
2008 Doculabs, 200 West Monroe Street, Suite 2050, Chicago, IL 60606, (312) 433-7793, [email protected]. Reproduction in whole or in part without written permission is prohibited. Doculabs is a registered trademark. All other vendor and product names are assumed to be trade and service marks of their respective companies.

As organizations face heightened regulatory oversight, the technology to manage content has become a key part of how an organization approaches its compliance function. Effective management of content has also become increasingly critical for organizations facing litigation, as they seek to manage potentially discoverable information.

Today, an estimated 85 to 90 percent of the content created within an organization now exists electronically. Business operations are generating vast volumes of unstructured data – ranging from the content created in desktop applications to the web content and digital assets that are created and used in the course of business. Add to this the growing volume of digital communications – email, as well as the increasing use of instant messaging, PDAs, and voicemail – and it’s clear that today’s organization has many more sources of information to manage than the organization of even just five years ago.

The question for your organization is whether you are taking proactive steps to manage your content and make optimal use of the available technologies – not just to improve operational efficiency, but to facilitate both compliance and litigation discovery.

In this white paper, Doculabs has compiled the top ten questions our consulting clients are asking us about managing content to address compliance- and litigation discovery-related challenges, together with answers that will help you to begin a compliance initiative in your own organization.

Doculabs White Paper

The Proactive Organization: Managing Information for Compliance


Overview

Compliance has always been a part of the cost of doing business. But that cost has gone up considerably in recent years. Organizations are now subject to increasing oversight under a variety of government and industry regulations – with heavy penalties and potentially damaging public exposure if they fail to comply. Compliance requires management of a defined set of documents, ensuring they are retained and can be produced when requested by the applicable regulators.

But many of these organizations also face the possibility of litigation, with the obligation to preserve potentially discoverable information – much of which is likely to be electronic. In the absence of effective information management, an organization can face exorbitant costs for litigation discovery, given that this potentially discoverable information includes everything from word-processing documents and spreadsheets, to web content, engineering drawings, and digital assets, to email, instant messaging, PDA text messages, and voicemail – all of which falls into the category of electronically stored information (ESI).

No longer can an organization easily claim that searching for the requested information is an undue burden. With the issuing of amendments to the Federal Rules of Civil Procedure (FRCP) late in 2006, all that ESI is now subject to discovery, so long as “the information can be obtained, translated if necessary, by the respondent into reasonably usable form.” Factor in the hefty penalties and the risks of public exposure, and the costs of discovery have never been higher. Clearly, how an organization manages its electronically stored information matters now as never before.

Technology is part of the answer – particularly enterprise content management (ECM) technologies that manage unstructured content and enable appropriate management and retrieval of information. If, as in many organizations, your unstructured content is stored in multiple repositories, across multiple locations, you may be taking steps to consolidate and optimize your existing ECM platforms; you may also be looking into software solutions to address records management and email management.

But technology is not the whole answer. Meeting today’s compliance and litigation discovery challenges also involves process and people: policies and procedures to ensure compliance management; and people, as those policies and procedures related to records and information management are socialized throughout the organization. An effective approach to compliance requires a program that encompasses all three of these components.

Doculabs has consulted for many organizations that have sought to get their unstructured content under control. In this white paper, we have compiled the top ten questions our clients are asking us when it comes to compliance- and litigation discovery-related issues, together with answers that will help you take steps toward becoming a proactive organization.

Some industry statistics on ESI volumes:

• More than 97 percent of documents are electronic, and most of them will never become paper.

• North America sends more than 4 trillion emails per day.

• Worldwide, organizations create between 1 and 2 exabytes of information annually (1 exabyte = 1 trillion books).

(Source: AIIM – ARMA)

Some statistics on litigation trends:

• An estimated 90 percent of U.S. companies are involved in litigation.

• The average company is juggling 37 lawsuits.

• Larger companies (revenues > $1 billion) are juggling 147 lawsuits.

• For companies with revenues greater than $100 million, electronic discovery is the greatest concern.

• For companies with revenues below $100 million, compliance issues are the greatest concern.

(Source: Litigation Trends Survey, Fulbright & Jaworski)

• An estimated 35 percent of all corporate documents contain legally sensitive information.

(Source: Cohasset survey, 2005)


Doculabs’ Top Ten Questions

Following are the top ten compliance- and litigation discovery-related questions that organizations are asking Doculabs:

1. How does enterprise information management impact compliance and litigation discovery?

2. How should the new Federal Rules of Civil Procedure affect the way our organization manages information?

3. What’s involved in doing a repository inventory?

4. What are the pockets of electronically stored information that we may not have thought of?

5. We’re deploying an email management tool. Will that cover the email issue?

6. Where does records management fit into the compliance and litigation discovery picture?

7. How does enterprise content management technology serve as the foundation for compliance and litigation discovery initiatives?

8. Why do we need a program to address compliance and litigation discovery issues?

9. What does it take to develop and implement a compliance program?

10. What kind of governance structure will we need to support and maintain our compliance program?

Key Issues Related to Compliance and Litigation Discovery:

• Increasing costs: The cost of compliance within organizations is increasing rapidly (including both actual and opportunity costs).

• Exorbitant litigation discovery costs: The cost of litigation discovery is disproportionately high and rising rapidly in the face of increasing volumes of information.

• Increasing regulatory oversight: The number of statutory and regulatory requirements is increasing, requiring that organizations expend resources to respond.

• Uncertainty of settlement risk: There is a high degree of uncertainty in determining the level of the settlement that might be required in any litigation.

• Underutilized technology: Technology is not being effectively utilized to streamline compliance and litigation discovery efforts.

• Deficient policies, procedures, and processes: Many organizations fail to develop adequate policies, procedures, and processes and do not socialize those policies, procedures, and processes to ensure efficient compliance management.

• Poor information management: Unstructured information is poorly managed, thereby compromising the integrity, confidentiality, and accessibility of critical information.

1. How does enterprise information management impact compliance and litigation discovery?

Discussion

According to industry research conducted by the Tower Group, businesses worldwide now create more than 7.5 billion Microsoft Office documents each year. Chances are, many of those documents are going largely unmanaged, stored in whichever repository is the most convenient, possibly duplicated on business users’ hard drives or in email attachments, with no expiration date (i.e. retention schedule) applied, and in formats that may be difficult to produce.

Many organizations had policies and procedures in place when their business processes ran primarily on paper documents, but they never quite got around to addressing the electronic counterpart. They’ve now had as much as 25 years in which to accumulate ESI, and the sources and formats of this information, not to mention the volumes, are only proliferating.

Figure 1: The Evolution of Discoverable Content

The result of this poor management of ESI is the compromise of the integrity, confidentiality, and accessibility of business-critical information. From the compliance standpoint, many organizations are unable to attest to the maintenance of business records that’s now required to demonstrate compliance with regulations such as Sarbanes-Oxley, HIPAA, or the many other requirements of local, state, federal, or international regulatory bodies. Nor can they easily produce the relevant records when requested (and failure to produce them in a timely fashion may be regarded as obstruction).

Likewise, from the litigation discovery standpoint, the absence of effective information management means a long, arduous, and costly process to retrieve and produce the specific ESI that’s requested in the discovery phase of litigation – a process known as e-discovery.

What are the major cost components of e-discovery?

• Information identification and collection

• Processing, review, and analysis of the collected information

• Production and presentation

• Hardware and software costs

• Third-party counsel and discovery vendor services

• Organizational impact of unfavorable rulings


Factors to Consider

Poorly managed ESI is leading to escalating costs for response to both regulatory actions and to litigation. Specific cost components include the costs associated with search and retrieval, information preparation, production and forensic costs, as well as the hardware and systems costs. Then there are the “miscellaneous” costs: the costs of hiring services firms to restore, search, and “de-dupe” (i.e. remove duplicate documents from) backup tapes. Consider, too, the cost of disruption to normal business processes during an ongoing search, as well as the opportunity cost – the money that could be put to other uses. Then there’s the business impact of unfavorable rulings. Companies that don’t have a handle on their ESI can pay for it twice: in the financial penalties, and in the loss of public and shareholder confidence.

For some actual dollar figures, consider that in 2002, several financial services firms were each fined $1.65 million for failing to maintain all business-related emails for three years as mandated by SEC rules. In 2003, another financial services organization was charged a total of $605,000 to restore, search, and de-dupe a total of 124 backup tapes (that’s almost $5,000 per tape). For the average mid-to-large enterprise, industry estimates for e-discovery costs range from $100,000 to $600,000 – per lawsuit. And organizations can no longer easily make the claim that searching through their ESI represents an undue burden (see Question 2).

In some industries, litigation costs have long been regarded as one of the costs of doing business. But the implications of e-discovery are far broader than the examples we’ve just cited from the financial services sector (see figure below). Consider that many organizations can face charges of liability, copyright or patent infringement, discrimination or harassment, or compliance or legal actions under the statutes of regulatory agencies such as OSHA or the Department of Labor. Discovery is also an important part of criminal investigations conducted by the Department of Justice and civil investigations conducted by government agencies such as the SEC. The bottom line is that organizations of all sizes should concern themselves with how they manage their ESI.

Type of Discovery | Predictable Request | Unpredictable Request
Internal | Scheduled Internal Audit | Human Resources Issue
Regulatory | Certification/Licensing; Market Conduct Exam | Due Diligence (Merger Review); Investigation
Litigation | | Lawsuit

Figure 2: Common Types of Discovery

Those “miscellaneous” costs can be significant.

E-discovery requires that you first identify the potentially discoverable information, then preserve and collect it, then review it and perform forensic analysis to assess the relevance of the information.

This forensic analysis can be very costly. Consider that the earlier stages of the discovery process – identification, preservation and collection, and some preliminary review – can be performed by services firms and by automated tools, all of which narrow down what could be petabytes of potentially discoverable information, to the relevant data set.

But it’s likely that data set will still be voluminous. Detailed sorting and forensic analysis are then required to determine which information is responsive and which is non-responsive, and to further sort the responsive information into privileged and non-privileged information. This analysis may well require the expensive expertise of in-house legal staff. It makes sense to use technology to manage your ESI, because it can reduce the costs and the time required for the earlier stages of the e-discovery process.


Doculabs’ Opinion

What’s striking about litigation costs in particular is that they are all repetitive, without leverage, on a per-litigation basis – which is to say that the above-mentioned costs will continue to be incurred until such time as the organization has repeatable processes and systems built, implemented, and enforced to address the steps of the litigation discovery process. The absence of a repeatable process increases the likelihood that, faced with litigation, an organization will find it difficult to determine the level of risk and to decide whether to settle or to contest the suit. If the litigation proceeds, that organization could be sanctioned for failure to produce evidence in a timely fashion. Even worse, a company could face sanction for destruction of evidence, or spoliation – whether willful or inadvertent – because of inadequate records retention policies and procedures. And spoliation can lead to a number of sanctions, ranging from fines or payment of the other side’s attorneys’ fees, to refusal to allow testimony, to dismissals and default judgments.

What’s needed is a documented, repeatable process for addressing e-discovery – a process that’s consistent across the enterprise. Investing in the development of policies and procedures and the technology infrastructure for e-discovery will greatly reduce discovery costs, while also reducing your organization’s exposure to fines and adverse judgments (see figure below).

Figure 3: Typical Annual Litigation-related Savings with E-discovery Program and Infrastructure (chart: expected annual savings, on a scale of $0 to $25,000,000, plotted for an average cost per litigation without e-discovery of $100,000 to $600,000 and expected savings with e-discovery of 15 to 50 percent)

2. How should the new Federal Rules of Civil Procedure affect the way our organization manages information?

Discussion

Organizations could previously claim that searching through their ESI represented an undue burden. But the amendments to the Federal Rules of Civil Procedure (FRCP), enacted at the end of 2006, now make ESI subject to discovery, so long as “the information can be obtained, translated if necessary, by the respondent into reasonably usable form.” Moreover, “the request may specify the form or forms in which the electronically stored information is to be produced.” And the rules now require a pre-discovery conference in which both sides provide a list of the relevant ESI, including certain characteristics of the information and the repositories that house it.

Factors to Consider

The problem for most organizations is that their unstructured data cannot easily be searched; it tends to be stored not just on servers, but in places such as hard drives, a multiplicity of shared drives, tape, and personal email files (PST files in Microsoft Exchange and NSF files in Lotus Notes), all of which makes it difficult and costly to retrieve. But then the unstructured data must be analyzed for relevance, then compiled and produced in a format that will be usable by the regulators or by opposing counsel. Consider, too, the real risk that some of the content should not have been retained in the first place, or that large portions of the content may have been retained for periods that extend far past the legal retention requirements.

Doculabs’ Opinion

While the FRCP rules pertain only to federal court and are still relatively new, it’s likely that other jurisdictions will begin to adopt similar rules. Accordingly, we recommend the following basic guidelines to prepare your organization:

• Map out all places where electronic information is stored. This repository inventory is a first step toward determining the extent of your organization’s exposure with respect to ESI (see Question 3).

• Update your records retention policy to include all electronic information. This is a step that many organizations have yet to undertake, despite the fact that they may have detailed and effective retention policies for their paper records. Determine what is to be retained, and for how long.

• Ensure your “hold” policy (for retaining documents relevant to litigation) fully covers all electronic information, including backup tapes. Failure to do so could result in charges of spoliation, if backup tapes are the sole source of certain requested information.

• Establish systems that simplify the identification, retrieval, and production of potentially relevant data. This includes establishing systems of record, as well as records management and email management systems. It could also include system consolidation, to reduce the number of repositories in which ESI can be stored.

The challenges of dealing with ESI involve both technology and people.

Managing ESI involves the same duties as those for paper documents. The difference is that while ESI is very voluminous, it’s not as physically intrusive as boxes of paper files. Additionally, ESI can be poorly structured, and in formats that require some effort to manage.

From the “people” side of the equation, employees tend to resist efforts toward formal management of ESI, as well as policies requiring the purging of their electronic documents. Historically, people manage ESI very poorly, resisting even simple measures such as file-naming conventions or file management policies.


3. What’s involved in doing a repository inventory?

Discussion

One of the first steps toward proactive information management is to take an inventory of all of the repositories in which your organization’s unstructured content now resides. The purpose of the repository inventory is to identify content repositories in the enterprise (such as shared drives, applications, databases, systems), prioritize them, and recommend a strategy for each repository that determines the following:

1) The level of management necessary for the content in each repository (basic to advanced content management capabilities)

2) Where the content should reside (in-place system or migrated to another system)

3) How the content should be managed (by the in-place system or by an external system)

4) The kind of solution to use to manage the content (basic, advanced, specialized)

Depending on your organization’s size, these repositories could easily number in the thousands, when you consider all the Microsoft SharePoint sites, Lotus Notes databases, applications, and shared drives throughout the enterprise.

Factors to Consider

The repository inventory is more than just the basis for coming up with a strategy to address the management of repository contents. Remember that one of the requirements of the new FRCP is that both sides in a litigation matter meet in a pre-discovery conference to provide a listing of the relevant ESI, a listing that includes characteristics of the information and the repositories that house it (see Question 2). This means that your corporate counsel need to know how and where your organization’s ESI is stored – and where it is backed up. The repository inventory provides the basis for meeting these requirements.

Many organizations are now taking steps to develop some kind of inventory of where their unstructured content is now stored. But in some instances, the inventories are too shallow or too narrow to be effective in meeting the requirements of the FRCP – let alone for use in developing a repository strategy.

Doculabs’ Opinion

Following are the steps for performing a repository inventory:

Evaluate your organization’s document types. Do this first, because evaluating your document types helps you to determine the business requirements and the policies that the repository strategy must fulfill. It also gives you information about the relative importance (the value and risk) of the documents, as well as information about the level of effort (complexity) that will be necessary to fulfill the business requirements and policies. Note, however, that some document types may be “inventory resistant” (see Question 4).

You will likely have some information to use as the basis for this evaluation, such as enterprise or departmental taxonomies, or document inventories of your paper documents, which provide category information about the various document types. Also take a look at your organization’s retention plan and records management policy, including the record status for each document type (i.e. official record or non-record), as well as the rationale for record status (legal, litigation, vital, other) and the specific policies for retention, disposition, holds, security, and access for documents designated as records. In addition to distinguishing records and non-records, a best practice is to define a category consisting of the organization’s potentially discoverable information – i.e. all records, plus a subset of other non-records consisting of other business-related information that’s potentially discoverable (see Question 6).

The repository inventory is also part of an ECM strategy.

A repository inventory is necessary for planning the enterprise implementation of ECM in large organizations, where large subsets of the total content in the enterprise are candidates for management, and where such content may reside in many different repositories. A repository inventory provides a systematic, sound way to:

1. Prioritize repositories (among the thousands of shared drives, Microsoft SharePoint sites, Lotus Notes databases, and applications housing content)

2. Determine what approaches to take to manage the types of content in the various repositories – e.g. in-place (remote vs. federated repository); centralized repository management

3. Identify the repository capabilities and solutions that are required for the various types of content

Assess the risk and value of each of your document types to the organization. As part of the evaluation of document types (above), evaluate the level of risk and value associated with each document type. For example, vital records – the documents you need to run your business – are high risk, as are any documents containing confidential, proprietary, or personally identifiable information (such as social security numbers). Risk can be further subdivided into probability of risk versus seriousness of damage. A best practice is to focus the first pass of the repository inventory on high-risk records (particularly those records that are typically requested for litigation, which could include email and unregulated business records) and on those departments that produce the majority of these high-risk records, moving these documents into an ECM system with records management capabilities. Then define policies and procedures for PSTs/NSFs and for content on shared drives, hard drives, and USB drives, moving this content to a system with basic content management capabilities, such as Microsoft SharePoint.

Inventory your organization’s repositories. Inventory and document the characteristics of the repositories where unstructured data is stored throughout your organization. The inventory should include the following:

• System and technical information, such as the vendor, product, and the degree of customization or complexity; information on the volume of content stored and the number of users storing content in each repository

• The current status and future trajectory of each repository (growing, maintain, replace, etc.), to understand what the IT organization plans for each of the associated systems

• A profile of your applications and content, noting whether it is transactional or collaborative, dynamic or fixed, actively accessed or inactive, regulated or not regulated

• The functional capabilities of each repository – for example, whether it serves consumers and/or contributors; whether it provides short- or long-term repository management; whether it has records management functionality; its categorization/indexing complexity and flexibility, etc.

• The technical capabilities of each repository (scalability, performance, reliability, security, integration, etc.)

• An assessment of the “in-place” management complexity you require, based on the capabilities of your candidate “master” system and of the in-place system (capabilities such as JSR 170 connectors, APIs, and adaptors), to determine the feasibility of continuing to store information where it is currently housed while using a master system to manage it remotely

Different approaches for managing different categories of content

Most organizations have a need for general-purpose, user-friendly content management – capabilities such as those provided by Microsoft Office SharePoint Server (MOSS) 2007. But for certain types of content (such as records and vital records), they also require the specialized capabilities of an advanced ECM solution for features such as records management functionality to meet regulatory requirements. What’s needed is a strategy that allows for the co-existence of both levels of content management functionality within the same IT environment.

For more information about how to leverage the advantages and the functionality of MOSS 2007 and advanced ECM solutions within your environment, see Doculabs’ white paper, “The Co-existence of Microsoft SharePoint and Advanced ECM Platforms: What You Need to Know.” See our web site at www.doculabs.com.

Make repository strategy recommendations. For the content in each repository, recommend one of the following options:

• Leave in place – don’t manage: For content that you have assessed as low value and low risk (i.e. non-records that are not potentially discoverable information)

• Leave in place – manage with in-place system: For content such as transaction data that is archived effectively in line-of-business systems, or marketing materials that are being managed in a digital asset management system

• Leave in place – manage with remote system: For content that has more stringent records management requirements, deploy a remote system with sophisticated records management functionality that can issue “commands” to the in-place repository, directing tasks such as “classify,” “hold,” and “delete,” thereby applying your organization’s retention schedule to the content stored in the in-place repository

• Migrate to and manage with remote system: For high-value or high-risk content that’s stored in a repository that lacks the functionality to allow its content to be managed with the remote system

For content in each repository, determine what kind of system to use. This could be an ECM system with advanced content management capabilities, an easy-to-deploy solution such as Microsoft SharePoint for basic content services, or a tool for specialized content services such as email management.

Repository Strategies

Strategy | Content to which it applies
Leave in Place; Don’t Manage | Low-value, low-risk content
Leave in Place; Manage with In-Place System | Content archived by line-of-business systems
Leave in Place; Manage with Remote System | High-value, high-risk content stored in a repository that can be integrated with the remote system to provide records management
Migrate to Remote System for Management | High-value, high-risk content stored in a repository that lacks the records management capabilities to be managed with the remote system

4. What are the pockets of electronically stored information that we may not have thought of?

Discussion

Most organizations are conducting repository inventories to identify where their ESI is now stored. However, make sure that your inventory doesn’t miss important items that leave your organization vulnerable. Beyond the more obvious locations and items of ESI, there are two categories of items organizations are likely to miss: those that can be called “inventory amenable,” and those that are “inventory resistant.”

Factors to Consider

The inventory amenable documents and data are those that can be captured in a thorough-going repository inventory; if you missed them, it’s probably because your initial “net” was too shallow or too narrow. Identify and manage such documents by broadening or deepening your inventory. Items in this category include application-embedded emails and documents.

But many ESI items are inventory resistant, because they don’t result from standardized, documented business processes. They may be ad hoc, highly variable, and unknown to higher layers of the reporting structure. These items are difficult to inventory, manage, discover, and produce, and there’s often little obvious cost justification to try to manage this content. The problem is that this inventory-resistant content is precisely the content that can get an organization in trouble. These items are potentially very damaging if they get into the wrong hands; plus, they demonstrate to a regulatory body or to a court that your company policy is not being followed in practice.

Doculabs’ Opinion

In the initial step of your repository inventory, assess the inventory resistance of document types. Process-embedded documents are more likely to have been captured in the initial inventory, so look in particular at the places where ad hoc document types are likely to be stored: USB or “thumb” drives and other removable storage devices, PST and NSF files (see Question 5), instant messaging, discussion boards, and blogs, all channels for which many organizations have yet to develop effective policies and procedures.

But your organization is likely to have other inventory-resistant document types out there – types you may not have thought of. Consider the following:

The Audit business unit and systems. Large organizations typically have Audit units that are responsible for evaluating other business units, processes, and systems for various types of compliance. They may use Paisley or other compliance software to manage their audit process and document their findings. In addition to its own findings and documentation, the Audit unit may also store documents and emails relevant to compliance or noncompliance. The irony is that audit systems may be a good source of damaging ESI – moreover, ESI that’s easily discoverable and readily accessible.

The dangers of “rogue” repositories

Removable storage devices such as USB drives (also known as “thumb” drives) are, of course, unmanaged. Not many disasters have happened yet, but the potential for a high-profile one exists; consider employees using thumb drives to move ESI between the office and home.

One behavior we’ve seen is the use of USB drives to store email archive files, because corporate policy sets individual mailbox quotas that employees find too low. These files, known as PST and NSF files, are typically “inventory resistant,” and so they represent a general vulnerability first, rather than an exposure that is directly relevant to the FRCP.

But PST and NSF files can contain very high-risk ESI. Companies that allow PST and NSF files to proliferate on laptops, USB drives, and home computers put themselves at great risk of exposure in litigation discovery, with the potential for very serious damage.


Repositories maintained by remote parties, agents, or third-party contractors. Many organizations understand the need for effective management of the ESI in the repositories that are under their direct control, but have little control over or visibility into the documents that may be held by their contractors, by remote employees, or (in the insurance industry) by captive and independent agents.

Typically, these parties aren’t required or motivated to follow the company’s internal records management or document management policies; for instance, they may be using multi-function devices to scan in documents and then storing those documents in an ungoverned manner. So take these remote and third parties into consideration when you do your repository inventory – and not just for inventory-resistant items, but also for content that’s generally inventory amenable within the home organization.

Attorney-client privilege. We see many organizations in which the common practice is to mark paper documents and ESI as “privileged” or “confidential” when in fact they are not. Authors or reviewers may believe the documents are covered by attorney-client privilege when they are not, either because no in-house counsel were involved in the transaction, or because in-house counsel were involved but the transaction itself wasn’t privileged. Correcting this over-marking matters for properly meeting the FRCP requirements for privileged and confidential ESI, since a label that is not backed by actual privilege will not protect the document from production.

Inventory-Amenable ESI
  • Email in an email system
  • Structured data
  • Application-embedded documents

Inventory-Resistant ESI
  • Documents stored on USB drives and other removable storage devices
  • PST and NSF files
  • Instant messaging, discussion boards, blogs
  • Audit systems
  • Repositories maintained by remote parties, agents, third-party contractors
  • “Privileged” or “confidential” documents that in fact are neither privileged nor confidential

Table 1: Summary of Potentially Vulnerable Electronically Stored Information


5. We’re deploying an email management tool. Will that cover the email issue?

Discussion

Among the most problematic of the inventory-resistant items we’ve seen are personal email files: PST and NSF files. PST (Microsoft Outlook/Exchange) and NSF (Lotus Notes/Domino) files are local archive files that employees use to offload extra, old, or special emails from the server mailbox. Such files are common, and employees may maintain multiple PST/NSF files, typically on their local hard drives.

Another way that email may elude your email management tool is if it is embedded in business systems such as line-of-business systems or in the customer relationship management systems used by your sales, marketing, or customer service departments.

Finally, some organizations, particularly financial services firms, have deployed encryption technology for outbound email. That technology can present problems if your organization relies on discovery and production software, because such tools can only search what they can decrypt.

Factors to Consider

Let’s consider the implications of these email issues one at a time:

PST/NSF files. PST/NSF files are particularly rampant in organizations that do not have defined email policies, but we have found them at least as common in organizations with a well-defined email policy, particularly one that restricts mailbox size or content, or automatically deletes email. The PST/NSF file is where users put the content they want to keep, and the result is a large body of unmanaged, potentially harmful email.

PST/NSF files are frequently searched in discovery, but not always as part of an automated search. They may be backed up under an enterprise PC backup scheme rather than with the enterprise email system. In either case, PST/NSF files can account for a significant share of email volume, and they may well be the largest area of unaddressed vulnerability for organizations trying to limit their litigation exposure.

Email embedded in business systems. In many organizations, incoming and outgoing email is embedded in business systems (for example, emails received by customer service representatives and stored in the company’s customer relationship management system). Such email may be generated in a separate email system and never touch the enterprise email system, or it may be generated by the enterprise email system and then duplicated in the business system. The point is that the emails in these systems are typically not archived well, so they aren’t searched well for discovery – or the systems retain copies of emails that the company believes to have been purged. Such systems are not inherently inventory resistant (see Question 4), since they result from a standard process, but most organizations don’t think of them as a litigation risk or as subject to disposition under corporate retention policies.

An estimated 65 percent of companies don’t have an email retention policy, and 37 percent of employees say they don’t know which messages should be retained and which ones should be purged.

(Source: InformationWeek)


Encryption technology for outbound email. Many financial services firms encrypt outbound email – for example, communications regulated by the SEC (which require filtering, quarantine, and review), but also unregulated messages. A recurrent problem is that the tools used for discovery and production can’t search or view the contents of files that were encrypted for digital rights management purposes, since the tool has no access to the keys needed to decrypt them. (The same is true of any other encrypted files the organization maintains.) The vendors don’t yet have solid answers for this problem, so the practical check is to confirm, before a request arrives, whether your archive holds a readable copy of messages that were encrypted on the way out.

Doculabs’ Opinion

For personal email files, the best practice is first to prohibit users from creating local archives or copies of mailboxes, and to enforce the prohibition technically where the mail client allows it (Outlook, for instance, can be prevented from opening or growing PST files through group policy) rather than by written policy alone. Making more use of the native functionality of Exchange (or Domino) for managing PSTs/NSFs can work in the near term, but email management systems have specific functionality designed to manage PST/NSF files for compliance. Then you can begin finding and migrating old PSTs/NSFs to the archive, either manually or using automated tools from vendors such as IBM, EMC, Symantec, and Autonomy, among others.

If your organization has yet to deploy an email management solution, we suggest moving the PSTs/NSFs to the network, along with rollout of basic content services, such as Microsoft SharePoint – all mandated by relevant policies and supported by relevant procedures, training, and auditing to ensure that it happens.
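Finding the PST/NSF files is the step that both the “rogue repositories” sidebar in Question 4 and the opinion above depend on, and it is the step a name-based search gets wrong. The following Python script is an added example, not code from the paper or from any of the vendors named above: it walks a directory tree (a user profile, a network share, or a mounted USB drive) and inventories mail archives by file signature as well as by extension, so that a PST renamed to something like old_mail.bak is still caught. The directory layout, file names and header bytes it creates are constructed sample data; the PST header fields it checks (the “!BDN” magic, the “SM” client magic and the wVer field) follow the published MS-PST format, while NSF files are matched by extension only, an assumption noted in the code.

```python
"""Locate personal mail archives (PST/NSF) across a file tree.

Added example, not part of the Doculabs paper or any vendor product. It walks
a directory tree and records every Outlook PST file it finds, whether matched
by extension or by its file signature, plus Notes NSF files matched by
extension. The sample tree it builds is constructed test data.
"""
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# MS-PST header layout: dwMagic "!BDN" at offset 0, wMagicClient "SM" at
# offset 8, wVer at offset 10 (14/15 = ANSI PST, 23 or higher = Unicode PST).
PST_MAGIC = b"!BDN"
PST_CLIENT_MAGIC = b"SM"
HEADER_LEN = 12


def classify_pst_header(header: bytes):
    """Return 'ansi', 'unicode' or 'unknown' for a PST header, or None if not a PST."""
    if len(header) < HEADER_LEN:
        return None
    if header[:4] != PST_MAGIC or header[8:10] != PST_CLIENT_MAGIC:
        return None
    (wver,) = struct.unpack_from("<H", header, 10)
    if wver in (14, 15):
        return "ansi"
    if wver >= 23:
        return "unicode"
    return "unknown"


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash the file so the same archive copied to several drives can be spotted."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root: str) -> list:
    """Walk root and return one record per PST/NSF candidate found."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
                stat = os.stat(path)
            except OSError:
                continue  # unreadable file: skipped here, a real scan should log it
            pst_format = classify_pst_header(header)
            if pst_format is not None:
                kind = "pst"
                # A renamed PST (e.g. mail.bak) only shows up through its signature.
                detected_by = "extension+signature" if ext == ".pst" else "signature"
            elif ext == ".pst":
                kind = "pst"
                detected_by = "extension"  # named .pst but the header does not match
            elif ext == ".nsf":
                kind = "nsf"
                detected_by = "extension"  # assumption: NSF matched by name only
            else:
                continue
            records.append({
                "path": path,
                "kind": kind,
                "detected_by": detected_by,
                "pst_format": pst_format,
                "size": stat.st_size,
                "modified": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_of(path),
            })
    return sorted(records, key=lambda r: r["path"])


def make_pst_header(wver: int) -> bytes:
    """Constructed sample: the first bytes of a PST header with the given wVer."""
    return PST_MAGIC + b"\x00" * 4 + PST_CLIENT_MAGIC + struct.pack("<H", wver) + b"\x00" * 500


def build_sample_tree(root: str) -> None:
    """Constructed sample tree mimicking a laptop profile plus a mounted USB drive."""
    samples = {
        os.path.join("Profile", "Outlook Files", "archive.pst"): make_pst_header(23),
        os.path.join("USB", "backup", "old_mail.bak"): make_pst_header(15),    # renamed ANSI PST
        os.path.join("USB", "notes", "mail.nsf"): b"\x00" * 256,               # NSF by extension
        os.path.join("Profile", "Desktop", "not_really.pst"): b"plain text",   # wrong signature
        os.path.join("Profile", "Desktop", "report.docx"): b"PK\x03\x04",      # ignored
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return records keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(r["path"]): r for r in inventory(root)}


if __name__ == "__main__":
    for name, rec in run_demo().items():
        print(f"{name:16} {rec['kind']:4} {rec['detected_by']:20} "
              f"{rec['pst_format'] or '-':8} {rec['size']:>6} bytes")
```

Against a real profile root or mount point, call inventory(path) instead of run_demo(). The “signature” rows are the ones an extension-based search would miss, and the sha256 column shows the same archive copied to several drives. Treat the output as an inventory only: moving or deleting what it finds is a records management decision, and any archive discovered after a litigation hold is in place has to be preserved rather than cleaned up.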

As for email embedded in business systems, Doculabs recommends identifying these emails, extracting them from the business system, and then storing them in an ECM repository with other related content for those transactions.


6. Where does records management fit into the compliance and litigation discovery picture?

Discussion

It’s true that compliance does not equal records management alone. However, records management is a key component of any compliance program – and is essential for managing potentially discoverable information in the event of litigation.

Regulatory compliance requires that you manage – and retain – a fairly well-defined set of documents. The ability to manage this set of business records according to a classification plan and retention schedule helps ensure that those records can be recovered more easily, faster, and at lower cost when the regulatory authorities ask you to produce them. Thus management and retention are critical to meeting compliance requirements.

In contrast, litigation requires that you manage a broader set of documents – those documents that are considered “potentially discoverable information.” This information, while discoverable, may include document types that are not even declared as records (see Question 3 on assessing the risk and value of document types). Thus, discovery for litigation requires not just effective management and retention, but also destruction of documents according to the disposition rules of your corporate records retention schedule, as well as capabilities for hold and release to ensure that the relevant information is preserved – and preserved only as long as you need it to respond to a specific instance of litigation.

Factors to Consider

From a litigation discovery standpoint, there are some important distinctions to keep in mind among the various types of ESI – distinctions that have implications for how you manage your organization’s information.

Declared records: These are the business documents that the organization has defined (“declared”) as its corporate records – for example, contracts and policy filings. Declared records also include vital records: those records that contain information essential to business continuity or disaster recovery. Vital records are organization-specific, but might include accounts payable and accounts receivable records, customer files, and tax records. All of your organization’s declared records should be managed under the corporate records management policies and procedures, with a records retention schedule covering their respective lifecycles.

Other business-related information: These are business documents that your organization has not declared as records, but which contain content that could be relevant in the event of litigation. Examples include memos, agendas, and trip reports. These documents, while not declared or managed as corporate records, should be managed in a content management system to ensure they can be easily searched, retrieved, and produced if they become the subject of discovery in a legal action. Note that non-business related information, such as personal emails from family, should never be managed in the corporate ECM system – and your records management policies and procedures should make this clear to your employees.

Types of Electronically Stored Information

  Declared Records
    Always manage, in a system with records management capabilities
    Example: contract, policy filing

  Vital Records
    Always manage, in a system with records management capabilities
    Example: final budget, final design

  Other Business-related Information
    Manage in a general-purpose content management system
    Example: memo, agenda, trip report

  Non-business-related Information
    Never manage in a content management system
    Example: email from spouse


Potentially discoverable information: In the event of litigation, this category of information encompasses portions of both categories above – i.e. certain of those documents your organization declares and manages as records, and that portion of your other business-related information which is potentially relevant to the litigation in question (see figure below). The documents in this category will be specific to each litigation; you need to be able to move the applicable “other business-related information” into the repository with your declared records in order to hold it and manage it for the duration of the litigation.

Figure 4: Potentially Discoverable Information within the Universe of ESI

Doculabs’ Opinion

Records management is not a plug-and-play proposition; it takes more than just deploying the records management module of a content management solution to ensure that all of your organization’s corporate records are being captured and properly managed throughout their respective lifecycles. Certainly the records management software products are now more mature and will go a greater distance toward helping you meet your compliance goals. But Doculabs advises that you develop an approach to records management that gives proper attention to process, people, and technology:

• Process: Define records retention schedules for the organization and its departments; develop foundational principles, definitions, and policies and socialize them throughout the organization.

• People: Create oversight committees or other bodies to coordinate all RM-related efforts and establish accountability for key aspects of records management across the organization; publish and promote retention guidelines and best practices for all types of records.

• Technology: Identify the system of record for each record and develop approaches for automating application of the appropriate records management requirements, using relevant technologies such as ECM, workflow, email management, records management, enterprise search, portals, electronic forms, and storage.

Evaluate the guidelines and practices of your records management program according to the following objectives:

• Do they ensure compliance?

• Do they reduce the cost of compliance?

• Do they reduce the impact of compliance on the organization?

• Do they impact performance or worker productivity?

• Are they consistent with your organization’s mission?


7. How does enterprise content management technology serve as the foundation for compliance and litigation discovery initiatives?

Discussion

As we’ve already seen, effective management of ESI is essential to compliance and e-discovery.

Enterprise content management (ECM) technology, including components for records management, is a cornerstone of any compliance program. It provides the capabilities to manage unstructured content, such that it can then be searched and analyzed for relevance, then compiled and produced in a format that will be usable to the other party, whether a regulatory body in a compliance action or opposing counsel in litigation discovery.

The figure below shows the stages of the discovery process, along with the ECM technologies that can be used to facilitate the actions required within each stage.

Figure 5: Stages of the Discovery Process, with ECM Enabling Technologies

  Records Management
    Manage business records
    Enabling technologies: Records Management, Email Management

  Identification
    Identify physical location of data with a document inventory; receive discovery request; develop search criteria; review document inventory and conduct search; send notification to record owners
    Enabling technologies: Enterprise Search, Document Management, Email Management, Records Management, Workflow

  Preservation and Collection
    Record owners place a hold on requested records; requested records are collected, indexed, stored
    Enabling technologies: Enterprise Search, Document Management, Email Management, Records Management, Workflow

  Processing, Review, and Analysis
    Review and catalogue records; perform forensic analysis
    Enabling technologies: Document Management, Workflow, eDiscovery Tools or Third-party Service

  Production
    Generate records with index and catalogue
    Enabling technologies: Document Management, Workflow, eDiscovery Tools or Third-party Service

  Presentation
    Deliver records on appropriate media and by appropriate communication method to court hearing
    Enabling technologies: Document Management, Email Management, Records Management, Workflow, eDiscovery Tools, or Third-party Service

Process follows the Electronic Discovery Reference Model – www.edrm.net

Factors to Consider

Consider workflow or business process automation tools, which can be used to facilitate e-discovery.

Today, most large organizations rely on third-party service firms within the legal community to assist in discovery efforts. The process used is very manual – and very costly: crude searches are performed, and the results are reviewed one by one (open a document, scan through the content, and determine its relevance).

Using ECM to manage ESI

The components of ECM technology – records management, email management, document management, enterprise search, portals, and workflow – provide the capabilities that an organization needs to quickly find and produce records or other ESI. And ECM technologies can greatly streamline your organization’s ability to search, compile, review, analyze, and produce ESI in response to a compliance action or in litigation discovery. ECM technologies ensure that your organization’s content is appropriately managed, and that your corporate retention policies are being appropriately applied to that content.


Like other business processes, e-discovery has discrete triggers that initiate the process. It also has specific tasks and time dependencies, and defined roles for participants. Workflow or business process automation can help address these challenges. Best-in-class firms are recognizing this and are taking steps to leverage existing capabilities to lower their e-discovery costs, perhaps with the same tools they’ve been using to automate transaction-processing type tasks.

Doculabs’ Opinion

All of the above-mentioned components of ECM technology serve the objectives of compliance and e-discovery. The ECM system provides the repository – the means of control – for the unstructured content. But it’s also important to provide a logical structure for that unstructured content – a taxonomy to classify it within a common hierarchy for the organization. Deployed with an ECM system, a taxonomy allows your ECM system(s) to apply a consistent set of keywords and metadata to every piece of content, thereby ensuring more efficient retrieval of information, as well as search results that are more accurate and consistent.

Keep in mind that a taxonomy allows you to address where and how content is stored – in advance. Whereas a search tool attempts to locate information after the fact, a well-thought-out enterprise taxonomy defines the places for ESI and helps users put it in the right place the first time – an important consideration for faster and more efficient information retrieval for compliance and e-discovery. The bottom line is that implementing a taxonomy along with the content management capabilities of an ECM system provides a predetermined context that supplements the powers of the system’s search tools.

That’s why we recommend that you take on the upfront effort required to develop an enterprise taxonomy as part of any enterprise-wide ECM deployment. It helps you make sure that your ECM system provides not just control, but also gives structure to your unstructured content.

Taxonomy: providing structure for unstructured content

What does it take to create an enterprise taxonomy – a classification that reflects the business-critical documents of the organization as a whole?

Doculabs’ white paper, “Ten Questions on Taxonomy,” helps you understand the key concepts and the issues involved in creating and implementing an enterprise-wide classification of your organization’s information assets, and helps you plan a taxonomy initiative for your organization. Visit the Doculabs web site at www.doculabs.com.


8. Why do we need a program to address compliance and litigation discovery?

Discussion

In Question 7 we outlined the ECM technologies that we recommend as part of a compliance and e-discovery initiative: records management, document management, email management, enterprise search, portals, and workflow. But by now, it should also be clear that technology alone is not the answer. Becoming a proactive organization requires that you develop and implement a compliance program – a program that encompasses policies and procedures, governance, information organization, architecture and technology, processes, and communications.

Factors to Consider

An effective compliance program includes:

• Development of “rules” for the compliance program – developing policies, procedures, and guidelines

• Development of a governance structure – defining the roles and responsibilities for compliance (e.g. Legal, Compliance, Risk Management, Records Management) and how they should interact with the non-core-compliance functions (e.g. for ECM, for infrastructure, etc.)

• Information organization – including taxonomy development, development of records retention rules and records schedules, and the repository inventory (see Question 3)

• Development of an architecture and technology strategy – including an architecture strategy for compliance and selection of required capabilities (such as records management, email management, search, etc.)

• Process evaluation and strategy – defining processes for records lifecycle management, e-discovery, and records types with particular requirements (e.g. structured data, externally created information, etc.)

• Development of a communications strategy – defining approaches for “socializing” the compliance program and its policies and procedures, and for ensuring that policies continue to be effectively followed in practice

Doculabs’ Opinion

A successful compliance initiative involves not just IT and Legal; it involves executive commitment and end-user buy-in. Rolling out the specific parts that your organization needs to meet its compliance and e-discovery challenges requires a long-term plan that addresses process, people, and technology – a program that takes into account your current state in each of these areas and that also defines a future state, as well as a realistic road map for making that future state a reality.


9. What does it take to develop and implement a compliance program?

Discussion

The development and implementation of a compliance program involves a considerable number of moving parts, not to mention the buy-in of a number of key individuals – and not just from IT, but from your legal, compliance, risk management, and records management functions.

Within your own organization, you’ll need to develop policies and procedures covering all forms of records and potentially discoverable information; you will also need to create a governance structure to support and maintain your compliance program. There may be various ECM technology components to procure and deploy, and you may need to develop a taxonomy to organize your content within the ECM system. Finally, you will need a well-designed communications and training program to ensure that users throughout your organization understand their own roles in the compliance process.

Factors to Consider

Consider whether you need outside expertise to provide an objective assessment of where your compliance program stands today, and to provide your organization with an understanding of best practices – from each of the relevant perspectives: process, people, and technology. Your consultant can then help you map out an approach that will help you achieve a near-term future state, with clearly defined priorities, as well as a long-term future state that addresses those initiatives that require longer timelines to complete. Beyond the definition of these future states, you may also need some assistance in developing the road map to help you achieve those objectives.

Doculabs’ Opinion

The figure on the following page shows potential initiatives and technology components of a compliance program. The top portion of the figure, the compliance summary, shows the categories of initiatives – Document Policies, Document Procedures, Taxonomy Development and Maintenance, Records Management Program, Organizational Structure, and Records Management Architecture and Updates – that Doculabs regards as the key components of a compliance program. The bottom portion of the figure, the technology summary, shows the technology components that an organization may require in order to implement an effective compliance program. These technology components include technologies in the categories of Content Creation/ Presentation/Access, Process and Collaboration, Data and Content Middleware, and Data Management.

Altogether, the figure provides a color-coded overview of how Doculabs might assess a hypothetical organization’s capabilities in each of these areas: red for basic, yellow for moderate, and green for advanced. It also indicates some of the specific types of projects that this organization would need to undertake, both from the program and the technology perspectives.


Figure 6: Potential Initiatives and Technology Components of a Compliance Program


10. What kind of governance structure will we need to support and maintain our compliance program?

Discussion

Governance focuses on accountability – including enforcement policies that reflect respect for the organization’s ESI as well as an understanding of its corporate culture. Keep in mind that many of the projects required for a successful compliance initiative are likely to change certain aspects of how people perform their jobs. Putting in place document policies and procedures, establishing a records management program, developing and implementing a taxonomy – all of these activities will require effective communications planning and change management in order to ensure acceptance and compliance at the end-user level.

Factors to Consider

Organizations change and grow; likewise, their compliance requirements change over time, as the regulatory environment evolves to meet new challenges and organizations themselves are held accountable to new standards. One of the major compliance challenges for organizations today is the evolving nature of these enforcement standards. A number of recent regulations – HIPAA, Gramm-Leach-Bliley, the USA Patriot Act, Sarbanes-Oxley – took time to evolve, creating considerable uncertainty from the standpoint of the regulated community, as the costs of compliance became far less predictable. Until recently, organizations could readily project their compliance costs. With ever-evolving standards to meet, many companies find they must develop new policies and procedures, which imposes costs that are difficult to predict.

Doculabs’ Opinion

Having effective governance mechanisms in place allows for the degree of long-term planning and the implementation of a cross-organizational program that’s needed to respond in this new regulatory environment. It provides the guidance and oversight to ensure that your organization’s processes and technology continue to enable you to produce the ESI that you need in order to respond to regulatory mandates and to legal actions in a timely manner – and at a lower cost to the organization.

Doculabs recommends the following structure for governance as part of a compliance program:

Oversight Committee: This committee includes representatives from the Executive, Legal, Tax, Risk Management, Compliance, Regulatory, and Human Resources functions; tasked with interpreting regulations, defining requirements, approving the overall compliance program and approving any amendments to the program.

Records Management Council: The council should include representation from the IT, Records Management, and Internal Audit functions; tasked with developing and implementing records management policies and procedures.

Training and Monitoring: Training and ongoing monitoring of the compliance program will be necessary – particularly for organizations where policies and procedures may have been less well defined.

The importance of training and monitoring

As your organization rolls out the various phases of your compliance program, training to educate users, as well as vigilant monitoring of the new processes, will be necessary to ensure that employees do not revert to previous ways of doing things, and that new employees understand the processes that you have put in place. Your Human Resources function should be involved in these aspects of the compliance initiative, as well as in defining and implementing the enforcement mechanisms that will enable compliance-related activities to become a non-intrusive part of daily operations.


Final Word

For years, the argument was that ECM technology made for greater efficiencies – making it easier for users to share information across the enterprise, thereby enabling an organization to better leverage its information assets. All of this is quite true. But today, organizations have even greater reason to find ways to get control of their unstructured content – for compliance and litigation discovery purposes.

It was the emergence of wide-ranging regulations such as Sarbanes-Oxley that first moved compliance concerns to the forefront. But the recent enactment of amendments to the FRCP upped the ante significantly, requiring effective management of ESI in order to conduct discovery efforts cost-effectively. Executive management took notice, and the result is that CIOs now have a mandate to find a way to manage their organizations’ unstructured content – both across the enterprise, and throughout the lifecycle of that content.

Clearly, ECM technology is the basis for beginning to address these compliance and risk management issues. But it’s no magic bullet. As we’ve argued throughout this white paper, these initiatives also involve non-technology efforts and clearly defined initiatives for moving forward. Depending on what’s now in place, it may also require a significant change management effort. But it’s an investment that many organizations now recognize needs to be made.

In the face of escalating costs, an organization that does not have a repeatable process for searching and retrieving ESI to meet compliance- and litigation discovery-related requests is at far greater risk of sanctions, not to mention at risk for incurring potentially hefty penalties – penalties that can be both hard-dollar and soft-dollar in nature. That’s why many organizations are now taking steps to develop strategies that will enable them to fulfill their regulatory and legal obligations – and to allow them to meet those obligations more easily, at far lower cost, with processes and systems that are repeatable.

This white paper makes the case for taking a strategic approach to compliance and litigation discovery – an approach that involves process, people, and technology. Taking the strategic perspective helps you make the long-term decisions that are necessary for an initiative of this magnitude. But in the face of today’s compliance and risk management challenges, the effective management of ESI should be the centerpiece of any compliance program – a prerequisite for the proactive organization.

Questions to ask as you begin a compliance initiative:

- What is the nature of the discovery: regulatory, litigation, internal?

- What are the frequency and predictability of litigation requests?

- Are discoveries scheduled or unpredictable?

- Are the majority of discovery requests internal or external (e.g. HR-related versus client-facing)?

- How is vendor management handled? What are the service-level agreements (SLAs), and how well are they adhered to and monitored?

- How is investment distributed between litigation and the e-discovery infrastructure?

- What technologies can be applied to lower the cost of discovery?

- Who “owns” responsibility for the various technologies involved (IT Infrastructure teams, business unit application teams, etc.)?

- Is it just email that needs to be produced, or is there much more ESI involved?

About Doculabs

Doculabs, Inc., is a consulting firm that focuses on strategic issues associated with content management and related technologies. Founded in 1993, Doculabs recognizes that managing unstructured content is fast becoming a major business priority.

Doculabs has an established track record in helping its clients develop strategies for bringing content under control. Doculabs understands the technologies and the applications at both ends of the content management spectrum, from the simple to the complex. For more than 10 years, Doculabs consultants have helped clients identify their specific content management requirements and the technology applications of greatest business benefit. Most important, our recommendations are completely objective. Because Doculabs does not sell software or integration services, you can be sure that our content management recommendations will truly meet your specific needs.

Hundreds of leading organizations within the Fortune 1000, as well as federal, state, and municipal government agencies, have turned to Doculabs for assistance with their content management strategies, including ways to help them make effective use of ECM technologies as part of their compliance programs.

For more information about Doculabs, or for further information on the shared services approach referenced in this document, visit the web site at www.doculabs.com or call (312) 433-7793.

200 West Monroe Street

Suite 2050

Chicago, IL 60606

(312) 433-7793

www.doculabs.com
