Disaster Recovery Journal

To be sure, legal precedents and record judgments in the past few years have placed heavy burdens on both sides of lawsuits to produce documents for audits, litigation, or discovery matters. Even so, only a relatively small percent of businesses and organizations are administering enterprise records management correctly, or at the minimum, are on the right track.

When an enterprise or government agency employs a proper digitization process for turning their hardcopy records and documents into e-files, the result is greater access to once hard-to-find files, streamlined management of those files for future use and reduced risk. If those digitized documents are stored and managed in a secure (and often hosted) electronic repository, companies also gain a robust disaster recovery system in addition to having this information immediately available for production, audit, and search.

In practice, solid records management enables faster, flexible, complete, and more secure organization-wide location, retrieval, and use of information, regardless of geography, medium, or system type. These principles must support business needs, privacy issues, and other security considerations. Further, these systems and processes support and ensure preservation of an authoritative record of enterprise decisions and actions.  These records will be required to support research and program needs, protect customer or public rights, and safeguard the enterprise accountability – which in some instances requires very long-term preservation of hardcopy and electronic records.

Leveraging technology to improve services, reduce costs, improve security, and reduce physical-based information silos (paper, microfilm/fiche, etc.) is a way of life within many enterprises. But with this shift, new concerns have arisen. These concerns include the lack of tools for centralized discovery, a shift toward use of electronic systems like e-mail as the primary medium of communications by businesses, and a general lack of consideration within the systems for comprehensive management of the business records created.

This current state has been maintained by unchanged practices. And this has led to the emergence of business environments characterized by the following:

• Increased copying, modification, and storage of electronic records and hardcopy versions across organizations, applications, and media with higher costs associated with storage and use.
• Difficulty in locating and identifying authoritative versions of a document. This is often associated with absence of data that enables users to determine a given record’s origin, level of approval, or whether it’s the latest, most complete or relevant version.
• Lack of a common repository to show what records and data exist and where. Records are often inaccessible on users’ hard drives or buried in individual or corporate file systems – all with absence of authoritative directories of information at the enterprise, line of business, or even working group level.
• Requiring separate and distinct search processes for structured data, desktop records and hardcopy records, associated with a tendency to manage information resources according to their physical form rather than as information.
• Utilizing manual processes to prevent the uncontrolled deletion of electronic records by users and unauthorized disposal of hardcopy records.

Records Management
The areas of focus for a records management program will impact areas where the enterprise perceives the greatest amount of risk and business continuity. The risk profile for determining records requirements will provide guidance for current and future needs. In general, a risk profile is a systematic and thorough identification of records-related risk, enabling a measured approach to business continuity.  It is a sound approach to scoping the boundaries of the problem, determining the issues within those boundaries, and making decisions about solving the problem. Three general areas have been identified: compliance, reputation, and strategic. A risk profile approach to records management – inclusive of retention and compliance, litigation preparedness, disaster recovery, and business continuity – employs a broad, systematic, and rigorous approach: 

• Determine issues and establish a management framework
• dentify and characterize exposure and vulnerabilities and develop evaluation criteria
• Profile and evaluate risks
• Identify, evaluate, and recommend risk mitigation strategies

The Costs of Avoidance
For many organizations, existing processes have not yet addressed the risks associated with improper records management, nor will redesigned manual processes enable efficient and effective management of records. Too few enterprises enable consistent and enforced processes, procedures, or information technology tools that allow them to ensure information resources are accessible by staff, subsidiaries, and business partners.

Enterprises also need to apply systematic rights of access to ensure the most appropriate use of individual resources – protecting the evidentiary integrity of official records and reducing the costs associated with accessing, managing, and storing resources. It’s also important to assign appropriate management accountabilities to help ensure that records with ongoing value are protected against premature disposal and transfer to off-site archives for records with permanent value.

The reality is that most enterprises don’t have comprehensive plans for the systematic management of physical and electronic records, leading to concerns such as:

• Inability to manage alteration issues due to decentralized electronic recordkeeping.
• Unable to proactively or defensively locate “smoking gun” content, possibly within e-mail systems.
• Lack of accountability and recordkeeping requirements when systems are designed or upgraded.
• De-centralized shared drives/repositories of electronic records with various degrees of quality control and access.
• High costs and difficulty in meeting regulatory, discovery, and litigation deadlines.
• Limited focus on an enterprise-wide strategy for records that potentially have greater business, legal, and research value.

Critical Success Factors
A holistic approach to enterprise records management is recommended, taking into consideration business culture, process, and technology to create a valuable program. Overall, it’s important to remember that records support business and the way people conduct business, not the other way around.

Sound processes built on easy-to-understand, accessible policies and procedures are key for ensuring compliance and mitigating risks. Moreover, while technology is important, it only accounts for a portion of what’s required to implement and maintain a records management program.

The scope of most risk-management projects is to create a policy for the enterprise that will comply with all regulatory requirements, meet the organizations’ business needs, and provide overall accountability. The program must include all media defined as a record, which may include paper, electronic records, and all other relevant forms such as microfilm.

There are a number of goals of any integrated system of processes and technology that support business records. By automatically ensuring that these goals have been embodied in the solution, enterprises can dramatically improve the consistency and effectiveness of their records management program. These critical requirements help to ensure that: 

• Efficient storage and retrieval of recorded information under control or custody
• Recorded information is protected from unauthorized access, alteration, removal, or destruction
• Unnecessary collection and maintenance of stored and/or recorded information is eliminated
• Timely transfer or disposal of recorded information in accordance with enforced retention schedules and enterprise-wide standards

With Risk Comes Rewards
You may think of all this as a cost of doing business, and certainly that’s one way to look at it. But implementing sound records management policies, procedures, and technologies on both a strategic and infrastructure level can demonstrate a return on investment. Such programs can reduce response costs and access, create a single point of entry for all corporate records, minimize data and records stored in multiple systems, and improve overall business if addressed strategically.

By adopting best practices and creating a culture of risk awareness, enterprise records management will help enterprises:

• Reduce the costs associated with management and use of your enterprise’s paper-based information resources and improve the capture, preservation, and sharing of critical information.
• Enhance enterprise accountability and transparency through improved access to, and preservation of, such records.
• Increase reliability through authoritative versions, while preserving and assessing the authenticity and relevance of records, and protection against unauthorized or undocumented alteration.
• Avoid risk through ensured preservation of records required to document rights, liabilities and responsibilities, and demonstrate the content and rationale for decisions.
• Enhance information security through comprehensive, secure, and precise assignment of access permissions.
• Improve consistency and responsiveness to audit, litigation, and discovery demands.

Many enterprises are playing catch-up to ensure that risk specialization – including records management – joins the ranks of other business functions, such as IT, operations, ethics, compliance, audit, and finance. We’re learning that we already have risk management practices within our organizations, but they’re highly specialized and not necessarily well coordinated.
Let’s kick the silos to the curb and get on track with a better records management practice and enjoy the additional benefits and cost savings included in the process.

About The Author: Charles Brett, managing principal and thought leader for Xerox Global Services, is an industry-recognized expert on enterprise content management, archival and storage strategies, records management, and compliance issues.  Before joining Xerox Global Services, Brett served as principal analyst for META Group on regulatory and compliance issues related to SEC, NASD, HIPAA, Sarbanes-Oxley, and other compliance standards.