Sarbanes Oxley Compliance Journal
Sarbanes Oxley : Thought Leader

Five Easy Pieces of Records Management for Compliance Officers


By Julie Gable, Principal, Gable Consulting

Compliance programs, and the officers who lead them, face several challenges. First is the need to meet multiple, disparate and sometimes contradictory requirements that vary widely by industry sector. Some regulations dictate what to keep – for example, Sarbanes-Oxley’s evidence of controls. Others tell what to discard, such as Gramm-Leach-Bliley’s rules on personal information.

While broad implementation guidelines exist, specific advice is relatively rare, so each company must interpret requirements for itself, customizing responses that will work within the firm’s unique culture. The effort is expensive and time-consuming. A survey done by Financial Executives International, of companies with revenues above $2.5 billion, found each spent an average of $3.1 million on Sarbanes-Oxley 404 compliance alone.

The return on investment in compliance efforts is not an award for excellence, but the avoidance of consequences. In the realm of enterprise risk, compliance has enormous potential for adverse effects on corporate reputation, financial condition and shareholder value.

Up to now, emphasis has been on documenting internal controls and processes to meet regulatory deadlines. But as compliance test cases and investigations get underway, focus shifts from program implementation to evidence of enforcement. The new challenge will be to provide proof of compliance, an issue that has become a board-level concern according to an article by ARMA International for Director’s Monthly, a publication targeted to corporate board members.

The common thread in regulations – whether Sarbanes-Oxley, HIPAA, or Basel II – is information and how it’s managed. Proof of compliance lies in records created as part of business processes. Manage the records and the likelihood of producing solid evidence of compliance increases. The difficulty is that compliance involves proof at an enterprise level, while relevant records are most often managed at function or departmental levels.

Compounding the issue is the fact that at least 90 percent of business records are electronic and responsibility for maintaining them is not clear cut. According to a survey by Forrester Consulting commissioned by ARMA International, 67 percent of business people think IT is responsible for e-records policies, while 56 percent of IT respondents think the compliance function is in charge. In some companies, process owners dictate how long to keep e-records based on limited views of operating needs, rather than legal or compliance requirements.

Today evidential records needed to prove compliance likely reside in technology-based systems that weren’t designed to protect or preserve evidence. In addition, factors such as available disk storage or database performance statistics are more likely to influence e-records retention decisions than the chief compliance officer’s need to convince investigators that the company takes compliance seriously.

What’s needed is a collaborative approach to managing information that considers all of the company’s needs – regulatory, legal, fiscal, operational and evidential. Records management programs can deliver exactly that, providing a strong framework to support compliance objectives.

The time is right to establish new records programs or update existing ones, and many firms have moved responsibility for records to the compliance function. Here, then, are five things compliance officers should know about records management:

1. The whole is more than the sum of its parts. Records management programs consist of documented policies, procedures, and retention rules designed to assure that needed information is protected and preserved. Through regular training and audit activities, there is a clear message of internal standards operating to meet the letter and spirit of requirements. (See sidebar) In short, records programs contribute to the appearance – and substance – of ongoing control that is so important to regulators.

2. Faster finding means less looking. Standards for organizing material relevant to compliance mean that auditors, examiners and inspectors find exactly what they need quickly, conveying the impression of order in the ordinary course of business. A company’s ability to deliver proof under pressure alleviates investigators’ need for extensive exploration of boxes, shared drives or tape libraries. Uniform methods and organizing principles go a long way toward expediting search and retrieval efforts. Finding what’s needed is the mark of a tight ship and the byproduct of good records management.

3. Destruction is fine, as long as it can be stopped. Although SOX amended Title 18 of the U.S. Code, increasing penalties for willful destruction when an investigation or litigation is imminent, keeping everything is not the answer. With a program in place, systematic destruction of records is permitted, as long as it takes place at regular intervals under controlled circumstances. What’s crucial are policies governing how and when to stop destruction, and fixed responsibilities for communicating the need to do so.

4. Procedures require pragmatism. In the electronic realm, there is a gap between what should be done and what can be done to manage records. Content management applications create, store and retrieve documents, but the ability to monitor retention or compliance varies widely and may require more intervention than resources allow. Enterprise resource planning systems – actually database applications that store forms and structured data – generally have no records management capabilities without add-on products. While technology shouldn’t dictate procedures, it makes sense to determine what can realistically be executed. Otherwise, procedures are unenforceable and the program’s credibility suffers under outside scrutiny.

5. Conflicts are common. People see records from different perspectives. Legal’s chief concern is response to discovery requests. IT’s purview is backup and storage volume. Process owners and workers have productivity goals. An oversight committee composed of high-level legal, IT, records management and compliance representatives should convene to reach a common understanding of records issues and arrive at solutions that consider all uses for records. Proving compliance involves systems and functions over which CCOs have no direct control, so the ability to influence practice is essential, and an oversight committee provides the right forum.

Compliance programs demonstrate commitment to doing the right thing – an important objective in an era of mistrust. Records programs deliver proof that compliance is an integral part of corporate practices – an important prospect in a period of investigatory zeal. Successful CCOs recognize the synergy and exploit the value of both.
Julie Gable is Principal of Gable Consulting and Associate Executive Editor of the Information Management Journal, a publication of ARMA International. Reach her at juliegable@verizon.net.

© 2019 Simplex Knowledge Company. All Rights Reserved.