Regulations are influencing records-management practices even at exempt organizations. For the Church Pension Group, a nonprofit organization that manages the pensions of Episcopal Church employees, Sarbanes-Oxley has been a factor in its decision to set up an ERM program. CFO Daniel Kasle knows it is only a matter of time before a similar law is passed for nonprofits. And, he says, “even if there were no new law on the horizon, Sarbanes-Oxley has set a new standard for operating a business. We might as well work toward that.”
Reaping Multiple Dividends
A good ERM program can go a long way toward making compliance easier. Just ask Florida Department of Health CIO David Taylor. Florida’s “Sunshine Law” opens all public records, including E-mail, to public inspection. When Taylor started his job two years ago, the department’s E-mail retention policy relied on employees to remember not to delete E-mails before nightly tape backups took place. Records requests came in once or twice a week, and each time staff members had to hunt down and restore what they hoped were the appropriate tapes before the tedious search for E-mails could even begin. The whole process took hundreds, if not thousands, of man-hours.
Today, an E-mail archiving system that uses KVS Enterprise Vault software, EMC Centera storage hardware, and an AltaVista search engine has cut the time needed to find a given E-mail by 90 percent. And by storing messages older than 30 days centrally, rather than on desktops and local servers, the department has improved E-mail system performance for its 17,000 users and reduced its local server needs. Because of those factors, the new system should pay for itself within two years.
To be sure, there is room for ERM technology to improve. Joseph Steffan, director of technology compliance at Lehman Brothers, is a proponent of E-mail archiving tools, but he notes that on some systems, one search can still take an entire day. “Performance has been a big issue,” he says. “We are pressing vendors very hard to achieve order-of-magnitude improvements.”
Finding Your Way
Despite the imperfect technology, many experts advise companies to explore ERM now rather than wait, particularly if the nature of their businesses makes a legal or regulatory matter likely. To approach such a project efficiently, keep the following things in mind:
For starters, the job is best handled by a multi-disciplinary team. Legal services, compliance, records management, lines of business, and IT all need to be represented. The first task is to determine a retention policy stipulating what to keep and for how long. “An organization needs to understand confidently what its retention policy is going to be,” says Steffan. “That mixes legal obligations and operational preferences.”
Regulations will sometimes dictate policy. HIPAA, for instance, requires health-care providers to keep all customer information for six years. But coming up with retention rules in gray areas is much harder. You don’t want to trash something that could help you in court one day, but saving everything devours expensive storage space and makes every search take longer. Too much information can also be a liability in court, making the matter of what to save and for how long a particularly vexing one.