best practices in records management & regulatory compliance · cipline. it’s not a matter of...
TRANSCRIPT
Supplement to
Sponsored by
September 2003
Best Practices inRecords Management &Regulatory Compliance
Andy Moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 A Year for the RecordsThis was the year the writ hit the fan. Every sector you can name—financialservices, healthcare, securities, government—is faced with some new andominous set of regulations. . . .
Gillian Colledge & Michael Cliff,TOWER Software. . 4 The Implications of the Sarbanes-Oxley ActThe events of the past 12 months may result in the correct understanding ofrecords management by senior managers and industry analysts. The collapses ofEnron, Arthur Andersen and others are seen as examples. . . .
Hummingbird Ltd. and J. Timothy Sprehe . . . . . . 6 Enterprise Records Management StrategiesWhether it be businesses, government agencies, non-profit organizations,families or an individual person, it is essential that every human enterprise isable to provide recorded evidence of past events, transactions and decisions. . . .
Fios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Total Cost of Compliance (TCC)?Conversations about the missteps of highly compensated fast-moving corpo-rate executives have become cliché. Late night talk show hosts and “Gen Y”constituents have made references. . . .
Fujitsu Consulting and Documentum . . . . . . . . . 10 Scary, Scary, Scary: Legislated Records ManagementEveryone thinks they know about Sarbanes-Oxley, HIPAA, and similar new regulations like SEC 17a. What few people realize is how truly scary and far-reaching they can be. . . .
H. Harris Hunt, FileNet. . . . . . . . . . . . . . . . . . . . . . 12 Records Management: The Content, Process and Connectivity ChallengeUntil recently, records management programs have been dismissed as back-office cost centers with little or no business benefit. However, recent timeshave repositioned records management and corporate accountability. . . .
Amena Ali, LEGATO . . . . . . . . . . . . . . . . . . . . . . . . 14 From the Backroom to the BoardroomA key challenge facing senior management, and their IT departments, is legal compliance with recordkeeping. Information assets require recordsmanagement—policies, technology and management controls. . . .
David Armstrong, Autonomy . . . . . . . . . . . . . . . . 15 Creating an Automated Compliance SolutionNon-compliant and or unauthorized communications, such as e-mail, canresult in costly lawsuits, damaged reputations, and ultimately lost revenue. . . .
Brendan English, Mobius . . . . . . . . . . . . . . . . . . . 16 Ensuring Compliance with Automated ControlsA recent cartoon depicts a personnel director asking a pinstriped job applicant: “How do you feel about doing time?” And late-night TV comedianshave had a field day as regulators, legislators, lawyers and accountants. . . .
Sharon Hoffman Avent, Smead . . . . . . . . . . . . . . 17 Recordkeeping in Today’s Regulatory EnvironmentImagine yourself six years from today: Your organization has just received notice of a pending legal action. Are the records on paper? Werecorresponding e-mails sent?. . .
Greg Boyd, Results Engineering . . . . . . . . . . . . . . 18 Content Taxonomy—Reduce your exposureRemember when you first started implementing database systems? Before youknew it, one database had grown to five. Data consistency was in question.Years later, you found yourself wondering why you hadn’t implemented datamodeling and data dictionaries. . . .
cipline. It’s not a matter of size, by the way.We’ve seen telecom companies get into trou-ble. It’s a cultural issue.
DeBellis: Healthcare organizations, forexample, are having great difficulty. It’salways been difficult to get healthcareorganizations to invest in IT and they’redefinitely having a hard time now.
Cliff Sink: In the government world, thedemand for RM is being driven by the cus-tomers. They have very real requirementsthat they are legislated to meet, and they’veselected some standards and they are push-ing forward. On the commercial side, a lotof it is vendor-driven. Certain sectors arebigger targets, such as financial services andhealthcare. Not only are they large targets,but they have legislation hanging over theirheads. The fact is that you really don’t needtechnology to be compliant. The ads all say,‘If you don’t buy our product, you won’t beHIPAA or Sarbanes compliant.’ But youreally can be.
Grego Kosinski: There ARE segmentsmore prepared than others, but even inthose segments, some of the challenges arethrowing even the records managers for alittle bit of a surprise. There are now moreand different sets of records that need to bemaintained—e-mail is just one example. Insome ways, records managers are makingit harder on themselves by not being awareof the capabilities of the products thatcould be at their disposal.
Sink: For the last 18 months, recordsmanagers have been struggling withthings like e-mail, and how it fits into cor-porate records. They do it all the time withpaper, but electronic records represent aproblem they’d like to avoid. The reasonis: they haven’t been trained in IT. Thegreat hope of Sarbanes-Oxley was that theIT guys, who have the clout to makethings happen, would be forced to step in.In the pecking order of most companies,the IT group has a much better chance ofsucceeding than the records managergroup. They’ve had the business trainingto justify what they’re doing, why they’redoing it and how to sell it internally thatthe record managers haven’t historicallygotten. And for now, the IT side hasn’tseen enough of a risk to get involved. So,it’s an impasse.
Moore: Are records managers as con-cerned about all the compliance hubbub asthe press coverage would make it seem?
Neil Parrott: Compliance requirementsaffect senior levels much more than therecords managers and the IT professionals ...these new regulations absolutely are causingCEOs and CFOs to stay awake at night. Thetime has finally come for the records man-ager to move from the basement to theboardroom.
McKinnon: Even well-prepared com-panies see this ‘scandal era’ as a wake-upcall. Some records managers are almostgleeful, because it’s raising their disciplineto front-page status. They may have oncebeen hesitant to move because of fear oftechnology or crossing paths with IT direc-tor, but these regulations are propellingthem into a whole new level.
Rhinehart: There probably are compa-nies who will choose to pay the fines ratherthan be in compliance, but that just points outthat the decision process that customer organ-izations go through is a ‘risk vs. reward’proposition. There are certainly organizationsthat have more exposure than others. Therehave been fines levied by the SEC for theinability to produce records; whether thosecompanies made that risk/reward decisionand chose to pay the fine rather than be incompliance, I don’t know.
Sink: At this time, there are a lot ofconsultants and lawyers making money onthis! The IT community is waiting for theconsequences to become worse: They’rethinking: ‘Until somebody goes to jail,we’re not going to spend the money.’ Andso far no one has.
Moore: Besides the CEO in handcuffsthing, what other risks are organizationstaking by not preparing for compliance?
Brian Rose: Creating records manage-ment policies and business practices is apre-planned situation—you can pretty
Supplement to
A Year for the Records
This was the year the writ hit the fan. Everysector you can name—financial services,healthcare, securities, government—is facedwith some new and ominous set of regula-tions aimed at records and information man-agement. Are customer organizations ade-quately prepared for this increased pressureof governance? What steps are being taken,by users and vendors alike, to meet thisheightened demand?
We convened a panel of records man-agement vendors (see box for names andbios) to address these, and many other,pressing concerns surrounding recordsmanagement and regulatory compliance.
Andy Moore: Knowing what youknow about current regulatory pressureand your customers’ individual situations,do you think organizations are adequatelyprepared?
Michael DeBellis: There’s a lot ofconfusion and uncertainty as to just whatexactly do these new regulations mean. Idon’t think people completely compre-hend some of the risks they might beexposed to. People have been faced with‘the crisis of the month’ for a long time—like Y2K—and they’re a little bit skepti-cal, and rightly so.
Craig Rhinehart: There are organiza-tions with CRMs on staff and who are inregulated industries, such as energy andairlines, where there’s a high level ofscrutiny on back-office systems. I thinkthey’re very prepared. But there are cer-tainly other people who are just now com-ing into the world of advanced recordkeep-ing who are scrambling and are not at allprepared. And on top of that, they are nowbeing hit with Sarbanes-Oxley.
Cheryl McKinnon: That’s right; gov-ernment agencies and regulated industriesare by and large in reasonably good shape.The panic situation is with the small tomedium publicly traded companies—organ-izations that have grown up in the last 10years in industries where there hasn’t been aculture of recordkeeping discipline. The typ-ical high-tech company evolved in an erawhere nobody had a secretary, everybodydoes their own e-mail, everyone creates theirown quotes and proposals. That group is themost exposed, because they never had theCIO role or a traditional central recordsrepository run by someone who has RM dis-
September 2003S2
Andy Moore has heldsenior editorial andpublishing positions formore than 25 years. As atechnology writer andeditor, Moore speaks withdozens of seniorexecutives and industryexperts each month. Inhis role as EditorialDirector for the SpecialtyPublishing Group, Mooreoversees the
contributions to the series as well as conducting marketresearch for future topics of interest for the series.
Moore was the editor-in-chief of KMWorld Magazine andis now its publisher.
Andy Moore
By Andy Moore, Editorial Director, KMWorld Specialty Publishing Group
Supplement to September 2003 S3
much predict the costs of developing andmaintaining the records management sys-tem. But the situation most organizationsaren’t prepared for is the reactionary statetheir whole organization is thrown intowhen an ‘event’ (discovery motion, forexample) happens.
At that point, the organization mustquickly figure out how to respond. That’s amuch different situation and there are hugecosts associated with response, whether it’sbeen planned for or not. Certain componentsof compliance can be planned for upfront,such as the procedures for collecting dataand maintaining the chain of custody. Butthere are other components that cannot.
McKinnon: Our hope is that customerswould take a top-down perspective and cre-ate a cultural change that trickles down sothat users at whatever level become awareof their responsibilities and are constantlyaware of how they handle and treat corpo-rate information.
There is also the matter of privacy. Herein Canada, we have some very stringentprivacy laws that are going to take effectJanuary 1. Information must not only beshared and made available, but also pro-tected and controlled. That’s a flip side ofRM that we need to watch for.
Moore: If anything can be called a‘record,’ why isn’t the temptation to simplyretain practically everything indefinitely?
Rhinehart: In fact, the opposite istrue. Organizations must be even morediligent about retention policies, and keepthem in accordance with the prevailinglaw or regulation ...
Kosinski: ...and in accordance withyour own internal business practices. Thinkback a few years to the Justice Departmentcase against Microsoft when they found a‘smoking gun’ e-mail. If they had a busi-ness practice that properly disposed of thatemail—in accordance with regulations, ofcourse—that smoking gun might not havebeen found.
Moore: Are current document manage-ment systems adequate to function asrecords management tools?
Sink: A lot of the existing records man-agement vendors see RM from an ‘oldschool’ perspective—not one of recordsmanagement starting whenever you create atransaction that has anything to do with busi-ness. A lot of RM products only begin towork once someone ‘declares’ something arecord. You take a document and throw itover a magic wall, and from then on it’s arecord. So this view is that an e-mail that ref-erences a business transaction should havebeen logged and identified as a record fromthe moment is was generated.
Think about pure document manage-ment products. They were designed with
continues on page 19
Grego Kosinski is responsible for mes-sage development and marketing ofDocumentum enterprise softwareproducts,with a particular emphasison records management,applicationintegration and compliance solutions.Grego works closely with customersand Documentum product operationsstaff to ensure that Documentumproducts meet the demanding busi-ness requirements of customers,and
with distribution channels and partners to deliver Documentumsolutions to market.
Grego has more than 12 years experience in the technologysector, formerly with Lucent Technologies, the AmdahlCorporation and as senior industry analyst with the marketresearch firm, Dataquest.
The RoundtableOur Panel of Record
To develop a high-level view of the trendsand nuances of the records managementworld, we convened a panel of expertsfrom various vendor and consultinggroups for wide-ranging conversationscovering the records and document man-agement markets, and the impact of newregulatory pressures.
Craig Rhinehart has extensive expe-rience in records management, con-tent management and media assetsystems and solutions. Craig joinedFileNet in 2003 as a consultant tohelp develop the vision and a newsuite of products to address today’scompliance challenges. Prior to join-ing FileNet, Craig had a strategic role
in four successful corporate acquisitions, including IBM’s recentacquisition of Tarian Software, where he was vice president ofWorldwide Sales and Marketing. He has helped CNN, ExxonMobil, Disney, ABC News, the US Army and others to realizethe benefits of records management.
Neil Parrott is responsible for man-aging FileNet’s Image Managerproduct suite as well as providingproduct marketing direction for theUK, France, Benelux and Nordics. Neiljoined FileNet in 1998, responsiblefor regional product marketing andstrategy planning in the UK. Neil hassignificant content management
and business process management expertise, gained from hisexperience at major international information technologyvendors including Kodak, Origin and Olivetti.
Gregory P. (“Grego”) KosinskiSenior Product Marketing Manager
Documentum
Brian Rose has 20 years of engineer-ing,sales,marketing and strategicbusiness development experiencewithin technology and services mar-kets.Prior to Fios,as a member ofthe executive team of many emerg-ing growth companies,Brian wasinstrumental in driving profitablebusiness expansion within existingmarkets,while identifying and
developing new market opportunities.
At Fios,Brian’s focus is on the development of strategic partner-ships that extend market reach and visibility,while providingFios clients with solutions that empower them to more effi-ciently and cost effectively achieve their business objectives.
Brian RoseDirector of Business Development
Fios Inc.
Michael DeBellis leads FujitsuConsulting’s InformationManagement practice for the westregion. He has 20 years of experi-ence in the consulting industryand has worked for clients inhealthcare, financial services,media/entertainment and govern-ment. Michael has specialized inInformation Management and has
led distributed teams to deliver systems using Documentumas well as BEA, ATG,Verity and Interwoven. Mr. DeBellis hasbeen published in leading journals, magazines, and confer-ences such as IEEE Expert and OOPSLA, and speaks on WebServices, Enterprise Content Management, User-CenteredDesign, and Software Development Life-Cycle.
Michael DeBellisVP, Fujitsu Consulting
Information Management
Cheryl McKinnon is responsible forensuring Hummingbird productscomply with current and emerginggovernment standards,guidelinesand legislation covering electronicevidence,records management andprivacy/security issues.She alsoworks closely with Hummingbird’sworldwide partner channel andsales staff to assist in developinggovernment markets,solutions and
product awareness.Cheryl has worked in information manage-ment technologies for more than eight years and has severalyears of field consulting and technical training experience witha variety of public and private sector clients. She is activelyinvolved with AIIM and ARMA International.
Cheryl McKinnonProduct Manager
Government SolutionsHummingbird Ltd.
Cliff Sink,president of TOWERSoftware,joined the company in Julyof 2002 as VP sales and marketing,and brings to TOWER nearly 20 yearsof experience within the informationtechnology industry. Before joiningTOWER,Cliff was VP BusinessDevelopment for IKON BusinessImaging Services,and before thatran sales and marketing organiza-tions at Lanier Worldwide and
UNISYS.Cliff is involved strongly with several industry-relatedorganizations,having served as a Board Member with theInternational Information Management Congress (IMC) and as aBoard Member,Vice-Chair and Chairman of AIIM.
Cliff SinkPresident
TOWER Software
Craig Rhinehart Consultant
FileNet Corporation
Neil ParrottSenior Product Marketing Manager
FileNet Corporation
the hiring of record-keeping professionalsfor large companies.
The Current Scenario for Records Management
For too long, organizations have depict-ed records management as referring toinactive paper/physical records only. Thismay be partly because vendors continuallychoose to find new terminology to differ-entiate their product or service offerings.Documents produced in electronic formatwere seen as different and therefore “spe-cial” systems were required to managethem. Hence the birth of electronic docu-ment management systems. Knowledgemanagement, integrated document man-agement, content management and enter-prise content management have all fol-lowed since. Suppliers and industry ana-lysts can all accept some of the blame forthe confusion in the market place and theloss of recognition of the importance ofrecords management.
Until quite recently, the emphasis hasbeen mainly on document management.However, in the past five years, we havewitnessed large document managementcompanies purchasing records manage-
ment companies or attempting to developtheir own records management capabili-ties. The latest examples of these have beenDocumentum who purchased TrueArc andIBM who purchased Tarian. In additionthere have been many attempted integra-tions between document management andrecords management companies. Somerecords management companies chose notto develop the capability to manage elec-tronic documents but rather to consolidatetheir product offerings and enter intoalliances with other companies. An exam-ple of this arrangement is Foremost andMicrosoft Sharepoint. The result is thatconsumers continue to be offered a bewil-dering array of application options, themajority of which now include recordsmanagement.
Given the pace of change, not surpris-ingly, most organizations operate with amish-mash of document and records man-agement processes and procedures. Manyemployees very likely do not know whatconstitutes a record, or, even if they doknow, how and where it should be stored.The usual procedure in place is to print offa copy of a document that might (subjec-tively) be considered worth keeping andplace it on file. The result is, that althoughsome information is placed on file, evi-dence suggests that a far greater number ofelectronic documents never make it to thefile. Much electronic information, some ofwhich constitutes records, remains storedon the end user’s hard drive.
What is Modern Records Management?Before proceeding any further it is
important to have some idea of the distinc-tion between a document and a record.There are a number of definitions aroundbut we will take as a benchmark the one from the International Standard for Records Management ISO 15489.According to ISO 15489, a document is“recorded information or object which canbe treated as a unit.” Records, by contrast,have important additional qualities and aredefined as “information created, received
Supplement to
The Implications of theSarbanes-Oxley ActIt’s Time to Take Records Management Seriously
The events of the past 12 months may re-sult in the correct understanding of recordsmanagement by senior managers and in-dustry analysts around the world. The col-lapses of Enron, Arthur Andersen and oth-ers are seen as examples of organizationsnot managing their records in accordancewith legislation guiding good business,good business ethics and the best interestsof investors. The demise of a companyworth $9.3 billion (Arthur Andersen) as aresult of not maintaining records is a clearindication that correct corporate governancedoes not always have to be about increasingprofits or the company’s value on the stockmarket. Long-term survival and viability areequally important. But, will these eventschange corporate practice?
The Sarbanes-Oxley Act (2002) intro-duces compelling reasons for CEOs toimplement corporate records management.Non-compliance with the rules applying tothe maintenance of records is now aFederal crime and can result in a punish-ment of up to 20 years in jail. In addition,the Act governs accounting practices andspecifies retention periods for all audit andreview work papers, which it is mandatoryto maintain for five years. The penalty fornon-compliance in cases of retention fail-ure can be imprisonment of up to 10 years.While the U.S. is the only government, atthis time, to introduce such legislation, itshould be noted that most organizations,both public and government throughoutthe world, will have some legislation guid-ing their need to manage records.
Are CEOs interested? CEOs areexpert in risk analysis as it applies to busi-ness. Now, they must carefully weigh upthe costs and benefits of implementingstrategies that take account of the newAct’s requirements. If compliance isdeemed to be necessary, then perhaps wecan expect to see a rash of records man-agement implementations and a boom in
September 2003S4
By Gillian Colledge, Marketing Communications Officer & Michael Cliff, General Manager Marketing and Sales, TOWER Software
“The demise of a company worth $9.3 billion
is a clear indication that corporate
governance is not always about profits.”
Supplement to September 2003 S5
and maintained as evidence and informa-tion by an organization or person, in pur-suance of legal obligations or in transactionof business.” According to this definition,the majority of documents (regardless ofmedium) created in the course of businessare records.
Records management is not simplyabout the management of paper or otherphysical objects. It is about applyingphilosophies and business rules to the man-agement of information as dictated by thelegislative, audit, quality, regulatory andcorporate requirements to maintain andpreserve access to corporate information. Amistake of many organizations is to treatpaper and electronic documents as separateentities primarily because of their format.As far back as 1988 information specialistswere saying that we were about to enter apaperless society. This has yet to occur,and, if recent statistics are to be believed,the use of paper continues to expand.Vendors wanting to sell imaging and work-flow solutions, under the guise that itwould be a cheaper option than to imple-ment a system to store and find digitalrecords, have perpetuated this situation.
However, not tackling the issue ofmanaging digital records is a false econo-my as many companies are now ready torecognize. The cost of not implementingrecords management can result in the col-lapse of the company, huge fines, impris-onment, loss of investment monies andloss of jobs, for example, Andersen,Enron, Merrill Lynch, Prudential to namebut a few recent cases. If records havebeen destroyed, an organization mustprove it has applied appropriate businessrules approving their destruction.
Implementing Records ManagementImplementing records management
effectively is not a simple process. Itdemands significant business processchange and reengineering. It requires athorough analysis of the way a company
does business and recognition, at the mostsenior level, that records management ispivotal to the whole information manage-ment structure of an organization. Briefly,changes must begin with an analysis ofbusiness processes to identify activities andtransactions and to show where recordsoccur. Records critical to the organization,regardless of format, application or juris-dictional area in which they are produced,must be classified, security and access con-trols applied, and retention policies decidedupon. At the same time, internal legal andregulatory environment requirements mustbe factored in. This is where the Sarbanes-Oxley Act’s regulations come into play.And these decisions must be made beforerecords have even been created.
A system must be specified to meet allthe defined records requirements, includingthose of the Sarbanes-Oxley Act (2002).Complying with the Act requires that anorganization have the ability to produce, onrequest, authentic and reliable records andall supporting documentation. The man-agement of records, regardless of their for-mat, is enabled by an electronic recordsmanagement system that can support theapplication of the appropriate businessrules such as naming and filing standards,retention authorities, and cross-referenc-ing. Defining such a system is not an insur-mountable task but one which requires timeand resources, especially adequate training,a culture for embracing organizationalchange, professional staff and a fully sup-portive and cognizant CEO!
The Benefits of Records ManagementMeeting the requirements of the
Sarbanes-Oxley Act can provide indis-putable benefits to an organization. Besidesensuring the necessary protection and sup-port in the event of litigation, authentic andreliable records can:◆ Assist an organization to keep track of what
it has done and to conduct business in anorderly, efficient and accountable manner;
◆ Deliver services equitably;◆ Underpin accountability;◆ Provide a reliable and durable long-term
historical record;◆ Ensure that an organization meets leg-
islative and regulatory requirements;◆ Support document policy formation and
managerial decision making;◆ Protect the interests of the organization,
the rights of employees, clients and pres-ent and future stakeholders; and
◆ Maintain corporate, personal and culturalidentity.
The Future of Records Management In some industries modern records
management is already happening, evi-denced from sales of products such asTRIM. Companies that have modernizedrecords management practices are thosewith a powerful business reason for doingso. In the private sector these include drugcompanies and utilities where there may besignificant penalties for failing to meet thelegislative requirements to maintain certainrecords. Government departments are alsoimplementing records management totoday’s standards. It is clear that theSarbanes-Oxley Act is destined to have asignificant impact on accounting firms andinvestment analysts. In the wider privatesector it remains to be seen whether CEOsrecognize the benefits of records manage-ment and assess the risks of non-compli-ance as sufficiently tangible to opt for thenecessary business process changes toensure the integrity of corporate records. ❚
TOWER Software specializes in the development of software solutions,under the TRIM brand name, to assist customers better manage theirbusiness information.
Through our software solutions we are able to assist customers tomeet their Knowledge Management, Corporate governance, Legal,Legislative (e.g. FOI), Audit and Quality requirements.
Gillian is currently working within the Marketing and Sales of TOWERSoftware. She has worked within the InformationManagement field for 10 years and has experiencein both the Australian and European markets.
She holds a Graduate Diploma in Library andInformation Management and is completing aMasters in Information Management and Systems(Monash University).
Michael has extensive experience in developing marketing and salesstrategies for intellectual property based technolo-gies and has spoken at a number of events aroundthe world about information management.He wasinstrumental in the establishment of TOWERSoftware’s presence in the United Kingdom andcontinued management of partners in Canada,South Africa, Singapore/Malaysia and East Africa.
He holds a Graduate Diploma in Management(University of New South Wales, Australia).
Michael Cliff
GillianColledge
“Implementing records management is
not a simple process. It demands
significant business process change.”
mate and either preserved indefinitely ordestroyed after a given time period.
Contemporary enterprises already possessmany automated information managementcapabilities but have not automated RM,instead using manual systems in paper format.With the recognition that records are created orreceived at each stage of the information con-tent lifecycle, Enterprise eRM systems enablemore efficient and effective capture and man-agement of records at each stage than tradition-al RM systems.
To arrive at eRM capability, business, tech-nical and people strategies must be pursued:
1. Business StrategyBenefits: Upon eRM implementation, work-
er productivity will rise with records retrievablefrom desktops rather than searching paper files.Improved knowledge and control over recordand non-record holdings enhances customerrelations due to quicker access to informationresources while reducing the high cost of dis-covery, potentially allowing ready access to allsubpoenaed records if faced with litigation.Recovery from disasters is also quickened, sincevital business records can be easily retrievedfrom secure off-site backup facilities. A surplusin accrued savings can be realized due toreduced paper and physical storage costs.
Costs of eRM: Enterprises may require sub-stantial capital investment into the deploymentof eRM, including potential work processreengineering, desktop user training and man-agement restructuring. If the previous pRM pro-gram has been under-resourced, costs will arisein bringing the program up to date, as eRM sys-tems require traditional RM program data astheir basic input.
Business Decision: In contemporary enter-prises, where information is often “born elec-tronic” or retained in electronic form, the bene-fits of RM outweigh the costs, as records areessential to the survival, welfare, and prosperi-ty of an enterprise.
2. Technical Strategy. An enterprise eRMsystem typically cannot function simply by“plugging it in,” instead requiring modifica-tion before it is implemented.
Integration: During the integration planningprocess, IT planners must decide how aprospective eRM application will impact lega-cy systems and how many resources arerequired to integrate it with existing resourcemanagement systems. For example, manyorganizations are not capturing e-mail mes-sages and associated metadata that qualify asrecords. And many enterprises lack policies andprocedures governing Web sites as records as
well as eRM integration with web content-management systems.
Vital Records and Continuity of OperationsPlanning: Integrating eRM into IT architecturesand planning entails routine identification of theenterprise’s electronic vital records, ensuringthat steps are taken for easy record accessibilityin the event of emergencies or disasters.
Openness and Scalability: In acquiringeRM systems, special consideration must begiven toward their openness and scalability.Product suites must be able to work properly inboth small and large organizational settings andbe capable of handling various record formatsand mediums.
Auto-filing Systems: eRM products oftenrequire user involvement in deciding whetheran information object is a record, and uponconfirmation, where the record should be filed.The primary source of RM errors is oftencaused by poor decision-making, an indicationof inadequate training. Ideally, eRM systemswould be transparent to users, requiring nouser involvement, but doing so may requirehigh degrees of configuration.
3. People Strategy. Employees often lackunderstanding of the important role RM playsin an enterprise, largely due to its previousback-office function. In order to minimizeresistance to eRM system introductions, peoplestrategy must be applied.
User friendliness: It is critical that the use ofeRM at the client level be as user friendly aspossible to maximize user cooperation.
Pilot Programs and Business ProcessReengineering: It may be necessary to redesignaffected work processes in the deployment ofRM systems. Some enterprises find it useful toconduct pilot experiments with eRM systems in asmall business unit before implementing the sys-tem company-wide.
Training: Everyone who might be affectedby the eRM system may require routine train-ing. Records managers need training in order tosuccessfully make the transition from their tra-ditional role into the IT environment.Successful enterprises often find classroomprograms combined with computer-based train-ing (CBT) to be the most effective in reinforc-ing and applying what has been taught.
Challenges and SolutionsRM solutions may be approached from sev-
eral perspectives, depending on the media orrecord type being managed, how the records fitinto a business process and are accessed, andhow RM fits into the overall information man-agement strategy and IT architecture. The threeprimary concerns facing enterprises includerecord sources, the impact of business processon records, and record access:
1. Source of Enterprise RecordsPhysical Records: The transition to eRM
from a pRM system often includes the dilem-ma of whether older records should remain inphysical format or whether only future recordswill be electronic. Enterprises adopt pRM aspart of an overall Enterprise RM strategy dueto the high costs of converting into electronic
Supplement to
Enterprise RecordsManagement Strategies
Whether it be businesses, government agen-cies, non-profit organizations, families or an in-dividual person, it is essential that every humanenterprise is able to provide recorded evidence ofpast events, transactions and decisions. Funda-mental to both private and public sectors, partic-ularly in government-regulated industries, recordsmanagement (RM) has become a basic elementof modern enterprise life that is too often takenfor granted. Records ensure that an enterprise can:◆ Conduct its business in an orderly, efficient,
and accountable manner;◆ Deliver services consistently and equitably;◆ Document its policies, decisions, and out-
comes to stakeholders and regulators;◆ Meets its legislative and regulatory require-
ments, including audits;◆ Protect itself in litigation;◆ Function in a financially and ethically ac-
countable manner;◆ Protect corporate interests and the rights of
employees, clients, and other stakeholders;◆ Provide continuity of operations in an emer-
gency or disaster; and◆ Maintain its corporate and institutional
memory.
Enterprise Records Management in Context
Enterprise RM is categorized by two dis-tinct formats—physical RM (pRM) and elec-tronic RM (eRM). Although enterprises arebeginning to implement eRM, many will con-tinue to keep older records in physical formsfor the foreseeable future, making pRM anecessity as well. In today’s enterprise, RMoccurs within many IT application contextsand systems for managing documents, e-mail,databases, forms, imaging, workflow, web sitesand customer relationships. Unlike other elec-tronic documents and information objects,electronic records must bear characteristics thatcan be proven or demonstrated, includingauthenticity, reliability, integrity and usability.
eRM StrategiesThe information content lifecycle compris-
es a set of stages: Creation or Receipt, where a document is first created or a completed form first received; Active Analysis, Use and Dissemination, where data undergoes vari-ous transformations; and Retention andDisposition, where the record is declared legiti-
September 2003S6
By Hummingbird Ltd. and J. Timothy Sprehe, Ph. D
Supplement to September 2003 S7
format, as well as the fact that certain recordsmay be physical objects other than paper ormicrofilm (whose value lies partially in theirphysical form).
Transitioning from Physical Records Onlyto Physical-Plus-Electronic Records: When itcomes to converting physical records into elec-tronic format, an imaging solution providesmedia conversion capabilities and associatedindexing and retrieval functions.
Records Already in Electronic Format:For records “born electronic” or convertedfrom physical formats, an eRM solution isappropriate for enterprises that are adoptingeDM for productivity purposes by furthermanaging documents throughout the entireinformation lifecycle.
E-mail: Enterprises know that e-mail use israpidly increasing and that many e-mails con-tain record information not captured by IT sys-tems. Auto-filing with eRM systems, whenproperly configured and fine-tuned, provides anautomated, “back-office” method for capturinge-mails and attachments without requiring userinvolvement.
2. Business Processes and their Impacton Records
Many enterprises are automating the processthat determines whether a document is designat-ed as being “record worthy” through workflowsolutions.
3. Accessing Enterprise Records andOther Information Assets
Users find it most convenient when theycan access enterprise records from tools thatare intrinsically integrated into their workenvironment, where they are able to view and retrieve information assets from Webbrowsers, e-mail interfaces, various author-ing tools, Windows desktops, and WindowsExplorer. A corporate portal can also providea single point of access to organizationalknowledge and facilitates searches across allrepositories. This global approach to infor-mation access may appeal to enterpriseswhose information resources are variedenough to inhibit cross-repository searchingby allowing for wider search radiuses.
End Results: IT and RM Synchronized toMinimize Risk and Liability
Enterprises are recognizing that the inte-gration of RM into the “front office” func-tions of managing basic informationresources is not only desirable but essential to their very survival. Managers now under-stand the critical interdependence betweeninformation systems and the informationprocessed and stored in those systems, just asthe realization is dawning that informationholdings can no longer exist independent ofinformation systems. IT professionals knowthey must incorporate RM concepts and prin-ciples into the way they think about theirwork, while record managers should includeworking familiarity with IT among theirbasic skill sets. Lastly, both IT professionalsand records managers should recognize thatthe enterprise’s information resources are
In order to manage information as an asset andprovide excellent client service, HLB TautgesRedpath, Ltd. (HLB TR), a CPA and consultingfirm in St. Paul/Minneapolis, Minnesota, sought toreplace its outdated records management softwareand improve its document handling processes. Likeother accounting firms, it wanted to improve hard-ware and software, review internal processes, allo-cate more resources for training, and attract quali-fied staff.
“Any organization should be applying the prin-cipals of records management no matter what theindustry. Good records management starts at docu-ment creation and is particularly important duringactive use. Since documents can’t be separatedfrom the business process, it is vital to managethem from start to finish,” said Lynette Downing,Certified Records Manager at HLB TR.
Review of RecordsHLB TR’s original system of managing docu-
ments relied on a homegrown database used fortracking documents and applying retention sched-ules. The solution met HLB TR’s needs for quitea few years, but eventually the company started tooutgrow it. Consequently, HLB TR initiated afirm-wide process review to examine its recordsand document management needs.
“We wanted an end-to-end solution that man-aged the whole document lifecycle and took intoconsideration both document and records man-agement,” said Downing. Included in the processreview was a look at “paperless audit” applica-tions. However, they didn’t offer an enterprise-wide approach to information management.Implementing a new document management,records management and imaging system waspart of a strategic move to build on technologyinfrastructure improvements made over the pastfew years and position the firm for future effi-ciency gains.
After considering a number of alternatives, thefirm chose a solution from ADV DocumentSystems, Inc. that used Hummingbird documentand record management solutions as the core of itssystem. ADV, a Hummingbird premier partnerheadquartered in Minneapolis, MN, helped HLBTR select and configure the total solution. ADVprovides pre- and post-sale support and servicesincluding: ROI studies, project methodologyreports and developing organizational standardsfor capture and storage.
“We cost-justified it on the fact that theHummingbird DM front-end was going to greatlyimprove document retrieval to support our servic-es while the Hummingbird RM back-end followsright with our strategic plan,” said Downing. TheHummingbird solution uses one database to track
electronic and paper documents from creationthrough destruction, maintaining the completedocument history from start to finish.
One Database for All Information Needs“Everybody uses it from the receptionist on up
to the president,” said Downing. “What users reallylike is having all information, regardless of media,at their fingertips. We search for a client and bringup not only the electronic documents for that clientbut also what paper records exist and where theyare. It gives them one database to search for all ofthe information that supports their projects.”
Documents from various sources are profiledusing common classifications based on projects.For example, a client’s merger & acquisition projectmay contain documents such as an Excel workbookused to calculate the purchase price, a Word docu-ment of the purchase agreement received from anattorney, an e-mail from the client, a fax from theCPA representing the seller or the profile of a paperfile indicating where a file is located. These variedsource documents are all displayed in the searchresults list and are available regardless of theirsource. Even if the documents are “checked out”and in use by another employee, they are availablein a read-only format. The key to document sharingis getting them in the system as early in the processas possible. When a project is complete, all docu-ments are available on-line. ❚
HLB Tautges Redpath Accounts for Records and Documents
Industry: Accounting and ConsultingOrganization: HLB Tautges Redpath, Ltd. The Challenge:◆ Aging records management software needed to be
replaced;◆ Paper records and electronic documents were man-
aged in separate systems, costing time and money byinefficiently tracking record life cycles;
◆ Too much time wasted finding paper files and rout-ing them to staff; and
◆ The firm wanted industry-leading tools to recruitthe best and brightest talent to maintain the highstandards of service clients expect.
Hummingbird Solution:Records Management, Document Management,ImagingKey Benefits:◆ Enterprise-wide solution—one, company-wide, data-
base of information that allows efficient searching andcomplete life cycle management of documents andrecords;
◆ Improved client service and reduced number ofclient callbacks;
◆ Marketing tool to attract new clients as well asemployees;
◆ Secure systems with a full backup of records in theevent of a disaster; and
◆ Better records = better decision-making.
core valuables, and by protecting and proper-ly handling such information jewels, it is pos-sible to greatly reduce the enterprise’s finan-cial and legal risk and liability. ❚
J.Timothy Sprehe,Ph.D.is a records management authority noted for RMpolicy and research development for the United States Office ofManagement and Budget and NARA; chairing eRM conferences; and for
currently chairing the AIIM International Standards Committee onIntegrated Functional Requirements for eDM and eRM systems.
Hummingbird Ltd. is a global enterprise software company employing1300 people in nearly 40 offices around the world. HummingbirdEnterprise creates a 360° view of content with products that are bothmodular and interoperable, including Document and RecordsManagement, Portal and Knowledge Management, BusinessIntelligence,and Data Integration.Please visit:www.hummingbird.com.
In spite of their vigor, you have undoubtedlyquestioned the clarity of these mandates’“terms and conditions.” However, Sarbanes-Oxley does specifically outline the expecta-tions government regulators have for corpo-rate behavior. With this, your complianceofficer can now put a plan in place that en-ables adherence to the standard. The processesand costs associated with implementing andmaintaining such a (proactive) complianceplan are relatively predictable.
Recent reinterpretations of the SEC Act of1934 targeting data retention policies clearlyarticulate the processes and procedures thatyour company must employ to align with theseregulations. Again, the cost associated withthese types of initiatives is relatively transpar-ent. The penalties associated with non-compli-ance are also well documented. With this inplace, you can now develop an ROI and beginto implement a corporate wide, “proactive”compliance solution to address Sarbanes-Ox-ley, or any other regulatory mandate.
The cost impact of proactive compliance(or non-compliance) has become relativelypredictable.
Reactive ComplianceThe reality is that compliance goes be-
yond these “relatively well-defined and pre-dictable” mandates. This is not meant to triv-ialize the effort associated with thesecorporate initiatives. They can be wickedcomplicated and in most cases require sub-
stantial business re-engineering. The re-quirements are often foreign to those taskedwith implementation. The overhead can beburdensome, and the costs significant.Even if you follow the letter of the law,your company’s position as it relates tocompliance is in the “eye of the beholder”,since anyone can call it into question.However, ultimately, compliance withthese “known” mandates is a (relatively)predictable process with predictable costs.
A large portion of the costs associatedwith compliance (or non-compliance forsome) has to do with components of yourbusiness that are not predictable or well de-fined. These components have been aroundlong before Sarbanes-Oxley, and will re-main even after numerous reinterpretationshave been authored.
If your business operates in a highly reg-ulated sector, litigation or government inves-tigation is a constant presence. These events,or rather your response to them, quickly be-come the largest cost component associatedwith compliance. These events create a “re-actionary” environment that disrupt your busi-ness and cause your organization to focus onresolving issues otherwise unrelated to nor-mal business operations. This is the world of“reactive compliance.”
Reactive Compliance = UnpredictableCompliance
In the midst of a quarterly strategic plan-ning session your general counsel enters theroom. Seems an intellectual property in-fringement claim has been brought against thecompany by a competitor. As demonstrationof your competitors’ intent to pursue theclaim, computer forensic experts will arrivein 48 hours with a court order to begin exam-ination of many computers, including yours.All electronic correspondence related to thetechnology in question, from all related em-ployees, will be collected, reviewed and de-livered to the lawyers filing the suit. More-over, a preservation order has also beendelivered that requires your IT department toimmediately cease the OS upgrade critical toyour company’s next product release—so thatall systems will remain “as is.”
Supplement to
Total Cost of Compliance (TCC)?They ruined everyone else’s fun
Conversations about the missteps of highlycompensated fast-moving corporate execu-tives have become cliché. Late night talk showhosts and “Gen Y” constituents have made ref-erences to corporate swindling part of theirparlance. As we remain astonished by the au-dacity of these miscreants, we are hit with aharsher reality: The dastardly deeds commit-ted by these personalities have resulted in leg-islation and subsequent regulation to make ourcorporate lives—a little less fun.
We are, generally, a responsive society. Inorder to alleviate anxiety caused by upheaval,we respond rapidly and deliberately. To easeinvestors’concern over fraudulent accountingpractices and general mismanagement, ourgovernmental representatives have introducedcompliance oriented measures for many ofour nation’s companies. These measures havebecome looming risk management clouds foryour CFOs, CIOs and CEOs. They fear thepunitive measures associated with non-com-pliance. Additionally, undue burden has beenplaced on your operating managers to insti-tute processes, technology and employeetraining to ensure compliance. There is nobetter way to put the “un” in “fun.”
The topic of this paper is not “How to De-velop Corporate Strategies for Sarbanes-Ox-ley.” Strategies to best apply today’s knowl-edge- or records-management solutions towarda “proactive” corporate regulatory complianceinitiative will be left to other experts.
Instead, this paper will focus on a conceptcalled Total Cost of Compliance (TCC). Wewill explore the operational impact of compli-ance measures on your organization. The im-pact of proactive as well as reactive compli-ance measures and the cost of non-compliancein both scenarios will also be discussed.
Proactive Compliance = PredictableCompliance
Much noise has been made about the im-pact of compliance mandates such as Sar-banes-Oxley, even more about how to inter-pret and integrate them into business practice.
September 2003S8
By Fios, Inc.
“A large portion of costs associated with
compliance has to do with components that
are not as predictable as Sarbanes-Oxley.”
Supplement to September 2003 S9
This scenario, although hypothetical,could be an actual account from many For-tune 1000 companies. In this scenario, theintroduction of the lawsuit was not pre-dictable (or at least the timing was uncer-tain) and the scope of activities involvedwith complying with “requests” was evenless predictable. As a result, the process bur-den and therefore, cost burden on your or-ganization is extremely unpredictable.
Total Cost of Compliance (TCC)So, what is the point of the examples above?
Aside from demonstrating the difference be-tween compliance activities that are predictableand activities that are unpredictable, it is im-portant to understand the entire organizationalimpact of compliance. Since profitability is“top of mind” for corporations, the impact ofcompliance is best measured by its impact onorganizational costs—or the expense line of theincome statement. The formulas in Figure 1above outline the elements contained in a To-tal Cost of Compliance (TCC) and a Total Costof Non-Compliance (TCnC) calculation:
Let’s break down each formula into its “col-loquial” components. The TCC formula saysthat the Total Cost of compliance is the sum of:
◆ the proactive compliance (p) programs’technology (software/hardware/IT enabledservices) and people (employees and con-tractors) cost; plus
◆ the reactive compliance (r) technology (soft-ware/hardware/IT enabled services), people(employees and contractors) cost; and
◆ the opportunity cost associated with re-fo-cusing mission-critical staff on short turn-around time, unpredictable initiatives at theexpense of already planned initiatives.
The TCnC formula is equally straightfor-ward. This is the sum of:
◆ the civil and/or criminal penalties that canbe imposed if a company does not complywith proactive (p) mandates; plus
◆ the reactive (r) civil penalties associatedwith not complying with a discovery re-quest1 and the larger cost/risk associatedwith potentially compromising your com-pany’s position to defend itself in a lawsuit.
Predictability sometimes leads to disobedience
In the case of proactive compliance,some organizations choose to disobey thecompliance mandates. Why? It is not be-cause they are habitually disobedient.Rather, the costs associated with non-com-pliance are predictable. There are organi-zations that weigh the risks of being non-compliant with the (known) costs ofcompliance and choose to incur the costsof non-compliance. Also, there is a sensethat the compliance-happy environmentwill disappear once the equity markets andinvestor confidence rises to higher levels.Other organizations are resource con-strained, unaware, or believe that the worstwill never happen to them. Why not justwait it out and incur known costs withoutorganizational upheaval?
A reactive environment is usually cre-ated by a lawsuit or claim against yourcompany, or as a result of an investigationfrom a regulatory body, such as the fed-eral government. In cases like this, thecost of non-compliance could be a civilpenalty or worse, the loss of a lawsuitwhich could potentially be a “bet the com-pany” scenario. Increasingly, there are im-pacts to stock prices when correct infor-mation is not forthcoming, causing apublicity crisis. Non-compliance is usu-ally not an option in a reactive environ-ment. As a result, the operational costs as-sociated with reactive compliance areunpredictable, but inevitable.
Inevitable costs—Data CollectionIn the event of a discovery request, your
IT organization is immediately impacted.The discovery request will contain demandsfor information pertaining to timeframes,people, and topics. Your general counsel,with the assistance from your external lawfirm, will launch portions of this request intothe various organizations affected. In thecase of a discovery request associated withelectronic information, your IT organizationis tasked with locating and aggregating therelevant information. This phase is what isreferred to as data collection.
For those who are not well versed in thedynamics of a large IT infrastructure, this isno small feat. Even if you have deployed aknowledge management and data retentionsystem, you will learn that only a subset ofthe relevant data resides there. Much moreresides “live” on the network and on indi-vidual computers, while still more is storedon backup tapes. The process of aggregat-ing electronic information in response to adiscovery request resembles nothing thatyour IT team deploys on a typical day. Theprocess requires a scalpel type technique, asdata preservation (don’t throw the stuffaway) and non-spoliation (don’t tamper withthe stuff) rules mandate specific proceduresto be followed. Lack of adherence to theseprocesses can translate to immediate penal-ties, loss of good faith with the decisionmaker in the matter, or worse.
For this reason, you may choose to out-source data collection. Alternatively, you maytrain and deploy your own IT department. Inthe former scenario, the costs of external re-sources are significant. In the latter, the op-portunity cost of re-focusing your in-houseteam is significant.
TCC and TCnC are about perspective
Total cost of compliance and total cost ofnon-compliance are concepts that are meantto provide perspective. It is not the intent ofthis paper to suggest that you embark on aquantitative exercise to calculate your preciseTCC and TCnC and make decisions to com-ply (or not) on the basis of the results.
Rather, the purpose of this paper is tohighlight the fact that organizational costsincurred in a reactive compliance situationare unpredictable yet inevitable. In addition,organizations often ignore these costs be-cause the “cost of a lawsuit” is viewed pri-marily as the legal expenses related to thedefense of the suit. Furthermore, courts havenot made a habit of asking the requestingparty to fund the costs of producing activedata, because, by and large, it is assumedthat the data requested is easily accessible.Perhaps, but access does not translate to easeof extraction. As a result, for the foreseeablefuture, you will incur significant costs tocomply with a reactive compliance request.The key is to know what your costs are sothat you can proactively manage them. ❚
1 a request for information from the opposition to enable “discovery” of “what happened”
Fios provides IT enabled services to simplify electronic discovery andreduce the operational cost of reactive compliance.
TCC = ∑ (pTechnology +pPeople) + (rTechnology+rPeople+rOpportunityCost)
TCnC = ∑ (pnCCivilPenalties+pnCCriminalPenalties) + (rnCCivilPenalties+rnCLitigationExposure)
Figure 1.
right set of information on-demand, youmust have content-based records manage-ment that can handle all media types. Theimplications are far-reaching:◆ You have to decide what constitutes a
“record” based on content, and establishrules for how records are captured andstored;
◆ You need a common content infrastruc-ture that lets you see how all records fromall sources are related, and enables easyretrieval; and
◆ Your employees need to understand howand when a communication becomes arecord, which implies cultural changeacross the organization. Let’s look at each of these in turn.
What Constitutes a Record?For a good portion of their existence,
paper and electronic records fall into therealm of content authoring and manage-ment tools. At some point, which can bedefined by a user or by an automatedprocess, the content can be regarded asbeing “laminated.” The content thenbecomes unchangeable and must be treatedas a permanent asset that is retained tomeet regulatory as well as good businessrequirements.
Once an object becomes a “record,” it issubject to legal rules for regulatory compli-ance, retention, access control and eventu-al disposition—permanently archived,or destroyed. For example, under theSecurities and Exchange (SEC) Rule 17aand related regulations, financial servicescompanies must preserve electronic messages (e-mail and instant messages) in a non-rewritable non-erasable storagemedium, such as write-once, read-many(WORM) or equivalent, for the requiredretention period. In addition, a duplicatecopy of each record must be stored sepa-rately from the first copy (great news forstorage vendors.)
And here’s a truly scary thought aboutrecords: “In the end, a record is whatever aregulator, government investigator, auditor,or litigator says it is.”1
The Need for Common ContentInfrastructure
As several companies have found out totheir chagrin, “the judge” doesn’t care how
Supplement to
Scary, Scary, Scary:Legislated RecordsManagement
Everyone thinks they know about Sar-banes-Oxley, HIPAA, and similar new reg-ulations like SEC 17a. What few people re-alize—executives perhaps least of all,because they rarely have time to study thedetails—is how truly scary and far-reachingthese kinds of legislated changes can be. Asa CEO or CIO, you may need to take actionimmediately to avoid business disruption orsignificant fines.
The Sarbanes-Oxley Act of 2002, forexample, makes it clear that certainrecords, in any form, must be securelyretained and holds CEOs accountable forproducing specific, content-based subsetsof these records on demand, with stiff civiland criminal penalties for non compliance.And certain SEC rules state that electronicinformation, in any form, including e-mailand instant messaging, has to be logged,saved, indexed for search-and-retrieval,and securely retained for a specific numberof years, just like paper records.
So, if you’re a CEO or CIO, what doyou do?
First of all, take a good look at yourexisting records management systemsbefore breaking out in a cold sweat. Manycompanies have been routinely backing upand storing business-critical documents off-site in safe areas for years. And many morestarted doing so after 9/11. In addition, tosupport the compliance needs of legal,engineering and marketing, most largecompanies maintain document managementand e-mail archiving systems in the ITdepartment.
Unfortunately, just having such sys-tems in place does not necessarily ensurecompliance with the new requirements—as five top banks found out in December of2002 when they were assessed over $8 mil-lion in fines.
Backup and storage solutions, particu-larly those that “silo” information, simplywon’t do the job. In order to retrieve the
September 2003S10
By Fujitsu Consulting and Documentum, Inc.
To comply with legislative and regulatory requirements, you must first be able to declare content from any source as a “record.”
Supplement to September 2003 S11
and where content required for a case isstored. For example, in the Fen-phen (dietpills) product liability litigation, it cost a major pharmaceutical manufacturerbetween $1.1 and $1.7 million to retrieve e-mails from 15 selected individuals frombackup tapes. Even worse, some backuptapes had been overwritten, so the compa-ny couldn’t produce all the content thejudge asked for. As a result, the companywas forced to settle the case in favor of theplaintiffs.
To eliminate the potentially huge cost ofsuch ad hoc discovery and litigation, youneed a comprehensive, policy-based pro-gram of record retention, supported bytechnology that can be shown to properlyclassify and archive all records. The criticalsuccess factor for such a program is a com-mon content infrastructure with the follow-ing features2:◆ A universal content repository provid-
ing search and access control across allinformation types—paper and microfilm,images, revisable documents, and e-mail,common retrieval for all electronic types,and an audit log of all actions on storedcontent objects;
◆ A standards-compliant records man-agement application (RMA), tightly in-tegrated with the repository user interfaceand workflow, providing file plan man-agement, record classification and en-forced retention management;
◆ Automatic e-mail capture, consisting ofa system for automatically classifying asrecords all outgoing and incoming emailand instant messages meeting specifiedpolicy-based rules, based on messagemetadata and content; and
◆ Enterprise content management (ECM)software, to achieve consistency acrosscontent types and sources. All items relat-ing to a particular topic need to be searchedand retrieved through a single interface, in-cluding e-mail, word processing docu-ments and scanned images. Such itemsneed to be available in enterprise-widebusiness processes and workflows wheretheir value can be leveraged across proj-ects and departments. ECM software alsoallows efficient storage of large volumesof record data on a choice of media as de-manded by the particular application. By eliminating separate storage silos
based on data type, integrated RMA/ECMsoftware can help companies achieveeconomies of scale in electronic recordstorage and allow consistent retention anddisposition management.
You also want to eliminate storage ofwhat’s not required as well as what isrequired. The scary thought here is: If youstore everything, everything is open to discov-ery—even when you think it’s not relevant.
Cultural Change Across theOrganization
While penalties stemming from non-compliance with Sarbanes-Oxley, HIPAA,SEC Rule 17a, NASD 3010 and variousother mandates are enforced at the execu-tive or corporate level, it takes everyone inthe organization to assure compliance.Content-based enterprise records manage-ment, like any new business processes andapplications, requires cultural change.Specifically, it is very important to:◆ Make sure employees are records-aware.
Like any major business process change,you need to communicate the plan aheadof time, garner support and clearly iden-tify what people need to do. The last thingyou want is for the whole workforce to beparalyzed by fear that “big brother” iswatching over everything, whether theyknow it or not;
◆ Enable the right people with the righttools. Many employees will only be in-volved peripherally in records manage-ment. But people responsible for activedeclaration of financial records, medicalimage records, audit records, proposalsand pricing, etc., need to have the righttools at hand and be trained to use themappropriately; and
◆ Automate as much as possible. Besidesthe potential for human error, you don’twant records-management to becomeburdensome and interrupt daily routines.Enterprise Records Management Edition
is Documentum’s DoD5015.2-certified solu-tion that makes it easy to click a button ordrag-and-drop a file in Microsoft Word,Excel, Outlook or other applications to auto-matically “laminate” it as a record. In addi-tion, to make sure the content of the record isappropriately identified, Documentum’sEnterprise Content Management platformand Content Intelligence Services usesophisticated algorithms that “understand”what’s in the record and categorize it appro-priately. Finally, Email archival, completewith content analysis and classification, islikewise handled automatically, in the back-ground, without involving manual processesand bothering employees.
And what’s the truly scary thought aboutcultural change? According to The JL Group,legal advisors in electronic records manage-ment, “A program that allows any level ofemployee discretion in the assignment ofretention periods, destruction dates, or nam-ing and filing standards is extremely danger-ous and a lightning rod for review.”3
So What Should You Do?No magic bullets exist. Fujitsu Consulting
brings proven business and consulting expert-ise in this area, and Documentum has devel-
oped and integrated applications for end-to-end compliance. Fujitsu offers Documentum-specific applications expertise. Properlyimplemented and socialized within the organ-ization, the suite will ensure the authenticityof records and limit liability in regulatedindustries.
As the first step towards full confidencethat you are in compliance with any regula-tions that apply to you, Fujitsu Consultingwill conduct a two-week review andassessment of your content managementtechnology and business activities. Theassessment looks at search and retrieval ofe-mail as well as control of corporate dis-closure documents. You will receive a find-ings report identifying potential exposuresand risks, plus specific recommendations.Going forward, Fujitsu Consulting willmake sure you don’t just get a point solu-tion—which in this case, would defeat thewhole object of content-based recordsmanagement.
In the end, what you really want is thecapability to identify, isolate and protectimportant information throughout theenterprise, in any form, regulated or not.And that really isn’t all that scary—it’s justgood business. ❚
A trusted provider of management and technology consulting to busi-ness and government, Fujitsu Consulting is the global consulting andservices arm of the Fujitsu Group.Fujitsu Consulting integrates the coreexpertise of Fujitsu companies and its partners to deliver completebusiness solutions that drive business value.Through its industry-rec-ognized strategic approach, Macroscope, Fujitsu Consulting enablesclients to build more value into their investments and drive their lead-ership in the marketplace.
Documentum provides enterprise content management (ECM) solu-tions that enable organizations to unite information, tools and teamsneeded to manage business processes and associated content.Documentum’s integrated set of content, compliance and collabora-tion solutions support the way people work, from discussion andplanning through design, production, marketing, sales, service andadministration.
1 Bruce Silver Associates Industry Trend Report, “Answering theCall for Enterprise Records Management”, May 2003
2 ibid3 “Unenforced Records Management Is Too Dangerous to
Overlook,” www.jlgroup.com, 2002
As the President and Chief Executive Officer of Fujitsu Consulting,Michael J. Poehner provides strategic direction to a$900 million management and technology con-sulting business with more than 70 offices world-wide. Fujitsu Consulting is the global consultingarm outside Japan of Fujitsu Ltd.,the third largest ITservices group in the world, providing measurable,results-oriented information technology servicesand business solutions to the Fortune 1000 andsmaller companies.
Dave DeWalt,president and chief executive officer of Documentum,isresponsible for all aspects of the company’s busi-ness and has been the driving force behind thecompany’s development of a platform to manageall content types, enabling organizations toenhance operational efficiencies and reduce costs.
Dave DeWalt
Michael J.Poehner
responsible for establishing proper recordkeeping guidelines, policies and procedures.A cottage software industry has beenspawned to assist with records retention anddisposition challenges; however, accuraterecordkeeping has been difficult—if notimpossible—to enforce outside of therecordkeeping department.
The unprecedented attention that recordsmanagement is currently generating can beattributed to two main factors:◆ A recent epidemic of spectacular corporate
blunders resulting in newly introduced orupdated government and industry regu-lations which apply to every organiza-tion—from Fortune 500 corporations tosole traders; and
◆ An explosive growth in the volume ofelectronic records as a result of the wide-spread use of electronic documents, theInternet and, most of all, e-mail.
The Compliance Challenge
As organizations struggle to cope withtoday’s compliance challenges, it is clearthat structured and repeatable processesthat are backed by sophisticated and scala-ble automation must now drive corporaterecords management.
The quantity and complexity of new reg-ulatory requirements is staggering:◆ U.S. Federal Government’s Sarbanes-
Oxley Act alone requires public companiesto document all correspondence, transac-tions, policies and procedures that impacttheir financial models and controls. Further,
they must retain these documents (both pa-per and electronic) for audit purposes andany potential investigation or lawsuit. Notto mention, it also provides protection for“whistleblowers” at publicly traded com-panies and new criminal penalties (includ-ing jail time) relating to fraud, conspiracyand interfering with investigations;
◆ NASD (National Association of SecuritiesDealers) and SEC (Securities and ExchangeCommission) regulations require agents,broker/dealers and investment firms to cap-ture and retain all internal and external com-munication (including e-mail and instantmessages) that are related to a customerand/or transaction; and
◆ Every industry is affected, and often bymore then one regulatory statute. For ex-ample, a healthcare company can be subjectto both Sarbanes-Oxley and HIPAA1.
What Makes a Record?The term “Record’ can be applied to
any document, content or object that isimportant to your organization and musttherefore be recorded.
Records can be generated internally byemployees via personal computer desktopapplications, or received from othersources in a variety of formats includingpaper, microfilm and in the form of elec-tronic documents such as e-mail and e-mailattachments.
“Records Management” describes theactivity of ensuring that content is kept(retention) for the appropriate amount oftime and then destroyed (disposition) in
Supplement to
Records Management:The Content, Process and Connectivity Challenge
Until recently, records management pro-grams have been dismissed as back-officecost centers with little or no business benefit.
However, the highly publicized failuresand missteps of several notable companies in recent times have repositioned recordsmanagement and corporate accountability tocenter stage, particularly in the areas of elec-tronic records keeping and e-mail archival.
Industry and government regulationshave been created or revised to provide“real teeth.” Some examples include theSarbanes-Oxley Act in North America andvarious e-government policies in theEuropean Economic Community and AsiaPacific. Non-compliance can now lead tosevere financial penalties and jail terms forCEOs and CFOs.
On the upside, there are many advantagesto be gained from implementing a corporaterecords management program. The privatesector is beginning to recognize that, proper-ly implemented and enforced, records man-agement can reduce business risk, increaseoperational efficiency and save money.
Despite all of the recent media attention,records management is not new. Fordecades, the care-taking of important docu-ments, files, contracts, films and physicalobjects has been largely taken for granted.Over the years, businesses and governmentagencies have relied upon traditional toolssuch as filing cabinets, file folders and off-site archives to meet their basic records man-agement requirements.
Guided by law, regulations and businesspolicy, the Corporate Records Manager is
September 2003S12
As director ofinternational productmarketing at FileNetCorp., the leadingprovider of EnterpriseContent Management(ECM) solutions, H.Harris Hunt overseesthe corporation’sinternational productmarketing efforts andits Image Managerproduct suite.
Hunt joined FileNet in 1999 to lead the development ofFileNet’s Content Management and Business ProcessManagement solutions. His areas of expertise consistof business operations with a background in variousaspects of organizational management, includingmergers and acquisitions. He possesses in-depthknowledge about both software and mechanicalengineering. In addition, he is adept in specific andoverall business benefits of utilizing ECM solutions, aswell as addressing industry trends and strategy behindECM implementations. Hunt graduated from CornellUniversity with a Bachelor of Science degree inMechanical Engineering.
H. Harris HuntBy H. Harris Hunt, Director of International Product Marketing, FileNet Corporation
“An electronic records management solution must
employ process enforcement to ensure that records
are destroyed (or archived) at the right time, for
the right reason, and by the right person.”
Supplement to September 2003 S13
accordance with corporate policy, which isdetermined by law in most cases.
Many FileNet customers are already usingFileNet repositories to store vital companyrecords. Many of these systems includeretention and disposition rules held withinworkflow procedures and document classproperties.
With the company’s recent introduction ofits new ECM architecture, FileNet P8, FileNetprovides new and existing customerswith a platform upon which to develop a corporate records management strategy.FileNet’s Records Manager solution inte-grates records management into the FileNetP8 architecture, adding value to the cus-tomer’s overall ECM implementation. Thiscreates the ability to leverage ECM contentand process management capabilities, andprovides a framework to integrate with exist-ing FileNet repositories, third-party reposito-ries and other business systems.
FileNet Records Manager serves twodistinct groups of users:
Business Users: Those responsible fordeclaring and classifying records. A keyobjective here is to minimize business-userintervention so these activities may be par-tially or fully automated; and
Records Managers/Administrators:Those responsible for administering the fileplan and managing retention schedule,reporting and security requirements.
The Business Process ChallengeRecords management is more than just
managing content. Enforcement and proofare two of the most important aspects
of recordkeeping. WorldCom and Enronhad business policies in place to properlycare for their records. The problem was thatthese polices were overridden or ignored.Records were altered or destroyed. Theseactions were not properly authorized—therewas no enforcement! An electronic recordsmanagement solution must employ processenforcement to ensure that records aredestroyed (or archived) at the right time, forthe right reason, and by the right person.
Gartner believes that Business ProcessManagement (BPM) technology is key toenforcing records management policies and retention periods, typically the mostchallenging aspects of corporate recordsmanagement programs.
For example, FileNet’s Records Managerleverages the FileNet BPM suite, which pro-vides a critical records management elementby supporting content destruction, based onlifecycle status and disposition approvalprocesses. And FileNet BPM provides pre-defined workflow operations (or compo-nents) that can be used in custom applicationsto automate the records declaration process.
In addition to managing the content prop-erly, records management necessitates theimplementation of business process manage-ment with defined records declaration andclassification rules to drive the entire contentand records management lifecycle.
Records Manager helps solve regulatorycompliance and record management issues by:◆ Reducing the risk of litigation and pro-
viding business continuity;◆ Enforcing corporate compliance proce-
dures;
◆ Organizing, securely storing and quicklyretrieving essential company records;
◆ Storing only records that are required foras long as they are required; and
◆ Ensuring that expired records are de-stroyed in a legally acceptable manner.
In the current highly regulatory environ-ment, organizations across all industries arefacing unique and highly fluid compliancechallenges. To satisfy both current and futurechallenges, organizations require a highlyextensible architecture to capture, declare,classify, store and dispose of both electronicand physical records according to their fiscal,legal and regulatory requirements.
A single-system architecture assistsorganizations in achieving records manage-ment compliance through the managementof content, business processes and connec-tivity to existing systems.
Content: Securely storing electronic con-tent within a repository is a requisite for any records management program. WithFileNet’s P8 architecture, records can bestored in FileNet or other external reposito-ries. Connectors to other external repositoriesensure that customers can leverage their exist-ing investment. FileNet Records Manageralso allows customers to manage their physi-cal records management requirements.
Process: BPM provides a solution towhat is considered the most challenging ele-ment of a compliance program: enforce-ment. BPM ensures that content designatedto be declared and classified as a record canbe done so automatically as part of a busi-ness process. Disposition approval processescan also be automated to ensure that recordsretention policies are followed.
Connectivity: Out-of-the-box connectiv-ity to leading e-mail systems, desktop appli-cations and existing repositories can ensurethat no matter where records are created ordeclared, information can be captured andmanaged as a record. ❚
FileNet Corporation (NASDAQ: FILE) helps organizations make betterdecisions by managing the content and processes that drive theirbusiness.FileNet’s ECM solutions allow customers to build and sustaincompetitive advantage by managing content throughout their organ-ization, automating and streamlining their business processes, andproviding the full spectrum of connectivity needed to simplify theircritical and everyday decision-making.
Since the company’s founding in 1982, more than 3,900 organiza-tions, including 80 of the Fortune 100, have come to depend onFileNet solutions for help in managing their mission-critical contentand processes.
Headquartered in Costa Mesa,California,FileNet markets its innovativesolutions in more than 90 countries through its own global sales, pro-fessional services and support organizations, as well as through itsValueNet Partner network of system integrators, value-added resellersand application developers.1 The Health Insurance Portability and Accountability Act of 1996(Public Law 104-191), also known as HIPAA, was enacted as part ofa broad Congressional attempt at incremental healthcare reform.The “Administrative Simplification” aspect of that law requires theUnited States Department of Health and Human Services (DHHS) todevelop standards and requirements for maintenance and transmis-sion of health information that identifies individual patients.
FileNet's Enterprise Content Management offering enables a holistic view of records management through its focus on content,process and connectivity to other applications,databases,and systems.
a moment’s notice—it is what regulatorswant and what best business practicesrequire. For example, with respect to e-mail in U.S. businesses, 14% of companieshave been ordered by a court or regulatorybody to produce employee e-mail, often onshort notice. Legal demands like this willcontinue to increase with the explosivegrowth of e-mail.
Records come in traditional formats, aswell as any number of newer data sources.Electronic documents, e-mail and instantmessages (IM), video, engineering drawings,X-rays and even audio files need to beretained. A critical part of doing businessincludes capturing, organizing and intelli-gently accessing all of this information as“content”—no matter the original format ofthe data. The downside of poor, or no, recordsmanagement is well documented, both in thelegal and business operations sense. For
instance, the Sarbanes-Oxley Act can imposefines as well as criminal penalties.
Compliance: A New Facet of RecordsManagement
Compliance isn’t just a technical solutionfor storing and managing information, butalso a set of rules and practices based onbusiness goals and regulations. This is evi-denced by the many regulations in place,such as SEC Rule 17, which governs securi-ties firms, or the Health Insurance Portabilityand Accountability Act (HIPAA) that appliesto healthcare providers and insurers. Toensure that compliance is an integral part ofthe records management program, recognizethat all enterprise data has a lifecycle.
The information lifecycle approach is aholistic view that considers information ashaving a “living, breathing” existence with abeginning, middle and end. As a result, anenterprise should implement appropriatepractices that recognize that not all data iscreated equal. For example, regulationsrequire public companies to retain certain e-mails and IM for at least three years, andthen also be able to retrieve them quickly.Using an information lifecycle strategy helpsensure compliance.
An information lifecycle approachshould drive today’s records managementstrategy. As information is created in a myr-iad of formats, it must be captured andindexed, then stored, protected and madeaccessible. Subsequently, after its useful orlegal lifespan, information needs to be dis-posed of. Everything can’t be retained for-ever, nor do you want it to be—again, that’swhere the information lifecycle comes intoplay. Proper disposition eases the burden byreducing storage volumes and limits riskpertaining to future legal liability.
Driving Strategic ChangeOrganizations must manage data accord-
ing to its legal and business value—notaccording to its method of creation. Todaythe threat of non-compliance with regula-tions is compelling many businesses torevisit their approach, making records man-agement a new priority. Create a compre-hensive information lifecycle managementstrategy based on the business value of yourinformation. The ultimate goal is to opti-mize costs and improve management effec-tiveness, to leverage your investments, andto meet compliance requirements. ❚
LEGATO is a global provider of enterprise-class Content Managementsoftware for Information Lifecycle Management (ILM). Through achannel of strategic partnerships and alliances, LEGATO delivers aunique combination of content, storage and availability managementsoftware solutions that provides organizations with operational effi-ciency, improved productivity—and regulatory compliance—cou-pled with substantial ROI and cost savings opportunities.
Supplement to
From the Backroom tothe BoardroomCompliance Drives a New Era in Records Management
A key challenge facing senior manage-ment, and their IT departments, is legalcompliance with recordkeeping. Informa-tion assets require records management,which is defined as the policies, technologyand management controls for that informa-tion. More and more, compliance with in-dustry and government regulations relatingto the access, protection and storage of con-tent is prompting a closer look at recordsmanagement.
Records in the Digital AgeWhy the current focus on compliance
and records management? The well-beingof an enterprise or government agency maydepend upon their ability to managerecords effectively. Today, data manage-ment includes having access to the rightinformation and being able to retrieve it at
September 2003S14
By Amena Ali, Vice President Marketing, LEGATO Systems, Inc.
LEGATO’s Information Lifecycle
Supplement to September 2003 S15
financial reporting while the Basel AccordII will mandate that banks supply detaileddata to assess risk. The executive controlrequired to better avoid dangerous materialmisstatements, and the analysis needed toidentify the risks associated with businessprocesses, demand total visibility of thecontent found in telephone calls, e-mailand instant messages. Given that theseaccount for more than 80% of daily trafficinside an organization, automated analysisof this content in real time is a necessity.
Aungate, a division of Autonomy, hasdeveloped a software technology specifi-cally tailored to help enable compliancewith these and other procedures, whilefacilitating financial reporting processesincluding the assessment of risk. UsingAutonomy’s Intelligent Data OperatingLayer (IDOL) technology, Aungate enablescompanies to avoid regulatory risks andprotect corporate interests by forming anunderstanding of all types of communica-tions, identifying critical information andautomatically alerting the right people inreal time.
With the Aungate solution, humans are nolonger required to manually read through,tag and distribute such communications
as e-mails, internal docu-ments and voicemails. Atthe same time, customerand employee privacy issafeguarded and respected.
For example, in thecase of financial services,many CEOs and CFOsare now personally re-sponsible for their organizations’ account-ing operations and facesevere penalties if theircompanies do not meetaccepted accounting practices and standards.Executives and their cor-porate interests can beprotected by aggregatingall corporate communi-cations and automatically
breaking them into information clustersbased on the content. Executives can spottrends in communications and easily pin-point misuse of financial data.
Autonomy’s unique Intelligent DataOperating Layer (IDOL) integrates unstruc-tured, semi-structured and structured infor-mation from multiple repositories throughan understanding of their content.Autonomy grants enterprises the flexibilityto use advanced information retrieval orlegacy-based approaches. At the heart ofAutonomy’s software is its ability to process
text, voice and video and identify and rankthe main concepts within them. It then auto-matically categorizes, links, summarizes,personalizes and delivers that information.Autonomy’s technology also drives collabo-ration across the enterprise and enablesorganizations to effectively leverage expert-ise. Autonomy’s infrastructure technology isused to automate operations within enter-prise information portals, customer relation-ship management, knowledge management,business intelligence and e-business appli-cations, among others. ❚
David Armstrong joined Autonomy in 1999 to start and manage thecompany’s OEM business program.With more than 10 years experi-ence in enterprise software, David has built strategic alliances withtechnology vendors throughout Europe and the United States. UnderDavid’s direction,more than 55 other software companies now licenseand embed Autonomy’s technology within their own applications toautomate the handling of unstructured information.David holds a B.A.from the University of Wisconsin.
To find out how Aungate can help protect you, contact us at877.692.8866, or visit the website at www.aungate.com.
Creating an AutomatedCompliance Solution
Non-compliant and or unauthorized com-munications, such as e-mail, can result incostly lawsuits, damaged reputations and ul-timately lost revenue. In fact, recent corpo-rate scandals involving fraudulent account-ing and conflicts of interest within financialservice institutions have raised awarenessabout the significance of internal corporatecommunications. Today, organizations arerequired to comply with numerous regula-tions from the SEC and NASD. As enter-prises struggle to manage the overwhelm-ing volume of electronic communicationsgenerated by their workforce—in formssuch as e-mail, instant messaging, knowl-edge sharing and management systems, cor-porate intranets and electronic documents—executives must look to new developmentsin technology to manage the informationand minimize risk.
It has been reported that an alarming80% of financial institutions do not yetmeet existing SEC compliance regulations,such as the newly legislated Sarbanes-Oxley Act of 2002 and the Basel II Accord.The Sarbanes-Oxley Act requires execu-tives and auditors of public companies todocument and certify the effectiveness ofinternal controls and procedures related to
By David Armstrong, Vice President of Business Development, Autonomy Inc.
Aungate’s Total Compliance Solution
Elements of Total Compliance Aungate’s Total Compliance Solution
encompasses the following areas:◆ Aungate E-mail and Instant Com-
pliance—Accurate monitoring and de-tection of email and instant messagingcontent, as well as automatic routing ofnon-compliant content.
◆ Aungate Voice Compliance—Auto-mated call understanding, clustering ofcontact trends and automatic alerting ofnon-compliant calls.
◆ Aungate Web and Spam Filtering—Industrial-strength network protectionthrough automatic filtering and detec-tion of unwanted content.
◆ Aungate Investigation Manager—Automatically monitors employee-to-employee communications and pro-vides high-level analysis tools to enablemanagement to really understand whatcommunications have taken place.
Preparing for Compliance:Automating Controls
Section 404 makes dependence on man-ual processes riskier than ever. To ensureadequate controls, Finance and IT mustcoordinate efforts to acquire or develop asystem that automates the collection, veri-fication, audit, balancing and reconciliationof financial information across all corpo-rate applications and platforms. Keyrequirements for this system include theability to:◆ Transform human logic into audit, bal-
ancing and reconciliation rules. It is endusers in the finance organization—in-cluding the CFO—who know the balanc-ing rules and, not incidentally, who are re-sponsible for the accuracy and validity ofthe data. The system must capture theuser’s understanding of the required bal-ancing logic and transform that logic intorules that then automate—and docu-ment—the process. The tool must be easyenough to use for users at any level to“teach” the system the business rules thatgovern financial reporting.
◆ Perform cross-application and cross-plat-form balancing and reconciliation. Cor-porations typically support many appli-cations across several platforms, from alegacy general ledger system on OS/390to an enterprise resource planning systemin a Unix environment to customer rela-tionship management and human re-sources applications on Windows NT. Buthow do you know if the HR system ispassing the right information to the gen-eral ledger or if the reports generated bythe ERP system are correct? It is criticallyimportant that your system be able to bal-ance, reconcile and verify data within andacross all applications, data types, data-base structures, operating environmentsand platforms.
◆ Trigger corrective action and notification.What do you want to do when an out-of-bal-ance condition occurs? You must be able to
set these actions conditionally and for a widerange of measures. For example, if today’saccounts receivable is out of balance by $5,you may want to simply report the error andkeep processing. If it is out of balance by$10,000, you may want to start an item rec-onciliation process in which the underlyingdetail transactions are verified and trigger aworkflow process that incorporates the orig-inal documents along with the exception re-port. If the same rule is out of balance by$1,000,000, you may want to invoke thoseprocesses and also send an immediate e-mailalert to the manager responsible for that lineof business.
◆ Link values back to the document of record.The system must be able to drill back intothe originating financial document and gen-erate a hard audit trail of the entire businessprocess. Just as important as having thecontrols and proving that they have beenproperly applied is the ability to easily ac-cess the original documents and dynami-cally link them to the process that producesfinancial reports. This creates a closed loopthat fulfills the requirements of the Sar-banes-Oxley Act.
There are tools available today that enablecompanies to easily and cost-effectively auto-mate the controls and processes mandated bythe Sarbanes-Oxley Act. One example is theViewDirect Compliance suite of productsfrom Mobius Management Systems, Inc.These solutions enable corporations to lever-age their investments in financial systems andIT infrastructure and meet the new require-ments with confidence. ❚
Mobius is a leading provider of integrated solutions for total contentmanagement.The company’s ViewDirect TCM suite includes an inte-grated repository, a facility for accessing content across disparaterepositories, and a broad range of solutions that meet all contentrequirements.
Supplement to
Ensuring Compliancewith Automated Controls
A recent cartoon depicts a personnel di-rector asking a pinstriped job applicant:“How do you feel about doing time?” Andlate-night TV comedians have had a fieldday as regulators, legislators, lawyers andaccountants have scrambled to restore con-fidence in corporations and markets rockedby accounting scandals.
The Sarbanes-Oxley Act, passed in July2002 and designed to restore that confi-dence, holds responsible both the corpora-tions whose financial information is criti-cal to the economy and the audit industrythat attests to the accuracy of that informa-tion. The Act holds CEOs and CFOs ofpublic companies personally responsiblefor the accuracy of the financial informa-tion their companies report and imposesstiff penalties for false certifications.Based on charges of document shreddingin several high-profile cases, the Actincludes a stringent document retentionpolicy and mandates a comprehensive sys-tem of internal controls.
It is this last item, embodied in Section404: Management of Internal Controls,that will have the most impact on the day-to-day lives of CFOs and CIOs. It requiresmanagement to establish and maintainadequate internal controls and proceduresfor financial reporting, and to assess theeffectiveness of those controls. The idea isthat the increased focus by management oninternal controls will reduce the possibilityof errors and fraud in financial reporting.
It sounds simple. But the internal con-trols for financial reporting in most U.S.companies are currently lenient at best. Inmany companies, the information is col-lected from multiple systems and consoli-dated into spreadsheets for planning, budg-eting and reporting. Spreadsheets are, bydefinition, handled manually and prone tohuman error. Numerous studies show thatthe average human attention span is only15 minutes, after which errors such asnumber transposition increase dramatical-ly. No matter how well-defined and well-documented the rules that produce thedata, once it is imported into a spreadsheetfor further manipulation, control is lost andwith it the ability to ensure accuracy.
September 2003S16
Brendan English hasmore than 20 years ofexperience helpingmajor corporationsimplement systemsthat ensure theaccuracy and integrityof enterpriseinformation. He has ledteams proficient in allaspects of balancing,automated controlsand best business
practices related to data verification, reconciliation andregulatory compliance.
Brendan can be reached at [email protected].
Brendan English
By Brendan English, Vice President, Compliance Solutions, Mobius Management Systems, Inc.
to manage the classification, preservation anddestruction of paper records. Document man-agement applications focused on the storageand retrieval of scanned documents and elec-tronic records. The fundamental differencebetween the applications was that recordsmanagement software applied a lifecycleapproach to managing records (records reten-tion and destruction), while document man-agement applications were primarily managedthrough the IT department, whose focus wason efficient storage and retrieval, with limitedor no understanding of the records lifecycleand records management controls. Eachprocess or methodology managed some of theinformation on some of the media (paper orelectronic) some of the time.
Recent corporate scandals have rede-fined the role of records and informationmanagement. Arthur Andersen, Enron andWorldCom are just a few examples thathave made corporate management aware ofthe importance of records management.Regulations such as Sarbanes-Oxley, CFR21 Part 11, and HIPAA have now put sub-stantial consequences to the mismanage-ment of information.
Corporate accountability, regulatorycompliance and legal risk managementhave become driving forces for recordsmanagement in today’s organizations. Nowmore than ever, the lack of managementcontrols over business records meansincreased legal risk.
In today’s regulatory environment, it isconsidered both unwise and risky fororganizations to implement informationmanagement solutions without recordsmanagement controls.
Recordkeeping Revolution
The bottom line is this: organizations,in order to be compliant with today’s regu-lations, must manage their information inan accountable manner, ensuring the relia-bility and trustworthiness of corporaterecords. Regardless of the media on whichrecords are stored (e-mail, paper, PC file,etc.), all records must be managed consis-tently, according to corporate policies and
legal requirements. The new revolution ininformation management is recordkeeping.
Recordkeeping combines proven recordsmanagement controls with document man-agement solutions and includes:◆ Records classification;◆ Records retention;◆ Audit trail;◆ Records security;◆ Version control; ◆ Management of paper records;◆ Management of electronic records/desk-
top files;◆ Management of document images; and ◆ Management of e-mail.
The benefits of a recordkeeping solu-tion include:◆ Regulatory compliance;◆ Corporate accountability;◆ Reduced legal risk;◆ Improved access to information;◆ Improved efficiency and productivity;◆ Reduced costs;◆ Reduced storage space requirements; and◆ Improved decision-making.
A Recordkeeping SolutionIt is important to remember that soft-
ware does not make an organization com-pliant. The organization’s recordkeepingpractices, policies and procedures do.While regulatory compliance is a highlycompelling reason to implement a record-keeping solution, it isn’t the only reason.Every organization, regardless of size,can benefit from a recordkeeping solution.And ... a recordkeeping solution doesn’thave to cost a bundle. ❚
Smead is uniquely positioned to apply over 97 years of records man-agement experience into recordkeeping solutions.Committed to provid-ing innovative solutions for the management of information,Smead hasdeveloped a comprehensive line of recordkeeping software.
Supplement to September 2003 S17
Recordkeeping in Today’sRegulatory Environment
Imagine yourself six years from today:Your organization has just received noticeof a pending legal action. You’ve been or-dered to produce all records related to thecase issue, dating back five years. Are therecords on paper? Saved as images? Werecorresponding e-mails sent? Do theserecords still exist? Where do you start?Would your existing records managementpractices stand up in court?
History of Records and Information Management
The truth is, organizations have alwaysstruggled with the management of theirinformation. As society moved into the infor-mation age, the amount and types of infor-mation grew at an exponential rate, causingorganizations even more information man-agement discord. Many large organizationsand government agencies adopted recordsmanagement principles to gain control oftheir paper records; however, far too often,organizations chose to ignore their recordsuntil a crisis took place.
Advancements in technology introducedrecords management and document manage-ment applications, oftentimes running parallelto one another, but both implemented toimprove the efficiencies of organizations.Records management software was designed
Sharon Hoffman Aventis the owner, Presidentand CEO of SmeadManufacturingCompany, Hastings,Minnesota. Aventjoined the family-owned business in1965 as an hourlyemployee, and wasnamed president andCEO in 1998. SmeadManufacturing
Company has been woman-run since 1955, and Avent,just as her mother before her, continues on with thecompany’s legacy of providing high qualityorganizational products. Founded in 1906 in Hastings,Minnesota and still headquartered there today, Smeadgrosses over $500 million annually and has 2,600employees worldwide.
Sharon Hoffman Avent
By Sharon Hoffman Avent, President and CEO, Smead Manufacturing Company
“Now more than
ever, the lack of
management
controls over
business records
means increased
legal risk.”
Oxley, and concerns over possible sharehold-er and other litigation, will result in gridlockover any future document destruction.
Most organizations skip formal taxono-my development and rush into deploymentby building their classification systemaround index keywords for retrieval. Thisis not a complete taxonomy and will causemany problems later with their documentmanagement system, as well as missingmany reengineering and process improve-ment opportunities. Taxonomy incorporatesthe practice of characterizing the context andrelationships among documents and theirretrieval aspects.
Without a consistent taxonomy acrossall areas of the enterprise:◆ Isolated silos of information systems and
processes expand, causing significantcost, duplication of effort, and liabilitiesto the organization. How many times doyou have to give your personal and in-surance information to different depart-ments of the same hospital?
◆ One group calls a form or report onename, another group another name. Bothgroups file them. Retention rules are ap-plied to the form under one name, but notthe other. When litigation occurs and adiscovery action results, the informationwhich was properly destroyed in one sys-tem is discovered in another and becomesa liability.
◆ One department creates a business formwith many data fields. Another form al-ready exists with the same fields in a dif-ferent layout. A third version exists as anelectronic web form.
◆ Different courts, social services agencies,and prison systems file the same paper
documents. Most of this paper is createdby other government agencies. Whencourts or other agencies request the in-formation, it is copied and exchanged onpaper. 90% of this paper was originallygenerated electronically, yet a half-dozenagencies each undertake the labor to scanand index or file this paper in their ownsystems—and then exchange the data onpaper.
◆ A bank forecloses on someone’s unpaidmortgage, while that same bank issuesthem a new credit card.
The Anatomy of a Taxonomy
A complete document taxonomy typical-ly includes: the document source, creator,owner or control point, version number, fre-quency of update, retention period, effectivedate of the document for retention calcula-tion, related documents in a process, whichversion is the official legal copy, indicationof content subject to regulatory compliancesuch as Sarbanes-Oxley, HIPAA, EPA, FDA,personal privacy acts, company confidential-ity, and indication of information whichpotentially could be used in identity theft orcorporate fraud.
We do not recommend all of these prop-erties be stored in the document manage-ment system for each document, since thisadditional information overhead could createperformance and labor cost issues. Instead,many of these properties are assigned to por-tions of the classification. For example, mostaccounting records are subject to a 7-yearretention period, based on IRS guidelines,i.e., the retention property is applied to agroup of records.
Results Engineering stores these attributesin Contax, our web-based document taxono-my system. This system is used to mine rela-tionships in documents, discover duplicateforms, seek process improvement opportuni-ties, assess risks, and avoid compliance penal-ties. Once the relationships, linkages, andrules are defined, the metadata in Contax isloaded into Records Management, ElectronicDocument Management, and Workflow sys-tems. It is also used as an on-going referenceas active documents evolve, new processesare defined, and new regulatory and compli-ance requirements arise.
An Enterprise Content Taxonomy facili-tates the development and evolution of anorganization’s Content Management sys-tems, while reducing redundancy, error,labor, and legal exposure. Like doing theoccasional inventory, it’s a prudent, neces-sary, and insightful process. ❚
Results Engineering is an industry leader in implementing ECM andWorkflow Automation solutions.Our professional staff has been develop-ing tools, techniques, and integrated systems (such as Contax) since the1980's.Contact:[email protected]:www.ResultsEngineering.com.
Supplement to
Content Taxonomy—Reduce Your Exposure
Remember when you first started imple-menting database systems? Before you knewit, one database had grown to five. Data con-sistency was in question. Years later, youfound yourself wondering why you hadn’timplemented data modeling and data dic-tionaries before the problem got out of hand.A Document Taxonomy is the proper archi-tectural first step, and will easily pay for it-self, across the organization, through smarterdocument creation, storage, retrieval, and re-tention—and decreased audit, compliance,and litigation exposure.
A taxonomy is a classification scheme.Content Taxonomy is a classification of allunstructured content (email, documentimages, HTML, XML, PC files, computerprintouts, audio, and video) into a series ofcategories. This information is metadatadescribing an enterprise’s unstructuredinformation.
Many organizations build purpose-spe-cific document taxonomies focused on oneapplication or department. Few carry it farenough to fully encompass today’s signifi-cant knowledge management, workflow,productivity, audit, control, and compli-ance issues. As a result, organizations areconstantly re-examining their own docu-ments and making the same mistakes overand over. Users spend too much timesearching for information and not enoughtime finding.
Why Taxonomy is VitalCurrently, most public companies are
undergoing internal controls, workflow, anddocument management assessments offinancial records and document retention forcompliance with the Sarbanes-Oxley Act of2002. If a proper content taxonomy existed,this effort would not have to be done. Also,the information being collected is often sofocused on Sarbanes-Oxley that opportuni-ties for process improvement and betterknowledge management are missed.
Without an up-to-date Enterprise ContentTaxonomy database to understand the inter-relationships, controls, and potential liabili-ties of structured and unstructured content,we suspect regulations such as Sarbanes-
September 2003S18
By Greg Boyd, President, Results Engineering
“Users spend too much
time searching for
information and not enough
time finding.”
Supplement to September 2003 S19
the front-end creation process in mind,the collaboration it takes to create andthen publish a document. Once it’s pub-lished, they really don’t do anythingexcept retain a copy. Retention schedules,varying levels of security, etc., came laterin most cases.
We take the approach that it’s a docu-ment management problem, and youshould begin managing it from the momentof creation. It’s a matter of product philos-ophy. Recently we’ve seen a lot of recordsmanagement functionality being added toDM products, which suggests to me thatthose products weren’t formerly equippedto handle records.
Kosinski: A lot of customers havelegacy, homegrown records managementprocedures for physical documents, suchas boxes of paper or microfilm. Butthey’re discovering they need a consistentmethod for managing all their recordableassets—electronic, e-mail, instant mes-saging, even rich media and voice. We’retrying to provide a platform that canaccommodate all those content types, andthen a records discipline that can regardall of those—when appropriate—asrecords. This would unify the recordsmanagement approach for those cus-tomers who have varying formats, andallow them to be maintained in theirnative state, which is required by certainregulations. That broad platform approachis what customers are demanding.
McKinnon: It’s more than just the abil-ity to automate the retention and dispositionschedules. It’s also the ability to put thebackup business rules behind the activities;for example, being able to justify that youcan delete this document after seven yearsbecause of Section 802 of Sabanes-Oxley—being able to apply those authorities andcitations or internal guidelines to the deci-sions you’re making with regard to infor-mation management. Traditional docu-ment management wouldn’t really havethat extra layer of business logic. I’ve seenpeople build this from core DM systems,but if you can get it out of the box for min-imal additional cost and training, there’s agreat advantage in moving toward a recordsmanagement module.
Rhinehart: There are plenty of goodphysical-records software products thathave grown up over the years, and havemoved into electronic records, and havecreated a sort of cottage industry. Butprocess management is critical to anyrecords management solution. Particularlywith Sarbanes-Oxley, where—through anauditing process—you have to proveadherence to compliance, ultimately it’s theability of the organization to enforce theprocess and enforce adherence to policies
that will get them through any future com-pliance entanglement. It’s not just theenterprise content management piece, it’sthe enterprise content piece PLUS processmanagement that’s important.
Parrott: Many companies now usedocument management tools that havebeen available for years for records man-agement. Workflow capabilities, class-of-document designation, processes for howand when documents need to bedestroyed. But those have been built up ona departmental level. What’s happeningnow is a ‘coming of age’ for records man-agement. Disposition decisions need to bemade at a corporate level rather than adepartmental level.
Rose: The other issue that arises fromdisparate data types is this: you’ve got tofigure out how to collect it all, and that’snot a trivial task. It’s a huge task that oftenfalls upon people in the organization forwhom it is a very foreign thing.
The other factor is that the request fordata format is often made by outside counsel.Regardless of how it’s stored inside yourenterprise, Fios has seen requesting lawfirms request paper! You may be compelledto provide it in a format of the opposingcounsel’s choice. So you’re obliged to main-tain data in its native format, but in litigationthe outside counsel may drive the way inwhich they want the data delivered.
Kosinski: And sometimes it’s theinternal practice of the organization.We’ve had customers who archive recordselectronically, but also print much if it outand save the paper also. My reaction is,‘Well, OK, we can do that, if that’s whatyou really want...’
Rose: There are many law firms—notall, but still many—that adhere to the oldways of doing things.
Parrott: These cases represent oppor-tunities for us as vendors and analysts toeducate the market on how things couldbe done better. Instead of printing out e-mails, they should store them on unalter-able media with a full audit trail to docu-ment everything that happened to thatrecord along the way. By doing so, thesedepartmental solutions that have theirown disparate processes and methods forstoring records, such as microfilm orpaper or whatever, could scale up to theenterprise level. The only way you can dothat is to provide consistency, commonformats and standard processes to man-age it all.
Moore: What effect is all this consoli-dation having on the marketplace at large?
DeBellis: The need to catalog and trackall these different types of content fits rightinto what’s happening in the marketplace.Smaller, niche vendors are being swal-lowed up by larger vendors who empha-size enterprise content management over
point solutions such as document manage-ment or web content management. Anenterprise point of view provides a unifiedrepository for all the different types ofcontent you need—that includes enterpriserecords management.
And it’s not just the various content andrecords management systems that are beingintegrated, but the larger vendors will beable to also provide the integrated portal atthe front end. We’re still seeing mostlytwo-vendor situations—one with the portaland one for content management. But evenin those cases, there have been pre-pro-grammed plugs to allow for the, say, BEAand Documentum systems to work togeth-er with the integration figured out inadvance. So more and more consolidationis happening.
Rhinehart: Every day you hear aboutanother acquisition of a records manage-ment company. Everyone is trying to capi-talize on the opportunity. How long thisperiod will last depends on whether thereare any more corporate meltdowns. Theebbs and flows of Wall Street will havemuch to do with how the ‘fear, uncertaintyand doubt’ factor plays out. But the smartcompany is looking at how they can man-age the ongoing cost of compliance.
McKinnon: We’ve always had cus-tomers that used their DM system forrecords management. It’s harder, andthere’s more work involved for the CIOor the records manager. Typically thestrength of records management has beenin the enhanced handling of paper andphysical storage, and the ability to setmuch more stringent and automatedretention and disposition rules. So therecertainly is a lot of advantage to havingrecords management functionality. Butthere’s definitely a blurring in the mar-ketplace of document and records man-agement practices and technologies;they’re coming much more closelytogether. The market is asking for a muchmore holistic approach.
Moore: Is there a value proposition to bemade for RM? Or is it simply a necessaryevil?
Sink: Records management is not mere-ly a cost of doing business. If deployed cor-rectly, there is an upside in terms of workefficiencies and other costs of doing busi-ness. It’s not as startling on the top line as itis on the bottom line, but it can reduce youroverall costs of getting there.
To learn more about records managementand regulatory compliance, subscribe orrenew your subscription to KMWorldMagazine at www.kmworld.com/subscribe. ❚
continues from page 3
www.infotoday.com
Produced by:
KMWorld MagazineSpecialty Publishing Group
For information on participating in the next white paper in the “Best Practices” series. contact:[email protected] or [email protected] • 207.338.9870
Kathryn Rogals Paul Rosenlund Andy Moore207-338-9870 207-338-9870 [email protected] [email protected] [email protected]
For more information on the companies who contributed to this white paper, visit their Web sites or contact them directly:
www.kmworld.com
Autonomy Inc.301 Howard StreetSan Francisco CA 94105
PH: 415.243.9955Fax: 415.243.9984E-mail: [email protected]: www.autonomy.com
FileNet Corporation3565 Harbor BlvdCosta Mesa CA 92626
PH: 800.FileNet or 714.327.3400Fax: 714.327.3490Web: www.filenet.com
Documentum, Inc.6801 Koll Center ParkwayPleasanton CA 94566
PH: 925.600.6800Fax: 925.600.6850E-mail: [email protected]: www.documentum.com
Fios, Inc.921 SW Washington Street, Suite 850Portland OR 97205
PH: 877.700.3467 or 503.265.0700Fax: 503.265.0001E-mail: [email protected]: www.fiosinc.com
Fujitsu Consulting333 Thornall StreetEdison NJ 08837
PH: 800.882.3212 or 732.549.4100Fax: 732.549.2375E-Mail: [email protected]: us.fujitsu.com
Hummingbird Ltd.1 Sparks AvenueToronto ON M2H 2W1
PH: 877.FLY.HUMM or 416.496.2200Fax: 416.496.2207E-mail: [email protected]: www.hummingbird.com
LEGATO Systems, Inc.2350 West El Camino RealMountain View CA 94040
PH: 650.210.7000Fax: 650.210.7032E-mail: [email protected]: www.legato.com
Mobius Management Systems, Inc.120 Old Post RoadRye NY 10580
PH : 800.235.4471 or 914.921.7200FAX: 914.921.1360E-mail: [email protected]: www.mobius.com
Results Engineering130 Wetherby LaneWesterville OH 43081
PH: 614.899.2950Fax: 614.899.2249E-mail: [email protected]: www.reeng.com
Smead Software600 Smead BoulevardHastings MN 55033
PH : 800.216.3832 or 651.437.4111Fax: 800.216.3837E-mail: [email protected]: www.smeadsoftware.com
TOWER Software11490 Commerce Park Drive, Suite 120Reston VA 20191
PH: 703.476.4203Fax: 703.476.4371E-mail: [email protected]: www.towersoft.com