Corporate records management is not about policies, procedures, retention schedules and inventory and email control software.
It's about enforcement that is consistent, systematic and defendable.
With the rapid and very public evaporation of the venerable Arthur Andersen company, we have seen how a multi-billion dollar firm can be put out of business because of lapses in corporate records enforcement — lapses that are actually very commonplace in most companies.
Stepped Up Accountability
Since the passing of the Sarbanes-Oxley Act, the federal government has stepped up the accountability for consistently enforced records management programs. Executives can no longer ignore or delegate records management responsibilities to staff and shield themselves from fines or prison if records are selectively retained or destroyed.
Many companies may already have records policies and retention schedules in place. And many also have responsible staff members assuring the executives that everything is fine, that the program is solid and there is nothing to worry about.
Andersen had people who assured their executives of the same thing and they were wrong.
If you have people making those claims to you, remember that they are not the ones accountable. The Sarbanes-Oxley Act clearly puts personal responsibility and liability on senior management — a definition which is still loosely defined.
However, the penalties for records management lapses are not undefined — prison for up to 20 years and substantial fines.
Corporate Records Vulnerabilities
Records programs break down in predictable places.
Inadequate Policies
Often the records policies are inadequate for a variety of reasons. They can be too far-reaching, too complicated or too lengthy to be absorbed by employees who — quite honestly — couldn't care less about records.
Employee Discretion
Procedures, which are supposed to support the intentions outlined in the policies, often run counter to the corporate intentions and allow employee discretion in how they file or store records, how long they keep them, and whether they "authorize" or activate destruction.
Complex Retention Schedules
Retention schedules are often outdated, incorrect or written in confusing ways. The false security of an extensive and complex retention schedule is one of the biggest problems in program enforcement.
Lack of Notification Procedures
Companies usually do not have an efficient or sufficient way to notify employees when records need to be placed on a legal "hold" status and — of course — the high level of employee discretion in other aspects of the program makes comprehensive "hold" control very difficult.
Failure to Monitor
Generally, companies do not have appropriate automation in place to ensure strict compliance and consistency. Overwhelmingly, we see companies that do not have the ability to monitor compliance violations. They often become aware of their violations when it's too late.
Record Management
Often companies can't provide demanded records because they have been destroyed prematurely. Sometimes records simply cannot be found because they have not been filed or stored under standardized names that are reflected on the retention schedules.
Inconsistency
And, of course, most litigating attorneys have first-hand knowledge of the frustration and expense related to research — expenses directly tied to retaining too many records that were stored under inconsistent naming standards, making efficient research impossible.
The Circle Of Enforcement
Records management is a legal requirement and the four components of enforcement for legally required programs are universal — they apply to every area of corporate governance.
Auditing
Auditing current operations and practices to identify areas of risk exposure, excessive costs and streamlining opportunities.
Documentation
Policies, procedures and retention schedules must be updated and corrected in a manner that enables enforcement.
Implementation
Your finalized program requirements must be seamlessly linked and connected to your records practices. Your employees should be trained and provided with ongoing support. But that's not the end of the line. If you stop there, your program will fall apart and — as we've discussed — that's not feasible in the new paradigm of enforcement.
Enforcement
Enforcement is critical to ensure the corporate records program remains in compliance with your corporate intentions. All aspects of your records program must be enforced consistently just as you impose other areas of corporate governance. Enforcement automation must be put in place to eliminate all user discretion and protect your company and executives.
The circle of enforcement revolves again. No compliance or legally mandated program is stagnant. Periodic auditing, adjustments to documentation, implementation of necessary changes and ongoing enforcement of the new standards are simple, necessary steps.
Corporate governance is never static — neither is your records program.
Companies need to shift their focus from legalistic document writing and move rapidly towards simplifying their records programs, setting sensible standards and — most critically — putting the automation in place to ensure systematic and non-selective enforcement of the program in the normal course of business.
This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
No comments yet