The sheer chaos of electronic records makes them high risk, and the probability of consequences is high. Well-respected companies have been scandalized by errant e-mails or fortuitous file cleanups. The resulting reputation damage, and its negative effect on stock value, riles shareholders, rocks the boardroom and has repercussions throughout the C-suite.
Electronic records pose an enterprise risk that is pervasive, affecting operations in every line of business. Possible exposures include legal discovery, regulatory inspections, industry investigations and privacy rule violations. In each instance, proof of guilt or innocence resides in records made and maintained using information technology.
CIOs, as the guardians of corporate data processes, increasingly find themselves adding records management to their list of expanding responsibilities. CIOs and IT organizations are routinely tapped to provide solutions to compliance, legal and regulatory challenges involving electronic records, according to a Forrester Research survey conducted for Arma International (www.arma.org), a records and information management association.
Although responsibility for implementing records control is usually delegated many levels below the CIO, its oversight and effectiveness are not. Here are 10 things every CIO should know about managing electronic records:
- E-records management is about control, not access. Basic control elements are the ability to identify a record, attach a retention rule, keep the record unalterable for as long as required, enforce the retention rule through reliable destruction and, alternatively, suspend destruction if investigation or litigation is pending or imminent. Retrofitting control to systems designed for information access is difficult, and imposing requirements on users is not popular.
- Policy infrastructure is key. Managing e-records requires corporate policies, consistent retention rules, defined procedures, employee training and audit capability. This approach to keeping and eliminating records in the ordinary course of business assures that records needed as evidence are preserved. It also demonstrates an expectation of consistency, responsibility and accountability that has a better chance of standing up to outside challenges.
- Clout is important for practical and political reasons. Effective records management requires a mandate from the highest levels. Thanks to the Sarbanes-Oxley Act, executives are now personally accountable for governance lapses, facing jail, sanctions and out-of-pocket settlement payments, so obtaining buy-in is not difficult. Beyond this, most companies put three levels of structure in place:
  - An oversight committee of legal, compliance, tax and corporate management executives who sign off on all policies and rules.
  - A records council -- consisting of IT, legal, compliance, finance, records management and human resources -- that develops the policy infrastructure, obtains oversight committee approval and recommends changes over time.
  - A liaison group of process and system owners responsible for day-to-day activities regarding electronic records.
The offset is cost avoidance. A DuPont study conducted over five years found that half of all materials reviewed for discovery were past retention and could have been safely destroyed under a records program. But because they weren't, and they were discoverable, the company spent $11 million more than necessary responding to discovery requests.
Without question, information management is a high-stakes game. The paper trail is now digital, and its first stop is the CIO's office. Managing e-records risk proactively makes sense for business entities and the CIOs who routinely lead people, processes and technology in strategic enterprise efforts.
Julie Gable is Principal of Gable Consulting and Associate Executive Editor of the Information Management Journal, a publication of records and information management association ARMA International (www.arma.org). Reach her at firstname.lastname@example.org.