Records management is often viewed simply as a matter of convenience and organization: “proper documentation of records will allow our employees to find them at a moment’s notice.” It is true that when a company is looking to increase efficiency, the value of records management cannot and should not be understated. Yet there is arguably a more pertinent benefit that comes from proper records management. This benefit lies in the value of mitigating risk within the organization.
Employees may see managing records as an inconvenience or a technicality, but they need to understand it as a method of prevention against real and significant risks. These include compliance issues, disaster recovery, public-relations crises, confidentiality breaches, and reputation and security threats. A well-executed records-management program helps mitigate these risks in much the same way that legal counsel or an insurance policy does: by acting as a safeguard against unexpected future events.
Organizations retain legal counsel and sign insurance policies because of the financial risk associated with not doing so. When everything is going well — which is typically the majority of the time — these may seem like unnecessary costs. On those occasions when things do go wrong, however, organizations quickly realize that these are the best investments they could have made. An organization’s records-management program should be seen through the same lens.
To fully understand the benefits, it helps to put the concept into perspective. Imagine for a minute a large food manufacturer without a records-management program in place. Somewhere buried deep in boxes of unorganized records is a decades-old, long-forgotten insurance policy that protects the company against legal action requiring it to clean up a site in which toxic materials are found.
Knowing the company was potentially at risk for such litigation, a concerned records manager pushed the company to audit, organize, and manage its records and put an advanced records-management program in place. Shortly after implementing the program, the company was notified that it was being charged with a class-action lawsuit totaling several million dollars. Because of the records-management best practices that were established, the company was able to produce the insurance policy within days. And that paid for nearly the entire settlement amount at virtually no cost to the company.
Now consider a large energy and commodities company called Enron. Of course, there were many issues with the company’s business policies that I won’t discuss here. But besides problems with the company’s core business practices, Enron had problems with its records-management policies. Employees were instructed to shred large quantities of documents immediately prior to Enron’s legal proceedings, further incriminating the company in wrongdoing.
It’s probably true that Enron still would have been dissolved even with a less-questionable records-retention policy. But there’s no doubt that a thorough program can mitigate potential risks. The two primary areas where an organization can expect records management to act as a safeguard are compliance and disaster recovery. It should be noted, however, that risk mitigation through records management is in no way restricted to these two areas.
It’s no longer simply an industry best practice to retain vital records as part of a sustainable business continuity and efficiency plan. There is now legislation issued specifically for records-management compliance.
When organizations, and specifically CEOs and CFOs, fail to enact a thorough records-management policy, they risk severe penalties for not producing valid information when requested. This could then lead to liability issues if damages are suffered by the corporation or any third party who relied on the documents. This failure to maintain substantive procedures can also end up causing severe financial pain and damage to corporate reputations. For example, under certain legislation such as the Sarbanes-Oxley Act, formidable monetary fines could be levied on anyone who knowingly or inadvertently alters, destroys, falsifies, or covers up entries in records or documents.
CEOs and CFOs should put processes in place to educate their employees about their company’s records-retention strategy. If an employee unknowingly fails to retain an important document, that employee will not be held liable. It is senior management that will be held ultimately responsible and, if the mistake is egregious enough, prosecuted.
Unfortunately, compliance with all of the laws and regulations pertaining to records management is not always simple. Although most of the compliance risk comes from documents that have been destroyed prematurely, there is equal risk in keeping documents too long. Files can and should be destroyed after a certain number of years, depending on the kind of file. For instance, if a file is retained beyond a certain date when it legally could have been destroyed, it can be used against an organization in legal proceedings.
Furthermore, with the digitization of multitudes of data, the compliance equation becomes even more complex. An example of this arises with social media and mobile communications. When it comes to deciding whether to store documents physically or electronically, how to archive text messages and Tweets, and when to archive e-mail sent from a personal account for business purposes, the protocol becomes rather unclear. Once an organization factors in the different federal, state, county, and even city regulations, managing the intricacies becomes just as complicated as navigating a complex legal dispute or insurance plan.
A company is only as good as the proprietary information it owns, and that information is only as secure as the records-management solution that an organization has deployed. There is much discussion around the security of cloud-based and virtual storage solutions, but the larger conversation should be held around the security of paper-based solutions. Paper-based documents can be lifted off of a desk, lost on a train, or burned in a fire, with no option for recovery.
When it comes to true information security, the faster documents are digitized, the better. A records-management program should digitize documents immediately, not when employees find time after everything else has been completed. This includes digitization of invoices, incoming mail, contracts, and all other records into a digital and searchable archive as soon as they are received.
This level of attention to creating a digital archive of records, when paired with a secure IT system, is the only way to truly ensure data security. The technological training and operational complexities of records management can be daunting, however, and as a result, many IT professionals are left in the dark about how to proceed. When handled properly, though, information and records-management programs can be entirely symbiotic. They can improve an organization’s operational efficiency, help contain costs, and, most importantly, better enable the organization to meet its compliance and disaster-recovery needs.
Gregg Bieri is manager, new records development, for Océ Business Services.