Records Management: Beyond the Quick Fix

There’s a movie playing at my multiplex that warns against placing blind trust in technology, because it’ll getcha in the end. I haven’t seen it yet. But as I talk to vendors about records management, I go back a few years to another cautionary sci-fi flick: “Men In Black.”

In it, the redoubtable Agent Kay (played by Tommy Lee Jones) makes one of the most astute observations in recent literature: “A person is smart,” he says, “but people are dumb.”

Each of us can grasp the concept that the many e-mails, documents and reports we create might be construed as having some kind of importance, not only today, but also further down the line. I have more Outlook folders than Doan’s has little pills. “You never know when you might need that thread regarding a three-year-old expense report,” I reason. I keep things for reasons that are all my own.

But few of us think about recordkeeping as a corporate responsibility. We assume that someone else is taking care of that. There is only the vaguest awareness that systems exist to properly retain and dispose of business documents and communications. But we are extremely familiar with how we file and recall the things we need to do each of our jobs. I would be lost without Outlook folders, but I couldn’t care less about records management. So, as Agent Kay knows, each of us can be trusted to do the right thing. But all of us can’t.

Here are two ways to overcome this basic human flaw: 1. Make it mandatory, or 2., make it easy. There’s a carrot, or there’s a stick. The stick has hit home recently in the form of strict regulatory compliance pressures from governing bodies that have the means to enforce them. Threats of substantial fines and worse punishment can certainly be effective. “Sternly worded rebukes” from federal judges are increasingly common. And it’s my guess that the average office worker doesn’t give a rat’s tail about them. “Someone else takes care of that.”

The records management systems vendors are smart enough to take the other route: make it easy.

“What’s brought e-mail to the forefront is the threat of litigation that can result from finding e-mails that people used to think were innocuous,” says Stellent’s Del Zane. “And there are two ways to deal with e-mail. One is to store it all, and try to deal with it later. I don’t want to say that’s irresponsible, but it’s not really the solution.

“What will come more into the forefront,” Zane continues, “is autodeclaration, or automatic classification.”

So, one asks, the future of e-mail management is an intelligent software that automatically captures, classifies and applies retention rules to every e-mail that arrives in your server?

“Well, when I say ‘automatic,’ that’s kind of a stretch,” admits Zane. “You need a very high degree of intelligence for it to be truly automatic. The idea that users can take care of their e-mail ... well, that sounds really nice. But you need a good records management system to make it as automated as you can get it.”

Which is nice if you can get it. But formal records management is not a universal application. A recent AIIM study found that most companies DON’T have a reliable system for records, in particular electronic records. Mike House of Exact Software agrees: “Many small- to mid-sized companies don’t have a formal program for records management, but they DO keep records. Everyone keeps their own records. What’s missing has been the process of coupling the records with the processes that bring you into compliance. Things have been ‘loosely coupled’ via procedures, checklists and inspection records. What’s coming to the forefront now is the need to bundle all that into a package that can be easily assessed by an outside governing organization,” says House.

Hummingbird’s Andrew Pery agrees that the promise of a hands-off technology solution—while attractive—is somewhat unrealistic. “There should be automated means to classify and apply predefined business and disposition rules to incoming e-mail and attachments,” Pery explains. “But there has to be flexibility. Some organizations, particularly law firms, are very reluctant to use automated classification techniques. They want to be able to drag-and-drop e-mails into predefined matter-folders, for example. “E-mail is a particular challenge,” Pery continues, “because e-mails are so widely used to share mission-critical information that there HAS to be a predefined disposition plan.” But as any current records management professional will tell you, there’s more to it than merely having a plan. “The organization must meet three criteria in all. They have to demonstrate that they have: one, well-defined policies; two, that those policies have been articulated and promulgated throughout the organization; and, thirdly, that the policies are being enforced.”

“Money IS starting to be spent on e-mail management,” agrees Cliff Sink of TOWER Software. “But it’s being spent in the wrong way. Typically, corporations see e-mail as an IT problem. The products that people are buying now are what I call ‘server scrapers.’ When an e-mail hits your server, they make a copy of it and dump it into a bucket that has a retention schedule. And after three years they delete it. Because there’s no business logic applied at the time of capture, they’re keeping things they shouldn’t keep. So they are exposing themselves to unnecessary risk by keeping all internal AND external e-mail,” says Sink. “You should give the power to the end users to comply. Users can make a decision whether each e-mail is a record. There are easy ways to accomplish this; for example, mapping users’ Outlook folders to the records management system. Everyone uses those folders anyway, just to organize their lives. So by dragging an e-mail into a folder, the records management system can then automatically categorize it by type of record, apply the retention schedules, etc.”

Denise Reier of Legato adds that sensitivity to the unique nature of e-mail is becoming common among her corporate customers. “Because e-mail is such a volatile and conversational application, and because it’s so difficult to put controls around, AND because it can introduce the most risk, that’s where a customer usually starts,” she says. “From a PR perspective, that smoking-gun e-mail that’s communicated outside your organization can wreak havoc ... as we’ve seen.”

I was wondering when someone would mention Martha. But interestingly, in all the conversations I had with the vendor community, that’s the closest to an overt reference to the domestic diva I heard. Much to my relief, too. I like Martha and all, but I’m kinda over her for now.

Market Realities

Last year, regulatory compliance was the buzz, but there was very little actual market activity. Now, it’s a different story: “The actual market adoption rate has grown even higher than the analysts predicted,” says Legato’s Reier. “Gartner predicted a year ago that in 2003 it would be a $33.7 million software opportunity. They adjusted that in the past year to $54 million.”

Dean Berg of Stellent agrees there’s been a noticeable shift. “The market has changed toward the other direction. Has it come full swing? Probably not, but after Enron and Worldcom and then Sarbanes-Oxley, all of a sudden people were concerned about regulatory compliance.

“The vendors didn’t see any uptick for quite a while, but the consultants were sure making a lot of money,” Berg points out. This year has been better, he thinks. “Customers definitely have a better handle on the problem, and they’re looking at technology as a key component.”

Berg adds: “If they were using technology at all (for compliance), they were probably using first-generation point solutions, maybe provided by their auditor, as a kind of stop-gap. Now they’re looking for a second-generation tool that’s going to help with not only Sarbanes, but with the broader compliance picture. People are strengthening their compliance practices ... that’s the next big wave. Sarbanes was the wave last year, but broader, more general compliance is next. By that I mean having a compliance plan that understands not just SOX, but multiple compliance initiatives, like HIPAA and JACO and Basel II. And further, deploying technology that can be leveraged across the enterprise.”

Taking the time to take in that broader picture has indeed had an impact on the adoption curve.

“We’ve certainly seen increased demand for compliance solutions,” says Hummingbird’s Pery. “Not just for increased compliance pressures brought on by things like Sarbanes-Oxley, but for things like productivity, overall efficiency improvements in managing corporate records, especially in light of the enormous proliferation of digital content. Organizations realize they need better control over their digital assets. If they don’t they’re subject to both litigation AND to increased costs,” explains Pery. “This leads to a view of records management that is more than a ‘records’ solution, but instead involves a larger, enterprise-wide content management platform. They’re extending their existing content management infrastructure to implement electronic records management practices corporate-wide. There already are specific, departmentally focused document and content management solutions in place. Those applications are being leveraged to become part of corporate-wide electronic records best practices.”

“A lot of traditional records management vendors DO focus on specific requirements, such as a government agency that has a DoD 5015 regulatory obligation,” agrees Legato’s Reier. “What we’ve found in the last year is that organizations want more stringent recordkeeping practices across the board. The C-level execs want to be certain they are implementing good policies and best practices across their entire companies.”

Of course, merely having an automated and documented policy is a far cry from uniformly following it across the corporation. A discovery motion will not be satisfied with merely “a documented plan.” A motion demands results.

“A policy that not only archives, but also audits, the authenticity and accuracy of the archive is also a good best practice,” says Reier. “If you’re ever investigated by the NYSE, or a court of law, being able to prove that you not only have a policy, but you’re executing to that policy, is very favorable.”

TOWER’s Cliff Sink expands on that a little: “A viable defense can be: we had a program that the executives sponsored for e-mail management. We gave it to IT to implement. They evaluated products and implemented a product and applied a retention schedule. If they got it all wrong, it’s their fault; executives are responsible for ensuring there’s a policy, and that it’s been transmitted to the people, and that there’s checking up that the policy’s being enforced. If they do that, and someone beneath them screws up, the senior people may get their hands slapped ... but who’s going to get fired?”

Where DOES The Buck Start?

Cliff Sink’s comments got me thinking about the responsibility factors at work in electronic (especially e-mail) records management. I mean, who decides on the system? The product? The file and retention policies? It strikes me that the involved parties—IT, records management, line-of-business, legal, executive management—all have a stake in the decision, and have almost entirely conflicting agendas.

Exact’s Mike House comments: “IT has become very sensitive to regulatory mandates. Management may sympathize with the IT agenda, but also insists that compliance be part of their charge. A significant portion of our customer base (in manufacturing and life sciences) is bound by some kind of regulatory compliance, be it FDA or ISO. If the company is in an industry that requires compliance, the executive team is painfully aware of it. They don’t necessarily know the nuances of each departmental requirement, though, and that’s where the consultative side comes in. Taking a comprehensive systems look across the organization and figuring out how to bring it all together is where they need the help.”

“I don’t think it’s a tug of war,” says Denise Reier, “but it IS an educational process for all constituents. IT, legal counsel and the business owners are sometimes disconnected, and it is a good idea to get them together to learn from each other.

“IT drives the project, but it’s definitely a committee,” Reier continues. “IT may take in requirements from the legal or compliance officer, but they’re the ones who implement the technology. But it’s the role of the records manager that will expand the most, as the kinds of document required for records retention move beyond just paper documents—things like advertising, memoranda, Web pages, e-mails, even voice. The records manager will thus become part of a larger consortium in charge of all recordkeeping practices,” Reier predicts.

Dean Berg from Stellent agrees: “There’s a new visibility for records managers. They’ve gone from the backroom to the boardroom. And that visibility comes from the board, who are now looking for answers: “Hey let’s ask Joe, the records manager, what he thinks about all this.” He’s right about one thing: this is a BIG change. I would have been shocked last year to learn that the board even knew Joe’s name.

It’s a matter of balancing cost versus risk,” says Reier. “The IT folks want to get rid of e-mail as fast as possible. The compliance officers have a different agenda; they recognize those e-mails may contain content that is subject to some kind of regulatory recordkeeping requirement.”

Stellent’s Del Zane thinks it’s the vendor’s job to tailor the consultative work according to the needs of the individual. “We have two kinds of demo,” he says. “One is for the records manager. It takes three hours and goes deeply into the inner workings of the system. The other is for end users; it takes three minutes for us to say ‘don’t worry about it, this is how your document gets automatically classified into your records system. ’ ”

He’s only half kidding. “Records managers don’t traditionally have control of electronic documents,” he says. “They’re taken care of by the IT department. But we were gratified to see recently (at the MERS Conference in Chicago) that the attendees came in teams consisting of the records managers, their IT people AND their legal representatives.

“One piece of advice we give,” says Zane, “is not only to take the team approach, but put somebody in charge of that team—call him or her the Chief Compliance Officer—and make sure that person involves all segments: records, IT and the business owners. The extent to which somebody can be tasked with the role will help tremendously.”

“Technology is only one component,” adds Hummingbird’s Pery. “You also have to make sure there are effective policies in place, and that there are mechanisms in place to enforce those policies. You can have the best content management in the world, but if employees are not incented, or are not provided sufficient training, then information will not be effectively managed.

“There are huge implications if you don’t,” warns Pery. “For one, if you don’t have effective retention and disposition rules, you may be subject to a default judgment, and unable to defend yourself. If a company destroys e-mail—deliberately or inadvertently—and has no policies in place, the company is subject to significant fines.”

Pery goes on: “Even if you DO have a published policy, but it can be shown that you don’t follow it, you may be required to produce records that SHOULD have been destroyed, but weren’t. There can be staggering costs associated with this, and it’s no excuse to plead that the costs would be exorbitant.”

So we’re back to Agent Kay—your people can be informed and trained, but can they be relied upon? “Nobody will do anything until they’re forced to,” points out Exact Software’s Mike House, quite accurately. “But deadlines are now—or about to—drive the decision to deploy records management systems. The thing you have to realize: The technology upon which to build a regulatory compliance framework is not meant for a select few...it’s meant for everybody. Whether you have an active participatory role in the mechanics of the compliance technology on a day-to-day basis is irrelevant. As a member of the organization, you MUST be aware if it. You never know when someone—anyone—will pick up a document that qualifies as ‘controlled data.’

“E-mail is a wide open pit of quicksand when it comes to compliance. It’s an open-loop system, and you really don’t have any control. The best you can do is bring e-mail from the open loop into a controlled system, such as a document management system, where you have visibility and can apply business rules—who’s touched it? who’s modified it?”

There’s no easy answer. But after reading the essays in this White Paper, you’ll definitely begin to formulate your own strategy for getting your “people” to think like “a person.”

---

Andy Moore is a 25-year publishing professional, editor and writer who concentrates on business process improvement through document and content management. As a publication editor, Moore most recently was editor-in-chief and co-publisher of KMWorld Magazine. He is now publisher of KMWorld Magazine and its related online publications. As Editorial Director for the Specialty Publishing Group, Moore acts as chair for the “KMWorld Best Practices White Papers” and the “EContent Leadership” series, overseeing editorial content, conducting market research and writing the opening essays for each of the white papers in the series.

Moore has been fortunate enough to cover emerging areas of applied technology for much of his career, ranging from telecom and networking through to information management. In this role, he has been pleased to witness first-hand the decade’s most significant business and organizational revolution: the drive to leverage organizational knowledge assets (documents, records, information and object repositories) to improve performance and improve lives.

Moore is based in Camden, Maine, and can be reached at andy_moore@verizon.net.