
Accelerate Compliance


Proactive methodologies to protect your business when the auditor - or lawyers - come calling
By Bruce Hoard

Compliance in Today’s Corporate Climate

With the demand for good corporate governance becoming more pervasive in business today, a Compliant Records Management strategy can help executives gain control over their critical physical and digital data.

Maintaining compliance is about much more than adhering to an escalating number of local, state and Federal regulations. With increasingly severe risks and penalties for noncompliance - including multimillion-dollar fines, customer and shareholder class-action lawsuits, and even executive imprisonment - accountability for records management has never been more critical.

Former SEC Chairman William Donaldson cautions that with some 20,000 laws related to records management already on the books, compliance needs to become part of a company’s DNA. Yet, he suggests, “If companies view the new laws as opportunities to improve internal controls, improve the performance of their boards and improve their public reporting, they will ultimately be better run, more transparent and therefore more attractive to investors.”

Executives need serious tools to gain control over their more critical physical and digital data. One strategy, Compliant Records Management (CRM), is especially valuable for any organization that must not only preserve corporate records but also manage the costs and risks associated with retrieving corporate information.

What Brings On the Executive Ulcers
What makes digital records access and protection so difficult for companies to manage? “I think the hardest part is that companies are trying to transition from paper records to electronic records, and they’re trying to fit digital content into paper record processes,” says Brian Babineau, an analyst with the Enterprise Strategy Group. “And that’s not going to work.”

Babineau adds that companies need to realize that information created electronically manifests itself in many formats and many applications, and that it is copied multiple times during the backup process. They also need to understand this life cycle - where and how in the process they want to capture a record.

Disposal is another challenge. Relatively few people may invest in shredding services, Babineau says, and most of them store their paper documents “forever.” He warns against taking this tack with electronic data, saying that if it isn’t necessary for any future purposes, it should be deleted on a pre-set schedule. The best way to do that, he asserts, is via an easily repeatable disposition cycle.

John Webster, founder and senior analyst at the Data Mobility Group, cites the potential for litigation as one reason many companies might have to access pertinent records in a hurry. “Companies may need to find various records and personnel documents - definitely email,” he states. “And you have to do it within a reasonable amount of time, as far as the court is concerned.”

For the latest information on electronic records and legal discovery, visit the New eDiscovery Rules Center.

Regulatory mandates have begun to blanket everything from electronic documents and digital images to audio and video media, email and instant messages, as well as paper and other physical records.

At the same time, corporations have to prove that they can quickly find and share corporate information with the government in compliance audits and with the courts in litigation. Equally important, under the Sarbanes-Oxley Act, publicly held companies must be able to verify financial and business integrity for investors.

For more information about legislation, view a Summary of US Regulations that require compliance.

First Steps Toward Compliance

If companies continue to rely on traditional, manual processes, compliance efforts will consume ever-greater percentages of their budgets - and cause them to fall behind competitors that have figured out a smarter way to achieve compliance at a lower cost and risk. Laura McDaniel, Director of Compliant Records Management Programs at Iron Mountain, recommends a five-point attack:
  1. Continue to automate your manual processes
  2. Increase the sophistication of your controls, processes and IT systems
  3. Improve the integrity and quality of your transaction information
  4. Speed up the flow of information to meet real-time data demands
  5. Resign yourself to the necessary evil of ongoing compliance reporting

Moving Records Management from Cost Center to Strategic Initiative

Traditional records management focused on operational efficiency - the preservation, management and disposition of a company’s official records in the most cost-effective manner possible. The process was viewed as a cost center. But increased regulations have moved this discipline into the strategic category. The new paradigm, Compliant Records Management, combines the long-established operational efficiency approach with a more proactive risk-based compliance approach.

Compliant Records Management Program Development:
Six Stages to Success

Stage 1: Get Organized: This includes determining the program scope, gaining commitment not only at the executive level but also throughout the company, and then allocating the right resources and responsibilities to ensure the program’s timely implementation.

Stage 2: Assess and Plan: Evaluate the current program status, identify the most substantial gaps, and create a master plan to address and close those gaps.

Stage 3: Develop a Retention Schedule, Policies and Procedures, and Audit Metrics: These are the foundations for credible Compliant Records Management. Companies need one universal records retention schedule that captures all of the records, regardless of media, that the organization creates or receives. This includes:

  • Creating a universal records scheme that covers all records in all formats
  • Identifying any applicable legal retention requirements
  • Assigning retention periods to all record classes

Policies and procedures should provide governing advice for the creation, management, access, retention, and disposal of records.

Stage 4: Implement: In the final analysis, a CRM program will be judged on the quality of the implementation, not the design. To ensure proper deployment:

  • Take a phased approach by implementing a base program first and then adding programs for specific applications where the organization is most at risk (e.g., email)
  • Design and roll out training that is tailored to each specific audience within your organization
  • Implement technology to assist with program management and measurement

Stage 5: Manage and Enforce: To ensure that the program stays current with the latest law, it’s important to:

  • Enforce classification and destruction reviews using timely reports and periodic formal reviews
  • Maintain training, communications and certification programs
  • Update retention schedules, policies and procedures
  • Plan and budget for program maintenance, enforcement, audits and enhancements

Stage 6: Audit: Accountability necessitates regular audits. Industry experts recommend incorporating CRM into the standard internal audit process, regularly benchmarking it against audit metrics to identify areas that need improvement, and securing corporate commitment to take corrective actions.

Benefits of Compliant Records Management

Foremost among the benefits of a CRM program is a lower risk of noncompliance penalties. Second, by optimizing the program to retain valid records and dispose of unnecessary ones, you can achieve significant savings in storage costs. Third, with the tighter organization of records management, consistent retention schedules, and appropriate policies and procedures, you’ll improve your ability to retrieve records. And fourth, your company will be in a better position to proactively manage discovery costs and risks.

Why CRM and Why Now?

Iron Mountain’s McDaniel notes that organizations need CRM because they have more information and regulations than ever, as well as more mandates to produce data and more risks associated with it.

“For most companies, this is an overwhelming challenge,” she says. “A tightly structured CRM program will enable businesses to reduce the cost, complexity and risk associated with records management. When implemented properly, a good CRM program represents responsible records management practices that keep a company in line with both the letter and the spirit of the law.”

Bruce Hoard is a contributing writer for Digital Authority. He is based in Maine.

This article is based on the cover story of the same name originally printed in the Autumn 2006 issue of Digital Authority, published by Iron Mountain, Inc.
