In-Depth
Reconciling with Records Management: Top 10 Requirements
Records management, in the words of the related ISO 15489 standard, is the "creation, receipt, maintenance, use and disposition of records." An increasing number of regulations have driven companies to put their records management programs in order. Learn the top 10 best practices for ensuring the integrity of your records.
Does your records management program meet current regulatory requirements?
Through such regulations as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLB), not to mention the Freedom of Information Act in the public sector, regulators and courts are paying more attention to organizations' records—in both their paper and digital forms.
Legally speaking, however, few organizations today actually comply with existing records management requirements. "Most organizations are way behind in setting enterprise records management programs into place," says Barry Murphy, a Forrester Research analyst. "The Federal Rules of Civil Procedure (FRCP), which were amended in December of last year, however, are driving organizations to implement broader retention programs because they are now responsible for the management of all electronically stored evidence."
As that suggests, simply retaining records—for example, storing all of a financial institution's customer-facing e-mails and IMs for seven years to comply with GLB—is insufficient. Rather, based on the FRCP as well as recent court decisions, including the Zubulake v. UBS Warburg and Coleman v. Morgan Stanley cases, experts say stored records must meet more stringent requirements. Namely, "the court doesn't care if it's a paper document or an e-mail; you have the same responsibility when called upon to produce it, and to produce it in a legally authentic way," notes Craig Rhinehart, who's part of IBM's electronic content management (ECM) practice.
In short, unless companies properly store, authenticate, and retrieve all required records, they risk steep punitive damages. "This is where the problem is," he says, "since most corporate systems, and certainly e-mail systems, don't have the [required] controls and capabilities."
Accordingly, how can organizations create a records management program which meets current regulatory and legal requirements? Experts recommend pursuing these 10 steps.
1. Start With Policies
When it comes to better managing records, don't begin with technology. Rather, start by defining required corporate processes and procedures. Of course, different regulations demand different types of records retention. "So, mapping all these regulations to the internal processes of identifying and determining what constitutes a record is pretty much step number one," says Liz Kofsky, a records management program manager at Open Text.
Also create your records management taxonomy. Known as a "file plan" in the pre-digital era, the concept remains the same: how will information be classified; what's the retention schedule (based on events, the calendar, or a combination), how will hold management be applied (to freeze objects and prevent them from moving to the end of their life), and how will records be audited?
2. Assemble the Right Team
To ensure the success of a records management program, secure executive project sponsorship, and create a steering committee with representation from the appropriate departments to help design the relevant policies, says Kofsky. "You must have representation from records management, IT, legal, and from one or more business knowledge workers—the actual departments."
3. Check Policies For Freshness
For organizations with existing records management policies, be sure to reconcile what's on paper with reality. "Organizations build up flexibility over time," says Keith Mawhinney, an ECM project-delivery specialist at Meridio. Accordingly, he starts any project by asking when a company's records management policy was last updated. Anything less than three years old is typically pretty current. Even so, "if you take it down into the departments and see if they actually use it, you're lucky."
4. Define a Record
According to Mawhinney, organizations must answer these questions when crafting policies: "What is a document or record; how do you deal with versioning; how do you deal with paper—scan or batch scan; and which e-mail do you keep?" Answer carefully: companies must retain vital information, and likewise avoid the costs and decreased productivity associated with managing non-essential information.
Relatively speaking, some industries have it easy. For example, hospitals have patient records, banks have loan-application forms, and lawyers have contracts. Even so, question all assumptions. "Is each piece of information absolutely necessary, and if it's absolutely necessary, show me where it's used," says Mawhinney. "There's a great tendency to capture information because it might be used in the future, or because it might be useful."
5. Utilize Change Management Practices
Implementing new records retention policies in a top-down fashion is a recipe for project failure. Instead, be flexible. In particular, utilize change management techniques to gradually introduce records management tools. Mawhinney also recommends using a "model office" concept: work with a small group of actual users, and refine policies and approaches until they meet requirements without adversely impacting user productivity. Then expand the program to other employees.
6. Be Transparent
When it comes to records management, what's in it for users? The answer, typically, is very little, other than lost productivity. One IBM study of insurance adjusters found manual records management consumed 2.5 percent of an employee's workday. Naturally, users tend to resist such demands. For example, in a National Archives and Records Administration test program which asked users to manually classify records, 56 percent of participants either wouldn't declare the records, or found the process burdensome.
Accordingly, rely on technology to help classify records as automatically and transparently as possible. "If you rely on people to do all this extra work, and there's nothing really for the people except for being good corporate citizens, the general sense is, you're probably heading for a failed corporate deployment," says Rhinehart. Numerous studies also highlight the fact that the average user simply won't classify information correctly; they're not professional records managers.
7. Target Existing Workflows
Rhinehart advocates "that records management should have zero clicks," meaning ideally it doesn't impact users' productivity. To achieve this, organizations must begin by embedding records management into preexisting workflows, to capitalize on known context and metadata. Given the popularity of Six Sigma and continuous business process refinement, many organizations can take advantage of this strategy to minimize or eliminate manual classification.
8. Offer a Carrot
For companies that do require employees to manually classify or flag records per corporate policies, offer enticements. "The point [companies] want to get to is everybody that should be contributing to the system should be contributing to the system, and that won't be appealing unless you offer file management or document management," notes Tom Grant, vice president of product management for Xythos Software.
9. Don't Say "Records Management"
When user intervention is required in a records management process, also make it attractive and understandable. For example, say, "Here's a special folder, if you put a document or e-mail or reference to a document in this folder, you can know for sure that seven years from now, you'll get a message to destroy it," says Grant. "Just saying that is better than getting into the argot of records management or compliance with users."
10. Keep Revisiting Policies
Once written, retention policies can quickly become out of sync with organizational realities. For example, say a UK bank adds European driver's licenses to the list of acceptable types of identification for meeting UK anti-money-laundering regulations. A records management program would have to ensure the bank captured these driver's license numbers, to prove the bank's compliance with the regulation.
One trigger for revisiting retention management policies, then, is whenever an organization creates a new type of form, contract, or other standardized record. "If you start working with new types of forms, it implies new types of information," notes Mawhinney.
Selling Records Management
Need to sell a compliance-related records management program overhaul to ROI-obsessed members of the executive suite? Quote this: according to Gartner Group, the average Fortune 500 company must respond to 6-10 discovery requests per year, at an average cost of about $1.6 million per request. With statistics like that, "organizations are beginning to realize that you can quantify the risk" of ignoring records management, says Jim Till, chief marketing officer of Xythos Software.
Remember, however, that an effective records management program is not predicated on using so-called e-discovery software. True, such software can help search through unstructured information for records related to court-ordered discovery requests. Yet just using this software alone is a short-term, reactive strategy—the "Band-Aid on the bullet problem," according to IBM's Rhinehart.
By contrast, an effective records management program will ensure—proactively—that all current and future records are stored in a structured, contextualized, and easily retrievable manner. Simply put, "if you do records management correctly, then you make your e-discovery burden a million times less," he says.