Business Matters: Minimizing Risks Through a Corporate Information Compliance Initiative
The Enron scandal that involved shredding of documents in anticipation of a government investigation and the subsequent passage of the Sarbanes-Oxley Act of 2002 (SOX) – which makes corporate executives accountable for certifying the accuracy of their organization’s records – have dramatically heightened organizational awareness of the need to manage information properly.
Ellie Myler, CRM
In this new era of corporate accountability, many organizations are establishing corporate governance programs for managing records and information as part of their risk management and compliance strategies. In fact, although final numbers had not been reported when this magazine went to press, an AMR Research report issued early in 2007 projected that total governance, risk management, and compliance spending for the year would exceed $29.9 billion, with about 20 percent of that allocated to SOX compliance.
While SOX holds executives accountable, organizations have begun to recognize in this technology-enabled world that every employee has responsibilities surrounding records and information. With the exploding volume of electronic records they are generating, employees must adhere to the controls provided by an information management policy to ensure the integrity, accuracy, and reliability of their organizations’ information assets, intellectual property, and capital. Developing such a program begins with creating a formal policy statement.
Creating a Policy Statement for Corporate Governance
As a first step, it is essential to get senior management support for the initiative. If senior management is invested in the effort, it will direct management to dedicate time, resources, and budgetary funding to it.
The next step is to write a policy statement. According to ISO/TR 15489-2:2001 Information and Documentation – Records Management – Part 2: Guidelines, “A records management policy statement is a statement of intentions. It sets out what the organization intends to do and, sometimes, includes an outline of the program and procedures that will achieve those intentions.”
The policy statement defines the charter for the program and should include:
- Purpose, scope, and applicability
- Roles and responsibilities
- Ownership, legal status, access rights, and privacy
- Goals, objectives, and principles
- References to other and related program documentation
It is imperative that senior management clearly communicates the policy statement to all levels of the organization so all can see that the initiative is being taken seriously. The message can be further supported with recent news items about the consequences suffered by organizations because of their faulty recordkeeping. To find internal examples to support the need for the program, consult the legal department about discovery actions and the audit department to find out how the program initiatives can be integrated with the organization’s compliance initiatives.
Defining Important Terms in the Policy
In today’s electronic world, the concept of managing “records” (evidence of business transactions) is expanding to include managing “content,” which can be anything from free-floating virtual text in cyberspace to official language contained in corporate acquisition due-diligence work papers.
How an organization defines “content” is key to managing it, so those definitions must be clearly articulated in the organization’s corporate governance policy. For example, some organizations may consider works-in-progress (drafts) to be just “documents” and only final transactions to be “records” (evidence of business transactions). In other organizations, documents, records, information, and data may all be considered evidence of business transactions. How these terms are defined will affect how an organization’s content is captured as final documentation for business transactions.
The definitions for many of the terms that will be included in the policy can be found in the Glossary of Records and Information Management Terms, 3rd edition. Terms in this publication also can be looked up individually at www.arma.standards/glossary/index.cfm.
Outlining Retention Requirements
High-level records retention program requirements must also be outlined. Clear definitions around what records retention is and how it is implemented are essential so all employees understand their recordkeeping responsibilities. The policy must define:
- Content, records, documents, data, and information
- Classification principles
- Business classification scheme and auxiliary master file plan
- Records series
- Document type
- Records retention
- Records retention periods
- Records retention schedule
- Legal records hold process
Identifying Common Denominators, Tasks, and Resources
Establishing and implementing a corporate governance program for information management demands a team approach. A successful implementation requires a leader with tenacity and an ability to work with a variety of stakeholders. In addition to records management personnel, many facility managers, librarians, and information technology (IT) personnel are often trying to accomplish information-related tasks as part of their overall responsibilities. Other stakeholders may include legal, internal audit, corporate compliance and ethics, tax, business owners or departmental managers, and individual employees.
Common denominators for each stakeholder depend on that person’s piece of the process, as illustrated in Figure 1.
Conducting and Documenting the Content Inventory
Once the stakeholders have been identified and common denominators outlined, the organization’s content must be inventoried and documented. The inventory will provide a detailed understanding of the content’s locations, quantities, and naming characteristics. Ideally the inventory will also connect with business processes and ultimately be correlated with the systems in which the content is created. Inventory information can be gathered by inspecting shared server files and individual desktops, as well as the paper collections stored in active filing cabinets or in offsite storage.
Although a detailed inventory is the most comprehensive approach, it should be combined with interviews of employees to learn how business processes are actually conducted and what kind of information is being created as evidence of business transactions. Interviews serve two other purposes. First, they create an atmosphere of open dialog that promotes information gathering and provides an opportunity to discuss challenges, issues, and specific problems associated with current processes. Second, they provide an opportunity to promote the records and information management program and a forum for collaborating with program stakeholders and users.
One note of caution: An interview is not the time to criticize processes or suggest solutions. It must be kept neutral and allow users a chance to vent and share their concerns. The stakeholders in charge of coordinating this effort are there to listen, take copious notes, ask relevant questions, and set the stage for returning to work with users.
The importance of program documentation cannot be overemphasized. Documenting the inventory and interview results should be completed rapidly and sent back for review to all involved with the process. This allows users to validate their own data, provide clarification and additions, and agree to documented results.
Program documentation captures everything from high-level vision and strategy formulations to detailed departmental records processes and procedures. This documentation not only creates historical evidence of the program, it provides the relevant information needed for program creation, updates, and growth over the years.
Developing a Retention Schedule to Better Manage Information Resources
After completing the content inventory and interviews, analyze and summarize the information. From this analysis, develop a functional business classification scheme that places content into a manageable, organized format correlated to business functions. This scheme forms the foundation for the retention schedule, which will inform everyone about what content must be kept and for how long.
A good analogy for developing a functional classification system is collecting a stack of playing cards (inventorying content) and then sorting them into specific categories (functions), such as “red cards” and then into subcategories, such as “diamonds” and “hearts.”
See Figure 2 on page 63 for an example of a classification scheme for the legal function of an organization and a correlating scheme for the playing card analogy.
Researching Retention Requirements
After developing the functional classification system, conduct extensive research into regulations that mandate records maintenance, reporting, and retention requirements for each classification. Sources for locating the laws relevant to an organization include:
- United States Code
- U.S. Code of Federal Regulations
- State statutes
- State administrative codes
Most research is available online through governmental websites, as well as in hard copy that usually can be located in legal library collections. Organizations that have international locations and operations must also consider foreign regulations and trans-border recordkeeping issues. Although international regulations are not as numerous as those in the United States, they are oftentimes not easy to find and must be translated from their respective languages.
Maintenance, reporting, and retention requirements are not always clear or easy to find in the citation language of the regulations. Often, they are embedded and hidden in various clauses and sub-clauses.
Organizing Retention Requirement Data
While conducting research, organize the data into a regulatory guideline matrix that captures the following information:
- Source (for the regulation)
- Title, subtitle, chapter, part, and actual citation number, plus the regulation’s title
- Impacted industries
- Impacted records
- Summarized maintenance, reporting, and retention requirements
- Actual quotation language for the regulation
Determining Operational Requirements
Once research has been completed, determine the organization’s operational requirements for its information resources. This usually pertains to how long information must be retained for current and future reference needs. However, it is essential to question excessive long-term retention values when they are the norm rather than the exception. The vast majority of information that is stored away is not actively referenced again, which means it ends up in an electronic black hole and consumes unnecessary server and physical space.
Retention periods should be determined for each records series (a group of related records filed/used together as a unit and evaluated as a unit for retention purposes). Although this task seems daunting, it is the only way to build a records retention schedule that has integrity, captures all the details, and is easy to use.
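A retention schedule is only useful if something actually applies it, and the legal hold process named in the policy must override it. The following Python is an added example, not code from the article or its author: it encodes a schedule as one rule per records series (trigger event plus retention period, or permanent), resolves each record’s disposition date, and lets an active legal hold suspend destruction even after the period has expired. The series names, record identifiers, trigger names, and the calendar fiscal year ending 31 December are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Trigger events that start a retention clock (names chosen for this example).
# "fiscal_year_end" assumes a calendar fiscal year ending 31 December.
TRIGGERS = {"creation", "fiscal_year_end", "contract_end"}


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule, keyed by records series."""
    series: str
    trigger: str                 # event that starts the clock; must be in TRIGGERS
    years: Optional[int]         # None means permanent retention


@dataclass
class Record:
    record_id: str
    series: str
    created: date
    events: Dict[str, date] = field(default_factory=dict)   # e.g. {"contract_end": date(...)}


@dataclass
class LegalHold:
    matter: str
    series: Set[str]             # records series frozen by this hold
    active: bool = True


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def trigger_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Resolve the rule's trigger event for a record; None if it has not occurred yet."""
    if rule.trigger == "creation":
        return record.created
    if rule.trigger == "fiscal_year_end":
        return date(record.created.year, 12, 31)
    if rule.trigger == "contract_end":
        return record.events.get("contract_end")
    raise ValueError(f"unknown trigger {rule.trigger!r}")


def disposition_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Earliest date the record may be destroyed; None if permanent or not yet triggered."""
    if rule.years is None:
        return None
    start = trigger_date(record, rule)
    return add_years(start, rule.years) if start else None


def disposition_status(record: Record, schedule: Dict[str, RetentionRule],
                       holds: List[LegalHold], today: date) -> str:
    """Classify a record against the schedule and any active legal holds.

    The hold check comes first: a hold suspends destruction even for records
    whose retention period has already expired, which is the point of the process.
    """
    if any(h.active and record.series in h.series for h in holds):
        return "ON_HOLD"
    rule = schedule.get(record.series)
    if rule is None:
        return "UNSCHEDULED"          # series missing from the schedule: a gap to fix
    if rule.years is None:
        return "PERMANENT"
    due = disposition_date(record, rule)
    if due is None:
        return "AWAITING_TRIGGER"     # e.g. the contract is still open
    return "ELIGIBLE_FOR_DISPOSITION" if today >= due else "RETAIN"


def disposition_report(records: List[Record], schedule: Dict[str, RetentionRule],
                       holds: List[LegalHold], today: date) -> Dict[str, str]:
    """Status of every record, keyed by record_id, for review before any destruction run."""
    return {r.record_id: disposition_status(r, schedule, holds, today) for r in records}


# Constructed sample schedule, records, and hold (illustrative, not from the article).
SCHEDULE = {r.series: r for r in [
    RetentionRule("Accounts Payable Invoices", "fiscal_year_end", 7),
    RetentionRule("Vendor Contracts", "contract_end", 6),
    RetentionRule("Board Minutes", "creation", None),
]}

RECORDS = [
    Record("INV-0001", "Accounts Payable Invoices", date(2008, 3, 15)),
    Record("CON-0042", "Vendor Contracts", date(2007, 1, 10), {"contract_end": date(2010, 6, 30)}),
    Record("CON-0043", "Vendor Contracts", date(2009, 2, 1)),      # contract still open
    Record("MIN-2008", "Board Minutes", date(2008, 1, 22)),
    Record("MEMO-7", "Interoffice Memos", date(2008, 5, 5)),         # series not on the schedule
]

HOLDS = [LegalHold("Matter 2016-01", {"Vendor Contracts"})]

if __name__ == "__main__":
    for rid, status in disposition_report(RECORDS, SCHEDULE, HOLDS, date(2016, 7, 1)).items():
        print(rid, status)
```

Two design points matter in practice. Destruction jobs should consult a function like disposition_status rather than a stored expiry date, so that a hold placed after the expiry date was computed still blocks deletion. And an UNSCHEDULED result should be treated as a finding, since content with no records series has no defensible retention period at all.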
Meeting Application and Implementation Challenges
Ultimately, implementing the corporate governance program for information management is the process that causes the most pain and consumes the most time. Although creating the program’s foundational documents is not easy, supporting the program’s standards with lots of training, education, and follow-up meetings is an even greater challenge.
Meeting the challenge, though, allows organizations to make sound business decisions, compete and enhance their marketplace position, provide better customer service, and demonstrate ethical values in business transactions and within the workplace environment. With a new culture that embodies information management activities as part of daily operating procedures, an organization will soon realize a substantial return on this risk management investment.
Ellie Myler, CRM, CBCP, can be contacted at emyler@accesssciences.com.
From January - February 2008