of who had control of a record, when control changed, what happened during that period and how the next party acknowledged receipt. It is familiar in legal and forensic settings, but it is equally important in document outsourcing. When an organisation sends cartons, files or digital media to a service provider, it temporarily gives another party physical or logical control over information that may be confidential, regulated or operationally essential.

Why ordinary delivery records are not enough

A courier receipt may prove that something moved from one address to another, but it may not identify the exact cartons, document ranges, seals or exceptions. Chain of custody connects the transport event to a controlled inventory and an authorised purpose. It should allow the client to answer: what left, who released it, who collected it, what arrived, where it was stored, which process it entered, what was returned or destroyed, and whether any discrepancy occurred.

Start with a controlled batch identity

Every movement should refer to a batch, carton or other unique identifier. Labels should be readable, durable and reconciled against a manifest. Sensitive descriptions do not need to appear on the outside of a carton; a coded reference can link to a protected list. Seal numbers may be used where appropriate. The important point is that both parties agree on the identity and quantity before custody transfers.

Record the handover

A handover record should state the date, time, location, releasing party, receiving party, batch references, quantities, condition and any exceptions. Signatures may be physical or electronic depending on the approved procedure. If a carton is damaged, unsealed or missing from the list, note it immediately rather than resolving it later from memory. Photographs can support the record if they do not expose readable personal or confidential information.

Control transport and receipt

The transport model should match the risk. Consider authorised drivers, vehicle security, route planning, unattended stops, overnight holding, incident contact and proof of arrival. At the processing facility, receipt should be performed by an authorised person who reconciles the manifest and records the storage location. Custody has not been properly transferred merely because cartons were left at a loading area.

Extend custody into the production floor

Chain of custody does not end at the facility door. Batches move through preparation, scanning, indexing, quality assurance, reassembly, storage and delivery. Internal assignment records should show which team or controlled area had the batch. Work-in-progress should not be mixed without traceability. If pages are removed from bindings, the process needs separators, batch sheets or another method to preserve sequence and document identity.

Manage digital custody as well

Scanning creates new copies and temporary files. The organisation should know where images are written, who can access them, whether local caches exist, how backups work, and how files move to indexing or delivery. Transfers should use approved encrypted methods, and receipt should be verified through counts, checksums or system import reports where appropriate. Temporary production files should have a defined deletion route after acceptance, subject to contractual and retention requirements.

Define exception handling before an exception occurs

Common exceptions include missing cartons, count differences, loose pages, damaged seals, documents outside scope, unreadable originals and files that cannot be matched to a manifest. The procedure should state who is notified, how material is isolated, who may authorise continued processing and how the final record is corrected. Informal fixes undermine the chain because they create gaps between what happened and what the documentation shows.

Separate authorisation from execution

The party performing scanning, storage or destruction should act on a documented instruction. It should not decide that records are obsolete, change the approved scope or destroy rejected material without authority. Clear separation protects both client and provider. The client retains responsibility for disposition decisions, while the provider demonstrates that it executed the approved instruction against the identified batch.

Close each possible route

After processing, originals may be returned, stored or destroyed. Return requires a delivery record and acknowledgement by the receiving party. Storage requires an inventory location, access history and retrieval controls. Destruction requires an authorised list, completion evidence and a certificate linked to the batch. Each route should close the open custody record. An unexplained “completed” status is not enough if the physical material cannot be accounted for.

Use reconciliation, not assumptions

Good chain-of-custody reporting compares expected and actual quantities. The units may be cartons, files, documents, pages, images or media items depending on the project. Differences should be explained through approved rules such as blank-page removal, duplicate exclusion or rescanning. Reconciliation is particularly important when the source count is estimated. The report should distinguish an estimate from a verified quantity rather than presenting false precision.

Audit the system periodically

Controls weaken if nobody tests them. Periodic audits can sample batch records, access logs, facility locations, signatures, transport records, exception handling and final certificates. A useful audit follows a small number of records from client release through the entire process and back to final disposition. Findings should lead to corrective action, training or procedure changes. The purpose is not to create paperwork for its own sake, but to ensure that the documented chain reflects reality.

Make chain of custody part of the contract

The contract or statement of work should define identifiers, handover documents, authorised contacts, transport, facility controls, reporting, incident notification, subcontracting, return, storage, destruction and record retention. It should also state how evidence will be provided and how long the provider must keep it. When these points are agreed only after an incident, the parties often discover that they assumed different responsibilities.

Trust is created by traceability

Outsourcing always involves a transfer of control. Trust should not depend on verbal assurance that the records are “safe”. It should be supported by an auditable trail showing where the material was, who controlled it, what action was authorised and how completion was confirmed. A strong chain of custody protects confidentiality, reduces disputes, supports investigations and gives management a reliable answer when asked to account for a record.

Close article and return to list

Need advice for an actual records project?

Use these guides as a starting point, then scope the specific volume, risks and operating requirements.

Contact SYSB