One of the more nerve-wracking topics that compliance professionals are called upon to address is records management. One reason it can be so daunting is the sheer volume of records at a typical company. Consider how many personnel records, purchasing records, management records, financial records and business records your firm generates in a year.
Managing retention timelines is another complicated task when it comes to developing a records management process. Keep a record for too long and it has a litigation impact -- large numbers of records add to the e-discovery workload. But discarding a record too soon can make you noncompliant with important regulatory requirements.
For compliance professionals, it's tempting to resist developing a records management strategy since it's rarely a direct compliance responsibility. This is the wrong perspective. Records management, when done well, is a significant help to compliance: A well-organized process will help you stay compliant and streamline audit efforts. A poorly managed process, however, will not only make you noncompliant but will also increase audit overhead.
Because of these factors, it's important that compliance professionals both understand their firm's records management process and help champion more disciplined recordkeeping. Although it may not be immediately evident on the surface, compliance has a major stake in this process. Be sure, though, to address your firm's unique compliance needs when approaching organizational recordkeeping.
The compliance-targeted approach to records management
Records are the authoritative source documenting the "who, what, when, where, why and how" of organizational activities. The records management process governs how these artifacts are tracked throughout the whole lifecycle: how they're stored and organized, when and how they're eventually disposed of, and how they're handled along the way.
How this is accomplished directly impacts compliance when record retention is specifically mandated by regulations. The Health Insurance Portability and Accountability Act, PCI Data Security Standards and the Sarbanes–Oxley Act, to name just a few, specifically require that we keep certain types of records. They also indirectly impact compliance because of the role they play in an audit scenario. During an audit, you'll likely be asked to produce records in an evidentiary capacity. This means you not only must retain records appropriately but also make sure they're accessible to the compliance team for internal and external audits.
All these factors mean it's important to represent compliance interests during updates to the records management process (or the automation of the process). Compliance officers should negotiate a seat at the table during discussions around changes to processes and tools, and these officers should have direct communication with the records management "owner" in the organizational hierarchy. A worst-case scenario is one where decisions are made (for example, the selection and deployment of a records management system) without compliance involvement. Issues like retention, accessibility and integrity of records are all vitally important to regulatory compliance.
More on records management strategy
The keys to late-stage records management strategy implementation
A decision maker's guide to organizational records management strategy
Organizations have unique needs, so no two specific scenarios will be identical. Here are some things that compliance teams should think about during any change to their firms' records management process, such as adoption of a new tool or process:
Retention timelines. A typical response firms have when implementing or changing a records management strategy is "keep it all." Because of the vast amount of data involved (particularly in electronic communications like email and IM), many organizations are inclined to keep everything forever (or close to it). That means every email, every document, every log file. Compliance teams should be skeptical of this retention approach. First of all, doing this adds greatly to overhead required to locate the audit artifacts. In addition, whatever you keep is discoverable in a litigation context. Keeping records long enough to comply with regulations is obviously mandatory, but keeping them forever is not always the most prudent approach. A careful balance should be struck with input from compliance, legal and other stakeholders examining proposed scenarios.
Keeping records long enough to comply with regulations is obviously mandatory, but keeping them forever is not always the most prudent approach.
Classification and organization. The ability to classify records based on their type and content is critical. Many firms use backup tapes or other media as a vehicle for archiving documents. From a compliance standpoint, this is seldom useful because getting access to a particular record to support an audit is challenging. Keep in mind that there's no organization to a backup tape, which makes enforcing retention timelines difficult, especially when different timelines are enforced based on type or content of record.
Integration with policy. Whatever mechanism you choose to manage organizational records, be sure it dovetails with corporate policy. For example, if you have a policy that restricts access to certain records, build a process (or deploy a product) that enforces these policy constraints. If you have a policy that requires certain workflows for creation, approval or release of documents, the process should facilitate those workflows. Define a mechanism for discovering and tracking policy violations and ensure that that the process can support notification when those violations occur. What if you don't have a policy that sets management expectations and intent for records? Write one and get it approved. This will be critical when auditors come to evaluate your recordkeeping efforts.
There are obviously many other factors to consider in making sure your firm's records management strategy process runs smoothly. But for compliance professionals, having these few in your back pocket during records management strategy discussions can help significantly to ensure your interests are represented.
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.
This was first published in August 2012