
Email Management and Sarbanes Oxley Compliance


Failure to manage e-mail can carry a costly penalty for corporate executives

By Craig Rhinehart
Director of Compliance Product Marketing
FileNet

U.S. companies will spend upwards of $15 billion on technology products and professional services this year alone in order to adhere to new compliance regulations, according to AMR Research, Boston. Spending on Sarbanes-Oxley compliance will account for about 40 percent of this total, or about $6.5 billion.

The Sarbanes-Oxley Act of 2002 (S-OX), passed in reaction to highly publicized corporate scandals, requires high levels of accountability from companies and their senior executives to verify the policies, processes and procedures behind each company's financial reports and even business operations.

S-OX compliance represents a massive undertaking, implementing not only new policies and procedures but also new technology systems and software. Many companies are beginning to realize that Sarbanes-Oxley compliance is not a one-time endeavor or expense like managing the Y2K problem. Instead, S-OX compliance represents an ongoing effort to put technology and policies in place for full compliance.

To meet compliance requirements, organizations are automating their business and information processes. Developing these critical systems with compliance in mind represents a costly and time-consuming undertaking for many organizations. Each organization must map out and test processes for internal controls and have a demonstrable means of proving that the process in place was the process followed.

Building solid models for business processes, which can be continually optimized for more efficiency and better performance, represents a key for S-OX compliance. For companies seeking S-OX compliance, the biggest challenge is managing the enormous amounts of content employees create daily, from word processing documents to presentations to basic data entry to generating and receiving e-mail messages.

According to the Radicati Group, a Palo Alto-based market research firm that covers security, e-mail archiving, and regulatory compliance, the average corporate user generates and receives about 84 e-mails per day, which require about 10 MB of storage daily. Radicati believes that by 2008, e-mails will require about 15.8 MB of space daily to handle the workload. Without question, e-mail is the most widely used software application in virtually every corporate enterprise.

According to IDC, 35 billion e-mail messages are generated every business day, up from 10 billion e-mail messages daily just five years ago. And with new compliance-driven regulations, like S-OX, corporate e-mail messages have achieved the same status as other commonly used business documents. Corporate e-mail represents a litigious "gold mine" of information for discovery in the event of a lawsuit. Depending on the records management, content management and storage systems in place, producing e-mail evidence for discovery represents a time-consuming and expensive proposition for many organizations.

Organizations seeking to be fully compliant with new corporate governance requirements must find ways to optimize their records management, storage and retrieval, as well as security and access control for a broad range of information management issues.

According to the Gartner Group, the content management market is expanding by about 11 percent annually. Forrester Research says market growth includes adding records management and e-mail archiving into the ECM market due to compliance factors. With compliance requirements looming, many organizations are scrambling to add more storage capacity and build information silos to house the growing number of daily e-mails created at their firms.

One short-sighted approach is to continue increasing data warehouses and storage subsystems to be able to hold more and more business records. But without the means for categorizing business records for easy retrieval, or for distinguishing key e-mail messages that are business records from basic non-critical communications, organizations are, in effect, creating "digital landfills" where every record is stored but no record is very easy to find.

A digital landfill effectively means every e-mail message is backed up daily on large storage subsystems. The problem for senior management and corporate IT personnel occurs when basic records need to be located. Many organizations simply don't convert e-mail messages into business records and they vastly underestimate the time, energy and expense required to locate the e-mail records needed in the event of litigation. This storage approach to e-mail management is actually a violation of a provision of S-OX that states records retrieval must be accomplished in a timely fashion.

New e-mail management products are emerging that specifically address regulatory requirements for S-OX to be able to review and hold both incoming and outgoing messages based on key words that might trigger a compliance concern. The courts and regulators will not accept arguments that e-mail messages or business records couldn't be found or were purged. Regulators must determine what is reasonable based on the frequency of corporate back-up systems, retained records, and e-mail retention policies. And the burden of proof still lies with the organization entrusted to store and secure corporate content, including corporate e-mail.

Destroying or deleting e-mail messages that are considered business records can also result in legal liability for companies, all the way up to the senior corporate executives. Rulings from regulatory agencies encourage organizations to regularly disclose policies for e-mail management and Instant Messaging (IM) services, but many popular software applications aren't equipped with features for enforcing compliance, which leads some organizations to neglect or ignore their own policies. This practice can create enormous regulatory risk for the organization.

Failure to manage e-mail can carry a costly penalty for corporate executives. Last year, former CSFB banker Frank Quattrone was sentenced to 18 months in jail for sending a single e-mail urging his staff to "clean up" their files. At a large software publisher, company policy required the destruction of e-mail messages older than seven days, and the storage/archival of e-mail messages was kept to a minimum. Corporate e-mail is playing a role in evidence at several high-profile trials dealing with corporate scandals. And the New York State Attorney General's office is following e-mail trails at several Wall Street firms suspected of wrongdoing.

Legacy systems without a dedicated content management platform are in for trouble. Effective e-mail management solutions must support the entire e-mail lifecycle, including the creation, retention, auditing, management and retrieval, as well as timely purging of e-mail, through integration with electronic records management systems. If not properly managed, the sheer volume of corporate e-mail generated daily can dramatically impede an organization's growth and even threaten its ongoing viability.

Once a user sends an e-mail, they have almost no control over its future. The contents of any message can be printed, forwarded to others, edited, and changed dramatically, all without the knowledge or consent of the sender. By setting policies in place that capture outbound e-mail messages as a business record, an organization can protect itself against unwarranted claims by providing a "digital original." As regulators and the courts weigh e-mail messages with the same scale and protection of written documents, managing e-mail messages as records assures that they meet the burden of proof for S-OX compliance.

S-OX regulators are not just satisfied with archiving e-mail messages. Corporate Instant Messages (IMs) are also considered critical business documents, and these simple written communications, with all their electronic shorthand, must also be stored as business records in order to adhere to S-OX requirements. Compliance issues aside, there is a very positive flip side to adding e-mail management and records management to an organization's ECM platform. The content captured in corporate e-mail messages is used in the ECM platform to accelerate decision-making and drive business processes. There is a wealth of business intelligence in corporate e-mail systems that is under-utilized when it comes to driving business decisions. By integrating e-mail management solutions into an ECM platform, the captured content can optimize business performance by using the content in corporate e-mail messages to make better decisions even faster, all while adhering to S-OX compliance regulations.

Incorporating e-mail management into a comprehensive corporate ECM initiative helps ensure that all data and content relating to a particular issue can be easily saved as business records or put into action to launch a business process, like adding new prospects to a sales database, updating customer records to send relevant product enhancements, or driving geographically dispersed new customers to an online training session.

E-mail messages can be part of an organization's content repository directly from the organization's e-mail client. Then, e-mail metadata is captured and automatically managed in the organization's enterprise content repository. Corporate e-mail messages that adhere to an organization's records management and content management policies are defined, profiled, and stored in content management repositories by threaded discussions, attachments, subject matter, or date.

These new e-mail management applications can capture e-mail messages and attachments automatically based on e-mail policies that are designed for S-OX compliance and advanced rules engines that analyze e-mail content for key words, phrases, lists or values to effectively map business communications to specific content management and business processes. Searches can be conducted by e-mail message threads, e-mail address pairs and by underlying BPM such as applications residing in a corporate ERP system. By taking a content-centric approach to e-mail, e-mail management products can integrate with popular e-mail applications and content management platforms and serve as mediator between these applications. E-mail management makes it easy to declare e-mails as formal business records which eliminates a processing step and reduces the chances for errors.

Once preserved as a record, access and retrieval of e-mail content is simplified. This can help significantly reduce litigation costs, offering companies the opportunity to realize a return on investment of their e-mail management solution with the first legal discovery challenge they face.



Craig Rhinehart is an expert in e-mail management and is a veteran in the enterprise content management industry. He currently serves as an advisor/board member on the ARMA Electronic Record Initiative. Rhinehart has played a role in four successful corporate acquisitions, including IBM's acquisition of Tarian Software, where he was vice president of Worldwide Sales and Marketing.



