Records Management & Compliance: Making the Connection

Information Management Journal, May/Jun 2004 by Kahn, Randolph A

Organizations must take a proactive and holistic approach to compliance that ensures the business, technological, and legal challenges of records management are addressed

At the Core

This article

* discusses the importance of a records management program to an organization

* defines the concept of information management compliance (IMC)

* examines the seven key elements of an IMC framework

* In response to the WorldCom bankruptcy filing, the Securities and Exchange Commission (SEC) takes swift and dramatic action to deal with what was perceived as a wholly inadequate records management program and imposes an $800-an-hour monitor on WorldCom (now MCI). The monitor's task is to ensure that the company "has developed document retention policies and... has complied with these policies"

* A. U.S. federal agency notifies a flight school six months after the September 11 terrorist attacks that two of the terrorists have been approved for student visas. The agency admits that its "current system for collecting information is... antiquated, outdated, inaccurate, and untimely."

* The SEC fines five brokerage firms $8.25 million for failure to retain e-mail records. In addition to the monetary penalty, the firms are required to "review their procedures to ensure compliance with recordkeeping statutes and rules."

* The former CFO and sales manager of a defunct Internet company are indicted on charges of falsifying records, among other things.

* The CEO of a pharmaceutical company is found guilty, sentenced to seven years in jail, and forced to pay a $3 million penalty for obstruction of justice because he "directed another individual to ... delete certain computer files... containing phone messages he received ... and documents evidencing [his] instructions."

Cases of records mismanagement, improper destruction, and falsification have cost billions of dollars, ended careers, decimated reputations, and caused some companies to wither away. Clearly, something is seriously broken. Although many records management programs probably never functioned as they should have to begin with, for most corporations it was not until the last few years that anyone took notice. Now everyone ostensibly cares about records. In reality, however, how many records management programs are effective enough to serve business objectives and protect the organization?

The Records Program as Business Facilitator and Insurance Policy

Records are the way that institutions "speak." Over time, employees transfer, retire, forget, die, or quit. Records, however, are and always will be needed to ensure that the organization continues to function and can protect its business and legal interests. More specifically, records allow organizations - among other things - to perform business planning, deal with customers' needs, protect legal interests, take care of business needs, and comply with laws, regulations, auditors, and courts. Records management is the process of managing the corporate memory in a way that makes trustworthy records readily accessible any time they are required.

While these business drivers and generalized legal needs are real, what increasingly drives the discussion today is the organization's goal to be perceived as a good corporate citizen. Corporate directors, executives, and investors all demand assurance that the records management program will not negatively impact them and will provide a degree of protection from claims of wrongdoing.

Just as they need insurance, companies of size and substance need a records program to ensure that they are covered if and when trouble strikes. In the records management context, that means an organisation can demonstrate that it has an effective and institutionalized way to manage all records and to do what is expected of a good corporate citizen. At minimum, that means that an organization retains records based on sound business judgment and in conformity with legal requirements and considerations. It further requires that records management directives are written and consistently applied to all records and that all employees are taught to follow them. Finally, it requires that records do not get destroyed in anticipation of litigation and that the company can effectively search for all responsive records and make them available to their adversary or a regulator in the context of an audit, litigation, or investigation.

Is each organization's records management program properly developed for the new highly sensitive, highprofile use that seems to have taken center stage in today's business environment? When company executives inquire about the status of the records management program, they are probably not referring to file plans or scanning projects. They are asking at a high level whether the records management program has all the components in place today to insulate the company if and when it is subjected to records-related scrutiny. In other words, will their records management program "insure" against the reckless, intentional, or malicious acts of employees or others who have access to the company's information crown jewels?