Governance, Risk & Compliance

September 17, 2012

Records Management: The Path to Un-Risky Business

By TMCnet Special Guest
Gregg Bieri, Manager, New Records Business Development, Oce Business Services

Records management is often seen by employees as a matter of convenience and organization – “If we manage our records properly, our employees will be able to find them at a moment’s notice.” Indeed, an argument can certainly be made for the value of records management based on efficiency alone. The time savings can be tremendous, especially considering the vast number of virtual and physical records that most companies have. However, most companies undervalue the risk mitigation benefits of records management. 

Organizations retain legal counsel and sign insurance policies because it would be incredibly risky for them not to do so. When everything is going well – which is typically the vast majority of the time – these may seem like unnecessary costs. However, on those occasions when things do go wrong, organizations quickly realize that these are the best investments they could have made.

An organization’s records management program should be seen through the same lens. Employees may see properly managing records as an inconvenience or a technicality, but they must understand that it is a safeguard against real and significant risks such as compliance issues, disaster recovery, public relations crises, confidentiality breaches and security threats. A well-executed records management program helps mitigate these risks, in much the same way as legal counsel or an insurance policy does.

Imagine for a minute a large food manufacturer without a records management program in place. Somewhere buried deep in boxes of unorganized records is a decades-old, long-forgotten insurance policy that protects the company against legal action requiring it to clean up a site in which toxic materials are found. Knowing that the company was potentially at risk for such litigation, a concerned records manager pushed the company to audit, organize and manage its records and put in place an advanced records management program. Shortly after implementing the program, the company was notified that it was facing a class action lawsuit totaling several million dollars. Due to the records management best practices that had been established, the company was able to produce the insurance policy within days, which paid for nearly the entire settlement amount at virtually no cost to the company.

Now consider a large energy and commodities company called Enron. There were clearly many issues with its business policy that we won’t discuss in detail. However, in addition to problems with its core business practices, there were problems with its records management policies. Employees were instructed to shred large quantities of documents immediately prior to Enron’s legal proceedings, further implicating the company in wrongdoing.

It’s probably true that Enron still would have been dissolved even with a less-questionable records retention policy, but there is no doubt that a thorough program can mitigate potential risks. The two primary areas where an organization can expect records management to act as a safeguard are compliance and disaster recovery, although it should be noted that risk mitigation through records management is in no way restricted to these two areas.


Compliance

It is no longer simply an industry best practice to retain vital records as part of a sustainable business continuity and efficiency plan. There is now legislation issued specifically for records management compliance.

When organizations, and specifically CEOs, fail to enact a thorough records management policy, they risk severe penalties for not producing pertinent information when requested. This could then lead to liability issues if damages are suffered by the corporation, or any third party who relied on the documents. This failure to maintain substantive procedures can also end up causing severe financial pain and damage to corporate reputations. For example, under certain legislation such as the Sarbanes-Oxley (SOX) Act, formidable monetary fines could be levied on anyone who advertently or inadvertently alters, destroys, falsifies or covers up entries in records or documents.

CEOs should put processes in place to educate their employees about a company’s records retention strategy. If an employee innocently or unknowingly fails to retain an important document, that employee will not be held liable. It is management who will be held ultimately responsible and, if the mistake is egregious enough, prosecuted.

Unfortunately, compliance with all of the laws and regulations pertaining to records management is not always simple. Although most of the compliance risk comes from documents that have been destroyed prematurely, there is equal risk in keeping documents too long. Files can and should be destroyed after a certain number of years, depending on the kind of file. For instance, if a file is retained beyond a certain date when it legally could have been destroyed, it can be used against an organization in legal proceedings.

Additionally, with the digitization of multitudes of information, the compliance equation becomes even more complex. An example of this arises with social media and mobile communications. When it comes to deciding whether to store documents physically or electronically, how to archive text messages and Tweets, and when to archive email sent from a personal account for business purposes, the protocol becomes foggy. Once an organization factors in the different Federal, state, county and even city regulations, managing the intricacies becomes just as complicated as navigating a complex legal dispute or insurance plan.

In order to navigate these murky waters, organizations should consider highly trained and qualified records management professionals, or even third-party vendors, to ensure compliance. Although the investment may be higher than what they are accustomed to, it will help mitigate tremendous legal risks from potential criminal allegations.

Disaster Recovery

A company is only as good as the proprietary information it owns, and that information is only as secure as the records management solution that an organization has deployed. There is much discussion around the security of cloud-based and virtual storage solutions. However, the larger conversation should be held around the security of paper-based solutions. Paper-based documents can be lifted off of a desk, lost on a train, or burned in a fire, with no option for recovery.

When it comes to true information security, the faster that documents are digitized, the better. A records management program should digitize documents immediately, not whenever staff find time after everything else has been completed. This includes digitization of invoices, incoming mail, contracts, and all other records into a digital and searchable archive as soon as they are received. This is yet another reason to hire a dedicated records management professional or use a third-party vendor.

This level of attention to creating a digital archive of records, when paired with a secure IT system, is the only way to truly ensure data security. The technological training and operational complexities of records management can be daunting, however, and as a result, many information technology professionals are left in the dark about how to proceed. When handled properly, however, information and records management programs can be entirely symbiotic. They can improve an organization’s operational efficiency, help contain costs and, most importantly, better enable the organization to meet its compliance and disaster recovery needs.

Edited by Rachel Ramsey