The Compliance Imperative
Galina Datskovsky: Business owners just want to get on with doing business, making money for the company. For them, compliance has to be really simple. Not only that, but they also don't want to be forced into the repository you chose for them, or into the methodology you chose.
Bill Forquer: The question becomes: Where do you need to spend your next level of energy? Everybody is at a different state of maturity in terms of their information management discipline. If you've been in the nuclear industry or in pharma, you already have established practices and disciplines. Now, all of the executives of companies that are complying with Sarbanes-Oxley have started SOX oversight committees. These committees generally constitute the entire executive team and some key staff positions. They have quarterly and annual reviews and, over time, information management and records management will get visibility to those.
Moore: So a "team" approach is typical...?
Datskovsky: IT is very often leading the charge. They are always at the table. But the "old-school" records managers have been re-thinking their roles. They are quite aware that they better get with the program.
A large investment banking house I work with wanted to hire a compliance officer. And they hired what you would have thought about as an old-school records manager—with a masters of library science degree, yet somebody who's very savvy with electronic records. Now, that particular person realized where the value proposition was—leveraging both worlds. So, the records managers are coming to the table.
Dave Campbell: IT, the guys that are in charge of the messaging infrastructure, the guys that are charged with storage and backups, the records managers, folks from the legal department and even the chief financial officer and the compliance officers need to come together, because they each hold a piece.
McKinnon: In meetings I've had with various SOX committees, records retention is not necessarily the first agenda item they bring to the table. The first thing they typically want to do is to have a solid understanding of the core business activities...activities that affect things like the gathering and publication of financial information, or how they treat customer data, or how they handle inputs into the manufacturing or R&D process. Step number one is to have a clear understanding of these processes, and assure that they're fully documented from start to finish.
Joe Romanowski: Records management and information lifecycle management have many moving parts that are confusing and highly difficult to execute. Many CIOs have taken steps to enact an RM or ILM strategy and found that they have been undermined by changing requirements or overcome by trying to deploy what some consider a "boil the ocean" strategy that requires buy-in by too many constituents to achieve in a timely manner.
Forquer: Sometimes it's a grassroots effort, where people get together because they know they should. Other times it's actioned at higher levels in the organization.
A very important constituent is "legal." I see it more as a triumvirate of traditional records management, IT and legal. Legal provides the overall assessment of risk that is associated with all forms of regulation, all forms of content, and where are the process improvements that should be focused on.
Meitchik: The changes in records management are revolutionary. Keeping up is more than just one person can handle. That's why there's involvement from all these different individuals. It's not that the ARMA folks or the librarians of the world don't have the capabilities. It's just that the scope of things has changed so dramatically that it really requires a team effort.
Moore: What about the old-school records managers...the ARMA-show delegates and the library-sciences folks? Seems to me these would be your go-to groups when faced with challenges in this arena...
Datskovsky: There are some who are afraid of electronic records, and frankly are not making any effort to learn or bring themselves to the table. There's not going to be any room for them. There'll be a new breed. Last year's ARMA had about a 30% attendance by legal professionals and compliance officers. Many more people are concerned with electronic records and focusing more on general compliance and legal issues.
McKinnon: It's sector-specific. Within the kinds of organizations that have been around for decades and have been subject to regulations, the awareness of information retention is not new. But organizations that have evolved in the new economy, in the last 20 or 25 years, typically don't have that heritage of good solid record-keeping best practices, because they never really had that as a goal. They grew up in the electronic age. They don't have boxes and pallets of papers and historical records. So there is a demographic or generational shift. On the other hand, records managers coming into the industry now and in the last 10 years have a very clear understanding that they will be expected to interact with their IT peers on a regular basis. The majority of their corporate content is born electronically, and it dies electronically.
Anderson: There are some folks within the traditional space who will see the light, and step up to the plate. And there's certainly enough in the literature and in conferences that they should have an opportunity. But until organizationally, and as individual workers, we become more comfortable with electronic content and integrating electronic records management and traditional physical records management, there will continue to be a schism between the two worlds. There will be more folks who come out of IT disciplines or process management.
Library information science and traditional records management bring a lot to the table on the process side, but if they aren't properly communicated and shared and modified where needed, then you have a total disconnect between the folks who are helping deploy the systems, and the tools and the processes that need to feed into them.
Ptacek: Some organizations tried to copy the old world of physical records management, and implement the same processes electronically. They failed, because there are specific new requirements. People do records management for various reasons. If it's compliance-related, having the knowledge of regulations and understanding the processes that come from traditional, ARMA-certified people is very valid. Whether it's the FDA, FTC, FAA or FCC...they all require more or less the same processes. However, a lot of customers are using records management specifically as a defense mechanism against lawsuits and audits. In that case, it's less important to adhere strictly to certain standards.
Forquer: There is an awful lot that the records managers and library science and information science disciplines have to offer. But it's the change agents within an organization that are going to drive new processes that are fundamental to taking the old-school RM processes and bringing them forward into this new generation that would involve IT, legal and the records center.
Romanowski: The truth is, an RM or ILM strategy doesn't have to be that complicated. By phasing in key building blocks that are flexible enough to evolve as requirements change, success can be much more attainable than it might seem. Or said slightly differently, by building a RM or ILM from the foundation up (vs. starting from the top) with components that can solve real problems today and can be easily modified to meet future requirements, an organization can more efficiently achieve the retention management objectives they have identified.
Stacking Chairs to the Moon
Moore: Is technology necessary? You can go to the moon if you stack enough chairs high enough...
Rosi: You have to have technology to do it, because of scale and volume. All information is a business record. It's not just "conversation"—emails are kept as records. Therefore the volume is growing exponentially. And you need tools to help you manage in that electronic environment. If you were to keep everything in a paper world, you may be able to achieve it, but you really are hampering your organization's competitiveness and the speed in which they can work.
The ideal environment is to have compliance as part of the business process, and have it linked in so that the end user doesn't have to do anything extra. If you expect people to do filing, they'll do it at the end of the week, or the end of the month, when they get time. And we all know that doesn't often happen.
Campbell: As you know, our historical customer base is full of security officers, information management professionals, back-up professionals and messaging and filing storage professionals. But we're starting to talk to the folks who are holding the risk and setting retention policies, so more and more we are talking to legal departments and IT liaisons who work specifically within the legal organization.
Romanowski: Companies are trying to leverage their existing investments by deploying software that manages data in the system of record. There is no need to install a large ECM system while an archive and retention system can manage the data in place. In addition, companies are looking to leverage tools for multiple areas versus deploying point solutions. This is why we are feeling increasing demand for legal discovery tools on top of their content archiving and compliance solution.