Fostering a compliance culture: the role of The Sedona Guidelines: the guidelines offer a practical framework for organizations to reassess and amend existing codes of conduct, training programs, and corporate policies and procedures to create a culture of compliance.

• Author: Allman, Thomas Y.
• Position: Setting Standards

Management of electronic information and records must reflect requirements emanating from the litigation process. This has become as much an area of focus in compliance efforts as accurate financial reporting, avoidance of employee misconduct, and antitrust matters. Anecdotal evidence shows a strong upsurge in self-examination by all types of organizations in order to meet the higher expectations.

Against this backdrop, the Sedona Working Group has published The Sedona Guidelines: Best Practice Guidelines and Commentary for Managing Information and Records in the Electronic Age. The guidelines are designed to promote effective approaches to addressing the key issues of electronic records management. Unlike the recent ANSI/ARMA or ISO standard-setting efforts, The Sedona Guidelines focuses on legal imperatives that are driving the issue. Compliance with these new requirements can best be fostered by adopting the approach underlying the five Sedona guidelines.

The New Expectations

The explosive growth in electronic communications and related e-discovery failures has energized courts to impose their own priorities in the absence of guidance from higher courts or legislatures. These court decisions touch on fundamental aspects of information management previously thought to lie solely in the realm of good business judgment. For example, in Danis v. USN Communications, a court fined a chief executive officer for improperly delegating to others (who were deemed by the court to be unqualified in records management) the responsibility for ensuring that information in hard copy and electronic form was reliably made available for future use. In In re Prudential Ins. Co. of Amer. Sales Practices Litig., a court imposed a records management system after concluding that the "haphazard and uncoordinated" treatment of records in various sales offices threatened the litigation process. Misconduct in regard to information handling has resulted in severe criminal penalties for both entities and individuals under federal law. In a dramatic recent example, Arthur Andersen's conviction for destroying documents in the face of investigation was affirmed despite the fact that participants thought their own conduct was in compliance with existing records retention policies. Another recent example was a prominent Wall Street trader's conviction (now on appeal) for endorsing a records retention approach to cleaning up files under inappropriate circumstances.

It is clear that this new emphasis on strict compliance will not go away. It reflects what the court in Rambus v. Infineon Technologies called "the societal need to assure the integrity of the process by which litigation is conducted." Further, Zubulake V cautioned that those that ignore this new paradigm "act at their own peril." (Editor's note: See the January/February 2005 issue of The Information Management Journal for articles on the Zubulake decisions.) Congress has confirmed the shifts lasting nature by increasing fines and penalties for obstruction of justice as part of The Sarbanes-Oxley Act of 2002.

Necessity for a Culture of Compliance

Effective detection and prevention of law or ethics violations require publicizing the values and imperatives deemed important by an entity's leadership. Most corporations have promulgated codes of conduct and provide training in the entity's significant values. Nonetheless, recent corporate governance lapses led many to conclude that more effort must be devoted to involving all entity levels in such training. The U.S. Federal Sentencing Guidelines now explicitly require promoting an "organizational culture" that "encourages ethical conduct and a commitment to compliance with the law." Most corporations also understand that core values must include an effective information and records management program that meets all legal requirements, including those of the litigation process. Senior executives, chief compliance officers, audit committees, and general counsels should therefore reassess and amend existing codes of conduct, training programs, and corporate policies and procedures to reflect the new emphasis. The Sedona Guidelines offers a practical framework for this reappraisal.

Guideline One: Adopt a Practical and Reasonable Approach

The key to the effort is a "reasonable" approach to managing electronic information. Structured information involved in non-desktop applications, such as...