A Year for the Records

This was the year the writ hit the fan. Every sector you can name—financial services, healthcare, securities, government—is faced with some new and ominous set of regulations aimed at records and information management. Are customer organizations adequately prepared for this increased pressure of governance? What steps are being taken, by users and vendors alike, to meet this heightened demand? We convened a panel of records management vendors (see box for names and bios) to address these, and many other, pressing concerns surrounding records management and regulatory compliance.

Andy Moore: Knowing what you know about current regulatory pressure and your customers' individual situations, do you think organizations are adequately prepared?

Michael DeBellis: There's a lot of confusion and uncertainty as to just what exactly do these new regulations mean. I don't think people completely comprehend some of the risks they might be exposed to. People have been faced with ‘the crisis of the month' for a long time—like Y2K—and they're a little bit skeptical, and rightly so.

Craig Rhinehart: There are organizations with CRMs on staff and who are in regulated industries, such as energy and airlines, where there's a high level of scrutiny on back-office systems. I think they're very prepared. But there are certainly other people who are just now coming into the world of advanced recordkeeping who are scrambling and are not at all prepared. And on top of that, they are now being hit with Sarbanes-Oxley.

Cheryl McKinnon: That's right; government agencies and regulated industries are by and large in reasonably good shape. The panic situation is with the small to medium publicly traded companies—organizations that have grown up in the last 10 years in industries where there hasn't been a culture of recordkeeping discipline. The typical high-tech company evolved in an era where nobody had a secretary, everybody does their own e-mail, everyone creates their own quotes and proposals. That group is the most exposed, because they never had the CIO role or a traditional central records repository run by someone who has RM discipline. It's not a matter of size, by the way. We've seen telecom companies get into trouble. It's a cultural issue.

DeBellis: Healthcare organizations, for example, are having great difficulty. It's always been difficult to get healthcare organizations to invest in IT and they're definitely having a hard time now.

Cliff Sink: In the government world, the demand for RM is being driven by the customers. They have very real requirements that they are legislated to meet, and they've selected some standards and they are pushing forward. On the commercial side, a lot of it is vendor-driven. Certain sectors are bigger targets, such as financial services and healthcare. Not only are they large targets, but they have legislation hanging over their heads. The fact is that you really don't need technology to be compliant. The ads all say, ‘If you don't buy our product, you won't be HIPAA or Sarbanes compliant.' But you really can be.

Grego Kosinski: There ARE segments more prepared than others, but even in those segments, some of the challenges are throwing even the records managers for a little bit of a surprise. There are now more and different sets of records that need to be maintained—e-mail is just one example. In some ways, records managers are making it harder on themselves by not being aware of the capabilities of the products that could be at their disposal.

Sink: For the last 18 months, records managers have been struggling with things like e-mail, and how it fits into corporate records. They do it all the time with paper, but electronic records represent a problem they'd like to avoid. The reason is: they haven't been trained in IT. The great hope of Sarbanes-Oxley was that the IT guys, who have the clout to make things happen, would be forced to step in. In the pecking order of most companies, the IT group has a much better chance of succeeding than the records manager group. They've had the business training to justify what they're doing, why they're doing it and how to sell it internally that the record managers haven't historically gotten. And for now, the IT side hasn't seen enough of a risk to get involved. So, it's an impasse.

Moore: Are records managers as concerned about all the compliance hubbub as the press coverage would make it seem?

Neil Parrott: Compliance requirements affect senior levels much more than the records managers and the IT professionals ... these new regulations absolutely are causing CEOs and CFOs to stay awake at night. The time has finally come for the records manager to move from the basement to the boardroom.

McKinnon: Even well-prepared companies see this ‘scandal era' as a wake-up call. Some records managers are almost gleeful, because it's raising their discipline to front-page status. They may have once been hesitant to move because of fear of technology or crossing paths with IT director, but these regulations are propelling them into a whole new level.

Rhinehart: There probably are companies who will choose to pay the fines rather than be in compliance, but that just points out that the decision process that customer organizations go through is a ‘risk vs. reward' proposition. There are certainly organizations that have more exposure than others. There have been fines levied by the SEC for the inability to produce records; whether those companies made that risk/reward decision and chose to pay the fine rather than be in compliance, I don't know. Sink: At this time, there are a lot of consultants and lawyers making money on this! The IT community is waiting for the consequences to become worse: They're thinking: ‘Until somebody goes to jail, we're not going to spend the money.' And so far no one has.

Moore: Besides the CEO in handcuffs thing, what other risks are organizations taking by not preparing for compliance?

Brian Rose: Creating records management policies and business practices is a pre-planned situation—you can pretty much predict the costs of developing and maintaining the records management system. But the situation most organizations aren't prepared for is the reactionary state their whole organization is thrown into when an ‘event' (discovery motion, for example) happens.

At that point, the organization must quickly figure out how to respond. That's a much different situation and there are huge costs associated with response, whether it's been planned for or not. Certain components of compliance can be planned for upfront, such as the procedures for collecting data and maintaining the chain of custody. But there are other components that cannot.

McKinnon: Our hope is that customers would take a top-down perspective and create a cultural change that trickles down so that users at whatever level become aware of their responsibilities and are constantly aware of how they handle and treat corporate information.

There is also the matter of privacy. Here in Canada, we have some very stringent privacy laws that are going to take effect January 1. Information must not only be shared and made available, but also protected and controlled. That's a flip side of RM that we need to watch for.

Moore: If anything can be called a ‘record,' why isn't the temptation to simply retain practically everything indefinitely?

Rhinehart: In fact, the opposite is true. Organizations must be even more diligent about retention policies, and keep them in accordance with the prevailing law or regulation ...

Kosinski: ...and in accordance with your own internal business practices. Think back a few years to the Justice Department case against Microsoft when they found a ‘smoking gun' e-mail. If they had a business practice that properly disposed of that email—in accordance with regulations, of course—that smoking gun might not have been found.

Moore: Are current document management systems adequate to function as records management tools?

Sink: A lot of the existing records management vendors see RM from an ‘old school' perspective—not one of records management starting whenever you create a transaction that has anything to do with business. A lot of RM products only begin to work once someone ‘declares' something a record. You take a document and throw it over a magic wall, and from then on it's a record. So this view is that an e-mail that references a business transaction should have been logged and identified as a record from the moment is was generated.

Think about pure document management products. They were designed with the front-end creation process in mind, the collaboration it takes to create and then publish a document. Once it's published, they really don't do anything except retain a copy. Retention schedules, varying levels of security, etc., came later in most cases. We take the approach that it's a document management problem, and you should begin managing it from the moment of creation. It's a matter of product philosophy. Recently we've seen a lot of records management functionality being added to DM products, which suggests to me that those products weren't formerly equipped to handle records.

Kosinski: A lot of customers have legacy, homegrown records management procedures for physical documents, such as boxes of paper or microfilm. But they're discovering they need a consistent method for managing all their recordable assets—electronic, e-mail, instant messaging, even rich media and voice. We're trying to provide a platform that can accommodate all those content types, and then a records discipline that can regard all of those—when appropriate—as records. This would unify the records management approach for those customers who have varying formats, and allow them to be maintained in their native state, which is required by certain regulations. That broad platform approach is what customers are demanding.

McKinnon: It's more than just the ability to automate the retention and disposition schedules. It's also the ability to put the backup business rules behind the activities; for example, being able to justify that you can delete this document after seven years because of Section 802 of Sabanes-Oxley—being able to apply those authorities and citations or internal guidelines to the decisions you're making with regard to information management. Traditional document management wouldn't really have that extra layer of business logic. I've seen people build this from core DM systems, but if you can get it out of the box for minimal additional cost and training, there's a great advantage in moving toward a records management module.

Rhinehart: There are plenty of good physical-records software products that have grown up over the years, and have moved into electronic records, and have created a sort of cottage industry. But process management is critical to any records management solution. Particularly with Sarbanes-Oxley, where—through an auditing process—you have to prove adherence to compliance, ultimately it's the ability of the organization to enforce the process and enforce adherence to policies that will get them through any future compliance entanglement. It's not just the enterprise content management piece, it's the enterprise content piece PLUS process management that's important.

Parrott: Many companies now use document management tools that have been available for years for records management. Workflow capabilities, class-of-document designation, processes for how and when documents need to be destroyed. But those have been built up on a departmental level. What's happening now is a ‘coming of age' for records management. Disposition decisions need to be made at a corporate level rather than a departmental level.

Rose: The other issue that arises from disparate data types is this: you've got to figure out how to collect it all, and that's not a trivial task. It's a huge task that often falls upon people in the organization for whom it is a very foreign thing.

The other factor is that the request for data format is often made by outside counsel. Regardless of how it's stored inside your enterprise, Fios has seen requesting law firms request paper! You may be compelled to provide it in a format of the opposing counsel's choice. So you're obliged to maintain data in its native format, but in litigation the outside counsel may drive the way in which they want the data delivered.

Kosinski: And sometimes it's the internal practice of the organization. We've had customers who archive records electronically, but also print much if it out and save the paper also. My reaction is, ‘Well, OK, we can do that, if that's what you really want...'

Rose: There are many law firms—not all, but still many—that adhere to the old ways of doing things.

Parrott: These cases represent opportunities for us as vendors and analysts to educate the market on how things could be done better. Instead of printing out e-mails, they should store them on unalterable media with a full audit trail to document everything that happened to that record along the way. By doing so, these departmental solutions that have their own disparate processes and methods for storing records, such as microfilm or paper or whatever, could scale up to the enterprise level. The only way you can do that is to provide consistency, common formats and standard processes to manage it all.

Moore: What effect is all this consolidation having on the marketplace at large?

DeBellis: The need to catalog and track all these different types of content fits right into what's happening in the marketplace. Smaller, niche vendors are being swallowed up by larger vendors who emphasize enterprise content management over point solutions such as document management or web content management. An enterprise point of view provides a unified repository for all the different types of content you need—that includes enterprise records management.

And it's not just the various content and records management systems that are being integrated, but the larger vendors will be able to also provide the integrated portal at the front end. We're still seeing mostly two-vendor situations—one with the portal and one for content management. But even in those cases, there have been pre-programmed plugs to allow for the, say, BEA and Documentum systems to work together with the integration figured out in advance. So more and more consolidation is happening.

Rhinehart: Every day you hear about another acquisition of a records management company. Everyone is trying to capitalize on the opportunity. How long this period will last depends on whether there are any more corporate meltdowns. The ebbs and flows of Wall Street will have much to do with how the ‘fear, uncertainty and doubt' factor plays out. But the smart company is looking at how they can manage the ongoing cost of compliance.

McKinnon: We've always had customers that used their DM system for records management. It's harder, and there's more work involved for the CIO or the records manager. Typically the strength of records management has been in the enhanced handling of paper and physical storage, and the ability to set much more stringent and automated retention and disposition rules. So there certainly is a lot of advantage to having records management functionality. But there's definitely a blurring in the marketplace of document and records management practices and technologies; they're coming much more closely together. The market is asking for a much more holistic approach.

Moore: Is there a value proposition to be made for RM? Or is it simply a necessary evil?

Sink: Records management is not merely a cost of doing business. If deployed correctly, there is an upside in terms of work efficiencies and other costs of doing business. It's not as startling on the top line as it is on the bottom line, but it can reduce your overall costs of getting there.

The Roundtable Our Panel of Record

To develop a high-level view of the trends and nuances of the records management world, we convened a panel of experts from various vendor and consulting groups for wide-ranging conversations covering the records and document management markets, and the impact of new regulatory pressures.

Grego Kosinski is responsible for message development and marketing of Documentum enterprise software products, with a particular emphasis on records management, application integration and compliance solutions. Grego works closely with customers and Documentum product operations staff to ensure that Documentum products meet the demanding business requirements of customers, and with distribution channels and partners to deliver Documentum solutions to market. Grego has more than 12 years experience in the technology sector, formerly with Lucent Technologies, the Amdahl Corporation and as senior industry analyst with the market research firm, Dataquest.

Craig Rhinehart has extensive experience in records management, content management and media asset systems and solutions. Craig joined FileNet in 2003 as a consultant to help develop the vision and a new suite of products to address today's compliance challenges. Prior to joining FileNet, Craig had a strategic role in four successful corporate acquisitions, including IBM's recent acquisition of Tarian Software, where he was vice president of Worldwide Sales and Marketing. He has helped CNN, Exxon Mobil, Disney, ABC News, the US Army and others to realize the benefits of records management.

Neil Parrott is responsible for managing FileNet's Image Manager product suite as well as providing product marketing direction for the UK, France, Benelux and Nordics. Neil joined FileNet in 1998, responsible for regional product marketing and strategy planning in the UK. Neil has significant content management and business process management expertise, gained from his experience at major international information technology vendors including Kodak, Origin and Olivetti.

Brian Rose has 20 years of engineering, sales, marketing and strategic business development experience within technology and services markets. Prior to Fios, as a member of the executive team of many emerging growth companies, Brian was instrumental in driving profitable business expansion within existing markets, while identifying and developing new market opportunities. At Fios, Brian's focus is on the development of strategic partnerships that extend market reach and visibility, while providing Fios clients with solutions that empower them to more efficiently and cost effectively achieve their business objectives.

Michael DeBellis leads Fujitsu Consulting's Information Management practice for the west region. He has 20 years of experience in the consulting industry and has worked for clients in healthcare, financial services, media/entertainment and government. Michael has specialized in Information Management and has led distributed teams to deliver systems using Documentum as well as BEA, ATG, Verity and Interwoven. Mr. DeBellis has been published in leading journals, magazines, and conferences such as IEEE Expert and OOPSLA, and speaks on Web Services, Enterprise Content Management, User-Centered Design, and Software Development Life-Cycle.

Cheryl McKinnon is responsible for ensuring Hummingbird products comply with current and emerging government standards, guidelines and legislation covering electronic evidence, records management and privacy/security issues. She also works closely with Hummingbird's worldwide partner channel and sales staff to assist in developing government markets, solutions and product awareness. Cheryl has worked in information management technologies for more than eight years and has several years of field consulting and technical training experience with a variety of public and private sector clients. She is actively involved with AIIM and ARMA International.