Sarbanes-Oxley. The Health Insurance Portability and Accountability Act (HIPAA). Enron. Arthur Andersen. These are some of the names you hear these days when people talk about regulatory compliance. Since 2001, and the collapse of Enron, a US-based multinational company that concealed its massive debt, and the subsequent trial against its auditor, Arthur Andersen, compliance regulations have changed. The Sarbanes-Oxley Act of 2002 (SOX) was created as a preemptive measure against accounting inconsistencies, and as a result organizations are faced with a whole new aspect of their business.
SOX was created to protect investors by improving the accuracy and reliability of corporate disclosures. Compliance regulations have a close relationship with information technology (IT). Financial reporting processes are deeply embedded in different IT systems, and most data (approximately 70 percent) is in digital format. Under SOX, executives are now liable for the security, accuracy, and reliability of the financial data within their organization.
Standards and Governing Organizations
Records governance, however, predates the events of Enron and Arthur Andersen. The Association of Records Managers and Administrators (ARMA) is a non-profit association and the leading authority on managing records and information, in both electronic and paper format. This organization develops standards and publishes guidelines related to records management and was a key contributor to the international records management standard, ISO 15489, which was created by the International Organization for Standardization (ISO). ISO is the world's largest developer of standards and comprises a network of the national standards institutes of 156 countries. ISO's main focus is on standards for technical industry, but its standards also have important economic and social repercussions.
ISO 15489 provides guidance on the tracking requirements and metadata used for records, including information on what actions should be taken for a particular record, where a record should be located throughout its life cycle, who has access to the record, and what final disposition activities are permitted. This standard consists of two parts. The first part of ISO 15489 describes how to establish responsibilities within an organization to ensure that records are maintained safely and in a manner that meets legal compliance. The second part involves technical documentation describing what procedures personnel should follow to ensure compliance.
Organizations implementing this standard must be aware that ISO 15489 is only one approach. They must also take local and national compliance regulations into consideration, which have been put in place because organizations increasingly rely on electronic documentation yet lack solid processes to manage these documents as corporate records. Organizations must also take into account their own business goals and ensure that all requirements are met within a records management system.
Nationally, companies must deal with a whole set of new regulations and enforcement initiatives. Examples of US compliance regulations include SOX, the Securities and Exchange Commission (SEC) Rule 17-a, and HIPAA. In Europe, there is Basel II, as well as a wide range of governmental and environmental anti-trust regulations.
Consequently, records management (RM) systems are becoming more important for organizations to manage their documentation and to make their records available. Records management is the practice of identifying, classifying, archiving, and destroying records in a controlled and traceable manner. Previously, RM involved hardcopy paper documents and images. Later microfilm was used. Currently, RM involves digital records. Within the enterprise content management (ECM) space, RM is seen as the life cycle of records and information, from their creation to destruction.
However, not all documents and information are records, and within an organization there is a lot of information and documentation floating around that does not need to be kept within an RM system. Records are proof of what is going on within an organization; they capture business activities and transactions. Moreover, records can be in a variety of formats, including hard-copy documents, such as contracts, marketing materials, and reports, and electronic formats, including e-mails and their attachments, instant messages, and web content. Documents can also be stored on personal digital assistants (PDAs) and laptops, and within document management systems or databases. This makes archiving a tremendous task for records managers. Companies are starting to realize that the information they have stored in a wide variety of locations must be managed properly, because they can be held civilly and criminally liable for the storage or destruction of these records.
How Record Management Systems Can Solve These Problems
Given these factors, organizations are facing critical problems in terms of RM:
- Records are being stored for too long, for too short a time, or not at all
- Information is being lost
- The security for records is not managed properly
- Finding or reporting the right information takes too much time
- Executives are not taking responsibility for the correctness of content
Because records hold information that is valuable to the organization (not just to an individual), companies need to have a solid RM system in place that will allow them to retrieve information that is accurate and authentic. An effective RM system requires an entire organization to be responsible for the management of information, and that means every employee must work according to the organization's procedures. This system impacts the creation, use, retrieval, and disposal of an organization's records.
RM falls within three major areas: people, processes, and technology. To satisfy compliance, certain responsibilities that govern each area must be defined and put in place. The organization must frame an RM policy and make sure it is communicated throughout the organization. These policies must consider legal and regulatory factors, as well as internal and industry specific factors and cover all paper and electronic documents.
When discussing records, informal personal documents and data should not be considered (however, documents containing personal information, such as employment history and health insurance claims, are considered records, because naturally they are relevant to a company's operations). Therefore it is important that employees are educated about their professional responsibilities for maintaining, using, retrieving, and deleting company records.
Educating employees requires communication throughout an organization, which can be a task of its own for larger companies. Because some rules can be complicated or burdensome, in-depth training for key employees within sensitive positions may be required.
As there are many aspects to records management legislation, it is important to assign certain roles and responsibilities to employees, especially in the legal department. RM is not just an IT department responsibility; it involves employees throughout the company. The IT department often thinks solely in terms of storage and backup, but not all data can be treated equally, and it is important that the right people take ownership of the records and that retention policies are put in place. The appropriate people must also have access to those records as needed.
In addition to adhering to national and international standards, RM policies should also include retention policies and schedules describing how long records should be accessible before their disposal or destruction. Other information that should be described in these schedules includes the:
- Name of the department that created the records
- Name of the record
- Retention periods (in days, weeks, months, etc.)
- Department or person who has to review the document, as required by law or to check for corporate policy compliance
- Review dates
- Disposition dates
Setting up schedules is not an easy task, but laws and regulations can be the same for a range of industries, and scheduling procedures may already be pre-defined. That is why it is useful to look into external sources for these schedules and use their knowledge to help set up an RM retention policy.
These days, most records are electronic; therefore, looking into a software solution for an organization's RM is a smart thing to do. There is a wide range of vendors that offer RM solutions, either embedded in their enterprise solution, such as FileNet, Documentum, Hummingbird, and Interwoven, or specializing in RM systems, such as Objective, Tower Software, and eManage.
Organizations dealing with legislative and regulatory mandates must ensure that their RM systems are in order. When implementing a system, keep in mind what the key selection criteria are for your RM solution and see whether it is possible to upgrade your current solution to meet regulatory standards. Start by making sure the right processes are in place within your organization. Then, when you decide to use an RM solution, don't try to meet and incorporate all your requirements at once; start with the basic RM functionality and continue to develop your system once the processes are in place and working.
In the last three years, RM has received an enormous boost in the market due to compliance regulations and legislation. Organizations, by law, have to improve their RM processes. ECM vendors are jumping on this opportunity as they incorporate RM as part of their solution or set up whole departments that focus only on compliance. RM is more than just a tool used by the IT department—RM has become a vital part of many corporations.