The Compliance Imperative
To be "compliant" can mean a dozen things. Regulated industries and government are accustomed to being regulation-driven; that's a Thursday for them. General private-industry companies...not so much. In fact, many of the companies that have launched in the past 15 years or so have absolutely no "corporate memory"—or any other kind—of filing cabinets, copy centers or storage rooms.
They'll soon wish they had. In December 2006, new federal rules regarding civil procedure will close the final loop regarding records management—the feds now have an interest in controlling how companies respond to civil lawsuits and legal discovery motions, and punishing the ones who do it wrong. Can the end-days be far behind?
On a positive note, companies are starting to view compliance in the context of a new, ethically driven governance attitude. Granted, the visibility of corporate scandal and its resulting disastrous effect on investment support and customer loyalty probably is the self-interest behind it, but still...it's nice to see top-down directives that expect excellence rather than reward malfeasance.
So in this atmosphere, I sat down on the phone with several—10 altogether—executives from within the records, retentions, storage and compliance markets (see "Cast of Characters," below) for a few chats about best practices in records, compliance and the new corporate attitudes toward information management in general.
Andy Moore: What are the basic motivations behind the demand for records and compliance management among your customers? Is it fear? Uncertainty? Doubt? And don't say "all the above," please. It's not that funny anymore.
Lubor Ptacek: There are certain industries where record retention is very well ingrained into the processes of the company. Take life sciences, pharma or insurance companies, where every piece of paper has always been retained in some fashion. Electronic records retention is not such a radical change for them. It requires some IT investment and some thinking about how to do it, but it's not an earthshaking process change.
Whereas in other companies, it is such. For example, there are companies in services that don't have any specific requirements. There is no regulatory body requiring them to retain records. So, they are now establishing this practice as a result of Sarbanes-Oxley, or they are establishing it simply to protect themselves against lawsuits.
Corey Meitchik: As content grows exponentially, the decision-making as to what should be done with content or records is becoming much more complex. You quickly get beyond standard compliance issues that are regulated by government; you get into business compliance—what the business feels it needs in order to mitigate risk moving forward. And that's an ever-changing target.
That's one of the biggest challenges moving forward; as businesses evolve, what are the internal regulations going to be? What are the internal demands, and as those change, how do you adapt to those changes? If there's a corporate policy that all business units have to do it the same way, or if it's a compliance or regulatory issue, that's just how it is—you have to suck it up and do it. If it's a financial decision, or if it's a technology decision, you have some options open to you.
I wouldn't say it's simple, but it's fairly easy to follow mandated federal, state and local regulations. It's much more difficult when all of a sudden a new CEO comes to your company and says, "We have a new direction we're taking this organization." That has an impact on records management, on content management and on risk mitigation.
Simon Wiltshire: Risk has acted as a catalyst for renewed interest in compliance overall. And Sarbanes-Oxley has caused a lot of people to rethink their siloed approach to dealing with individual compliance issues, to think about it more holistically, and to get it less engaged with IT and bring it much closer to the senior levels of the company.
Cheryl McKinnon: At last things are starting to change. The role of the "records manager in the basement" or corporate librarian has morphed over the last few years. I credit organizations like ARMA and AIIM for propelling that profession into the 21st century. One of the benefits of this whole specter of compliance is that it has raised records management to a necessary part of doing good business. It has taken a good five, six years for that message to trickle up into some of those senior management suites, and to trickle over to the IT group as well. But it's certainly not a completed journey, by any means.
Moore: Besides the obvious prison-aversion, does the typical CEO care about records management?
Wiltshire: Are you asking: Is the CEO aware of records management? Other than intellectually, no. It's a very detailed, very intensive discipline in and of itself. The CEO is doing two things: Accelerating growth and reducing risk. In the late '90s, the pendulum swung too far toward "growth at all costs," and we saw the consequences of that. We're now dealing with a pendulum arguably swinging back too far the other way. We're in a very risk-averse economy right now and a very risk-averse global environment. Tie that to outsourcing and off-shoring, mergers and acquisitions and risks incurred by acquiring a company that you can't possibly know everything about, and any given CEO has less and less ability to control really what's going on in his environment.
What the CEO doesn't know is all the things he doesn't know. Risk comes from rogue employees, or people not following policies and procedures. A guy in the Thailand office hands a bribe over to a foreign government official, and all of a sudden I'm on the hook for that...
BUT, a CEO can mitigate his or her own personal risk and risk for the company with the right due diligence of process. If you can show demonstrably and defensively that you have the policies, procedures and training, you can insulate yourself from the impact of the action of a rogue employee pretty effectively. The judges and regulators all look reasonably kindly on that.
Meitchik: As for C-level executives, the involvement is not 100% there. It depends on the company, but they're really relying on staff below them to handle things. Probably less than 20% really get heavily involved in records management, in risk management, as it relates to content.
Janice Anderson: Executives' expectations are that it is a much more straightforward, easier, less complex task than it really is. Their expectations in terms of dollars spent and elapsed time are usually way too low.
Who's in Charge?
Moore: Who is shaking out to be the decision-maker in RM implementations and compliance? Because I hear all kinds of people taking credit...
Anderson: From a risk management and overall requirements perspective, you have to have hard-core business representation. Legal has to be there. IT has to be there, and certainly more traditional records management, or someone who's knowledgeable about the RM processes. But, if business is not there, ultimately solutions will fail because they won't align properly with what the organization really needs.
Jan Rosi: If you're talking to lawyers, all they're worried about is keeping in compliance. But if you're talking to the business owners, they're concerned about finding information. They want to be able to find it, reuse it and make sure it's the authoritative version of the document. Business owners want to be efficient and effective. Business owners aren't particularly worried about retention schedules until the lawyers turn up.
The challenge for records management is presenting the value to the different areas and not being perceived as "just doing it for the organization." Because the business owners might say that's nice, but I need to get on and do my job. Organizations can leverage the need for compliance to drive efficiency and effectiveness, and that's really when you deliver value to the business. It's like year-2000 issues; in some cases people just replaced systems in a very ad hoc fashion. Others said, "We've got to spend the money. So let's do it right and implement a new IT infrastructure that is 2000-compliant, and, at the same time, create one that will actually improve our efficiency and effectiveness."