Managing Documents of Record in Information-driven Businesses

The recent and increasing drive of regulatory agencies and government legislation to mandate corporate compliance has generated substantial requirements for organizations to manage their records. Some of the records management mandates are directly defined in regulations (e.g. FDA 21 CFR Part 11, SEC 17(A)) and laws (e.g. Sarbanes-Oxley) while in other cases (e.g. communication with employees as defined in the Equal Employment Opportunity Act of 1972) the only way of meeting the regulations and laws is to implement some form of records management.

Records management attempts to assure that an organization manages its

documents of record, whether physical or electronic, in accordance with business, regulatory and/or legal requirements. Specifically, the requirements include:

Documents of record are maintained in a manner such that it can be proved that they were not modified;

Documents are destroyed in accordance with the organization's retention schedule, which is mandated by a combination of laws, regulations and business practices;

Documents can be found when requested by regulatory agencies, the courts or for business reasons; and;

Documents can be placed under disposition hold. As has been seen in numerous cases documented on the front page of almost any newspaper, organizations must have a mechanism to assure that if the potential of litigation or regulatory review exists, all documents must be placed under a hold.

Records management is not just a feature set or a technology. Rather, it is a combination of policies and procedures specifically tuned to the requirements of an organization, often best implemented in cooperation with software that is specifically designed to meet records management requirements. The software is often necessitated by the sheer volume of information that must be managed and the complexity of the records management requirements.

This white paper will define records management best practices; how these relate to records management software requirements; and how this will aid an organization in meeting its corporate compliance requirements.

What is Records Management Best Practices?

At the heart of implementing any records management system, especially one specifically mandated by regulatory and/or legislative compliance, is records management best practices. This assures that any system, whether manual or electronic, encompasses those policies and procedures that assure that records are correctly managed. Unfortunately, some organizations are installing software products without sufficient best practices in place, leading to "check-box" implementations that will leave the organization open to substantive liability.

In order to understand what policies and procedures must be created, an organization must first define the "WWH" of records management ("what, when and how"):

WHAT

1. What legal and regulatory requirements are specifically applicable to the organization? One must not only look at the major regulatory agency for the industry in which the organization does business, but also all other federal, state and local agencies and any international laws and regulations that may be applicable. The requirements in some states or countries may be contradictory (e.g. US and UK privacy laws as they relate to e-mails are very different), therefore policies and procedures will be specific per locality or department.

2. What documents need to be managed as records for business or organizational efficiency reasons? It is very important to understand that an organization's documents of record are generated by virtually every department within the organization and encompass a wide range of formats from physical documents (e.g. forms contracts, correspondence, plans, microfilm) to a diverse set of electronic documents (e.g. spreadsheets, graphics, voice mail) and electronic communications (e.g. e-mail, instant messaging, mobile text messages). Some of these may be a record in one department while constituting a communication or non-record in another (e.g. instant messaging of a broker/dealer is considered a record under NASD 3010 but instant messaging within IT may not be a record).

3. What defines a document of record as it specifically relates to the organization? An explicit definition of what constitutes a document of record within the organization is critical and must be communicated throughout the organization in order to assure compliance. This will, in fact, aid in any future regulatory review or litigation. The definition must relate to the information garnered in the two previous items (e.g. as stated earlier instant messaging may be a document of record in one organization or one department but not in another).

WHEN

1. When can documents of record be destroyed? Please note that keeping records for too long can be as damaging to an organization as destroying the documents before their time. Furthermore, the document destruction process must be sufficient to assure that "destroyed" documents are not recovered as part of discovery. Audit trails may also be required to prove that the document(s) existed and were destroyed based on the organization's retention schedule and not as a response to potential regulatory review or litigation, which could be damaging.

HOW

1. How are documents of record created and managed? Documents of record are created throughout the organization and must be managed throughout their lifecycle within the organization. When documents of record leave the organization as part of the business process, records must be created and maintained to assure compliance. All of this must be charted and defined in order that the processes correlate to reality.

2. How will the organization easily find documents of record in order to meet discovery requirements? This is very important considering the cost of regulatory or legal discovery. If the organization needs to search separately in many different systems then the costs will increase, and furthermore the potentiality exists that documents will not be found by the organization leading to potential adverse claims against the organization (e.g. Zubalake v. UBS Warburg LLC). In the event that the discovery process is found to be inconsistent or inaccurate, the additional fines and liability could increase the costs many times over.

3. How will documents of record be placed under disposition hold? This is the corollary to item 2 above, since when there is the potential for regulatory or legal investigation an organization is bound by compliance requirements to assure that the documents under investigation are not modified or destroyed. Holds must be placed on all records relating to the subject matter under investigation.

Once an organization has researched these seven key points, the next step is to develop the policies and procedures to assure that all of the organization's documents of record are correctly managed throughout their lifecycle. The policies should be in written form and fully document the WHAT, WHEN and HOW of records management. A key component of this will be the organization's retention schedule which, depending on the industry, states and countries that the organization operates within, can be very complex. Procedures can then be created to assure that the policies and retention schedule are implemented, maintained and enhanced based on changes in regulations and laws. Together this becomes the backbone of the organization's records initiative. For this initiative to be effective, management buy-in is a must, not only at the beginning, but throughout the project and beyond. Employees must understand that this is a critical organizational initiative and that following outlined procedures is mandatory.

On-going training is also required in order to ensure continued compliance. This is most evident in United States v. Arthur Andersen where training was a key element in the jury's verdict.

Best Practices and Software

Concurrently with determining its records management best practices policies and procedures, one must consider how these will best be implemented. Since most organizations have substantial volumes of both electronic and physical documents of record, specialized software is virtually mandated. It is key that the software selected is powerful and flexible enough to meet the varied requirements that will be developed during the best practices process. Software must contain the following components:

The software must be capable of managing all of the organization's documents of record. This includes physical files, mixed media, electronic documents, images, e-mails and any other form of record. Otherwise the organization will not consistently manage all records, leading to a lack of compliance and future liability for the organization. It is important to note that even though organizations are attempting to move to a paperless environment, paper records are going to exist and may in fact be mandated by regulations and laws.

A wide range of information needs to be managed relating not only to the documents of record but also other related information pertinent to meeting the different regulatory requirements and laws. Therefore the system must be highly flexible and extensible to allow the easy addition of substantial data and metadata.

Flexibility is key to a smooth implementation and meeting changing requirements. The software product must meet the organization's requirements rather than having the organization attempt to change its processes and procedures due to limitations in the software product.

Retention requirements will be complex and will change over time. This necessitates a time and event based retention rules engine that encompasses the following requirements:

Rules can be tied to any date or event (e.g. employee retirement, contract completion, invoice date);

Rules must be easily modifiable and must scale across large volumes of records as applicable. Since there can be millions or billions of records, scalability is key; and

Rules should be created for all lifecycle actions (e.g. archive, review, destruction).

Since organizations create and maintain records in multiple applications, or silos, of knowledge, the software product must be capable of managing records within the different silos. This means that the system must be tightly integrated or capable of integrating with the organization's e-mail system, existing document management systems (DMS), potential DMS, archiving systems and anything else that the organization uses to create or manage future documents of record. Installing a records system that only manages the records within a single document management, content management or archiving system will not allow the organization to manage all of their records without substantial initial and on-going costs as well as productivity losses while systems are replaced, information is migrated or employees manually perform searches, etc.

With software in place, providing the appropriate functionality, records management best practices can be implemented to assure that an organization manages its assets in accordance with business, regulatory and/or legal demands.

Conclusion

Records management is not simply a set of features within a software product. Rather it is a combination of policies and procedures that assure that the organization meets it legal, regulatory and business requirements for managing documents of record. Software automates and assists in implementing these policies and procedures and for virtually any organization is going to be a mandatory component of implementing records management.

Since records management is key to meeting legal and regulatory compliance requirements, a careful and complete process must be used to assure that all requirements are defined and then implemented in conjunction with a sufficiently powerful and feature-rich records management product. Fully defined policies and procedures, combined with the appropriate technology, will assure that your organization is prepared for its compliance challenges of today, but just as important, well prepared for the ever-changing challenges of the future.

MDY, Inc. is the leading provider of records management innovation. MDY FileSurf® integrates all physical and electronic files—including e-mails—regardless of media type, source of origin or storage location, into a single, scalable and extensible enterprise-wide system. MDY FileSurf tightly integrates various repositories of content, including many e-mail and document management systems, and provides a server based rules engine, that combined with flexible schedule creation tools and powerful discovery and disposition hold capabilities, assures that all content is managed according to government regulations and organizational policies. MDY FileSurf is certified under the U.S. DoD 5015.2 Std. for records management applications (Ch. 2/4). The MDY Best Practices Consulting Group is comprised of former records managers from Corporations, Law Firms and Government agencies as well as numerous Certified Records Managers who are available to assist clients in Best Practices consulting on records policies, procedures and retention schedule development. For more info visit MDY Inc.

Free

for qualified subscribers

Subscribe Now Current Issue Past Issues

KMWorld 2024 Is Nov. 18-21 in Washington, DC. Register now for Super Early Bird Savings!

Managing Documents of Record in Information-driven Businesses

How Knowledge Graphs Make Generative AI Consumable in Enterprise Environments

Building a KM Foundation for Enterprise AI

TRANSFORMING ENTERPRISE KNOWLEDGE: THE JOURNEY TO SAFE, SECURE, AND TRUSTWORTHY AI

More

Intelligent Content Management: Game-Changing Technologies and Strategies

Optimizing LLMs with RAG: Key Technologies and Best Practices

What's Ahead in Search: AI, NLP, Knowledge Graphs, and More

Rethinking KM for Agility, Efficiency, and Innovation

More Webinars