The Compliance Imperative
Meitchik: It's a combination. I think you need technology to manage disparate systems, to handle the volume, to get to unified repositories or archives, to be able to have a central place to handle things. And I think you have to have policies and procedures that ensure that you're using that technology in a proper way.
Rosi: Business rules are very much core to the whole management of information and, therefore, the records management principles and rules should be applied from the point of creation of that information, and then managed right through its lifecycle, and after its lifecycle so you can actually justify why you've disposed of information to the courts if you need to.
If you've got information in multiple repositories handled by multiple different rules, then that gives lawyers nice big holes to shoot their guns through. They don't say "we want to look at all your records." They will say "we want to look at all your information."
Moore: Think fast: which is worse? Legal risk or regulatory pressure?
Ptacek: The greater cost is the risk. It's usually a no-brainer selling risk management to a company that has just gone through a nightmare experience having their records subpoenaed. Fear does sell.
But it's not an all-or-nothing type of thing. The DoD 5015.2 standard can be pretty intimidating, but if you don't need to comply with DoD 5015.2, you can start with a small retention management solution. It may be much easier to get into records management than you think.
Anderson: I view risk management and compliance—not just regulatory compliance, but overall compliance—as two sides of the same coin. We always want to comply or meet the requirements of the external entities that we are beholden to, as well as our own internal requirements that we define. Our policies and procedures can be ethics-oriented or safety-oriented. It's difficult to say that organizations are focusing on one or the other, because they're inextricably linked.
Wiltshire: I clarify the difference between "governance" and "compliance." Governance is the voluntary, ethically driven aspect of compliance. Compliance, with a capital "C," is driven by regulators and laws...things you have to do. Governance is the things that you ought to do. I think that is increasingly becoming important.
It changes from country to country, and market to market. If you go to Korea or Japan, compliance tends to be more guidance-driven. The regulators tend to be less specific about exactly what you have to do. For example, Sarbanes-Oxley is very prescriptive about what you have to do, whereas the equivalent legislation emerging in Korea and Japan is much more principle-driven. There's a lot of interpretation. That creates a culture that's built around corporate governance.
Around the Next Bend
Moore: What do our readers have to worry about next?
Campbell: Amendments have been made recently to the Federal Rules of Civil Procedure, the US standard of governing rules that come into play when civil litigation occurs. These amendments specifically address retention requirements, how to deal with litigation holds to effectively ensure the company ceases deletions, or recycling back-up tapes, or expiring content related to a specific matter. If you're not able to do that, you're going to face some stiff fines and possible sanctions. Those rules kick in, I think, on December 1st. A lot of companies are anxious to see what will happen, and what the courts will and will not accept.
Romanowski: Globalization. North American companies do not hold a monopoly on compliance and risk. Companies all around the world are feeling the effect of litigation driving their RM practices. In many cases, companies are connected with offices in various geographic locations and must adhere to policies in their local areas. With North American companies opening offices in other locations outside of North America, they need to be able to adjust policies to meet the local laws. In fact, in the US, each state has its own retention rulings. RM systems need to be flexible and handle cascading policies.
Forquer: Email is the largest, fastest growing and least controlled repository. And it hits both the compliance and risk sides of the coin.
McKinnon: Organizations are still focusing on capturing records at the very last end stage of the business process. That's certainly a good starting point, but they're not getting bottom-line and top-line benefit out of their investment. Just catching the output of a business system is not strategic use of intellectual property. We really have to look at continuing to push organizations into much more of a continuous—almost circular—approach to information management.
The Cast of Characters
Janice Anderson
President & CEO
Access Sciences
Dave Campbell
Product Marketing Manager
Symantec
Galina Datskovsky
SVP Development
CA
Bill Forquer
EVP, ECM Business Development
Open Text
Cheryl McKinnon
Director for Industry and Solutions Marketing
Hummingbird
Corey Meitchik
SVP Worldwide Sales and Marketing
docHarbor
Lubor Ptacek
Director of Product Marketing
EMC Documentum
Joe Romanowski
VP Product Strategy
ZANTAZ
Jan Rosi
President
TOWER Software North America
Simon Wiltshire
VP Product Marketing-Compliance
Stellent