Fostering a Compliance Culture: The Role of The Sedona Guidelines

Information Management Journal, Mar/Apr 2005 by Allman, Thomas Y

The guidelines offer a practical framework for organizations to reassess and amend existing codes of conduct, training programs, and corporate policies and procedures to create a culture of compliance

Management of electronic information and records must reflect requirements emanating from the litigation process. This has become as much an area of focus in compliance efforts as accurate financial reporting, avoidance of employee misconduct, and antitrust matters. Anecdotal evidence shows a strong upsurge in self-examination by all types of organizations in order to meet the higher expectations.

Against this backdrop, the Sedona Working Group has published The Sedona Guidelines: Best Practice Guidelines and Commentary for Managing Information and Records in the Electronic Age. The guidelines are designed to promote effective approaches to addressing the key issues of electronic records management. Unlike the recent ANSI/ARMA or ISO standard-setting efforts, The Sedona Guidelines focuses on legal imperatives that are driving the issue. Compliance with these new requirements can best be fostered by adopting the approach underlying the five Sedona guidelines.

The New Expectations

The explosive growth in electronic communications and related e-discovery failures has energized courts to impose their own priorities in the absence of guidance from higher courts or legislatures. These court decisions touch on fundamental aspects of information management previously thought to lie solely in the realm of good business judgment. For example, in Demis v. USN Communications, a court fined a chief executive officer for improperly delegating to others (who were deemed by the court to be unqualified in records management) the responsibility for ensuring that information in hard copy and electronic form was reliably made available for future use. In In re Prudential Ins. Co. of Amer. Sales Practices Litig., a court imposed a records management system after concluding that the "haphazard and uncoordinated" treatment of records in various sales offices threatened the litigation process. Misconduct in regard to information handling has resulted in severe criminal penalties for both entities and individuals under federal law. In a dramatic recent example, Arthur Andersen's conviction for destroying documents in the face of investigation was affirmed despite the fact that participants thought their own conduct was in compliance with existing records retention policies. Another recent example was a prominent Wall Street trader's conviction (now on appeal) for endorsing a records retention approach to cleaning up files under inappropriate circumstances.

It is clear that this new emphasis on strict compliance will not go away. It reflects what the court in Rambus v. Infineon Technologies called "the societal need to assure the integrity of the process by which litigation is conducted." Further, Zubulake V cautioned that those that ignore this new paradigm "act at their own peril." (Editor's note: See the January/February 2005 issue of The Information Management Journal for articles on the Zubulake decisions.) Congress has confirmed the shift's lasting nature by increasing fines and penalties for obstruction of justice as part of The Sarbanes-Oxley Act of 2002.

Necessity for a Culture of Compliance

Effective detection and prevention of law or ethics violations require publicizing the values and imperatives deemed important by an entity's leadership. Most corporations have promulgated codes of conduct and provide training in the entity's significant values. Nonetheless, recent corporate governance lapses led many to conclude that more effort must be devoted to involving all entity levels in such training. The U.S. Federal Sentencing Guidelines now explicitly require promoting an "organizational culture" that "encourages ethical conduct and a commitment to compliance with the law." Most corporations also understand that core values must include an effective information and records management program that meets all legal requirements, including those of the litigation process. Senior executives, chief compliance officers, audit committees, and general counsels should therefore reassess and amend existing codes of conduct, training programs, and corporate policies and procedures to reflect the new emphasis. The Sedona Guidelines offers a practical framework for this reappraisal.

Guideline One: Adopt a Practical and Reasonable Approach

The key to the effort is a "reasonable" approach to managing electronic information. Structured information involved in non-desktop applications, such as databases, Web sites, and the like require active management, although their dynamic nature makes this no easy task. An inventory and assessment of each application's characteristics and uses should be promptly undertaken with an emphasis on identifying the predictable role each plays in business and litigation contexts. However, it is the unstructured or user-managed desktop applications those involved in creation and management of e-mail, documents, shared spaces, and similar data types - that demand special attention. Practical solutions that balance competing considerations can best be achieved by calling on the collective wisdom of ad hoc or standing committees formed with representatives of information technology, business units, records management, and legal, along with tax, audit, finance, human resources, and other functional groups operating within the financial constraints imposed by the entity's nature and mission. The legal department should provide leadership and guidance in this effort with strong management support. One suggestion is for the top executive to issue a specific charge providing specific deadlines and designating authority to undertake necessary steps to all affected units.