Managing document risk to protect the company's reputation: financial executives must have confidence in the content of documents created for legal and regulatory submissions, and today's software applications permit organizations to put in place a set of controls for many of the common document vulnerabilities.

Author: Thomas, Norm
Position: Document Risk

Today's regulatory and legal environments demand far more scrutiny of documents prepared for regulatory agencies, investors, business partners, customers, prospects and employees. Regardless of which software or systems financial executives use, they must be confident that the content of their public documents will not jeopardize their organization's reputation or lead to damaging legal and regulatory repercussions.

The lack of a document accountability process exacerbates the situation. The most important documents, such as the 10-K and 10-Q, cross many desks and are constructed in a collaborative, iterative environment, usually under time pressure, and each of those factors adds to the risk.

The following identifies content lifecycle risks for finance-related documents, typical procedures (controls) in place and the weaknesses inherent in those controls (residual risk).

Content risk exists for the vast majority of documents used by corporate America, including engagement letters, audit papers, policies and procedures, financial statements, requirements documents, planning and strategy documents, proposals, investor relations news releases, customer/partner communications, legal documents, regulatory reports and training documentation.

Standardization Risks

Specific regulations require that safe harbor or legal notices be included with all communications, including emails and letters. Other regulations require that sensitive or private information not be included in these communications. Still other industry or company-wide standards apply to certain document types.

There are four major standardization risks that must be addressed. First, the safe harbor message must be correct, stored in a document or email template that is easily accessible, and used when appropriate. Second, even when the correct template or safe harbor message is used, the document must not carry hidden data (metadata, for example), which can range from harmless to reputation-damaging to illegal in scope.
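The hidden-data risk above can be checked mechanically before a document leaves the building. What follows is an added example and not code from the original article: it lists the document properties, reviewer comments and tracked-change markup that a recipient could recover from a .docx package, and writes a scrubbed copy. The sample document it builds is constructed for the example (it is not a real filing), and the function names are the example's own.

```python
"""Inspect and scrub hidden metadata in a .docx (Office Open XML) package."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_PART = "docProps/core.xml"   # creator, lastModifiedBy, title, revision
APP_PART = "docProps/app.xml"     # company, template, total editing time
REVIEW_PARTS = ("word/comments.xml", "word/people.xml")  # reviewer comments, author list

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
CT_WP = "application/vnd.openxmlformats-officedocument.wordprocessingml."

# Valid but empty replacement property parts.
EMPTY_CORE = (b'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
              b'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
EMPTY_APP = b'<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"/>'


def _leaf_text(xml_bytes):
    """Return {local-name: text} for every leaf element that carries text."""
    return {el.tag.split("}")[-1]: el.text.strip()
            for el in ET.fromstring(xml_bytes).iter()
            if len(el) == 0 and el.text and el.text.strip()}


def extract_metadata(docx_bytes):
    """Report what a recipient can recover beyond the visible text."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in (CORE_PART, APP_PART):
            if part in names:
                report.update(_leaf_text(z.read(part)))
        report["review_parts"] = sorted(p for p in REVIEW_PARTS if p in names)
        body = z.read("word/document.xml").decode("utf-8")
        # Tracked insertions/deletions are w:ins / w:del elements in the body.
        report["tracked_changes"] = len(re.findall(r"<w:(?:ins|del)\b", body))
    return report


def visible_text(docx_bytes):
    """Concatenate the w:t runs, i.e. the text a reader actually sees."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        body = z.read("word/document.xml").decode("utf-8")
    return "".join(re.findall(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>", body))


def parts_containing(docx_bytes, needle):
    """Names of package parts whose bytes still mention `needle` (e.g. a dropped part)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [n for n in z.namelist() if needle in z.read(n)]


def scrub_metadata(docx_bytes):
    """Blank the property parts, drop review parts (and references to them), and
    accept run-level tracked changes. Paragraph-mark and table revisions are left
    for the editor to resolve."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in REVIEW_PARTS:
                continue
            data = src.read(name)
            if name == CORE_PART:
                data = EMPTY_CORE
            elif name == APP_PART:
                data = EMPTY_APP
            elif name == "[Content_Types].xml":
                for part in REVIEW_PARTS:  # drop the content-type override
                    data = re.sub(rb'<Override PartName="/%s"[^>]*/>' % part.encode(), b"", data)
            elif name == "word/_rels/document.xml.rels":
                for part in REVIEW_PARTS:  # drop the relationship to the part
                    target = part.rsplit("/", 1)[-1].encode()
                    data = re.sub(rb'<Relationship [^>]*Target="%s"[^>]*/>' % target, b"", data)
            elif name == "word/document.xml":
                data = re.sub(rb"<w:commentRange(?:Start|End)\b[^>]*/>", b"", data)
                data = re.sub(rb"<w:commentReference\b[^>]*/>", b"", data)
                data = re.sub(rb"<w:del\b[^>]*?/>", b"", data)  # paragraph-mark deletion markers
                data = re.sub(rb"<w:del\b[^>]*>.*?</w:del>", b"", data, flags=re.S)  # drop deleted text
                data = re.sub(rb"</?w:ins\b[^>]*>", b"", data)  # keep inserted text, lose the markup
            dst.writestr(name, data)
    return out.getvalue()


def build_sample_docx():
    """Constructed sample (not a real filing): one sentence with a tracked change,
    a reviewer comment and identifying document properties."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{CT_WP}document.main+xml"/>'
            f'<Override PartName="/word/comments.xml" ContentType="{CT_WP}comments+xml"/>'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
            '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{PKG_REL}">'
            f'<Relationship Id="rId1" Type="{DOC_REL}/officeDocument" Target="word/document.xml"/>'
            f'<Relationship Id="rId2" Type="{PKG_REL}/metadata/core-properties" Target="docProps/core.xml"/>'
            f'<Relationship Id="rId3" Type="{DOC_REL}/extended-properties" Target="docProps/app.xml"/></Relationships>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{PKG_REL}">'
            f'<Relationship Id="rId1" Type="{DOC_REL}/comments" Target="comments.xml"/></Relationships>',
        "word/document.xml":
            f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Net revenue for the quarter was </w:t></w:r>'
            '<w:ins w:id="1" w:author="Reviewer A"><w:r><w:t>$12.4 million</w:t></w:r></w:ins>'
            '<w:del w:id="2" w:author="Reviewer A"><w:r><w:delText>$15.0 million</w:delText></w:r></w:del>'
            '<w:commentRangeStart w:id="0"/><w:r><w:t>.</w:t></w:r><w:commentRangeEnd w:id="0"/></w:p></w:body></w:document>',
        "word/comments.xml":
            f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Reviewer A"><w:p><w:r>'
            '<w:t>Legal has not signed off on this figure.</w:t></w:r></w:p></w:comment></w:comments>',
        CORE_PART:
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>Reviewer A</dc:creator>'
            '<cp:lastModifiedBy>Outside Counsel</cp:lastModifiedBy><dc:title>10-Q draft v7 - DO NOT CIRCULATE</dc:title>'
            '<cp:revision>23</cp:revision></cp:coreProperties>',
        APP_PART:
            '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
            '<Company>Example Corp</Company><Template>Normal.dotm</Template><TotalTime>640</TotalTime></Properties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' + xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(scrub_metadata(sample)))
```

Run it on a real draft with `extract_metadata(open("draft.docx", "rb").read())` to see the author names, revision count, company name and deleted figures that ship with the file; `scrub_metadata` is a release-time control, not a substitute for resolving tracked changes and comments in the editor, since it only handles run-level revisions and does not touch embedded objects or custom XML parts.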

Typically the compliance officer approves the safe harbor messages and stores them on a shared drive or in a document management system. For email messages, individuals are sent the safe harbor message with instructions to include them in the signature area of the email messages. Staff is trained on use of the templates and what is appropriate or not appropriate to include in the message.

Staff are even required to sign a form yearly indicating that they have been trained on and understand the policy governing confidential information. Occasionally, random audits of communications are performed to verify that the policies are being followed.

Because most of these processes are manual, they can lead to compliance problems. First, change control on the templates is usually less than adequate...
