The Chilling Effect: How Records Management is Changing the Way We Work
The Cast
Dean Berg
director of business development,
StellentMichael Cliffgeneral manager of sales and marketing, TOWER Software
Harald Colletprincipal product manager, records management and compliance support,Oracle
Dr. Galina Datskovskyfounder and CEO, MDY
Mark GilbertVP and general manager, compliance solutions, Vignette
Peter MojicaVP product strategy and management, AXS-One
Andrew Perychief marketing officer and senior VP, Hummingbird
Jens Rabedirector of compliance solutions, Open Text
Dr. Johannes C. Scholtespresident and CEO, ZyLAB North America
Not that long ago, the only "records management" I knew anything about was alphabetizing my Monkees LPs. And I am not alone. Records management (RM), once the domain of a specialized, trained population of information experts, has intruded into the mainstream with unexpected and disruptive consequences.But—good news ahead—the panel of experts I recently convened believes there is more value to be derived from records management than you'd think. Join me for a more-or-less transcript of our talk:
"Before Sarbanes-Oxley, confidence was shaken...quite shaken," says Dr. Galina Datskovsky founder and CEO of MDY. "Congress felt it had to push legislation through quickly, because without it, it could undermine the US economy. And they did it! I think it has had a great effect on restoring confidence."
"In year-one of Sarbanes (was it only last year?) businesses didn't want to chance that the legislation didn't have teeth. So they went a little overboard, and now they're trying to cut back, and figure out how to reduce the number of controls, eliminate redundant controls...the pendulum is starting to swing back," adds Dean Berg, director of business development for Stellent. "I've seen both extremes," says Datskovsky."Those who don't go all-out, or perhaps doing the minimum, as well as those who are reacting very strongly. That's because Sarbanes is uncharted waters. And records management is only one component of compliance. Sarbanes does have stringent record management requirements, but only for a small subset of your records. Records programs in general are more driven by risk avoidance. The people buying Sarbanes solutions and the people buying records programs are two very different groups," insists Datskovsky.
"There's a lot of trepidation because of the volume of new regulations...from the SEC, from the states, internationally..." says Harald Collet, principal product manager, records management and compliance support for Oracle. "That's tangible. People are looking for commonalities among all the regulations, and there ARE some common requirements. These affect our customers' basic IT architectures. They were already thinking about service-oriented architectures (SOAs), but now they're looking at ‘compliance architectures' that extend much further than records management, but include business process management, specific compliance applications, the ability to provide data security and encryption...all of these are being lumped together into a set of compliance requirements. We are not just talking records management; we're talking about records management connected with these other key areas into a long-term strategy," says Collet.
Isn't there a portion of the market that is making a cost/benefit evaluation, and hoping to skate under the radar of the investigators? I ask. "There have been two kinds of customer, and they have reacted differently from year-one to year-two," says Stellent's Berg. "One wants to just ‘get by' with the bare minimum. But there's another group that knows it has to invest to comply, so it's looking for ways to get additional business benefit from its investment."
And that concept—gaining business value from an obligatory investment—set off bells among the panel:
"The process of documenting your business processes, identifying risks and documenting your controls helps you locate redundancies, which you can reduce or eliminate, and better understand your processes and optimize them," insists Berg.
"Records management is document management on steroids," says Mark Gilbert, VP and general manager, compliance solutions for Vignette. "Specifically, that is the addition of lifecycle management." That would be the steroids, I'm guessing. "When you add electronic documents, e-mails, even video clips, into a records and document management environment, you create—many times for the first time in corporations—a single source of the truth. The ability to associate data from all these different environments, add a bulletproof audit trail in a hierarchical file structure and then apply a lifecycle to it, is very valuable."
Gilbert continues: "What does it take to get a comprehensive view of a prospect or a customer? How many systems do you have to touch? Our largest customers have to touch 30-50 different systems in order to get a comprehensive view. But if your RM is an integrated repository for key information, you can reduce the number of systems you need to reach out to. That efficiency—avoiding the labor costs of managing multiple touchpoints—is one of the hidden benefits of RM."
Basement to the Boardroom
"Records management has gone from the basement to the boardroom," says Dr. Johannes C. Scholtes, president and CEO of ZyLAB North America LLC. "I used to talk to facilities managers. Now I talk to CFOs, compliance officers, CEOs and legal counsel. They make decisions much faster and there's more money available. At first they see it (RM) as a burden, but once it's up and running, they suddenly understand the long-term benefits," says Scholtes.
Andrew Pery, chief marketing officer and senior VP for Hummingbird, agrees: "Everyone is now cognizant of the importance of managing electronic records. As organizations have implemented RM to be compliant and manage risk, they also recognize the inherent value in managing enterprise content. Even though records management is the primary motivation, the real benefit comes from efficiency improvement and responding more effectively to customers. It is quite costly to put in a records solution, so they are leveraging their initial investment," says Pery. "This realization has led to a consolidation in the marketplace," he says. "Records management is no longer viewed as a stovepipe application. It's really in the context of a much broader set of requirements. That's why vendors offer records management as part of a suite, with a shared repository, a common framework for managing content and records and the ability to publish that content out. Only partly has this consolidation been driven by regulatory compliance; a much broader market driver has been efficiency and managing content as a critical corporate asset."
Mark Gilbert agrees: "If you think you can leave multiple systems in place, with sometimes redundant and contradictory data in them, there's a risk—and a cost associated with that risk. If you make a change in one system, and it's not mirrored over into other applications, there's a risk in that lack of integrity."
"Records management has gone from a departmental need, used in the financial and legal departments, to a facility that needs to be available to all the content in an organization," explains Oracle's Harald Collet. "That change needs to be reflected in how we vendors price our solutions. That's very important: In order to support broadbase deployment of RM, a few things need to happen. First of all, the average ECM project for 100 users costs $500,000. If you're thinking of rolling out to, say, 10,000 users, very quickly the majority of your IT budget can be tied up in a records management deployment.
"The other thing that needs to happen," continues Collet, "is the ability to push it into the infrastructure. Don't look at it as a stovepipe application. Look at it as a data management problem and as a facility that's available as a service."
Michael Cliff, general manager of sales and marketing for TOWER Software, identifies a humanistic aspect: "Records management is now more of a philosophy, as opposed to a functionality or product. There's a whole change-management happening within organizations regarding the practices and procedures they're putting in place to manage their information...whatever that information might be. In some cases, it's becoming as important as an HR or financial system. You could stop paying staff for about a month, and they would probably accept that until they couldn't pay their bills. But take away the information they need to do their jobs, and you're lucky if they last 24 hours before the business starts to be critically affected."
The "people theme" gets picked up by Jens Rabe, director of compliance solutions at Open Text. "Our customers are overwhelmed, and quite desperately looking for guidance. The highly regulated businesses have it pretty much under control; it's the general regulations that have emerged that are not understood. What really scares people are the unspecific regulations regarding ‘communications' that—at the time of generation—make it very hard to tell where those communications need to be put. The documents generated by general business processes used day-by-day are making people nervous. I think it will be quite some time before companies are compliant with this documentation, because it demands so much interpretation, and demands so much change in the way people work," predicts Rabe.
What's the ROI?
"Customers are still in a quandary, still thinking of this as a ‘spend,' versus trying to figure out how to get efficiencies," says Peter Mojica, VP product strategy and management for AXS-One. "And it's unfortunate, because they're in kind of a haze, deciding between what they have to do and what they can do from a bigger corporate perspective. We tell them there's a monumental paradigm shift, making things difficult not just for the customers, but for the vendors as well.
"We are in a ‘storming phase,'" Mojica continues. "We're trying to get from the storm to the calm, where we can get clarity of decision. But we're still dealing with the colliding factors that have led to monumental shifts in records management. Two or three years ago, people didn't consider e-mail a corporate record. People are now asking ‘What is it? How do I deal with it?' In a couple of years, we're going to have storage area networks (SANs) just handling corporate records which will dwarf the largest SANs we've seen for the last 10-15 years. It's just a matter of a couple years. It really is a tremendous shift for both the business side and the IT side," says Mojica.
"The big driver for records management is litigation...trying to find information that you know you have somewhere in the form of documents and e-mails and contracts and formal as well as informal communication, that's connected to the case," explains Open Text's Jens Rabe. But it's not all stick and no carrot. "What records management allows you to do is group information around certain classifications, while assigning a lifecycle to it. Twenty years ago, there were commonly plans in place to store paper documents for the right period of time, and for when you would bring them down to the basement and eventually destroy them at the proper time. But with the advent of e-mail, electronic document management and the growth of file systems and the like, suddenly that culture disappeared. Reintroducing that culture due to regulatory pressure is certainly a good thing."
"Records management needs to be defined as a comprehensive solution that includes document management capabilities as well as lifecycle capabilities—they go hand-in-hand," says Vignette's Mark Gilbert. "With this type of approach, the labor savings are huge, especially if you're automating a specific vertical process. For regulated environments—finance, insurance, banking—the labor savings are derived from the time it takes to locate a document, share the document with only the people who need to work on it, force versioning on the document. But it's not just the documents and lifecycles and versions, etc....it's the ability to save the process that went into the creation and handling of that document. Should you be called up on a Sarbanes-Oxley issue, you can say ‘these were the controls in place at the time, this is the process we used, it was reviewed by these accountants and finance people at these different times, this is how it changed over time and the rationale behind improving the process...' You can more accurately mitigate the risks that underlie the process surrounding each document. That's where the benefit really pays off.
"Sure, there are substantial costs in implementing records and document management software," Gilbert continues. "But 10 years ago they were three times that. So the market is asking the vendors to bring down costs to the point where they CAN have enterprise records management. Unlike 1995, when a records management system had eight seats, today it could have a thousand seats, or more."
ZyLAB's Johannes Scholtes puts it into another perspective: "The cost of a lawyer is infinite, so ROI calculation is really easy!" (Laughter ensues.) "As a manager under a legal discovery request, you cannot do anything else except focus on the lawsuit. You don't stand for your business anymore...you spend more money and have less money coming in. I always say, if you find fraud before it finds you, that's a great benefit."
But What Will it Cost?
There are a number of ways to look at cost avoidance and value, as we've learned, but there are a few more we haven't tackled yet: "Most content sits on hundreds of servers across enterprises," reminds Collet. "That means records management allows for server consolidation, a benefit on the hardware side. You have the ability, with records management married with content management, to lower your storage costs."
Galina Datskovsky from MDY agrees: "Absolutely—an optimized records program reduces storage costs, allows your users to get at records faster in a more efficient way, allows you to know that the record you have retrieved is the correct one and eliminates mistakes. Sarbanes, etc., may be making it more visible, but I'm finding that companies are embarking on records programs for those reasons and beyond purposes of regulation. Very seldom is the records program Sarbanes-driven. The example of Morgan Stanley, and the concern companies have around litigation, has done more for records management than Sarbanes-Oxley has," she says.
Collet adds another aspect or two: "The cost for a legal discovery effort is around $400,000 for each effort. But a harder number to pin down is ability to craft an effective legal strategy, based on your knowledge of the information you have. If you know you've got something responsive to discovery ahead of time, you can review it early on and create a legal strategy to address it. Perhaps you can get a settlement, rather than go to court, where something inappropriate could be revealed."
Hummingbird's Pery adds "Section 404 (of the Sarbanes-Oxley Act) doesn't necessarily mandate that you have an automated solution...just that you comply. But if you don't have an effective system in place, estimates are that you'll use 1,000 person-hours to create a 404-compliant environment and a minimum of $100,000...probably much more. The costs of implementing are quite high, but the risks of NOT doing it makes it imperative."
Open Text's Rabe adds, "A law firm we work with estimates it costs $2 to locate a single e-mail message in a legal discovery. With all the news surrounding Morgan Stanley, Philip Morris and the rest, you can imagine the costs of a legal discovery. Then, without rigor in the organization of information and records, your company may STILL not be able to find pertinent information, and face huge fines on top of the costs of discovery! So it's obvious that putting rigor into your records plan will have a huge cost avoidance."
Mojica concurs: "Legal discovery is one expensive proposition. Once a customer realizes they can use the same system for regulatory compliance AND to address a legal discovery, that's where a lot of the ROI comes from. We have customers who have paid for their entire system by avoiding the costs from one legal discovery request. I wish we'd have charged more!"
The Chilling Effect
It's tempting to look at the recent regulatory flurry as merely another pain in the ... pocketbook. But there have been subtler effects, not the least of which has been the shift in the relationship between corporate financial officers and their auditing firms. Formerly, a company and its auditors could be termed "partners" in the sense of an old-boy's network of you scratch my back and I'll scratch yours. But not anymore. Auditors are now as liable for financial misdoings as the CEOs who face the perp walk into a US District Court. And that has created a chilling effect between companies and auditors. "Yes, it's become an arm's-length relationship," confirms MDY's Datskovsky. "A lot of our customers have changed auditors, because they either felt uncomfortable with the new relationship forced onto them, or they felt there were too many internal loyalties. However, with the reduction of the number of auditing firms, it's hard to change auditors...at least in the larger arena. An interesting side effect of Sarbanes is that the largest auditing firms (the "Big Five or So") have been seeking larger clients and telling smaller clients to go elsewhere. The audit companies are also hiring like crazy...it's a great time to be an accountant," Datskovsky says.
Hummingbird's Pery adds, "Organizations are much more cautious recognizing revenue, and every time there's even a small contentious issue, they have to go to the auditors for comment. And they (the auditors) in turn may need executive approval within the auditing firm to mitigate their own risks. And that costs money."
"Companies are spending twice as much if not more to their audit firms post-Sarbanes, so that doesn't sit well," says Gilbert. "They used to send draft-work to their auditors, and ask for their thoughts. Now they want it to be locked down first. If they send something in draft form, the scrutiny they'll be under later will be immense."
Harald Collet puts another spin on it: "There is a much more aggressive auditing of IT controls, typically using CObIT (Control Objectives for IT). We see records management right up there at the top as a red flag, because once you start going through the 250 or so control objectives of CObIT, you often run into areas where you have to retain important information as part of the change-management process, for example. The change in the relationship between auditors and companies can be seen and is felt directly in the IT department, and that translates in how people look at these technologies. It's all connected."
"Every company that has been fined or investigated under the SEC and other regulators has had heavy-duty compliance officers and heavy-duty IT that were minding the store," says Mojica. "They were trying their best to mitigate the very risk they got dinged for. And they don't know what went wrong! It's all about the changing of the business climate."It sure is. And that's what the rest of this White Paper is all about. The good news: we're all trying to sort it out together.
Andy Moore is a 25-year publishing professional, editor and writer who concentrates on business process improvement through document and content management. As a publication editor, Moore most recently was editor-in-chief and co-publisher of KMWorld Magazine. He is now publisher of KMWorld Magazine and its related online publications.
Moore acts as chair for the "KMWorld Best Practices White Papers", overseeing editorial content, conducting market research and writing the opening essays for each of the white papers in the series.
He has been fortunate enough to cover emerging areas of applied technology for much of his career, ranging from telecom and networking through to information management. In this role, he has been pleased to witness first-hand the decade's most significant business and organizational revolution: the drive to leverage organizational knowledge assets (documents, records, information and object repositories) to improve performance and improve lives.
Moore is based in Camden, Maine, and can be reached at andy_moore@verizon.net