RM For The Masses
Records Management: Coming Soon to an SMB Near You
For the world's largest, highly regulated industries—pharma, financial services, food distribution—managing business records to comply with regulatory requirements is just a day at the office. It’s another Thursday; no big deal, been doing it for years. But corporate scandal, and (let’s face it) predatory litigators have pushed the demand downward and outward.
Now smaller companies and those in traditionally less regulated industries are being faced with emerging regulations—here and abroad—as well as the ugly threat of litigation and scandal. Finding ways to justify the investment in records management systems and policies (and professionals—more on that later) is becoming the subject of a lot of water-cooler chatter as well as serious strategic planning. And there’s more to it than initially meets the eye, as records management professionals are quick to tell you.
I convened an impressive and articulate cast of just such experts recently to discuss the changing face of records management (RM) in business, and how RM might be changing the face of business itself. I wanted to know a number of things, but we started by addressing whether the "hype" surrounding regulatory compliance was overblown... or whether, as the comic book said, "When everyone’s really out to get you, paranoia is just good thinking."
Andy Moore, editorial director, KMWorld Specialty Publishing Group: The dangers of regulatory NON-compliance have been amply—maybe overly—described in the press. Guilty as charged. But is it really all that bad? Should organizations be in panic-mode over compliance?Krista Curtiss, marketing director North America, TOWER Software: The risk is certainly there, but you can stay up all night worrying about that and it still happens. People still have businesses to run, and customers to keep happy. A lot of companies are turning a blind eye to risk management; they’re more interested in how to do the company’s work better.
Marko Saarinen, senior director, product and solution marketing, Fast Search & Transfer (FAST): Many companies are spending more money than they need on IT-related compliance work, because they haven’t truly defined the scope of what is necessary and sufficient for being compliant and for disclosure. Some organizations believe the way to ensure compliance is to increase their investment in IT aimed at complying with specific regulations. But that’s wrong. Organizations need to explore how they can meet compliance requirements across the enterprise, not just in terms of point solutions for very specific regulations. The challenge for CIOs is to find a balance between IT work that is truly essential for compliance, and for other IT work that is necessary for the business.
Krista Curtiss: You’ve got to build a business case. It isn’t just ‘What if we get sued?’ because it’s not an ‘if’ it’s a ‘when.’ The question to ask is: ‘What is the cost of doing nothing?’
Whether it’s a lawyer or your boss who’s asking for information, there’s a cost attached to that. So being able to capture information in a different type of accounting system can really help build a business case. There are ways to associate the costs of information capture to the job at hand... not to the cost of ‘archiving’ or ‘records management.’ If you think of it that way, you can calculate costs to very easily determine a return-on-investment justification. This is never going to be in somebody’s budget; this has to be part of overall strategic planning, and there has to be executive support behind it.
Cheryl McKinnon, director, collaborative content management, Open Text: The most valuable thing that has come out of this age of compliance—going back to 2001, when things started to hit the fan—is that the new set of regulations, specifically financial regulations, has significantly raised the profile of records and information management as a critical business practice.
But where the perception has been skewed is that organizations equate compliance and records management. While RM is an absolutely fundamental piece of compliance, and in turn, compliance is absolutely a fundamental driver for records management, it has taken some of the attention away from the other benefits that a solid records management practice and program can bring to an organization. We tend to focus on risk mitigation, and how to avoid fines or having your executives thrown into jail...we focus a lot on the negative. But we should look at the positive contributions that records management brings, such as productivity enhancements or the ability to manage corporate memory... these are the things we haven’t talked about consistently.
Galina Datskosky, senior vice president, development, business service optimization, CA: The new Federal Rules of Civil Procedure (FRCP) have piqued interest in governance and compliance. There’s nothing like a court decision to drive compliance! (laughing). Customers are definitely coming to us because they are worried about these rules. No question about it. They want to know how to respond, and whether they need to respond.
Dodging the Bullet?
Andy Moore: Are there companies trying to skirt the regulations, hoping they don’t get caught, or ignoring preparations for litigation, hoping they don’t get sued?Dave Campbell, senior product marketing manager, Symantec: If it happens at all, it’s in the non-regulated industries, and the FRCP rules are bringing that to light. In most of the cases that are making headlines, it’s not for bad deeds; it’s for bad processes.
In certain regulated industries, like financial services, energy or healthcare, they have compliance officers that deal with these issues every day, and they’re paid to think about that. But there are a lot more constituents involved. Besides records managers, you have IT, which is often the facilitator of the implementation. What it comes down to is whether they (IT) understand what’s at stake. When we talk to an IT person in a non-regulated industry, I would say they’re aware of compliance because of the Wall Street Journal, but I wouldn’t say it’s something that’s driving them.
Dr. Johannes Scholtes, president and CEO, ZyLAB North America: The companies who are not prepared probably won’t go bust tomorrow, or even next year, but if they DO get in trouble and they don’t have their records under control, it can make the difference between a company surviving in crisis or not surviving.
Forget compliance... if you want to have a good company, you need to have your records in order. It’s just part of doing business. You can run a company by pretending everything’s fine. Then one day, you come to work and your desk is filled with skeletons.... and the skeletons keep on coming and coming. It can take a very long time to solve that problem.
Records management is about far more than compliance. ISO 9000 and 9001, for example, is not about quality, it’s about having happy customers. Your customers know that if you’re ISO-certified, and if they register a problem with you, that someone will take responsibility and take care of it. That makes them happy and comfortable to do business with you. In order to do so, you need to have access to records.
Another example: If a customer provides confidential information to you, they should be comfortable that it will be well taken care of, and destroyed at the proper time in the proper way. So there are all kinds of customer-pleasing aspects to a records management plan.
Krista Curtiss: There are four characteristics to a record (this is going way back to the ISO standard): authenticity; reliability; integrity; and usability. The ‘usability’ part refers to the value that the record has to the organization.
When you calculate a return on investment, you can’t do it based on scare tactics; there needs to be a business driver. For example, during the Y2K panic, a lot of people simply threw band-aids onto their systems. They didn’t take it as an opportunity to make their organizations more efficient. I think this ‘compliance scare’ is another opportunity to motivate people to go beyond simple repair, and to really leverage the opportunity to make their organizations function better. Compliance adds to the return-on-investment calculation, but it shouldn’t be the main driver. And they certainly shouldn’t be panicking about it.