Records management & compliance: making the connection: organizations must take a proactive and holistic approach to compliance that ensures the business, technological, and legal challenges of records management are addressed.

• Author: Kahn, Randolph A.
• Position: Information management compliance

At the Core

This article

* discusses the importance of a records management program to an organization

* defines the concept of information management compliance (IMC)

* examines the seven key elements of an IMC framework

* In response to the WorldCom bankruptcy filing, the Securities and Exchange Commission (SEC) takes swift and dramatic action to deal with what was perceived as a wholly inadequate records management program and imposes an $800-an-hour monitor on WorldCom (now MCI). The monitor's task is to ensure that the company "has developed document retention policies and ... has complied with these policies."

* A U.S. federal agency notifies a flight school six months after the September 11 terrorist attacks that two of the terrorists have been approved for student visas. The agency admits that its "current system for collecting information is ... antiquated, outdated, inaccurate, and untimely."

* The SEC fines five brokerage firms $8.25 million for failure to retain e-mail records. In addition to the monetary penalty, the firms are required to "review their procedures to ensure compliance with recordkeeping statutes and rules."

* The former CFO and sales manager of a defunct Internet company are indicted on charges of falsifying records, among other things.

* The CEO of a pharmaceutical company is found guilty, sentenced to seven years in jail, and forced to pay a $3 million penalty for obstruction of justice because he "directed another individual to ... delete certain computer files ... containing phone messages he received ... and documents evidencing [his] instructions."

Cases of records mismanagement, improper destruction, and falsification have cost billions of dollars, ended careers, decimated reputations, and caused some companies to wither away. Clearly, something is seriously broken. Although many records management programs probably never functioned as they should have to begin with, for most corporations it was not until the last few years that anyone took notice. Now everyone ostensibly cares about records. In reality, however, how many records management programs are effective enough to serve business objectives and protect the organization?

The Records Program as Business Facilitator and Insurance Policy

Records are the way that institutions "speak." Over time, employees transfer, retire, forget, die, or quit. Records, however, are and always will be needed to ensure that the organization continues to function and can protect its business and legal interests. More specifically, records allow organizations--among other things--to perform business planning, deal with customers' needs, protect legal interests, take care of business needs, and comply with laws, regulations, auditors, and courts. Records management is the process of managing the corporate memory in a way that makes trustworthy records readily accessible any time they are required.

While these business drivers and generalized legal needs are real, what increasingly drives the discussion today is the organization's goal to be perceived as a good corporate citizen. Corporate directors, executives, and investors all demand assurance that the records management program will not negatively impact them and will provide a degree of protection from claims of wrongdoing.

Just as they need insurance, companies of size and substance need a records program to ensure that they are covered if and when trouble strikes. In the records management context, that means an organization can demonstrate that it has an effective and institutionalized way to manage all records and to do what is expected of a good corporate citizen. At minimum, that means that an organization retains records based on sound business judgment and in conformity with legal requirements and considerations. It further requires that records management directives are written and consistently applied to all records and that all employees are taught to follow them. Finally, it requires that records do not get destroyed in anticipation of litigation and that the company can effectively search for all responsive records and make them available to their adversary or a regulator in the context of an audit, litigation, or investigation.

Is each organization's records management program properly developed for the new highly sensitive, high-profile use that seems to have taken center stage in today's business environment? When company executives inquire about the status of the records management program, they are probably not referring to file plans or scanning projects. They are asking at a high level whether the records management program has all the components in place today to insulate the company if and when it is subjected to records-related scrutiny. In other words, will their records management program "insure" against the reckless, intentional, or malicious acts of employees or others who have access to the company's in formation crown jewels?

E-Records Management: Ubiquitous and Flawed

Paper records get mismanaged, altered, and destroyed. However, underlying much of the concern around records management is the exponential growth of, universal reliance on, and commonplace mismanagement of electronic records. According to "How Much Information," a global study released last year by the University of California at Berkeley, in 2002, 800 megabytes of new information was created for each person on earth--with 92 percent of it stored on magnetic media, primarily hard drives. An IDC report, "Worldwide E-mail Usage Forecast, 2002-2006: Know What's Coming Your Way," predicted that the number of e-mail messages sent per day will grow from 31 billion in 2002...