In his book The Tipping Point, Malcolm Gladwell says, "Crime ... isn't a single discrete thing, but a word used to describe an almost impossibly varied and complicated set of behaviors." Ironically, the same thing can be said of compliance.
Compliance is the name given to multi-faceted programs designed to ensure that an organization's culture and collective processes meet legal, regulatory, and ethical requirements. At present, compliance is treated as a binary state: a company either is or isn't compliant. There are, as yet, no objective measures of progress for assessing whether a firm is 50 or 80 or 90 percent compliant. Companies typically find out whether their compliance programs are adequate only through highly publicized investigations or court cases that have devastating effects on corporate reputation, stock price, and shareholder loyalty. In one recent example, a J.P. Morgan Chase subsidiary was fined $2.1 million for failing to keep e-mail communications for three years as required by New York Stock Exchange (NYSE) and National Association of Securities Dealers (NASD) regulations. In short, in the compliance arena, it is easier to see failure than it is to measure success.
Any and all compliance events, whether routine inspections, examinations, or regulator reviews, pose huge risks to corporations and the officers and directors who oversee them. (See sidebar.) Records can either mitigate or worsen those risks, so records management has become integral to compliance efforts. Compliance concerns are often the motivating force behind electronic records management programs and the chief source of funding for such efforts. In compliance, stakes are high, consequences are harsh, and records are pivotal, so it pays for records and information management (RIM) professionals to understand the compliance landscape in more depth.
Fear, uncertainty, and doubt surround compliance, and for good reasons.
It can be hard to determine which regulations apply. Those involved with compliance efforts often rely on published articles and conference presentations to become familiar with the various mandates. Reliance on secondary sources of compliance information, however, can give false impressions about what is actually required. Most published articles are limited by space constraints, and all articles are routinely edited for clarity and brevity, so the content that remains varies in detail and depth. In addition, some white papers and presentations are produced by those with a vested interest in selling compliance-related products or services. For example, much has been made of the need for write once, read many (WORM) media in financial services, but a closer look at U.S. Securities and Exchange Commission (SEC) rule 17a-4 reveals that other electronic storage media are also acceptable, provided they preserve the records in a non-rewriteable, non-erasable format.
One way to assess a secondary source's compliance expertise is to look for distinctions between mandatory and optional requirements. (See chart: "Mandatory vs. Optional Requirements.") For example, compliance materials often list DoD5015.2 and ISO 15489 as compliance requirements. Neither is one. DoD5015.2 is a Department of Defense standard and certification program for records management software products; it binds only software vendors who wish to sell to the Department of Defense, and the National Archives and Records Administration (NARA) has endorsed it for use by other federal agencies. ISO 15489 is an international standard for developing records management programs. Neither is a mandatory compliance requirement for a private-sector organization.
Another telling sign is a claim that a product is "compliant." Businesses are compliant; products are not. Software products that have passed DoD5015.2 testing are described as "certified," not compliant.
The point is that published pieces and web materials might provide useful background, but the only sure way to know what a regulation actually requires is to read the regulation itself.
Compliance is not one-size-fits-all. The regulations that apply to a given company depend on factors such as the industry in which it operates, whether it is a public or private entity, whether it is national or multinational in scope, and so on. The best known and most ballyhooed regulation is the Sarbanes-Oxley Act (SOX), a grab-bag of provisions governing public accounting firms, corporate boards, whistleblowers, financial statements, insider trades, internal controls, changes in operations, and records falsification or destruction. SOX applies to all publicly traded companies in the United States and to foreign companies that list on U.S. stock exchanges.
Beyond SOX, other regulations...