Document management may not immediately excite everyone’s interest, but there’s nothing more effective at focusing the mind than survival. Make no mistake, today’s compliance landscape is harsh and getting harsher – and the key to business continuity is the ability to manage risk, maintain resilience and ensure recovery. With regulatory regimes and the penalties they can levy expanding to meet the explosive growth in information flow, neglecting document management can be a very expensive and damaging oversight.
There are four factors that combine to threaten business continuity for the unwary in document management. The first is the exponential growth of information in modern enterprise, generated and required by businesses, by customers and by regulators. The second is the regulation of information itself, which in recent years has become ever more wide-ranging and ever more aggressive. The third is that as information flows between various electronic and physical formats, it becomes increasingly vulnerable and difficult to manage and protect. Finally, information has to be easily accessible (for business and regulatory needs) while also robustly protected.
It’s an enormously complex and often contradictory equation: better management of more information that has to be totally secure while at the same time being immediately accessible. Regulation is the key component in this equation and the impetus for the need for effective document management. With the raft of legislation currently on the books and just around the corner, this is hardly surprising.
There are key regulatory regimes that impact upon a company’s ability to survive, including Basel II and the Safe Harbor Act. To take some specific examples, the EU’s Markets in Financial Instruments Directive (MiFID) requires the reconstruction of the complex variables of market conditions on any given transaction. To satisfy what is known as ‘best execution’, companies need to gather together the incredibly complex strands of electronic and paper data, including email, as part of the formal business record.
Sarbanes-Oxley in the US is one of the most important pieces of legislation affecting corporate governance, financial disclosure and public accounting – important because it makes corporate executives far more accountable for their companies’ financial affairs. The buck now stops with individuals as well as with companies. Also US-based but with global implications is Rule 26 of the Federal Rules of Civil Procedure. This covers ‘Electronic Discovery’, whereby electronically stored information relevant to litigation should be available to US courts at a very early stage, wherever in the world it is held. This means that companies must know where their data is kept, how it is stored and how the retention schedule applies to them – or be in breach of the rule.
Government organisations are sharing in the strain of the regulation revolution too. The UK’s Data Protection and Freedom of Information Acts demand that public bodies square the circle of heightened information security with significantly increased rights of access to that information, within stringent timescales.
The UK’s Financial Services Authority (FSA), the independent regulator of the financial services sector, has an extensive arsenal of powers that can be ranged against any companies that don’t meet its standards. Once again, the time limit given to companies to provide their secure information for scrutiny is exacting, with the FSA classifying ‘readily accessible’ as being a mere 48 hours. The FSA levied over £68 million in fines for compliance breaches between 2002 and 2006. Failures in effective record keeping accounted for over £12 million of this total and 44 per cent of fines over £750,000 related to records management lapses.
It is safe to say that compliance is very much on government, board room and media agendas. The regularity of breaches from organisations large and small shows how easily reputable organisations can inadvertently fall foul of information legislation. So what can they do?
The complexity involved at this level of document management is understandably daunting for companies, simply because it isn’t a core part of the business. Intelligent document management is a highly specialised discipline and not something that can simply be appended to an existing employee’s job description. Businesses need a strategic partnership with a company with extensive expertise. Use of the word ‘partnership’ is deliberate, because a document storage solution simply isn’t enough – enterprises need a partner that truly understands their business and tailors solutions to specific needs.
Records management should be seen as a component of a comprehensive corporate compliance strategy, which will help to reduce legal and financial risk and, importantly, safeguard a business’s reputation. A records management programme must include effective policies and procedures, retention schedules, disposal routines, communications, proof of training and enforcement. Attack is the best form of defence.
With over 50 years of document management leadership experience, Iron Mountain knows that companies need a 360° perspective to deploy a comprehensive and integrated roadmap for compliance. To put it simply, aggressive regulation calls for aggressive compliance:
• Organise a solid infrastructure that will encompass determining the scale of the programme, the creation of effective programme governance, business area specific task groups and sufficient administrative resources.
• Assess and plan with a thorough records inventory, evaluation of existing document management systems, risk assessments, analysis of legal access and retention requirements and the development of a strategic plan.
• Develop key components and metrics which will include a realistic retention schedule and company-wide policies to provide the foundation for a credible, consistent and compliant programme.
• Implementation is critical – the success of the programme will be based on delivery, not its design. As with any project, implementation needs to be applied as a formal exercise containing tailored communication and training components.
• Manage the programme because, no matter how successful the implementation, if it isn’t enforced it will fail.
• Audit and accountability are essential to ensure that everything is working well and the business is consistently compliant.
Let’s go back to the complex equation mentioned earlier to see how a strategic partner can resolve the contradictions that regulation imposes. Electronic information can be stored in a safe online digital records centre – quickly retrievable only by authorised staff from any internet-enabled computer – so that it is both secure and rapidly accessible. Physical documents can be held offsite in secure data storage facilities, freeing up expensive office space, data security resources and archive staff – increasing the capacity to manage, store and exploit growing information resources. These documents can then be scanned cost-effectively, as they are needed, and accessed with the speed and accuracy of electronic documents – delivering true integration of varying storage formats.
Today, more than ever before, records management compliance is a strategic priority. Document management is often seen as a necessary evil but the expertise of a strategic partner can take away the pain by reducing costs, simplifying business practice and ensuring continued compliance. Enter this environment unprepared and companies will pay the price, but if they enter with a strategic partner with the right expertise they will not only survive, they will thrive.