A new framework for records management and compliance programs

A rash of recently proposed reforms aimed at fulfilling the requirements of federal regulations has underscored an accelerating shift in the balance between government and private companies. But these new rules, in various states of review and public comment, reveal a governmental shift toward wanting to become an active and direct customer of companies' business systems and a consumer of the information they produce. Thus, both records management executives and compliance officers should pay close attention.

Traditionally, records management has been a reactive function, created to meet governmental requirements dictating that companies retain important business records for extended periods of time. The emphasis was on preservation, on responding to periodic requests for availability and, in the long term, on the disposition of the records. The formal obligations under the law focused on the preservation of the record and its content and gave little attention to the systems or processes employed.

But in the past 25 years, regulators have taken an increased interest in assuring the quality and integrity of records management programs and systems. This is particularly true in defense-related industries, where a strong internal infrastructure is considered key to successful records management.

Meanwhile, compliance with the law has always been the duty of any business, but compliance as a dedicated business function is new and has matured rapidly. For most companies, compliance focuses on building and enforcing processes that ensure that certain conduct does or does not occur. But only recently have compliance programs become inherently evidential, meaning the records must prove that the processes and controls have been effective.

New records management and compliance proposals

Three new proposals by government regulators could have a significant impact on records management and compliance. Whether any one of these proposals is adopted is less important than the trends they portend.

This April, the U.S. Sentencing Commission proposed amendments to the Federal Sentencing Guidelines. The guidelines provide instructions to judges on factors to consider when imposing criminal sentences, including those for corporations. As most records management and compliance managers know, these guidelines influence both of their programs.

The proposed amendments indicate that if criminal conduct is detected, it is not enough for a company to identify and report the conduct. Instead, an effective ethics and compliance program must include the mechanisms for a company to act appropriately in order to prevent further criminal conduct.

Detecting potential criminal conduct is itself often a function of records and information management. When information that may signal misconduct is accessible, available and reliably delivered to those who can intervene and terminate the conduct, company officials are more likely to catch improper behavior. In this case, compliance clearly relies on active, dynamic records management, which can serve as an engine for fulfilling current, real-time investigative functions.

The government's proposed rules push the synergy further. Records should help companies demonstrate that their ethics and compliance programs have improved following instances of criminal conduct by charting changes and preserving assessments, reports and related documentation.

Records management also plays a role in regulators' calls for continuous improvement to business processes. The risk assessment/continuous improvement matrix embraced by the Sentencing Commission is not a new management concept. The same concept is found in standards from the International Organization for Standardization (ISO) on IT Service Management (ISO 27000) and Information Security Management (ISO 27001/27002). Under both standards, compliance certification hinges on records demonstrating continuous improvement.

But the proposed rule directly ties together compliance, records management and continuous improvement, placing prosecutors and judges in the role of evaluating whether a company has taken the appropriate steps. This potentially signifies a regulatory push toward requiring records management in businesses where continuous improvement is considered mandatory. No longer can company leadership neglect records management; instead, like any business function, it must improve, and a company must document those improvements.

Business transaction records on demand

The 20th century model for producing records to government agencies was based on physical record archives and reactive, historical deliveries. But now, companies are using IT to reduce the lag between an event of regulatory interest, the creation of related records and the furnishing of those records to regulators.

For example, a number of years ago, regulated companies with controlled emissions would report their particulate emissions to the Environmental Protection Agency (EPA) on a monthly or quarterly basis. Then, the EPA embraced technology that allowed sensors installed on smokestacks to immediately detect and report particulate levels to the EPA. Enforcement officers were then able to respond and seek swifter corrective action.

While similar evolution is occurring in all regulated sectors, a recent Securities and Exchange Commission (SEC) proposal is particularly intriguing.

In response to the impact of large traders on the marketplace, the SEC has suggested a fascinating shift in how broker-dealers create and maintain their transaction records. Under the new proposal, the SEC would create and assign to “large traders” a unique identifier (essentially a trading license) that broker-dealers then must integrate into their transaction record systems. This would allow the SEC to rapidly identify and obtain the trading records of specific large traders during investigations.

Historically, within the securities industry, records management regulations defined the minimum number of records to be retained. Those rules also supported the preservation and archiving of records, largely for long-term investigatory use or to be reviewed in periodic site inspections. But this new proposal introduces some important shifts:

  • The creation of unique identifiers, which significantly inhibits the ability of large traders to establish and maintain multiple accounts;

  • The mandatory use of those identifiers in trading systems, which imposes standardization into how transaction records are created and maintained;

  • The requirement that trading records can be rapidly identified, accessed and delivered to a regulatory agency.

Thanks to these compliance-oriented rules, the SEC has significantly improved the portability and utility of corporate data. The standardized and unique identifiers enable SEC-controlled systems to receive, electronically process and evaluate corporate data more quickly, allowing for faster enforcement and other corrective actions.

But this also positions the SEC as a real-time user of corporate information and systems -- a meaningful shift for how records management and compliance function together. It is likely that other agencies, with similar enforcement mandates, will pursue similar directions.

Federal standards for data content

The SEC proposal described above is a good example of government officials specifying the structure and technical specifications for recorded data. But there is another initiative that potentially has even broader implications.

The National Information Exchange Model (NIEM) is undertaking an effort to develop standards that enable a more rapid exchange of information. Based on the open XML standard, NIEM is already having an enormous influence on governmental systems for financial regulation and law enforcement, as well as private-sector systems that must create and manage information in which the government has a regulatory interest. Driven originally by the need for agencies to exchange information in emergency situations, NIEM is also transforming how data moves among private and public sector entities. For example, in health care, the Office of the National Coordinator is pursuing new contract awards through which the health information exchange definitions and standards, based within NIEM, will be developed.

Many enterprises are already mandating continuous improvement in compliance and records management, establishing data specifications for uniform identifiers and creating detailed rules for availability and real-time access. Now we are seeing an assertive awakening in the government’s expectations as a consumer of corporate records and information. It remains to be seen if these new proposals prevail in their modified form, but records managers and compliance officers can count on increased connections between their business missions, programs and budgets.

Jeffrey Ritter is the founder of Waters Edge Consulting in Reston, Va. Write to him at editor@searchcompliance.com.

This was first published in November 2010
