Leveraging Enterprise Records Management
March 26, 2009 12:00 PM
Risk management and Enterprise Records Management (ERM) are increasingly becoming intertwined in today’s business world. New laws, regulations and court rulings – combined with the challenges of living up to Sarbanes-Oxley rules – present significant risks to companies in terms of compliance, market performance and strategic goals. This is particularly true when you consider the escalating challenge of managing electronic records and unstructured content.
VP Business Processes for Xerox Global Services
A recent survey by the enterprise content management association, AIIM, found that roughly 50 percent of respondents said they are less than confident that, if challenged in court, their organization could demonstrate that their electronic information is accurate, accessible and trustworthy. Only now are organizations realizing the complexity and compliance requirements associated with e-records, including electronic documents, data, e-mail and instant messages. Another survey by CFO.com found that more than one-third of top-level executives say their companies don’t have a disciplined way to deal with electronic discovery issues. And according to Politico.com, other countries are starting to look to Sarbanes-Oxley as a model for their own new regulations, a development that could have broad consequences for multinational enterprises.
The law now considers electronic data to be just as important as paper records when it comes to legal discovery, but electronic information raises a different set of issues from paper records. Many organizations apply outdated policies and procedures originally developed in an era when virtually all important records existed in hard-copy form. Others have trouble navigating the world of “unstructured” corporate data such as digital images, e-mail and instant messages. This poses a huge risk when courts will often give an organization only 90 days to present relevant documents for an upcoming trial. ERM, inclusive of e-records management, has not just become a business need – it’s the law.
Assessing the Risks
As with any strategic plan, before steps can be taken to improve an ERM system, a formal assessment must take place. Understand that what you can’t see can hurt you. The lack of a process to store and locate e-mails, the lack of centralized storage policies, or ineffective ways of meeting regulatory deadlines can all lead to the creation of documents and records that are hidden from company view. And those hidden records are the ones that can lead to unpleasant surprises.
A key element of an assessment should be the evaluation of what will happen to a company should it not meet Sarbanes-Oxley regulations, including fines up to $1 million and 10 years in jail. In addition to compliance risks, while preparing an effective ERM strategy, companies must also consider potential financial and strategic risks. A comprehensive assessment should keep these categories in mind:
• Legal and regulatory risk: noncompliance with Sarbanes-Oxley and other government regulations can lead to costly penalties and judgments. Noncompliance exposes the enterprise not only to fines but can also lead to a tarnished reputation, reduced corporate value, limited business opportunities and reduced expansion.
• Reputational risk: negative public opinion can create barriers that make it difficult to bring new services to market and can potentially impact earnings, limit access to credit markets and erode future growth potential. Mitigation efforts include the responsibility to exercise diligence in dealing with customers, shareholders, the community and other key stakeholders.
• Strategic risk: effective ERM strategies can have a positive impact on strategic business decisions, allowing an organization to adapt quickly to market or industry changes. Timely access to critical information allows an organization to react more quickly than its competitors.
Organizations should also consider the strategic nature of capturing and storing new documents upon creation. Effectively capturing documents related to sales concepts, product designs and other R&D initiatives can help an organization protect and patent new ideas, as well as defend against patent infringement claims. Without proper practices in place, a company has far less control over intellectual property or trade secrets that may be included within these documents – and that means there’s the potential for this proprietary information to make its way out of the enterprise and into the hands of competitors. Always consider the strategic ramifications of how your documents are managed.
Step-by-Step Solution
While it can be difficult to justify a return on investment for avoiding compliance costs or defending lawsuits that may or may not be incurred, there are practical ways to approach the problem that help reach important records management goals. The best way to mitigate records management risks is to develop a holistic ERM strategy that includes policies, work processes, training and technology. Key steps companies can use to mitigate the risks in their records include:
Step 1 – Create a Risk Profile
A risk profile serves as a systematic, high-level identification of the risks assessed above that adversely impact the enterprise. Typically, this profile covers the areas perceived as the greatest risk, including record retention policies, litigation preparedness and disaster recovery. Ongoing management support and the establishment of an audit committee for active oversight will both help to shepherd this process through its implementation.
It is important to take the following actions to create a basic risk profile for the enterprise:
• Identify the issues and develop a clear understanding of the management framework
• Define top-priority risk exposures and develop criteria for each risk
• Establish an audit committee from high-level management to monitor the integration
• Recommend only the most effective risk mitigation strategies
By completing the risk profile, the enterprise can readily identify the important trouble spots in its risk landscape. With this narrowed focus, significant enterprise-level risks related to compliance, reputation and corporate strategy can be prioritized.
Step 2 – Use Heat Mapping to Prioritize Risks
Heat mapping is an effective evaluation tool. Based on qualitative and quantitative data, the information is organized on a risk-by-risk basis on a color scale that runs from “hot” to “cold.” This creates three tiers of risk to help facilitate internal discussion and focus on top priorities.
• Tier one represents the most critical threats and the highest priority. Top-level management should treat these as opportunities to improve strategic objectives and sustain value.
• Tier two contains risks that have the potential to significantly impact the enterprise. These risks can typically be managed at the business unit or organizational level, with corporate officers responsible for escalated issues.
• Tier three risks should be considered moderate priority. These risks usually fall within the scope of unit level risk management functions.
Step 3 – Plan & Improve
With the top priorities in mind, the final step is to develop a disciplined process to guide the improvement effort. The diligent use of best practices can help create a well-managed implementation.
Once the priorities are in place, it is vital to identify all records, both paper and electronic. With a precise view of the current state, an enterprise can then develop a comprehensive implementation plan. A cross-functional improvement team can engage employees at all levels in training and procedures. Since electronic records are increasingly the source of risk-related activity, it’s especially important to get IT actively involved in developing, implementing and supporting improvements. Many companies use a pilot program to test improvements in the business areas with the most prominent vulnerabilities so that they can be put in place right away. It’s best to continue to carefully monitor the impact of these improvements, collect feedback and make the proper adjustments.
The Ultimate Result: ROI
As most professionals realize, there is no precise way to calculate the value of prevention, but ERM improvements dramatically minimize the risks associated with noncompliance with Sarbanes-Oxley and other government regulations. The sooner a company starts the process, the greater the savings can be. The return on investment can be in the millions in terms of staff time and cost savings associated with avoided penalties. Proper preservation and improved access to records will enhance an organization’s accountability, guard against unauthorized alteration of documents and increase responsiveness to litigation demands. The value of taking early and effective action will be clearly visible where it counts the most – the bottom line.
Rich Baily is a Xerox Thought Leader and vice president of Xerox Business Processes for Xerox Global Services.