Information Governance for E-Mail

profilestudent118
email.PDF

Best Prac tices in Records Management & Regulator y Compliance

KMWorldSupplement to

Premium Sponsors

September 2004

Andy Moore . . . . . . . . . . . . . . . . . . . . . . . . . .2 Records Management: Beyond the Quick Fix There’s a movie playing at my multiplex that warns against placing blind trust in technology, because it’ll getcha in the end. I haven’t seen it yet …”

Cheryl McKinnon, Hummingbird Ltd. . . . . . . . . . . .4 The RM Challenge of Electronic Communications The world of a typical knowledge worker is changing once again. Over the last two decades the technology revolution has broadened access to authoring tools, e-mail and other forms of electronic communication …

TOWER Software North America . . . . . . . . . . . . . .6 E-Mail Management: Avoiding the 6 Common Mistakes Information management has become a vital focus for all organizations to address risk mitigation, compliance and overall business continuity …

Randolph Kahn, Esq. & . . . . . . . . . . . . . . . . . . . . . . . . . .8 Records Management Redefined: Barclay T. Blair, Kahn Consulting From The Backroom to the Boardroom

What is Records Management? Records management is the application of policies, practices, technologies and other management controls …

Del Zane and Dean Berg, Stellent . . . . . . . . . . . . .10 Turning Compliance Projects into Business Processes In the not-too-distant past, compliance initiatives often were characterized by back-office operations that involved large volumes of records …

Michael McLaughlin, Exact Software . . . . . . . . . . .12 Embracing SOX Compliance with a Coping Strategy It’s nearly a forgone conclusion that at least once in even a small company’s life, the company will be faced with regulatory scrutiny …

Larry Bowden, IBM . . . . . . . . . . . . . . . . . . . . . .14 Governance Best Practices and Approaches Accountability and effectively managing risk are top of mind for most organizations today. Accountability is key for companies …

Dr. Galina Datskovsky, MDY Advanced Technologies . .17 Records Management: From the Basement to the Boardroom For many years, the records department was deep in the basement of many corporations, and its mysterious functions were never valued ...

David Winkler, Mobius . . . . . . . . . . . . . . . . . . . .18 Taming the Beast: Gaining Control of E-mail The headlines tell the tale: High-profile prosecutions hinge on the contents of e-mail messages that their authors never dreamed would constitute a permanent record . . .

Sharon Hoffman Avent, Smead Manufacturing . . . .19 A Departmental Approach to Recordkeeping Solutions Businesses are inundated with information from everywhere, in many forms. While this presents a problem for many organizations …

Chris Redvers, JPMorgan Chase Bank . . . . . . . . . . .20 Online Image Archiving How do you manage an avalanche of data? What if that avalanche arrives on your doorstep in the form of seven CDs per day, 35 per week . . .

Peter Mojica, AXS-One . . . . . . . . . . . . . . . . . . . .21 The Four Goals of Records Management in the New Age of Compliance

While records management as a profession is not new, the burning spotlight on its practitioners and corporate executives is …

Vasu Ranganathan & Gregory Kosinski . . . . . . . . . . . . .22 Accelerate Compliance with Integrated Content Fujitsu Consulting & EMC and Records Management

New regulations, the threat of litigation and the uncertain costs of compliance place company record-keeping, content and data management practices under unprecedented scrutiny …

compliance pressures from governing bod- ies that have the means to enforce them. Threats of substantial fines and worse pun- ishment can certainly be effective. “Sternly worded rebukes” from federal judges are increasingly common. And it’s my guess that the average office worker doesn’t give a rat’s tail about them. “Someone else takes care of that.”

The records management systems ven- dors are smart enough to take the other route: make it easy.

“What’s brought e-mail to the forefront is the threat of litigation that can result from finding e-mails that people used to think were innocuous,” says Stellent’s Del Zane. “And there are two ways to deal with e-mail. One is to store it all, and try to deal with it later. I don’t want to say that’s irre- sponsible, but it’s not really the solution.

“What will come more into the fore- front,” Zane continues, “is autodeclara- tion, or automatic classification.”

So, one asks, the future of e-mail man- agement is an intelligent software that auto- matically captures, classifies and applies retention rules to every e-mail that arrives in your server?

“Well, when I say ‘automatic,’ that’s kind of a stretch,” admits Zane. “You need a very high degree of intelligence for it to be truly automatic. The idea that users can take care of their e-mail ... well, that sounds real- ly nice. But you need a good records man- agement system to make it as automated as you can get it.”

Which is nice if you can get it. But formal records management is not a universal appli- cation. A recent AIIM study found that most companies DON’T have a reliable system for records, in particular electronic records. Mike

House of Exact Software agrees: “Many small- to mid-sized companies don’t have a formal program for records management, but they DO keep records. Everyone keeps their own records. What’s missing has been the process of coupling the records with the processes that bring you into compliance. Things have been ‘loosely coupled’ via pro- cedures, checklists and inspection records. What’s coming to the forefront now is the need to bundle all that into a package that can be easily assessed by an outside governing organization,” says House.

Hummingbird’s Andrew Pery agrees that the promise of a hands-off technology solu- tion—while attractive—is somewhat unreal- istic. “There should be automated means to classify and apply predefined business and disposition rules to incoming e-mail and attachments,” Pery explains. “But there has to be flexibility. Some organizations, particular- ly law firms, are very reluctant to use auto- mated classification techniques. They want to be able to drag-and-drop e-mails into prede- fined matter-folders, for example.

“E-mail is a particular challenge,” Pery continues, “because e-mails are so widely used to share mission-critical information that there HAS to be a predefined disposition plan.” But as any current records manage- ment professional will tell you, there’s more to it than merely having a plan. “The organi- zation must meet three criteria in all. They have to demonstrate that they have: one, well- defined policies; two, that those policies have been articulated and promulgated throughout the organization; and, thirdly, that the policies are being enforced.”

“Money IS starting to be spent on e-mail management,” agrees Cliff Sink of TOWER Software. “But it’s being spent in the wrong way. Typically, corporations see e-mail as an IT problem. The products that people are buying now are what I call ‘server scrapers.’ When an e-mail hits your server, they make a copy of it and dump it into a bucket that has

Supplement to

Records Management: Beyond the Quick Fix

There’s a movie playing at my multiplex that warns against placing blind trust in technology, because it’ll getcha in the end. I haven’t seen it yet. But as I talk to vendors about records management, I go back a few years to another cautionary sci-fi flick: “Men In Black.”

In it, the redoubtable Agent Kay (played by Tommy Lee Jones) makes one of the most astute observations in recent literature: “A person is smart,” he says, “but people are dumb.”

Each of us can grasp the concept that the many e-mails, documents and reports we create might be construed as having some kind of importance, not only today, but also further down the line. I have more Outlook folders than Doan’s has little pills. “You never know when you might need that thread regarding a three-year-old expense report,” I reason. I keep things for reasons that are all my own.

But few of us think about recordkeeping as a corporate responsibility. We assume that someone else is taking care of that. There is only the vaguest awareness that systems exist to properly retain and dispose of business documents and communica- tions. But we are extremely familiar with how we file and recall the things we need to do each of our jobs. I would be lost without Outlook folders, but I couldn’t care less about records management.

So, as Agent Kay knows, each of us can be trusted to do the right thing. But all of us can’t.

Here are two ways to overcome this basic human flaw: 1. Make it mandatory, or 2., make it easy. There’s a carrot, or there’s a stick. The stick has hit home recently in the form of strict regulatory

September 2004S2 KMWorld

Andy Moore has held senior editorial and publishing positions for more than 25 years. As a technology writer and editor, Moore speaks with dozens of senior executives and industry experts each month. In his role as Editorial Director for the Specialty Publishing Group, Moore oversees the

contributions to the series as well as conducting market research for future topics of interest for the series.

Moore was the editor-in-chief of KMWorld Magazine and is now its publisher

Andy Moore

By Andy Moore, Editorial Director, KMWorld Specialty Publishing Group

“Few of us think about recordkeeping as

a corporate responsibility.”

Supplement to September 2004 S3

a retention schedule. And after three years they delete it. Because there’s no business logic applied at the time of capture, they’re keeping things they shouldn’t keep. So they are exposing themselves to unnecessary risk by keeping all internal AND external e-mail,” says Sink. “You should give the power to the end users to comply. Users can make a deci- sion whether each e-mail is a record. There are easy ways to accomplish this; for exam- ple, mapping users’ Outlook folders to the records management system. Everyone uses those folders anyway, just to organize their lives. So by dragging an e-mail into a folder, the records management system can then automatically categorize it by type of record, apply the retention schedules, etc.”

Denise Reier of Legato adds that sensi- tivity to the unique nature of e-mail is becoming common among her corporate customers. “Because e-mail is such a volatile and conversational application, and because it’s so difficult to put controls around, AND because it can introduce the most risk, that’s where a customer usually starts,” she says. “From a PR perspective, that smoking-gun e-mail that’s communi- cated outside your organization can wreak havoc ... as we’ve seen.”

I was wondering when someone would mention Martha. But interestingly, in all the conversations I had with the vendor community, that’s the closest to an overt reference to the domestic diva I heard. Much to my relief, too. I like Martha and all, but I’m kinda over her for now.

Market Realities Last year, regulatory compliance was the

buzz, but there was very little actual market activity. Now, it’s a different story: “The actual market adoption rate has grown even higher than the analysts predicted,” says Legato’s Reier. “Gartner predicted a year ago that in 2003 it would be a $33.7 million soft- ware opportunity. They adjusted that in the past year to $54 million.”

Dean Berg of Stellent agrees there’s been a noticeable shift. “The market has changed toward the other direction. Has it come full swing? Probably not, but after Enron and Worldcom and then Sarbanes-Oxley, all of a sudden people were concerned about regula- tory compliance.

“The vendors didn’t see any uptick for quite a while, but the consultants were sure making a lot of money,” Berg points out. This year has been better, he thinks. “Customers definitely have a better handle on the problem, and they’re looking at tech- nology as a key component.”

Berg adds: “If they were using technolo- gy at all (for compliance), they were proba- bly using first-generation point solutions, maybe provided by their auditor, as a kind of stop-gap. Now they’re looking for a second-

generation tool that’s going to help with not only Sarbanes, but with the broader compli- ance picture. People are strengthening their compliance practices ... that’s the next big wave. Sarbanes was the wave last year, but broader, more general compliance is next. By that I mean having a compliance plan that understands not just SOX, but multiple compliance initiatives, like HIPAA and JACO and Basel II. And further, deploying technology that can be leveraged across the enterprise.”

Taking the time to take in that broader picture has indeed had an impact on the adoption curve.

“We’ve certainly seen increased demand for compliance solutions,” says

Hummingbird’s Pery. “Not just for increased compliance pressures brought on by things like Sarbanes-Oxley, but for things like productivity, overall efficiency improve- ments in managing corporate records, espe- cially in light of the enormous proliferation of digital content. Organizations realize they need better control over their digital assets. If they don’t they’re subject to both litigation AND to increased costs,” explains Pery. “This leads to a view of records management that is more than a ‘records’ solution, but instead involves a larger, enterprise-wide content management platform. They’re extending their existing content management infrastruc- ture to implement electronic records manage- ment practices corporate-wide. There already are specific, departmentally focused docu- ment and content management solutions in place. Those applications are being leveraged to become part of corporate-wide electronic records best practices.”

“A lot of traditional records management vendors DO focus on specific requirements, such as a government agency that has a DoD 5015 regulatory obligation,” agrees Legato’s Reier. “What we’ve found in the last year is that organizations want more stringent record- keeping practices across the board. The C-level execs want to be certain they are implementing good policies and best practices across their entire companies.”

Of course, merely having an automated and documented policy is a far cry from uni- formly following it across the corporation. A discovery motion will not be satisfied with merely “a documented plan.” A motion demands results.

“A policy that not only archives, but also audits, the authenticity and accuracy of the archive is also a good best practice,” says Reier. “If you’re ever investigated by the NYSE, or a court of law, being able to prove that you not only have a policy, but you’re executing to that policy, is very favorable.”

TOWER’s Cliff Sink expands on that a little: “A viable defense can be: we had a pro- gram that the executives sponsored for e- mail management. We gave it to IT to imple- ment. They evaluated products and imple- mented a product and applied a retention schedule. If they got it all wrong, it’s their fault; executives are responsible for ensuring there’s a policy, and that it’s been transmitted to the people, and that there’s checking up that the policy’s being enforced. If they do that, and someone beneath them screws up, the senior people may get their hands slapped ... but who’s going to get fired?”

Where DOES The Buck Start? Cliff Sink’s comments got me thinking

about the responsibility factors at work in electronic (especially e-mail) records man- agement. I mean, who decides on the sys- tem? The product? The file and retention policies? It strikes me that the involved par- ties—IT, records management, line-of-busi- ness, legal, executive management—all have a stake in the decision, and have almost entirely conflicting agendas.

Exact’s Mike House comments: “IT has become very sensitive to regulatory man- dates. Management may sympathize with the IT agenda, but also insists that compli- ance be part of their charge. A significant portion of our customer base (in manufactur- ing and life sciences) is bound by some kind of regulatory compliance, be it FDA or ISO. If the company is in an industry that requires compliance, the executive team is painfully aware of it. They don’t necessarily know the nuances of each departmental requirement, though, and that’s where the consultative side comes in. Taking a comprehensive sys- tems look across the organization and figur- ing out how to bring it all together is where they need the help.”

“I don’t think it’s a tug of war,” says Denise Reier, “but it IS an educational process for all constituents. IT, legal counsel and the business owners are sometimes disconnected, and it is a good idea to get them together to learn from each other.

“IT drives the project, but it’s definitely a committee,” Reier continues. “IT may take in

KMWorld

BEYOND continues on page 23

“Money IS being

spent on e-mail

management ... but

it’s being spent in

the wrong way.”

principles and lifecycle rules to the electronic documents captured and controlled within their environments. Integrated ERM systems working synchronously with mainstream office applications and electronic document management (EDM) systems are becoming standard applications in law firms, govern- ment organizations and many regulated industries. Records managers and informa- tion professionals in IT need to continually look forward, and understand where the next source of corporate records will come from.

The E-Mail Problem E-mail continues to be an area of weak-

ness for many organizations. E-mail is not a new communication platform, but the com- pliance culture (and recognition that e-mails can have legal standing as records) has put increased pressure on IT and records staffs to ensure that appropriate capture, control and disposal rules are reviewed. Even where a firm has a structured approach to the man- agement of electronic office documents, e-mail often is ignored or left exclusively to the realm of IT control. Organizations can face legal exposure, embarrassment and other forms of risk if e-mail is not managed accord- ing to context and content. Many IT depart- ments, when left without guidance, will formulate disposition policies based purely on storage capacity or age of the message.

The sheer volume of incoming and out- going e-mail is often overwhelming for the records manager to consider. This dilemma will continue to escalate as the proliferation of e-mail-enabled devices grows exponen- tially. According to research analysts IDC, in the year 2000, e-mail volume reached 9.7 billion per day worldwide, and has been increasing at a rate of approximately 19%, reaching a volume of 16.2 billion e-mail messages in 2002. At that rate, IDC predicts that e-mail volumes reached nearly 21 billion messages per day or about 7.6 trillion e-mail messages for 2003—and that e-mail volume will continue to increase to 60 billion per day in 2006.1

Wireless cards in laptops, Blackberry devices, smart phones and other PDAs are moving into the hands of mobile knowledge

workers at an accelerating pace and are being used to keep on top of business issues 24/7 while away from the office. The sight of an attorney checking e-mails between appointments at the courthouse, the home office worker with a wireless hub catching up on e-mail from the patio, the field inspec- tor filing reports and photos from the job site: this is the work environment becoming commonplace today. The more easily acces- sible e-mail becomes, the more consistently it is being used as the dominant form of business communication.

But e-mail is only the first wave in facili- tating business in a distributed environment. New communication platforms are being adopted across public and private-sector organizations at an increasing rate. Instant messaging, on-line collaboration and threaded discussions, access to corporate portals and intranets from mobile devices: this is the technology shift we see today.

IM: The “New E-Mail” Instant Messaging (IM) has been called

“the new e-mail.” What started as a pre- dominantly casual and unmonitored com- munication tool has evolved into a new and legitimate forum for business communica- tions. The market is evolving as the tech- nology finds its home within the enterprise. Organizations are beginning to recognize the value of real-time communication and discussion and knowing when key employees are present online and available for queries. Business decisions are now being made in these one-to-one or group chats. More

Supplement to

The RM Challenge of Electronic Communications

The world of a typical knowledge worker is changing once again. Over the last two decades the technology revolution has broadened access to authoring tools, e-mail and other forms of electronic communica- tion. While the truly paperless office still has not arrived, business decisions, research and number-crunching activities have all moved into a predominantly online form. Records managers and other information professionals have been playing catch-up over the last decade to ensure that appropri- ate lifecycle management practices cover electronic as well as paper documents. The next wave of technology change is upon us: the proliferation of new communication methods and the ubiquitous presence of e-mail on a variety of portable devices. This paper will review the technology trends that are accelerating an increasingly decentralized and distributed workforce, and highlight the areas that records managers need to watch most closely.

Mainstream content and document management vendors recognize electronic records management (ERM) as the corner- stone to an enterprise approach to an infor- mation management strategy. Larger enter- prise content management (ECM) vendors have acquired standalone ERM vendors over the last few years, and this industry consoli- dation is expected to continue. The culture of compliance that is permeating information management programs in corporate and public-sector enterprises has pushed records management practices onto the front burner for the first time. The recent string of finan- cial scandals provoked a wave of legislation aimed at providing more guidance on infor- mation handling practices and forced addi- tional accountability onto corporate exec- utives. Records managers have been in the thick of this debate, and industry organiza- tions such as ARMA (www.arma.org) and AIIM (www.aiim.org) have helped move their members into these leadership roles.

While many organizations have begun to review enterprise-wide information manage- ment practices, technology continues to move at an accelerating pace. Organizations with traditionally strong paper record man- agement programs have begun to apply these

September 2004S4 KMWorld

Cheryl McKinnon is Product Manager, Government Solutions with Hummingbird Ltd., and is responsible for ensuring Hummingbird products comply with current and emerging government standards, guidelines and legislation covering electronic evidence, records management,

and privacy/security issues. She also works closely with Hummingbird’s worldwide partner channel and sales staff to assist in developing government markets, solutions and product awareness.

Ms. McKinnon has worked in information management technologies for more than 10 years and has several years of field consulting and technical training experience with a variety of public and private sector clients. She is actively involved with key industry associations such as the Association for Information and Image Management (AIIM) where she serves on AIIM’s standards committee on integrated EDM/ERM. She is also frequently invited to speak at ARMA International events throughout North America.

Cheryl McKinnon

By Cheryl McKinnon, Product Manager, Government Solutions, Hummingbird Ltd.

Supplement to September 2004 S5

enterprise applications are incorporating IM capabilities into their offerings as a complement to other collaborative and infor- mation management offerings. IM is moving into the context of business applications.

What about the corporate records? Since IM has now become an authoring platform for business decisions, records managers need to understand the implications when IT introduces new forums for communication and ensure that key messages and discussions can be captured according to approved record-keeping principles. Records profes- sionals need to be aware of the technology choices facing IT and ensure that systems selected are open to monitoring and easy capture into a managed environment.

Organizations are also investing in secure systems through which to share information and communicate with external stakeholders. Collaborative applications permitting discussion, document authoring and other project-related work allow enterprises to open up selected elements of its information repository to external contractors, suppliers, constituents, customers and other outside contacts. Security is a key requirement when corporate data is selectively shared with external parties and the ability to capture works-in-progress and discussions on shared initiatives also falls under record-keeping requirements. Moving this collaborative work into an electronic environment does not relieve the records management professional from managing the retention of such work products. As with instant messaging, com- munication with IT is critical to understand how information management best practices can be carried over into external collaborative project sites.

Capturing the messages and other docu- ments created through these increasingly popular messaging platforms is only one concern for the records manager. Executives, field professionals, remote office staff, travel- ing professionals are typically early adopters of intelligent communication devices and of wireless technologies. It is a slippery slope when these devices become more com- monly used. Ultimately users become more demanding about the range of business activities that can be performed with them. These knowledge workers are also active consumers of corporate records and both IT and Records staff must be prepared for remote users to expect access to critical records while away from the office. Executives need to be notified of agenda or budget changes that occur immediately before meetings, technical inspectors need to be aware of changes in operating procedures or guides, emergency response officials need coordinated information from a variety of sources in one simple mobile interface, remote office or home workers need equal access to corporate applications as their colleagues at head office.

The role of the records manager is more than ensuring the enterprise complies with industry-specific regulations, and more than ensuring certain files are shredded 10 years after a case is closed. Records professionals also need to ensure that business records are available to knowledge workers who need to make informed decisions on behalf of the enterprise. They must ensure that electronic data is categorized, secured and made avail- able to users needing access. IT and records staff need to consider the requirements of busy, mobile employees. Information man- agement technologies and repositories must be enterprise-enabled to allow full access to the corporate knowledgebase even from PDAs or other wireless communication agents. Productivity gains realized by users of such devices have been validated by many industry observers and even the most basic devices can quickly garner 10% efficiency gains for an individual user.2

Documents and records are the lifeblood of knowledge-driven organizations. An enterprise approach to the capture, catego- rization, security and lifecycle management of this corporate information—regardless of format—is the mandate of both Records and IT. It is critical for the records professional to look forward in tandem with IT as new methods of creating corporate and client records are introduced into the workplace.

Private sector companies subject to industry regulation or corporate transparency legislation such as Sarbanes-Oxley particu- larly need to look at the records implications of new communication platforms and the expansion of e-mail enabled devices. Legal requirements around the preservation and handling of financial, audit, inspection and other monitored categories of information must compel corporate management to select technologies that lend themselves to strong record-keeping practices.

Industry Needs

Professional organizations such as law firms and accountancy firms have particularly stringent record-keeping requirements for client, case and matter data. Quick and accurate access to active matters is critical for professionals driven by billable time requirements. Insight into how client- specific communication transmitted via new platforms must be shared with information management specialists in the records and IT office. They must ensure this compre- hensive picture of ongoing cases is main- tained regardless of the source or format of the documents.

Governments also have strict information management requirements that must be taken into account when deploying new technologies. Respect for archival legisla- tion, obligations to citizens under freedom of information and privacy legislation and requirements to share data with other agen- cies or other levels of government are all universal considerations for the public sec- tor. Government, particularly, is seeing a wide adoption rate of mobile devices in areas related to law enforcement, inspections, elec- tion campaigns and emergency services.

Regardless of industry, most organizations have record-keeping obligations to clients, regulatory bodies, archives or other stake- holders. Technology is the vehicle by which the majority of corporate records are created and disseminated. The role of the records pro- fessional has changed tremendously in recent years and will continue to do so. It is critical that information management principles and best practices are taken into account as:

◆ organizations move into more e-mail- centric communication architectures;

◆ mobile workers demand access to docu- ments and records in order to do their job; and

◆ new discussion forums such as collabora- tion and instant messaging are introduced.

The pace of technology evolution will not slow. Enterprises must carefully consider the suites of products that are deployed to end users and ensure that all record-keeping requirements can be fulfilled seamlessly and with an integrated approach to information management. ❚

Hummingbird Ltd. is a leading global provider of enterprise software solutions, employing over 1450 people in 40 offices worldwide. Hummingbird Enterprise™ 2004 is a state-of-the-art integrated enter- prise content management platform that enables organizations to securely access and manage business information such as documents, records, e-mail or financial data. Please visit: www.hummingbird.com.

1 “Worldwide E-mail Usage Forecast: 2002-2006: Know What’s Coming Your Way,” IDC, September 2002.

2 Ken Dulaney, “Wireless E-Mail is Driving the Real Time Enterprise,” Gartner Research, March 31, 2003.

KMWorld

“The more easily

accessible e-mail becomes,

the more it is being

used as the dominant

form of business

communication.”

age e-mail once it is “necessary,” it can take months. Consider how many e-mail mes- sage subject lines start with “RE:” or how many e-mail dialogues have little to do with their subject line. Without a system in place that categorizes and sorts via metadata, find- ing the right information at the precise time it’s needed is virtually impossible.

◆ Compliance with legislation such as Sarbanes-Oxley—Although Sarbanes-Ox- ley doesn’t require that companies manage e-mail per se, it does state that an organiza- tion must provide a methodology for show- ing that business decisions are based on accurate and truthful information. But, if your organization uses e-mail—and it most definitely does—then to comply with this piece of legislation, you must manage in-

formation within this medium. Some e-mail, like it or not, is a corporate record. And it must be treated as such.

◆ Risk mitigation—E-mail has become a major liability for an enterprise that is sued or investigated. Most have no idea what ex- ists in their e-mail systems. During the dis- covery phase of litigation, an enterprise may be asked to produce specific e-mail records for a particular employee, for example, from the past five years. Without a policy and sys- tem in place, there is no way to know what information the employee has been retain- ing and exchanging. E-mail in these cases is often “the smoking gun.” And these are just three examples. In the

case of litigation, it’s interesting to note that in general, courts have been lenient when dealing with organizations that have e-mail

management systems and policies in place, even if these policies are misguided. They are generally less lenient with organizations that can demonstrate nothing in regards to man- aging e-mail. In this sense, established poli- cies regarding how employees should treat e- mail are extremely important.

If an organization can show that it has policies in place and has done everything possible to follow these policies, a court may conclude that the organization cannot be held accountable for any e-mail destroyed based on company e-mail policies, no matter how misguided the policies may be.

Doing something is better than nothing at all ... except perhaps in the case of....

Common Mistake #2: Archive Everything Archiving everything is a policy.

However, the enterprise that saves every e-mail that crosses its servers faces almost as much risk as the enterprise that does nothing. Why, you ask?

It’s simple. In the courts, e-mail very often provides “the smoking gun.” If an organization is retaining everything that crosses its servers, then everything is discov- erable during litigation.

In a recent anti-trust case involving a very well-known technology provider, e-mail not required to be saved was, in fact, still being retained on back-up tapes. Since there was no policy in place other than archiving all e-mail for a set amount of time, everything found on the back-up tape was considered discoverable information. And the company lost the case because of it.

In government, things operate no differ- ently. Freedom of Information Act requests must be processed. Since e-mail content is indeed information, it must be treated no dif- ferently than any other format. However, some e-mail is not necessarily public infor- mation, as defined by Federal and State Freedom of Information Acts. For example, if an employee sends a personal e-mail to her doctor regarding the need for a new prescrip- tion, it is protected under HIPAA (Healthcare Insurance Portability and Accountability Act). If this e-mail is saved due to an “archive-everything” policy, and then shared as part of a Freedom of Information request, then the agency fulfilling the request is not in compliance with HIPAA and faces the same risk of litigation.

Common Mistake #2A: Use a back-up policy as an archive. Many IT organizations make a practice of using back-up tapes as a corporate archive of all company documents, e-mails, etc. And, in many cases, this is done without the knowledge of legal and/or records management departments. Back-up tapes serve a purpose: they enable an organ- ization to restore IT infrastructure and cur- rent data. They are not meant to serve as archives. It is important to consider that any

Supplement to

E-Mail Management: Avoiding the 6 Common Mistakes

Information management has become a vital focus for all organizations to address risk mitigation, compliance and overall busi- ness continuity. With the line between docu- ments and records being blurred in recent years due to lawsuits and new legislation, it is imperative for enterprises to manage business-critical information, irrespective of format.

According to Ferris Research, 35% to 60% of this business-critical information is stored in personal messaging systems— e-mail. If this information is not properly managed in accordance with a well thought- out corporate records management policy, it is unavailable as a resource to the organiza- tion, becomes a massive liability in a legal or audit situation and creates mayhem for IT departments that are often more concerned with data back-up, recovery and storage. Not managing corporate e-mail properly, in tan- dem with a records management policy, can lead to massive fines, jail time or both.

This paper explores some of the common mistakes made when rushing into an e-mail management initiative. Avoid these pitfalls, and you can effectively exploit your informa- tion assets, remain competitive and thrive.

Common Mistake #1: Do Nothing Amazingly enough, according to

Forrester Research, only 15% of organiza- tions report that they have a policy in place regarding e-mail management. And since “e-mail management” can mean different things to different people across different business functions, the actual percentage is likely much lower. With this in mind, it stands to reason that more than 85% of enterprises have no policies in place for managing e-mail.

Likely, a large percentage of these organ- izations are leaving e-mail management completely in the hands of their employees. As a result, these enterprises lack: ◆ Operational efficiency—With no e-mail

management policy in place, there is no way to know exactly what information is available without arduous searches. If e-mail is managed as it is sent and received, it takes seconds. If organizations only man-

September 2004S6 KMWorld

TOWER Software North America

“Not managing

e-mail properly can

lead to massive fines,

jail time or both.”

Supplement to September 2004 S7

record of corporate information is admissible as evidence in a court of law. So even if your legal/records management departments are unaware of what makeshift records manage- ment policies IT may be practicing, the enterprise as a whole is still held responsible in court. Overcoming this mistake means setting e-mail management policies that cor- respond directly to the overall records man- agement policies of the enterprise, and more importantly, making sure employees across all departments understand and practice these policies.

Common Mistake #3: Treating E-mail Differently Than Records

There are many different choices when it comes to e-mail management solutions. Whichever solution you choose, it is impera-

tive that your policies, procedures and tech- nology all correspond to the overall corporate records management principles. E-mail is information...information in a particular for- mat. At the end of the day, it is no different than the memo produced by marketing, or the spreadsheet produced by finance, or the poli- cies produced by legal. Some e-mail is a cor- porate record and must be treated as such across the enterprise. By employing an e-mail management system that is separate from the overall document and records management system, you decrease efficiency, increase risk and create confusion.

It’s all information. Treat it with one policy that recognizes this.

Common Mistake #4: Team is Not Cross-functional

Like any other initiative involving tech- nology, e-mail management needs to involve a larger, cross-functional team in order to be successful. While the records management and/or legal departments certainly should play a significant role in creating and driving policies—as well as training the organization on these policies—IT and user representatives from other departments should be involved as well.

Some e-mail is a corporate record that must be managed, retained and destroyed as such. By applying records management prin- ciples to e-mail, companies can increase effi- ciency, mitigate risk, and ensure business continuity. But without cooperation between

departments, and strong executive support, any initiative cannot survive.

Common Mistake #5: Roll Out Policy Without Training

Let’s say your organization has new poli- cies regarding e-mail management. And let’s say these are bulletproof policies incorporat- ing core records management principles. Both records management and IT have been involved throughout the entire process of creating the policies and their application across the enterprise. And, let’s say you also have strong top-down support from your executive leadership team. If you do not train your employees regarding the policies—OR if you do train your employees, but do not reinforce this training with scheduled refresher courses, updates, etc.—then a court

may view the policies as if they were never produced. Organizations must show intent to enforce policies and procedures...or face the consequences.

Common Mistake #6: Employ Technology Unfriendly to IT and LOB

With any initiative involving technology, it is important to manage change effec- tively. By limiting the amount of change (and the amount of work) that organizations and individuals must face, the initiative stands a greater chance of realizing long- term success. As such, it is extremely important to find a technology solution that enables users to operate in a “business- as-usual” mode. Tight integration with the user desktop is imperative. Likewise, a scalable solution that limits the work for IT is ideal. And as mentioned in Common Mistake #3, buy-in from all organizations is key.

The Business Solution E-mail management is a Herculean task

that requires good business rules, training and a solution outside of your messaging system. But a successful program is very attainable. By answering some questions, an enterprise can start down the path to a successful program: ◆ Which e-mails need to be managed or

archived? ◆ How long should they be archived?

◆ How are the e-mails stored? ◆ The enterprise needs to comply with which

requirements/mandates? ◆ How are attachments managed?

Next, several steps should be carefully considered. These include: ◆ Understand the three components of an

e-mail and their importance in legal or regulatory situations—header/routing information, body, attachments;

◆ Involve C-level executives, legal, IT, records management and users in any decision process regarding policies and procedures, as well as the technology solu- tion. Check with the legal department and records manager to understand your indus- try’s or sector’s legal requirements regarding the management of e-mail;

◆ To ensure high compliance from end-users and management while meeting legal/reg- ulatory needs, select a solution that: 1. Allows users to continue work as

they do now without changing current habits;

2. Integrates seamlessly into the current e-mail system;

3. Allows users to easily transfer e-mail into the records management system:

4. Provides various levels of security; 5. Manages the retention period of your

e-mail; 6. Provides easy and flexible search

methods to retrieve e-mail; 7. Enables users to easily catalog e-mail;

and 8. Captures incoming and outgoing e-mail.

◆ Recognize that e-mail management at the desktop is the best way to ensure what is captured is relevant and purposeful to the organization;

◆ Consider e-mail to be a corporate record...It should be stored and managed in the same system and under the same policies as all other corporate records;

◆ Train all users regarding the importance of e-mail management, basic records manage- ment and organizational policies; and

◆ Offer refresher courses regarding the above so that all users are always up-to-date on all of the latest policies and procedure. ❚

TOWER Software is a leading enterprise content management (ECM) provider, delivering electronic document and records management (EDRM) solutions. TOWER Software’s award-winning solutions empower organizations to manage and secure their vital information assets.The TRIM Context® solution is a single, integrated platform that manages business information throughout its complete lifecycle. By relying on its proven domain expertise, strong strategic partnerships and powerful solutions, TOWER Software enables organizations to improve the accuracy of information on which business decisions are made; maximize efficiency by finding business critical information more quickly and easily; and achieve and maintain standards compliance across industries, resulting in sustained competitive advantage.TOWER Software is a privately held company with operations in North America, Europe and Asia-Pacific. For more information, visit www.towersoft.com.

KMWorld

“It’s all information. Treat it with one

policy that recognizes this.”

e-mail and other communication systems, but often fail to spend enough to ensure that e-mail records are managed as a business asset. Part of the problem is that the defini- tion of a “business record” in the digital world is rapidly changing and may require a new approach to records management—ide- ally, an approach that reflects the depth of an organization’s reliance upon information technology and promotes both business and legal interests. Organizations need an approach that reflects today’s business reality: organizations conduct business a multitude of ways, using a multitude of technologies and communications devices.

Failing to address these challenges exposes organizations to unnecessary risk, hampers regulatory and policy compliance, breeds mistrust among investors and citizens and makes business processes (such as CRM and transaction processing) less productive, so there are more than adequate incentives to get it right up front.

Approaches to Records Management Each organization is unique and has dif-

ferent needs and priorities. However, it is clear that proper management should be a priority, and that there are several concepts and activities that are required in every organization:

1. Manage and retain by value, not by format. A fundamental goal of any records management program is the identification and proper retention of required information. However, many organizations put them- selves at risk by recycling storage media and by purging retired computer systems without considering the megabytes of potentially significant business content that may be lost in the process.

Significant digital business content is created by a multitude of software applica- tions and stored on a multitude of hardware devices. In many cases, if the same content were created in paper form, it likely would

be retained and managed in accordance with records management policies. Consequently, only by managing digital information according to its legal and business value and not according to its method of creation can organizations ensure that they are act- ing in their best interests.

However, the current reality is that most organizations are good at applying such policies to paper records, but they fail mis- erably when it comes to digital information. The IT department often makes decisions about “what data shall live and what data shall die” without regard to overarching legal and regulatory issues. As the Applied Telematics case (available in the full-length white paper—see footnote) indicates, such actions may create substantial liability.

2. Manage in electronic form. Digital business content often contains informa- tion that is lost or significantly altered when it is reduced to printed form. For example, digital documents may contain metadata (i.e., “data about data”) indicat- ing title, author, reviewers, edits, and stor- age locations, among other things. While such metadata enables document manage- ment applications, it may also be crucial for determining a document’s authenticity or “chain of custody.” Unfortunately, this important information may be lost when the document is printed and the original digital file is destroyed. Courts and rules of evidence have responded to these facts by allowing (and in some cases requiring) par- ties to a dispute to have access to digital “live” versions of electronic records despite the fact that “complete” paper versions were already available.

In Public Citizen v. John Carlin, the court asserted that records created electron- ically should remain in electronic form because there was information available in that format that was not available when printed to paper. The example of a spread- sheet calculation was used to demonstrate the point. While the case was overturned for unrelated reasons, there are certain reg- ulators, such as the FDA, which believes that “once electronic, always electronic” is the only way to retain such records. Further, there are many business benefits to managing digital content in its original form, such as ease of searching, retrieval, integration and dissemination.

Consequently, organizations should manage digital content in its original format whenever practical or required.

3. Manage from creation to disposition. Organizations can only truly appreciate the challenge of managing records after viewing it within the context of an information management lifecycle—a holistic view- point that considers information as having a living, breathing existence with a begin- ning, middle and end, with varying impor- tance in each phase. This section identifies

Supplement to

Records Management Redefined: From the Backroom to the Boardroom

What is Records Management? Records management is the application of policies, practices, technologies and other management controls related to information in order to:

1. Support business operations and processes; and

2. Protect legal interests and respond to regulators.

Good records management practices allow information to be easily accessed and reproduced on demand, regardless of location or form. Records management requires that an organization’s “treasure trove” of business content, data, records, messages, documents and so on (collec- tively referred to here as “information”) is managed over time, based upon its intrin- sic value. A value-based approach dictates that limited company resources should not be spent managing less valuable information such as drafts, non-records and duplicates, for example. While simply “keeping everything forever” ensures that the information exists, it does not ensure that the right information can be found and produced when needed. Not only does such an approach add time and expense to records management, it may create liability by allowing information to be revealed in the context of litigation that could have been discarded in due course.

Furthermore, failing to properly capture, index and store records and other significant business content according to business rules and retention schedules may have the same effect as losing or destroying it. Courts have made clear that “utilizing a system of recordkeeping which conceals rather than discloses or makes it unduly difficult to locate” information may be the equivalent of destroying records.

While most organizations have programs that address paper records, these same organizations commonly fail to develop sim- ilar programs for methodically managing electronic records and other digital informa- tion. Organizations spend vast resources on

September 2004S8 KMWorld

By Randolph Kahn, Esq., & Barclay T. Blair, Kahn Consulting, Inc.

Supplement to September 2004 S9

the five basic phases within the information management lifecycle, and their concomi- tant records management challenges and solutions.

a. Capture: Most electronic information comes into existence without prior thought as to how it will be identified, retained, protected and made accessible in the future, when in fact such considerations should be an inherent part of any technology purchas- ing and implementation cycle. It is much easier and cheaper to build a new system correctly from the outset than to break old habits and modify an entrenched installa- tion. In addition, employees should be trained to identify and retain records that they generate directly, and their conduct in this regard should be audited.

b. Index: While the content of a paper document is obvious “on its face,” viewing the contents of a digital document depends on software and hardware. Further, the contents of digital storage media cannot be easily accessed without some clue as to its structure and format. Consequently, the proper indexing of digital content is funda- mental to its utility. Without an index, retrieving digital information is expensive and time consuming, if it can be retrieved at all. In a recent case, a company could not search imaged medical claims records because the wrong metadata had been used in the indexing process, and they were therefore required to open and examine each record individually at great expense.

c. Store and Protect: Backup alone is not retention. Creating highly available back- ups of “mission-critical” digital information supports disaster recovery and business con- tinuance purposes, and is one element of an

overall information management strategy. However, organizations should not exclu- sively rely on these procedures for records management. Backup systems are generally designed to minimize the storage burden, not to enable easy retrieval of individual records. Consequently, the cost of information retrieval from backup systems can be very high. In one case, experts estimated the cost of reviewing e-mail contained on 12 monthly backup sessions to be at least $99,000 and to take 660 hours.

In addition, the courts have been willing to impose arduous requirements on litigants to access stored electronic records. For exam- ple, in re Brand Name Prescription Drugs Antitrust Litigation, the court ordered one of the parties to develop a special computer pro- gram to extract data from nearly 30 million pages of e-mail stored on backup tapes.

Retention of backup media should also align with an organization’s overall records management practices. For example, if an organization’s policy requires disposing of certain e-records pursuant to a retention schedule, then backup of those same e-records should cease to exist contempo- raneous with disposition of the official copy and not be left to linger in an off-site storage vault indefinitely.

d. Access: Capturing, indexing and storing digital business content serves little purpose if it is not readily accessible when required. Too often organizations implement systems that may improve business processes but hamper the accessibility of significant busi- ness content, a fact that the courts and regu- lators may be unwilling to overlook. In 2000, it was reported in Florida that county e-records were not uniformly available as

required by public records laws. County officials admitted that they were violating the law by failing to produce requested e-records, and asserted that it would take hundreds of hours and thousands of dollars that they had not budgeted for to produce them. Instead, they “suggested that residents interested in public officials’ e-mail would need to sit at each official’s computer and manually check the e-mail received.”

e. Disposition: Everything cannot be retained forever. Just like paper records, elec- tronic records need to be disposed of at the end of their useful life, in conformance with predefined retention rules. Proper disposition eases the records management burden by reducing storage volumes and controlling potential sources of future liability and discovery expense. Disposition should be done in the “ordinary course of business,” and documentary evidence kept regarding the salient details of the disposition process (e.g., date, parties involved, process used). Organizations should have storage media containing sensitive information “cleaned and sanitized” using appropriate techniques, such as those outlined by the US Department of Defense DoD 5220.22-M Standard 36 to ensure that data cannot be recovered using advanced forensic techniques.

Conclusion

Records management is not a luxury that only “the few” can afford. Rather, it is a discipline that must gain greater visibility and traction in corporations and government agencies, not only in the boardrooms, but also on the ground floor. While recent head- lines have compelled many organizations to revisit their records management approach, organizations should ensure that records management becomes a long-term organiza- tional priority, not merely a short-term reac- tion to current events. Organizations should increasingly view records management as a strategic component of business success, not simply a tactical, cost-driven activity. Records management not only plays a major role in protecting legal interests, but it also promotes the interests of shareholders and citizens by increasing organizational trans- parency, accountability and efficiency. ❚

EMC Corporation is the world leader in products, services and solutions for information storage and management. We help customers of all sizes manage their growing information—from the time of its creation to its archival and eventual disposal—through information lifecycle management, to enable organizations to better and more cost-effectively manage, protect and share information. EMC’s goal is to help our customers get the maximum value from their information at the lowest total cost, at every point in the information lifecycle.

This article was excerpted from “Records Management Redefined: From The Backroom to the Boardroom,” at http://www.legato.com/ ct/?s=KMWorld&t=/resources/brochures/F071.pdf

KMWorld

EmailXtender Records Management for E-mail

The EmailXtender family of products from the EMC Software Group provides both enterprise data storage AND content management for electronic messaging. EmailXtender products support Microsoft Exchange/Outlook, Lotus Notes/Domino, UNIX Sendmail and Bloomberg Mail.

EmailXtender is a comprehensive, policy-based system that automatically collects, organizes, retains and retrieves e-mail messages/attachments. It makes enterprise e-mail easier to use and administer as it:

◆ Automatically copies every e-mail and attachment into an Enterprise Message Center;

◆ Generates a full-text index of all messages/attachments; ◆ Enables administrators, supervisors, and users to conduct intelligent

search/retrieval; and ◆ Reduces e-mail server stress and bottlenecks by seamlessly extending

e-mail message stores into low-cost and high-capacity storage devices.

For more information, go to http://www.legato.com/products/emailxtender/

Oxley compliance processes into daily business practices.

When companies concentrate on managing regulated business processes, demonstrable compliance simply becomes a by-product of everyday work activities.

Turning Projects into Processes Current compliance and records man-

agement solutions, such as Stellent’s, allow companies to turn compliance projects into ongoing processes that are conveniently and inherently carried out during the normal course of business. In particular, today’s full Web-based document management solu- tions effectively manage the massive amounts of content involved in compliance documentation and testing—providing the necessary foundation for storing, managing, processing and tracking content in a central, secure repository.

Your vendor should support multiple com- pliance initiatives with a single technology architecture that utilizes a common repository and interface. This way, companies can lever- age the infrastructure to comply with a variety

of government mandates from Sarbanes- Oxley, JCAHO (Joint Commission on Accreditation of Healthcare Organizations) and HIPAA (Health Insurance Portability and Accountability Act), to ISO (International Organization for Standardization) regulations in the manufacturing industry. Customers thus reduce the number of software applications they must purchase for compliance efforts and lower the duplication of documents and data across multiple compliance applications— leading to less complex IT integrations, faster user adoption, lower total cost of ownership and an overall substantial cost savings.

Based on a content management plat- form, an integrated suite of compliance solutions allows companies to manage the full scope of their compliance responsibilities while reducing operational costs. Stellent’s compliance platform, for example, is based on five key components: document man- agement, records management, workflow, enterprise risk management and vertical applications.

Document management—Enables organizations to effectively and efficiently capture, secure, share and distribute digital and paper-based documents and reports. Retention policies, escalation flows and audit trails are accessed quickly and easily by only those authorized to see them.

Records management—Stellent’s built- in Department of Defense (DoD) 5015.2- certified active and fixed records man- agement solutions help companies control the creation, declaration, classification, retention and destruction of all types of busi- ness records—whether they are “active” such as documents and graphics, or “fixed” such as scanned images and e-mail. These records are stored and managed, along with other business content, within one server and accessed using a single interface.

Workflow—Workflow capabilities pro- vide periodic “check-ups” on progress toward compliance goals by automating assessment, audit, remediation, approval and review processes.

Supplement to

Turning Compliance Projects into Business Processes

In the not-too-distant past, compliance initiatives often were characterized by back- office operations that involved large vol- umes of records stored in basement filing cabinets. Recently, this situation has changed. Accounting scandals, the growing number of regulatory mandates, and the lit- igation consequences associated with those regulations have prompted many businesses to bring compliance initiatives out of the back office and into the boardroom.

High-ranking executives, such as chief compliance officers and board members, now actively oversee many compliance activities. As a result, it has become a crit- ical priority for many companies to find technology solutions that quickly increase the efficiency of compliance processes and generate significant return-on-investment (ROI). A key requirement for achieving these objectives is selecting a solution that embraces the successful processes compa- nies have used during compliance “proj- ects” and makes them part of daily busi- ness practices.

For example, most companies initially took a tactical, manual approach to Sarbanes-Oxley compli- ance by creating projects that included dedicated employees, consultants, project plans, ongoing meetings, executive status reports and specialized technology—a standard practice in developing methodologies for new compliance efforts. How- ever, now that companies understand the methodol- ogy necessary for 404 compliance, they must create a more efficient, long-term compliance strategy by incorporating their successful Sarbanes-

September 2004S10 KMWorld

By Del Zane, VP, Compliance, & Dean Berg, Dir., Business Development, Stellent

Enterprise Risk Management

Sarbanes- Oxley,

Euro SOX

Internal Audit

Operations

Patriot Act

Sec 17a ISO HIPAA, JCAHO

BASEL II, IAS,

GLBA FDA

Workflow

Records Management

Document Management

Supplement to September 2004 S11

Enterprise risk management—An enterprise-wide view of compliance efforts enables leveragability across the organization and diminishes project “silos.” Enterprise risk management prioritizes compliance initia- tives based on areas of greatest risk and aligns all strategies with corporate goals.

Vertical applications—Your vendor should also provide vertical applications. The Stellent Sarbanes-Oxley Solution, for example, automates long-term Sarbanes- Oxley compliance methodologies, enabling companies to efficiently manage and approve documentation supporting financial and non-financial disclosures and Section 404 compliance. The best solutions are highly personalized for non-technical busi-

ness users, allowing auditors, accountants and CFOs to easily create, manage, share, track, approve and archive information with minimal training, using only a Web browser. E-mail management solutions facilitate the intelligent integration of e-mail into cus- tomers’ business processes. With rule-based, centralized e-mail archiving, these solutions guarantee seamless records and fulfillment of legal requirements.

The Most Effective Compliance Solution Because most compliance mandates are

primarily a process of massive documenta- tion and testing, comprehensive document management-based solutions—rather than

stand-alone compliance systems—are best equipped to effectively support compliance initiatives. Through rapid implementation, integration with existing systems and broad user adoption, customers can promptly transition their resource-intensive compli- ance projects into ongoing, productive business processes and reap the substantial benefits these evolutions can generate. ❚

Stellent is a global provider of content management software solutions that drive rapid success for customers by enabling fast implementations and generating quick, broad user adoption. Stellent Universal Content and Process Management enables customers to rapidly deploy line-of-business applications as well as content management solutions for enterprise initiatives such as enterprise portals and business commerce applications.

KMWorld

Companies across a variety of indus- tries use compliance and records man- agement solutions to comply with a wide range of regulations, including Sarbanes-Oxley, JCAHO, Basel II, HIPAA, FDA approvals and ISO 9001. Examples of successful customer implementations include:

Sarbanes-Oxley Compliance Reliant Energy, Inc., a provider of

electricity and energy services, has streamlined its Sarbanes-Oxley com- pliance processes by distributing doc- umentation tasks to process owners and smoothing its attestation process. Specifically, their Stellent solution pro- vides Reliant’s core compliance team with an enterprise-wide view of the company’s internal control makeup. This view allows the core team to keep track of and schedule control changes based on company priorities, which helps the company meet its goal of automating as many internal controls as possible.

Additionally, Reliant has centralized process management capabilities and a centralized content repository. The core compliance team easily manages the overall process of Sarbanes-Oxley compliance through an automated workflow system that involves process owners. Reliant has customized specific features within the workflow that moni- tor contributions from process owners to ensure all work and processes meet the quality standards set by the company. In addition, the centralized repository has eliminated Reliant’s disparate content repositories and disconnected areas of

the company carrying out compliance efforts on their own.

Another benefit of Reliant’s compli- ance solution is the ability to easily share content with multiple audiences, including external auditors, process owners, company executives and man- agers and internal auditors. Users log in to the system through an easy-to- use, Web-based interface and access information immediately, 24 hours a day. Auditors easily access the latest documentation they need for external audits—resulting in significantly less preparation time for internal staff.

JCAHO/HIPAA Compliance Washoe Health System, northern

Nevada’s largest integrated health care system, uses technology to support compliance with JCAHO and HIPAA man- dates. They store and manage all proce- dures, policies, training materials and patient information in a central, Web- based repository, making JCAHO- and HIPAA-related content readily available to hospital employees and auditors.

Washoe employs a Stellent system to maintain audit trails of updates, approvals and revisions to hospital policies, in accordance with JCAHO requirements. The technology also helps the organization support its corporate compliance processes by ensuring employees tap a single, cen- tralized source for all policies and pro- cedural information.

To widen access to this content, Washoe placed kiosks in high-traffic areas across its hospitals where employ- ees, such as nurses (who do not have a

computer readily available) can easily retrieve information. In addition, Washoe is building a HIPAA-Compliancy Team Web site that will enable the company to easily circulate the most current changes to HIPAA regulations throughout the health system.

ISO 9001 Compliance Agfa Corp., a digital imaging man-

ufacturer, efficiently manages and retrieves its ISO 9001 documentation, such as procedures, meeting minutes, feasibility studies, problem resolution documents and product design specifi- cations.Their system indexes and assigns metadata to files, enabling users to quickly and easily search for and retrieve documentation using a Web browser— rather than plodding through cryptic, eight-character UNIX filenames to trace content for ISO 9001 audits.

By making content available on the Web, Agfa has reduced its costs related to printing ISO 9001 documentation and policy manuals.

According to the company, it has completely transformed the way it does business by simplifying its content creation and management processes.

For example, Agfa’s equipment dealers and suppliers can access prod- uct information, such as material safety data sheets (MSDS), through a partner extranet. Agfa and its manufacturing partners can exchange product draw- ings, specifications and engineering change orders through the extranet, eliminating the need for Agfa to ship paper-based information to manufac- turers and suppliers.

Powering Multiple Compliance Initiatives with a Single Solution

current data properly archived. Organizations faced with SOX regulations, despite best intentions, remain uncertain about what data needs to be archived and retained to meet new regulatory and compliance requirements.

Organizations are not sure if they can even meet compliance regulations because they lack the technology to properly meet these targets. Retrieving is another night- mare. Many companies would not know where to look or how to find it, unless they undertook an expensive inventory and com- prehensive analysis of their records.

In addition to corporate issues surround- ing internal compliance, many organizations are having difficulties managing and consol- idating information from remote locations. In companies with multiple offices, the financial truth is often hidden in separate databases, technology solutions and various spreadsheets.

Developing Necessary Compliance Coping Skills

Unfortunately, finding a corporate gover- nance solution that provides the internal control systems necessary to adhere to the financial compliance and auditing processes mandated by Sarbanes-Oxley is perceived as a burdensome task. However, few companies face the underlying problem: defining the process by which business records are attained and retained. In fact, if companies embrace the issue of compliance head-on they can actually improve the business prac- tices, financial performance and reduce the business risk to their organization.

What is needed is a mechanism that pro- vides the essential baseline for establishing financial accountability, policy compliance and procedural tracking. In addition this sys- tem must be user-friendly, bringing together employees, technology and processes that support financial governance, auditing processes and Sarbanes-Oxley compliance. This framework becomes the “business rule” that directs processes for expense approval, workflow and document certification, and thus directly aids in automating the flow of financial information throughout the organi- zation, ensuring responsible managers obtain timely and accurate data, aiding in the pre-

vention and detection of fraud or financial irregularities.

What follows is a strategy to ensure compliance by tackling the problem of knowledge management head-on. By eval- uating business processes, technology and ERP systems, as well as making corporate changes to improve their ability to support internal controls required by Section 404 of the Sarbanes-Oxley Act, companies faced with compliance issues can make the transition with little to no pain.

Analyze This! By first evaluating—honestly—your cur-

rent records management system, you will be able to make the leap to establishing a bet- ter framework for keeping records. How much of your current recordkeeping is still physical and how much is electronic? Are you covering all the new records being created with new forms of electronic communica- tions such as instant messaging (IM), blogs and e-mail? Is your firm using e-mail to communicate transaction details or negotia- tions? Do you have an existing process for capturing the business records that employees and departments generate? How is it captured and what means is used to archive these records?

Once the existing recordkeeping system is inventoried and evaluated, certain trends should emerge. Typically, problem areas will arise in one or more of three areas—people, technology or processes. Creating a mecha- nism to solve the recordkeeping problems can be thought of in terms of a triangle. People are at one point of the triangle, process is at another point of the triangle and technology is the third point of the triangle.

People Power: People are the originators of records and those who will rely on the records once they are created. Without changing the internal mindset of an organi- zation, becoming compliant with the record- keeping aspects of Sarbanes-Oxley will be impossible. People often do not understand the reasons for recordkeeping and thus engage in sloppy records management or use non-archiving methods of communication. Also, recordkeeping can be viewed as a non-

Supplement to

Playing by the New Rules: Embracing SOX Compliance with a Coping Strategy

It’s nearly a forgone conclusion that at least once in even a small company’s life, the com- pany will be faced with regulatory scrutiny, litigation or an accounting need that requires it to search and analyze its business records. Averse to risk? Then try not complying with regulations for archiving your business records. No business, no industry, no em- ployee can hide from the need for accurate business records management that complies with federal and state law—including such regulatory compliance as Sarbanes-Oxley, ISO or HIPAA.

In order to address the new Sarbanes- Oxley legislation—which requires public companies to establish, approve, implement and evaluate their internal controls for pur- poses of financial statement reporting and operational integrity—organizations are searching for tools to help them achieve cor- porate compliance. Today’s quick-paced, information-rich businesses are full of data that can be classified as a business record. These business records are required to be collected, tracked, stored, archived and potentially located. Automated, efficient and reasonable recordkeeping protects all stake- holders in a business—officers, employees and shareholders alike. Good recordkeeping allows companies to operate more efficiently, account for their actions and protect assets. Recordkeeping is the “memory” of an organization, the brain by which a company can gain a retrospective on certain corporate actions or inactions. This “memory” becomes the means by which a company can shape its course for the future.

But the amount of data even a single busi- ness can produce could be staggering. Many companies, from the CEO to the company records manager, simply become numb to the need for effective records management. And even when they are addressing the most immediate recordkeeping concerns, there is still the “dust-bin”—the repository of archived, legacy data that is stored through- out the network and over disparate systems, whether on a server or residing in a steel fil- ing cabinet in the corporate library.

Compounding the problem is today’s flurry of federal and state regulations. Triggered by scandals involving Enron and Andersen, the specter of complying with SOX has many companies grappling to get

September 2004S12 KMWorld

By Michael McLaughlin, Exact Software

“Recordkeeping is

the memory of an

organization.”

Supplement to September 2004 S13

mission critical task that is taken on only when the more “pressing” responsibilities of an employee have been addressed. The opposite is also true: employees can become so mired in recordkeeping that they shun aspects of their job or the process becomes inefficient and unworkable. Companies must evaluate the mindset of their employees when it comes to recordkeeping. Employees must be taught the reasons for recordkeeping and must be held accountable through meas- urable objectives.

Technology Solution: Technology is how we automate recordkeeping and how we create a good many records. Without the right technology in place an effective busi- ness records system cannot comply with Sarbanes-Oxley. Business records collection and archiving must be considered part of the overall planning process when IT decides to implement new technologies or upgrade existing ones, otherwise things fall through the cracks. How many companies have updated their business records systems to be able to collect information that is posted on corporate blogs, for instance? Is the newest content on the company employee portal being archived? Taking into account IT infra- structure is a key consideration when evalu- ating your recordkeeping in the quest to become compliant.

Planning should be routine to keep pace with the momentum of technological change. Consideration for open, flexible and scalable technologies must also be taken into account to keep pace with the growth (or downsizing) of an organization.

Technology can also be a problem. First technology has multiplied the sheer number and variety of formats of records. Second, in some cases, technology can actually hamper records management, because few have architected a solution and automated work- flow for storing a record in a recognizable and centralized repository that can be easily accessed. For example, since records man- agement touches multiple departments on a daily basis, it is imperative for these depart- ments to work hand-in-hand in order to assure information is updated quickly and accurately. Despite the efficiencies brought about by technology, many organizations remain dependant upon paper-driven, labor- intensive tasks. Enterprise applications that connect multiple departments can help streamline processes and provide a central document management location where all data can be accurately updated and accessed throughout the organization.

Process Methods: Process is the means by which recordkeeping is synchronized. The foundation of the triangle is the processes by which an organization deter- mines if a record should be kept, how it is automatically archived and located when it needs to be retrieved. Process is the heart of

any effective recordkeeping system and the link between people and technology.

The Need for Uniform Internal Processes? Many organizations still continue to over-

look the importance of establishing clear internal processes. While a company may have “a way of getting things done,” general- ly the steps are not defined and tasks can eas- ily fall off track. Process is typically defined as improving how well an organization gets from point A to point C. While this step-by- step approach may seem ideal, it’s quite unrealistic since within today’s complex organizations a process may involve a num- ber of steps and a broad group of employees. With that said, organizations can understand that process is really about workflow and the ability to maintain visibility and accountabil- ity of a task from beginning to end, inde- pendent of the path the processes may take.

Despite the technologies and collabora- tive tools available, employees still continue to work independently, keeping information stored in individual tracking systems. Employees depend on personal e-mail, Excel spreadsheets and an array of notes, none of which can be accessed or updated by other employees. This lack of collaboration is why processes are poorly managed and where a number of significant company-wide pain points have their origins. Disjointed processes can lead to lost customers, duplication of work efforts and excessive costs, among other problems.

By implementing an effective workflow, companies can establish projects and tasks to aid in the management of the Sarbanes- Oxley compliance process. Secure collabo- ration between subsidiaries and external accounting groups enhances compliance communication and accuracy of information. To aid with internal support and effective-

ness of your newly established SOX policies and procedures, there are available technolo- gies that provide online training tools, inter- nal newspages and policy authorization and approval via automated workflow. A good workflow solution unifies the people, tech- nologies and processes in regulatory compli- ance, such as Sarbanes-Oxley, ISO and HIPAA.

Closing the Loop Contrary to popular belief, organizing

processes doesn’t simply mean streamlining activities so they move in linear fashion throughout the organization. Each task exe- cuted has unique demands and require- ments, and while organizations need to have a defined system in place, this system needs to remain flexible enough to accommodate each individual task. Process is really about creating a “closed-loop” workflow system that enables the user to define the processes for each unique task.

Effective controls necessitate real-time information on the status of internal compli- ance. Technology that accommodates the framework should be able to generate real- time reports and automatic alerts on the status of several business activities such as month-end closings, sales documentation with integrated CRM, credit management, expense approval and reporting, budget, G/L and cash-flow reporting. A company con- cerned with financial governance would need technology that addresses financial issues such as: secure collaboration between subsidiaries and external accounting groups; automated alerts on specific financial events; audit trails to prevent or detect fraud; auto- mated workflow of financial documents to responsible parties; and real-time financial reporting.

By leveraging a single, centralized data- base and 24/7 access to information, compa- nies can drive new levels of organizational efficiency. By synchronizing people, tech- nology and business processes, compliance with Sarbanes-Oxley, ISO, HIPAA, and other recordkeeping legislation as mandated can be accomplished. The benefits are innu- merable. Companies can pinpoint accounta- bility, ensure compliance and protect the organization’s interests simply through developing a framework simply addressing the problem of records management. ❚

Michael McLaughlin is the e-Synergy consulting manager at Exact Software™ North America. Exact Software believes in Business Unified™—providing solutions that connect the people, processes and knowledge essential to an efficient, competitive business. Exact’s solutions provide greater visibility across the organization with real-time access to central Web-based corporate information and exchange.Exact e-Synergy® is a business management solution that maximizes an organization’s access to the very latest information, anytime, anywhere.e-Synergy makes it possible to connect everything within an organization—people, documents, tasks, assets and more—in a single database, making regulatory compliance easy, for companies of all sizes.

KMWorld

“By leveraging a

single, centralized

database, companies

can drive new levels

of efficiency.”

which has led to the creation of a new role in the organization—the Chief “Governance” Officer (CGO). Governance can have many different definitions. In one sense, it means to better govern their companies, enhancing both corporate accountability and the creation of wealth. In another, it talks to “the exercise of authority, management and con- trol.” In the context of risk and compliance and the role of the CGO, it means to govern or manage both regulatory mandates as well as effective risk management.

It should come as no surprise that this focus on governance is leading to an increased focus on improving and managing business assets and processes within compa- nies today. In addition to improving financial management and reporting, creation of con- tent, operational risk or privacy management, information must also be archived and retained effectively. The bottom line is that as companies look to expand their competitive advantage and transform business processes into the on-demand world, risk and compli- ance is a constant that must be managed and considered. Companies need to build a tech-

nology foundation that includes an effective risk and compliance strategy.

As you can see in the graphic, the chal- lenges facing customers today with regard to risk and compliance are primarily based on the integration of business and IT requirements.

Governance Challenges As companies look to effectively manage

governance, some of the business and IT challenges they face may include:

1. Business/Operational Challenges:

◆ Business Silos and Solution Silos. Many business solutions around governance have been implemented to solve a single problem, by a single group or division within a company such as a trading desk, banking region, financial or healthcare group, etc. This silo-based approach makes it very difficult for firms today to implement enterprise level risk and compliance solutions;

◆ Evolving Regulations. As a regulation changes or a new one is created, the same requirement must be implemented in each silo, resulting in significant costs to the cor- poration. For example, if individual trading departments have implemented their own SEC 17a-4 solutions, each silo would need to be updated as additional archival require- ments are defined. There is an additional cost in terms of staffing for organizations to keep up with and understand all of the various reg- ulations that may impact their business. This is extremely challenging in the U.S. alone, where more than 4,000 new regulations/rules are approved by agencies of the U.S. Federal Government every year; and

◆ Varying Enforcement Levels. Companies need the ability to think globally with a

Supplement to

Governance Best Practices and Approaches

Accountability and effectively managing risk are top of mind for most organizations today. Accountability is key for companies in their efforts to ensure that they meet the wide vari- ety of mandates specific to their industry (examples include Basel II focused on improved risk management in banks or the Healthcare Insurance Portability and Accounting Act [HIPAA] for the healthcare industry) as well as cross-industry regulations like Sarbanes-Oxley (SOX) or the Interna- tional Accounting Standards (IAS) in Europe. One common theme among many of these regulations (regardless of industry) is the need to manage information content and retention through the application of effective business controls, also known as records management.

While managing content and adhering to compliance regulations is key, a critical success factor in deploying the architecture lies in ensuring that employees’ adoption of new processes doesn’t require extensive training or throw in a significant learning curve. Since pro- ductivity is key, the architecture itself must com- ply with ease of use throughout the organization.

However, effectively managing this information requires a strategy that encom- passes business acumen, strong technology underpinnings and intellectual capital.

A Business Strategy As we have all learned, the exponential

growth of data comes with its own set of management challenges. Adding to these challenges are many of the new legal require- ments associated with a company’s ability to identify, assess and effectively manage risk. Harnessing the compliance-related informa- tion and managing it for better decision- making is the foundation of enterprise risk management. In its broadest sense, an enterprise risk management strategy allows organizations to help manage the variety of strategic, market, credit, operational and financial risks that they confront. Additionally, it should not further burden IT staff or business managers whose jobs have been extended to ensure organization-wide compliance.

Today, many companies are managing regulatory compliance and risk together,

September 2004S14 KMWorld

By Larry Bowden, Vice President, IBM Workplace Software Solutions

Supplement to September 2004 S15

common and flexible infrastructure that respects the regulations specific to a county, country or region.

2. IT Challenges: ◆ Componentized Systems and Architectures.

The demand for componentized systems and architectures that share a common infra- structure, while enabling many applications, is key to many IT shops because it ensures the compliance information can easily “speak” to different parts of the organization;

◆ Standards-Based Architectures. Such as Java, Linux and Web Services can make implementing a common infrastructure, as well as re-use of existing systems, easier to achieve; and

◆ Reduce Total Cost of Ownership for risk and compliance through a common infrastruc- ture that allows for integration of different applications, processes and information.

Governance—Driving IT Spending It should also come as no surprise that

along with the increased focus on risk manage- ment and expanded regulations comes a slew of vendors vying for compliance-related budg- et dollars. The Chief Financial Officer (CFO), CGO, regulatory compliance officers and IT staff are now faced with almost too many options without the luxury of time to evaluate which strategy and solution(s) best addresses their organization’s and clients’ needs.

While certain regulations such as OSHA and EEOC have been a long-standing requirement for many industries, the front- page headlines have ignited new regulations that have ushered in a wave of compliance- related IT spending.

To illustrate this point, recent findings by Forrester found that in 2003, 17 out of 20 CFOs indicated that the new SOX regulation had a minimal impact on spending plans. One year later, it’s clear that this regulation is a corporate priority as evidenced by the surge in SOX compliance-related spending. In this same report, “IT Execs Wake up To Sarbanes-Oxley Compliance,” Forrester sur- veyed 878 technology decision makers at North American companies regarding Sarbanes-Oxley and its affect on their IT budgets. 48 % of the companies surveyed had 1,000 to 4,999 employees and 52 % had 5,000+ employees. Highlights from the research to note:

◆ 52% of those surveyed are affected by SOX; and

◆ Of those affected, 77% plan to increase spending to support compliance.

As government regulations drive IT spending, companies need to ensure that their staffs are getting the most from their investments as compliance is critical to the overall health of the organization. With regulatory deadlines looming and require- ments constantly changing, an organization

should do its best to avoid an ad hoc tacti- cal approach to compliance that is narrowly focused on dealing with individual regula- tions as they come along. Rather, business leaders should seize the strategic opportu- nity to improve overall business operations. Two key approaches include:

◆ Creating an effective team between the CFO, governance officers and IT; and

◆ Establishing a governance infrastructure to meet all of your critical needs.

Key Governance Components A key component to a successful gover-

nance infrastructure is the ability to establish a common user experience around risk and compliance. The goal is to provide a single, secure, easy-to-use, enterprise-wide user interface for a CFO or CGO that delivers any- time, anywhere access to critical resources such as content, applications, governance processes and people—both within and outside the organization.

In addition, this interface should include a governance scorecard (performance man- agement), where users can monitor gover- nance metrics based on strategic objectives and better respond to critical governance sit- uations. With this scorecard, a CFO or CGO would have the ability to increase operations effectiveness and efficiency, employee and customer satisfaction and subsequently drive additional revenue. Benefits include:

◆ Improved access to the right information at the right time—anywhere within the organization;

◆ Lower total governance TCO with inte- grated multiple collaborative capabilities, while maximizing people skills; and

◆ Extended value of existing IT investments through integration with IT governance systems.

In addition to a single user interface, a wide variety of other technologies play a role in establishing an e-business on demand compliance infrastructure:

◆ Business process management—in- cluding process modeling and monitoring along with workflow (includes the man- agement and monitoring of governance business processes and IT events);

◆ Controls framework—to help understand what risks are inherent in the business, con- trols that are in place and what gaps exist;

◆ Strong security—to help control access, protect information and data disclosure, including strong audit trails and reports;

◆ Storage management—to protect and retain data as well as ensure business recovery;

◆ Simplified content/information manage- ment—to help search as well as retrieval of information to improve the discovery of information; control access to infor-

mation; manage compliance reporting through a defined workflow including appropriate sign-offs; and records man- agement and archiving to meet retention regulations; and

◆ Analytics and business intelligence—to help assess risk.

Many of these regulatory requirements often mandate formal, structured record- keeping practices. For example, government agencies have to comply with numerous laws regarding freedom of information, pri- vacy and the maintenance of historical and archival records. In the commercial world, businesses must adhere to statutes concern- ing taxation, occupational health and safety regulations, environmental protection laws and more.

Businesses today are seeking formal, structured recordkeeping for their electronic documents and content to help demonstrate compliance with regulations and laws. In addition, they need to establish strong, cred- ible evidence of proper business conduct in order to avoid litigation.

Records management can also help with the glut of electronic information that exists in companies today. Too much recorded information is often worse than not saving enough. Businesses today need to know, with full legal confidence, what records they can delete and when.

Organizations need to manage their elec- tronic content in a way that reduces their risk and enables them to demonstrate their regulatory, legal and fiscal compliance. Electronic recordkeeping provides a means by which a company can begin to demon- strate its recordkeeping accountability to shareholders, customers and regulators. One method that can be used is “e-records software,” which brings formal, structured recordkeeping practices to electronic infor- mation produced or managed by business software. Business software with this capa- bility applies formal recordkeeping practices and methods to the electronic content, which helps to demonstrate compliance with regu- lations, preserves critical documents neces- sary for future decision making and deletes information at only the appropriate time, in accordance with applicable laws, regula- tions and/or policies. Businesses can now preserve the business records they’ve deter- mined they must keep, while destroying those permitted by law, policy or regula- tions. Electronic recordkeeping forms a key part of the infrastructure supporting a business’s overall accountability.

Creating an Effective Compliance Infrastructure

One of the most compelling outcomes for a CFO, CGO, Chief Compliance Office

KMWorld

GOVERNANCE BEST PRACTICES continues on page 16

(CCO), Chief Risk Officer (CFO) or CIO with regard to compliance is the fact that governance needs are driving organiza- tions to assess their current infrastructures, while presenting an opportunity to adjust their newly examined business capabili- ties. This includes implementing a variety of products and services that can be lever- aged to help support companies in the exe- cution of their business initiatives as well as helping them to adapt to the ever- increasing regulatory risk and compliance environment.

Thus, businesses have an opportunity to go beyond mere compliance with these new obligations. They can use this opportunity to improve their business operations by mak- ing them more efficient and predictable. Integrating the vital aspects of your corporate IT infrastructure with business processes to support compliance presents an opportunity to re-evaluate your current business methodolo- gies and revise as required moving forward.

Certainly, the task can at first appear daunting. The sheer volume of information from the Web, e-mail and instant messaging have caused a tremendous increase in the amount of information an organization pro- duces. In fact, up to 80% of business infor- mation is now stored in electronic formats.

And records management and regulatory compliance is only going to get more chal- lenging, as the drive to e-business on demand gives way to an even more meteoric rise in the amount of information a company generates— and is responsible for managing within defined business processes and mandates. But consider the upside. An infrastructure that supports the myriad IT requirements to help support governance can help streamline com- plex regulation processes. What’s more, it can spur productivity, enhance customer service and boost return on technology investment— all while optimizing your business.

The tactical approach cannot and should not be the goal. The problem with implement- ing ad hoc solutions to address individual reg- ulations is that they don’t fully utilize—or gain insight from—company information on demand. And while such an approach may be cheaper in the short run, it can be much more costly in the end because modern infor- mation technology can alert IT and business decision makers to threats and opportunities before they would otherwise be on broader corporate radar screens.

According to PriceWaterhouseCoopers, an integrated approach to governance, risk and compliance management can improve a company’s reputation value by 23%, employee retention by 10% and revenue by 8%.

By contrast, the strategic approach imple- ments a technology framework that provides common value to all business solutions, including governance. The goal is to provide

businesses with access to critical information in real time, bridge disparate teams through collaboration tools and seamless workflow and enable the viewing of vital corporate data on a single dashboard—all while implement- ing a seamless retention policy in an effort to improve time to deliver, time to value and reduced total cost of ownership.

Such a framework helps companies improve employee productivity by establish-

ing a common user experience, maximizing security and control, shortening business cycles and improving customer satisfaction.

The goal of the infrastructure is to help companies adopt best-practice standards to transform their business operations and meet governance needs. The software should help increase business efficiencies so companies can gain deeper insight and predictability on the status of their compli- ance and business efforts, and help address the information requirements of regulations affecting their businesses.

What does this take? A single gover- nance infrastructure should provide:

◆ Common value to all business solutions, not just risk and compliance;

◆ Integration among people, process, appli- cations and information, with a common base for compliance processes and improved data quality and consistency; and

◆ Timely access to information and reports along with automated data archival and retention.

The bottom line is that companies need to improve their time to value, time to delivery and reduce their total cost of ownership.

Creating an Effective Team

In addition to potentially creating new roles, like the CGO, many companies are forming compliance committees or boards to help guarantee that standards and strategies are met. Members should include representatives from key areas throughout the organization who have a role in ensuring compliance. This may include representatives from risk man- agement, internal and/or external audit, finance, IT, legal and safety departments, environmental teams, the board of directors and human resources.

Unfortunately, in many companies today there can be a disconnect between the CFO

or CGO’s office and the IT department on their strategies to manage risk or mitigate risk. For example, in many cases IT depart- ments may not understand auditing procedures and the appropriate implementation of inter- nal controls for Sarbanes-Oxley Section 404—mainly because of the struggle of the IT department to understand audit-centric terms and how they apply to an IT infra- structure. Without a common understanding

or translation of terms, it may appear that the IT organization is reluctant to help corporate auditors document IT controls in order to meet Sarbanes-Oxley requirements. This can also be the case for other regulatory man- dates. It’s important to get to a common understanding of the CFO’s strategic objec- tives and how IT can work as a team to help achieve these needs.

Regardless of who’s in charge, the most effective team is one that that crosses boundaries throughout the organization.

In Summary An integrated approach to governance

built on a common infrastructure can result in many business benefits:

◆ Reduced total cost of ownership, and reduced implementation cost by working on a common infrastructure for both risk man- agement as well as regulatory compliance;

◆ Reduced level of risk; ◆ Competitive advantage. If your com-

pany can respond quickly to new or changing regulations and leverage the infrastructure investment with perform- ance management projects that improve overall business performance while others in your industry can't, the edge goes to you;

◆ Accurate information that is delivered on-time to those who need it, so that they may understand current status at glance; respond quickly to critical situations; and enable better planning for new or updated mandates;

◆ Improved reputation, by helping reduce potential liabilities and fines—keeping the company out of the news; increased shareholder value; improved confidence for investors and customers; and maintaining credit rating;

◆ Increased customer knowledge; and ◆ Enhanced communications ❚

Supplement to September 2004S16 KMWorld

“As companies look to expand, risk

and compliance is a constant

that must be managed.”

GOVERNANCE BEST PRACTICES continues from page 15

Supplement to September 2004 S17KMWorld

Lens #2—Litigation risk. It is the job of litigators to make every shred of infor- mation discoverable. It is up to you to have the policies and practices that limit this dis- covery, while allowing for sound business practices.

Both of these lenses depend on the same set of solid policies and the reinforcement of behaviors so everyone actually complies with the policy. One of the jury’s key deci- sion points that decided the fate of Arthur Andersen was the fact that even though they had a written policy (one they sold to other companies!), they had not trained their own people very well.

Here’s a short list to serve as a “Records Policy Check Up”:

1. Look for evidence. Do you actually have a written policy? Can you find any evidence that one exists? What do you do with your own e-mails? Are they stored, backed up, destroyed against a sanctioned retention policy?

2. Visit the records center. Does your records manager have a voice in the policy- and procedure-setting activities? Look for synergy between the records department and the IT department. Together they need to ensure all electronic and physical docu- ments are treated the same way.

3. Self-inspect. Senior managers are often the worst offenders of a records pro- gram. For example, many legal rulings deem that back-up tapes used for disaster recovery only are not discoverable. But senior man- agers frequently ask the IT department to recover e-mails that they deleted accidentally. This practice voids the argument that back-up tapes are used solely for disaster recovery.

4. Get help. If you find too many issues to deal with internally—or do not even have the time to check—engage the experts for a consulting project.

Through the Lens of a Records Manager For many years, records managers were

relegated to the dusty shelves of paper records. It used to be easy; as long as you were organized and used some level of filing system your job could be done efficiently and effectively. Now with the advent of multime- dia, and end-user control of their records, the

job has become more complex and no longer a standalone task. Today’s records manager is on the forefront of new and innovative ways to capture and store documents in electronic formats that can be searched and retrieved, even if the original program has long since been replaced.

Here’s some advice for the modern-day records manager:

1. Find your voice. A records manager needs to play a role in the setting and imple- mentation of records and document policies and practices. Speak often to department heads, executives and the IT department on the “current versus desired” state of records management.

2. Be the expert. Know the legislation and how it applies to your business. Be able to articulate how you are compliant and what needs to be done to ensure that the needs of your organization are met.

3. Be a great partner. A good relation- ship with the IT department is critical to your records policy. IT controls the storage of documents, e-mails and other media. Their preference will be to keep everything forever or until they run out of drives— whichever comes first.

The other important partner is the legal department. They know more than anyone the importance of retention policies and will give you the legal backup for your arguments.

4. View records as a marathon, not a sprint. It might take years to get records under control. Having a written policy that is updated and communicated on a regular basis is a great start. ❚

MDY is committed to helping organizations properly manage the ever-increasing volume and complexity of their physical and electronic records and information. We strongly believe that proper records management can also enhance knowledge management and overall productivity for all types of organizations.

For more advice on document and records management best practices, please visit us at http://www.mdy.com

Records Management From the Basement to the Boardroom

For many years, the records department was deep in the basement of many corpora- tions, and its mysterious functions were never valued until some vital document needed to be found. All of a sudden, the records manager is in the hot seat to find a single document in the sea of e-mail, paper and electronic file stores. The records man- ager might have spent years trying to im- plement some type of records process, but probably gave up from the lack of attention to the issue.

Until, of course, something is needed. Records practices zoom to the top of everyone’s to-do list in times of crisis, dur- ing an investigation or when something vital is lost.

Through the Lens of a Senior Executive Senior staff members are drowning in

documents, e-mail, instant messages, voice mail and video clips. Along with legisla- tion that now holds them personally accountable for what they sign, they are also responsible for the behaviors of the people they manage, and how those very people manage documents. A senior leader should look through two lenses in evaluat- ing how vital information is managed:

Lens #1—If disaster strikes. Do you have an efficient records practice that allows for efficiencies in business process? Do you have the policies and practices that ensure your business would go on in the event of a catastrophic loss of facility?

Galina Datskovsky has more than 20 years of experience in computer sciences, focusing on records management. She is president of the New York City Chapter of ARMA and has been published in prestigious academic journals and computer science conference

proceedings. She has spoken on information management, government regulation/international regulations, conflict resolution and e-business challenges.

Dr. Datskovsky founded and is currently the CEO of MDY Advanced Technologies, and one of the creators of FileSurf®.

Dr. Galina DatskovskyBy Dr. Galina Datskovsky, CEO, MDY Advanced Technologies Inc.

“Records practices

zoom to the top of

everyone’s to-do list in

times of crisis.”

#2. E-mail as a Source of Business- Critical Information. E-mail is increasingly recognized as a source of corporate informa- tion and companies are looking for ways to manage it as they do other business-critical content. Industry analysts endorse this strat- egy, recommending that their corporate clients look for solutions that integrate e-mail with other content and look to enterprise con- tent management (ECM) vendors as providers. This integrated approach enables retrieving all the records related to a particu- lar customer or transaction—purchase order, invoice, correspondence, e-mail—with a sin- gle query and viewing them together.

#3. E-mail Growth as an IT Headache. The explosive

growth of e-mail has overloaded e-mail servers and degraded system perform-

ance and reliability. Messaging servers were designed to be mailrooms, not file rooms. The requirement is to offload e-mail from production servers to maintain system performance while continuing to make them easily and efficiently available to users, auditors, compliance officers and management.

New Solutions for E-mail Archiving The new generation of e-mail manage-

ment solutions goes beyond earlier, more limited products that provided simple backup and offloading of e-mail stores and products that left it to each user’s discretion to decide which messages to retain.

Today’s products are designed to address three primary requirements: ◆ Retain messages in compliance with regu-

latory requirements and corporate policy; ◆ Facilitate searching as required for legal

discovery; and ◆ Improve system performance.

These products automatically capture, classify and index e-mail messages, create a searchable archive and manage the informa- tion lifecycle according to corporate retention and disposition rules. Offloaded to secondary storage to improve the efficiency of the e-mail system, the archive remains accessible to users, auditors and compliance officers.

To meet today’s requirements, make sure you choose a solution that allows you to: ◆ Capture everything you need—but only

what you need. That means taking the deci- sion on which messages to retain out of users’ hands and automating it according to rules you establish. It also means capturing only the messages that meet your criteria. You should be able to screen on subject, sender, recipient, message content and date. Make sure you can store attachments with messages and avoid duplicating mes- sages that are sent to multiple recipients.

◆ Establish flexible, automatic classification based on business rules and content analy- sis. This is a logical structure that can be organized by user, by chronology, by orga- nizational function or by some combina- tion. The classification system can also assign codes that determine length of retention and disposition.

◆ Maintain accessibility for users, compli- ance officers and corporate managers via the e-mail client and a Web-based inter- face. Retrieval should be based on cate- gorization and/or full-text search of messages and attachments.

◆ Implement an e-mail management soft- ware infrastructure that supports multi- ple storage options, including emerging network-attached storage from vendors such as StorageTek, Network Appliance and EMC.

◆ Seamlessly integrate with your plans for implementing a sound information life- cycle management (ILM) strategy that will allow you to manage all types of information from creation to disposition. Mobius’s ViewDirect E-mail Management

meets these criteria for supporting regulatory compliance, facilitating legal discovery and improving system performance. It also enables integrating e-mail with other enterprise content to maximize the business value of the critical information contained in e-mails. ❚

Mobius is the leading provider of software solutions for total content management. The ViewDirect® TCM suite includes integrated e-mail and records management as well as facilities for Web content management, business process management, and content integration across the enterprise.

Supplement to

Taming the Beast: Gaining Control of E-mail

The headlines tell the tale: High-profile prosecutions hinge on the contents of e-mail messages that their authors never dreamed would constitute a permanent record. Beleaguered IT departments spend weeks combing through voluminous files to pro- duce messages required for legal discovery.

But beyond the evening news lie more mundane challenges caused by the explosive growth of e-mail: performance degradation of e-mail servers; mushrooming storage require- ments; the recognition that messaging sys- tems have become the primary means of busi- ness communication; and that those messages contain critical enterprise information.

In most organiza- tions today, e-mail man- agement is either non- existent or is done using in-place technologies— like simple backup

systems—that fall short of what is needed to protect the organization and to ensure compliance.

The Three E-mail issues There are three primary issues associated

with e-mail, each imposing a series of requirements on an e-mail management solu- tion: e-mail as a source of corporate records; e-mail as a source of business-critical infor- mation; and e-mail growth as an IT headache.

#1. E-mail as a Source of Corporate Records.

A record is any piece of data, in any form, that is required to be kept as documentation of an organiza-

tion’s decisions, actions and transactions. Clearly then, e-mail messages are records and must be controlled and managed according to an organization’s policies and procedures for record retention, access and disposition. To reduce the enormous costs of producing e-mails for litigation discovery and audits, they must be categorized and searchable. Much of the recent visibility of e-mail is a consequence of the emerging importance of e-mail as a source of corporate records.

September 2004S18 KMWorld

David Winkler directs product planning and manages the product life cycle for the ViewDirect TCM suite. He has over 18 years of experience leading technical and professional services teams in applying information technology to business needs.

David welcomes comments and conversation about this article. He can be reached at [email protected].

David Winkler

By David Winkler, Vice President, Product Marketing, Mobius

Companies that have no

retention policy for e-mail: 59%

Companies that accept e-mail as written confirmation of

transactions: 79%

E-mails per day: 31 billion in 2002, 60 billion in 2006

Supplement to September 2004 S19

Step-by-Step Deployment Just as rolling out any application enter-

prise-wide, the project can be overwhelm- ing. The approach of starting with one department and growing to multi-depart- ment deployment provides many benefits, including cost savings. While some configu- rations will be department-specific, other parts of the implementation are scalable and can be utilized across multiple departments, creating economies of scale. Look for a recordkeeping system that utilizes similar configurations to increase both the efficien- cy and cost effectiveness of subsequent department installations.

In keeping with the theme of efficiency and cost-effectiveness, recordkeeping sys- tems should be able to be integrated into existing (host) software. Employees need to be able to work in their current line of busi- ness software and shouldn’t have to learn new applications to utilize e-mail, faxes, paper files and electronic documents.

Information holds a different business value over the course of its lifecycle, as well as from one department to another, and must be managed accordingly. By growing departmental solutions that are inter-related and managed by the overlying best practices and records management principles, businesses can manage their assets across the entire enterprise.

Recordkeeping is as much a strategy as a product. Just as a business needs a strate- gic plan to succeed, so must it have a strat- egy for managing its information. A com- plete recordkeeping solution provides the right information to the right people at the right time and should offer the following capabilities:

◆ Incremental departmental solutions— can be configured to work in various de- partments with host applications;

◆ Scalable—can grow across multiple de- partments. Solution must be configurable to work with varying departmental needs—whether it’s starting with paper management in one department, elec- tronic records in another department, or

workflow in yet a third department. Scal- ability and the ability to grow with the changing needs of the organization is key;

◆ Able to manage retention—can classify documents by their business value. The records are managed through their lifecy- cle and destroyed within the legal and op- erational requirements of the business; and

◆ Flexible—can manage business records, regardless of form—paper or electronic.

To develop a corporate-wide information management system, follow these steps:

◆ Develop an information management strategy to meet the company’s most pressing needs;

◆ Find a recordkeeping system that is flexi- ble, scalable, compatible with host appli- cations and able to manage retention; and

◆ Implement the recordkeeping solution one department at a time to allow the company to first maximize the depart- mental benefits, then use the knowledge gained in the installation to make subse- quent departmental implementations even more efficient and cost effective.

Once a corporate-wide information man- agement solution is in place, businesses will be able to see direct improvements in any business areas that need reliable information to make sound decisions. In addition, a good recordkeeping system will protect privacy, secure vital records, maintain data integrity, manage retention and ensure regulatory compliance. As the amount and complexity of information grows each year, so must the ability of the recordkeeping system. No company can afford to be without access to accurate, reliable information relevant to their business. ❚

Smead is uniquely positioned to apply over 98 years of records manage- ment experience into recordkeeping solutions. Committed to providing innovative solutions for the management of information, Smead has developed a comprehensive line of recordkeeping software.

A Departmental Approach to Recordkeeping Solutions

Businesses are inundated with information from everywhere, in many forms. While this presents a problem for many organizations, the reality is that it can actually provide a great opportunity for companies large and small—as long as they can maintain the data they want, and use it to their advantage. An enterprise-wide recordkeeping strategy is needed to maximize organizational benefits. Defining a recordkeeping strategy requires a step-by-step approach:

◆ Decide what information is crucial for managing the business;

◆ Learn what documents are necessary to meet regulatory compliance; and

◆ Determine in what form each type of information is best retained—paper or electronic.

Regulatory compliance has joined the forefront of issues facing CEOs today. According to a recent survey by AIIM International, 11% of the top executives sur- veyed said managing information to meet regulatory compliance was one of the three biggest challenges businesses face today. Other top concerns:

◆ Increasing profits and productivity (46%); ◆ Improving customer service (16%); and ◆ Remaining competitive, ensuring quality,

controlling costs (27%).

Once the top concerns have been identi- fied, the step-by-step approach begins by ana- lyzing the organization to identify which department would show the fastest return on investment or the greatest impact on the core business process by implementing a record- keeping solution. Then, through an analysis of the departmental processes, the record- keeping solution is configured to meet that department’s specific needs. (Recordkeeping is an information management system that manages both paper and electronic records with consistent retention management con- trols.) A complete recordkeeping solution increases the reliability and trustworthiness of records storage and retrieval, with the benefit of improving work efficiency and reducing legal liability.

KMWorld

Sharon Hoffman Avent is the owner, President and CEO of Smead Manufacturing Company, Hastings, MN. Avent joined the family-owned business in 1965 as an hourly employee, and was named president and CEO in 1998. Smead Manufacturing

Company has been woman-run since 1955, and Avent, just as her mother before her, continues on with the company’s legacy of providing high quality organizational products. Founded in 1906, Smead grosses over $500 million annually and has 2,600 employees worldwide.

Sharon Hoffman Avent

By Sharon Hoffman Avent, President and CEO, Smead Manufacturing Company

for these searches was typically more than three hours.

Central Archive Delivers Efficiency

TFS recognized the need for creating a central repository that would put everything in one place, so documents could be quickly and easily accessed and allow searches by multiple index criteria. Rather than deploying an in-house system, TFS turned to JPMorgan Chase’s i-VAULT!SM solution, a high-volume image archive service. i-VAULT! is a secure image warehouse with redundant archive sites in the Northeast and Southwest, offering instant access through a Web interface.

TFS is now able to achieve significant gains in efficiency, improved customer serv- ice and increased disaster recovery/business continuity protection. This outsourced solution has allowed the further mitigation of concerns over escalating on-site data storage costs, as well as issues of technology obsolescence.

TFS’s two lockbox providers now send data CDs directly to JPMorgan where the images are loaded into the online archive by noon of the next day. As a result, TFS

staff no longer must handle and manage a rapidly expanding library of CDs, which had become unduly cumbersome.

Saving Time, Improving Customer Service Since TFS’s 34 field offices and three

customer service centers are able to access check images online in a matter of seconds, staff members can now perform with far greater efficiency. The average query reso- lution has been reduced to less than 10 minutes. And the quality of online check images is superior to that of a fax. In addi- tion to faster retrieval times, an overall improvement in work processes has been achieved, with multiple representatives now being able to gain access to the same image at the same time. According to TFS Cash Manager Janet Rydell, “i-VAULT!’s central repository provides all of our loca- tions direct access to images, which has significantly improved our productivity.”

In setting up the system, TFS was able to establish which index fields it considered crit- ical for its searches, resulting in quicker, more accurate access to documents in the archive. This added indexing flexibility allows TFS corporate accounting staff and representatives to search for checks by customer account number, date range and/or location.

Personnel can use the system to verify pay- ments, find “payoff” checks for title release processing, find checks that have been applied to the wrong account, as well as locate cus- tomers who have stopped making their pay- ments altogether. Check images can be easily copied into documents such as customer corre- spondences, or bookmarked for future use, and queries can be saved and reused.

Since implementing i-VAULT!, TFS is averaging 44,000 item retrievals from the archive per month. Rydell indicates that the per-item load fees for storage have been more than offset by employee time savings and improved customer service. “This was definitely a product our customer service centers needed,” states Rydell. “I don’t know how they functioned without it.”

As evidenced by TFS’s successful implementation, an image archiving solu- tion can reduce document retrieval time down to seconds, eliminate wasteful in- house processes, provide critical business continuity and disaster recovery capabili- ties, while helping to ensure better, faster customer service and operational efficien- cy. JPMorgan’s solution lets businesses focus on what matters most—their core competency. ❚

Chris Redvers is the i-VAULT! Product Manager for financial institu- tions at JPMorgan Chase Bank. i-VAULT! is an Internet-based enterprise content management service that provides a centralized repository of data with online retrieval capabilities. For more information regarding i-VAULT!, call 1-866-2-ivault (866-248-2858) or visit www.jpmorgan.com/ivault.

Supplement to

Online Image Archiving Toyota Financial Services’ Powerful Document Access

How do you manage an avalanche of data? What if that avalanche arrives on your doorstep in the form of seven CDs per day, 35 per week, 140 per month . . . amounting to more than 1,600 discs per year?

This hugely inefficient data nightmare became a daily reality for Toyota Financial Services. TFS is one of the largest captive finance companies in the U.S., with a retail lockbox network handling 1.5 million pay- ments monthly. Handling vehicle payments from 34 field offices, TFS’s Lockbox Ac- counting Group is responsible for identify- ing payments with missing account num- bers, correcting mis-coded items and resolving customer errors on checks de- posited as lease and loan payments for TFS-financed vehicles.

To operate effectively, associates within the Lockbox Group require timely access to copies of checks associated with those pay- ments. Because of the massive volume of CDs generated by TFS’s two servicing banks, check research was a time-con- suming process. A typical query required staff to complete a form requesting infor- mation and fax the form to the Account- ing group. Field offices might also submit their own requests for copies of checks to verify payments. Average resolution time

September 2004S20 KMWorld

By Chris Redvers, VP and i-VAULT! Product Manager, JPMorgan Chase Bank

Supplement to September 2004 S21

utive management. So then, what is the best way to manage this seemingly out-of-control conundrum? For those responsible, the answer is to establish clear records manage- ment goals and create a realistic game plan that is understood, implemented, and used by IT staff and business-level users.

Based on best practices and years of helping leading organizations develop and execute records management programs, consider these four goals:

1. Prevent and Immediately Detect Policy Violations. Make it as unlikely as possible for employees to fail to retain, pre- serve and archive all content your organi- zation creates to operate its business;

2. Mitigate Risk When Violations Occur. Have self-reporting and incident- management policies in place to protect your organization across all levels;

3. Manage Content First, The Medium Second. Information today has to be man- aged based on content, not medium; this changes everything. While technology has perpetuated some of the records management chaos in organizations, it can also play a crucial role in making it work; and

4. Educate Employees. Ensure compli- ance awareness so all employees under- stand their records management roles and obligations, and what is expected from them on an ongoing basis.

Compliance in Action

Jay Cohen, the former chief corporate compliance officer at the MONY Group, followed these goals, and created a game plan for the financial services holding company with approximately $55 billion in assets.

“For us, it was about focus,” says Cohen. “One of our most pressing records manage- ment challenges from a regulatory and busi- ness perspective was how do we continue to best manage and archive e-mails which are now legally considered business records, for all of our employees.”

Cohen helped develop a transparent e-mail archive and supervision program that met the expectations of executive manage- ment and the needs of IT staff and employ- ees. MONY brought IT in from the very beginning and went over rules and regula- tions that needed to be addressed. Then, from this collaboration, it evaluated possible enhancements to existing processes. Next, the company identified solutions and processes and implemented a pilot program for IT and line employees to trial. After test- ing an e-mail archive system from AXS-One with a group of sales managers and other supervisors, MONY gauged its e-mail archiving process.

According to Cohen, “We identified, reviewed and documented e-mail in a manner consistent with our goals. Based on the trial’s success, the system was deployed across the entire sales organization. The technology and process made archiving and records manage- ment much easier.

“Based on the initial success of our e-mail archival program, we would recommend replicating this execution strategy for all areas of records management, including existing paper-based and electronic commu- nications within operations and finance.”

Solving the Problem The intricacies of today’s business and IT

environment combined with compliance regu- lations and legal consequences are changing how corporate executives and records man- agement professionals like Jay Cohen operate. While technology has contributed to the elec- tronic communications onslaught, it can be used effectively (and transparently) to provide organizations control and efficiencies in man- aging their growing storage environments.

The goals offered above should help guide your records management and compliance efforts in the new age of compliance and pro- vide perspective on how to crystallize and accelerate existing initiatives. Cohen chose to focus his initial compliance efforts on e-mail archival, and you may choose another approach, but whatever your path, these goals can help guide you as you strive to proactive- ly manage this increasingly complex business and IT function. ❚

Peter Mojica is vice president of product marketing and business devel- opment for New Jersey-based AXS-One, a leading provider of records compliance management solutions worldwide and developer of the AXS-One Compliance Platform. Mr. Mojica is a recognized thought leader in the fields of records management, corporate compliance and risk miti- gation, and speaks at numerous industry events annually.

AXS-One is a leading provider of records management, e-mail and instant messaging archival management, financial management, and workflow software to efficiently manage complex business processes. AXS-One’s solutions help organizations control and leverage their transactional activities within their normal business activities with customers, partners, vendors or internal departments to address compliance, collaboration or content management needs. For further information please visit us at www.axsone.com.

The Four Goals of Records Management in the New Age of Compliance

While records management as a profession is not new, the burning spotlight on its prac- titioners and corporate executives is. Due to the confluence of technology, and the flawed records stewardship and mismanagement of several high profile organizations, records management is being driven by new govern- ment regulations and compliance initiatives. The traditional practice of records manage- ment—a demanding business function—is now under the watchful eyes of regulators and legislators who are impacting how pub- lic organizations and their employees, cus- tomers, and partners operate.

As a result, several things have happened: ◆ Risks associated with records manage-

ment have been elevated to embrace the entire organization globally;

◆ Demands on information management professionals have crossed over into the business area of compliance; and

◆ Consequences of deploying IT systems without considering the compliance and information risk associated with them are being exposed, as they are oftentimes inefficient and costly to re-engineer. These factors and a myriad of compliance

and disclosure regulations have added to the responsibility and accountability of all exec-

KMWorld

By Peter Mojica, VP, Product Marketing, AXS-One

Records Questions to Ask 1. Do you have a documented

policy for all electronic records, including e-mail and IM?

2. Is it electronically enforceable?

3. Is it electronically auditable?

4. Are your audit trail records irrefutable?

5. Do you have a regularly documented testing plan?

6. Are you taking advantages of new technologies to save costs?

to meet evolving regulations and statutes over time. Regulations may change, but they will not disappear. An integrated compliance framework should be based on a “best of breed” architecture that will minimize the pain of transition and leverage common poli- cies, content and applications for compliance.

Managing Risks and Exposures As you develop your approach to com-

pliance, consider the regulatory environ- ment, timeframe for compliance, the process controls needed to achieve compli- ance and evaluate the people, process and technology risks and exposures. While penalties stemming from non-compliance are enforced at the executive level, every employee is an information custodian. Corporate policies and procedures must be communicated, monitored and measured. The tasks of compliance should be auto- mated to reduce the potential for human error, and integrated to minimally impact the daily routines of employees. Most importantly, the people responsible for active declaration of financial records, audit records, proposals, pricing, etc., must have the right tools and training.

How can you minimize the risks and exposures? Develop a content-based records management solution that provides:

◆ Consistency: Demonstrate that policies are consistently applied across the enterprise;

◆ Capture: Ensure that all items deemed as records are captured and managed;

◆ Accessibility: Provide high-performance search, retrieval and presentation func- tionality and deliver all information quickly—regardless of format;

◆ Completeness: Capture and preserve the original content, context and structure of information;

◆ Integrity: Ensure records are protected against alteration or deletion;

◆ Auditability: Generate audit trails and re- ports detailing user access;

◆ Retention: Enforce retention require- ments and policies—retaining items for as long as necessary, but no longer;

◆ Destruction: Expunge records completely so as to prevent any reconstruction;

◆ Continuity and Recovery: Build in re- dundancy to protect assets and guarantee operational continuity;

◆ Authenticity: Provide records that are verifiably accurate and reliable; and

◆ Official Copy: Have one “official copy” of records, with copies governed by dif- ferent business rules.

The Need for Common Content Infrastructure

To support this comprehensive approach, you must define what constitutes a “record series” based on content, and establish rules for how records are captured and stored . The critical success factor is a common content infrastructure that lets you see how records are related, and enables easy retrieval to sup- port discovery.

A common content infrastructure has the following features1:

1. A universal content repository sup- porting common search and access control across all information types—paper and microfilm, images, revisable documents and e-mail, common retrieval for all elec- tronic types and an audit log of all actions on stored content objects.

2. A standards-compliant records management application (RMA), tightly integrated with the repository user interface and workflow, providing file-plan manage- ment, record classification and enforced retention management.

3. Enterprise content management (ECM) software, for a scalable solution for the creation, version control, workflow, security and lifecycle management of all content types and to achieve consistency across content types and sources.

Bottom Line There are no magic bullets. But to be

successful, you need a content-based records management plan, which mitigates

Integrated Content and Records Management

Accelerate Compliance

New regulations, the threat of litigation and the uncertain costs of compliance place company record-keeping, content and data management practices under unprecedented scrutiny. Organizations today are required to meet a growing body of regulations set up to assure corporate accountability.

Evaluating your records management policy in this new era of accountability is critical in order to achieve compliance with government regulations, such as the Sarbanes-Oxley Act of 2002, SEC 17a, NASD 3010, and the U.K. Data Protection Act, as well as with corporate policies or industry standards. As we have seen, companies who do not comply face dire consequences.

An Integrated Approach to Compliance Is your organization prepared to over-

come the risks of non-compliance and man- age the operational costs of retaining, access- ing and archiving records? An integrated compliance framework and a policy-based program of records retention, supported by technology that can properly classify and archive all records, can help you mitigate risks and prepare for the future.

The approach followed must be proven and methodical—however, the most critical aspect of any compliance initiative is to ensure that the solution not only meets the organization’s existing compliance needs, but that it is sustainable and serves as a platform

Supplement to September 2004S22 KMWorld

By Vasu Ranganathan & Gregory Kosinski, Fujitsu Consulting & EMC Corporation

Supplement to September 2004 S23KMWorld

the people, process and technology risks and exposures. The best approach is to partner with a cross-functional team that provides both products and services, such as EMC Corporation and Fujitsu Consulting.

EMC provides a complete informa- tion lifecycle management solution for compliance: the combination of Documentum Records Manager with the Documentum ECM platform and storage provides an end-to-end solution for con- tent creation, version control, security, archiving and storage. Documentum Records Manager provides formal records management procedures for the classification, declaration, retention and disposition of records, while Legato EmailXtender archives and manages e-mail messages. Documentum Content Intelligence Services (CIS) allows actionable metadata from new or existing records to be automatically identified, automating and controlling the tagging and categorization of all record types.

Fujitsu Consulting brings business and consulting expertise in the area of compliance management and integrates EMC’s applications for end-to-end compliance.

As a first step toward compliance, Fujitsu Consulting will conduct an inter- active review and assessment of your records and content management tech- nologies and business activities. This assessment will include your key stake- holders to identify the enterprise’s desired end-state, uncover potential risks and provide you with specific rec- ommendations to include in your compli- ance approach. ❚

1 Bruce Silver Associates Industry Trend Report, “Answering the Call for Enterprise Records Management,” May 2003

About Documentum Software from EMC Documentum software from EMC Corporation includes enterprise content management (ECM) solutions that enable organizations to unite teams, content and associated business processes. With a single platform, EMC Documentum software enables people to collaboratively create, manage, deliver and archive the content that drives business operations, from documents and discussions to email,Web pages, records and rich media.

For more information, visit www.documentum.com.

About Fujitsu Consulting A trusted provider of management and technology consult- ing,Fujitsu Consulting is the North American services arm of the 45 billon-dollar Fujitsu Group. Fujitsu Consulting inte- grates the core expertise of Fujitsu companies and partners to deliver complete solutions that drive business value. For more information, visit: http://www.fujitsu.com/us or send an email to [email protected].

requirements from the legal or compliance officer, but they’re the ones who implement the technology. But it’s the role of the records manager that will expand the most, as the kinds of document required for records reten- tion move beyond just paper documents— things like advertising, memoranda, Web pages, e-mails, even voice. The records man- ager will thus become part of a larger consor- tium in charge of all recordkeeping practices,” Reier predicts.

Dean Berg from Stellent agrees: “There’s a new visibility for records managers. They’ve gone from the backroom to the boardroom. And that visibility comes from the board, who are now looking for answers: “Hey let’s ask Joe, the records manager, what he thinks about all this.” He’s right about one thing: this is a BIG change. I would have been shocked last year to learn that the board even knew Joe’s name.

It’s a matter of balancing cost versus risk,” says Reier. “The IT folks want to get rid of e-mail as fast as possible. The compli- ance officers have a different agenda; they recognize those e-mails may contain content that is subject to some kind of regulatory recordkeeping requirement.”

Stellent’s Del Zane thinks it’s the ven- dor’s job to tailor the consultative work according to the needs of the individual. “We have two kinds of demo,” he says. “One is for the records manager. It takes three hours and goes deeply into the inner workings of the system. The other is for end users; it takes three minutes for us to say ‘don’t worry about it, this is how your document gets automatically classified into your records system. ’ ”

He’s only half kidding. “Records man- agers don’t traditionally have control of electronic documents,” he says. “They’re taken care of by the IT department. But we were gratified to see recently (at the MERS Conference in Chicago) that the attendees came in teams consisting of the records managers, their IT people AND their legal representatives.

“One piece of advice we give,” says Zane, “is not only to take the team approach, but put somebody in charge of that team—call him or her the Chief Compliance Officer— and make sure that person involves all seg- ments: records, IT and the business owners. The extent to which somebody can be tasked with the role will help tremendously.”

“Technology is only one component,” adds Hummingbird’s Pery. “You also have to make sure there are effective policies in place, and that there are mechanisms in place to enforce those policies. You can have the best content management in the world, but if employees are not incented, or are not pro- vided sufficient training, then information will not be effectively managed.

“There are huge implications if you don’t,” warns Pery. “For one, if you don’t have effective retention and disposition rules, you may be subject to a default judgment, and unable to defend yourself. If a company destroys e-mail—deliberately or inadvertent- ly—and has no policies in place, the compa- ny is subject to significant fines.”

Pery goes on: “Even if you DO have a published policy, but it can be shown that you don’t follow it, you may be required to produce records that SHOULD have been destroyed, but weren’t. There can be stag- gering costs associated with this, and it’s no excuse to plead that the costs would be exorbitant.”

So we’re back to Agent Kay—your peo- ple can be informed and trained, but can they be relied upon? “Nobody will do anything until they’re forced to,” points out Exact Software’s Mike House, quite accurately. “But deadlines are now—or about to—drive the decision to deploy records management systems. The thing you have to realize: The technology upon which to build a regulatory compliance framework is not meant for a select few...it’s meant for everybody. Whether you have an active participatory role in the mechanics of the compliance technology on a day-to-day basis is irrele- vant. As a member of the organization, you MUST be aware if it. You never know when someone—anyone—will pick up a docu- ment that qualifies as ‘controlled data.’

“E-mail is a wide open pit of quicksand when it comes to compliance. It’s an open- loop system, and you really don’t have any control. The best you can do is bring e-mail from the open loop into a controlled system, such as a document management system, where you have visibility and can apply business rules—who’s touched it? who’s modified it?”

There’s no easy answer. But after read- ing the essays in this White Paper, you’ll definitely begin to formulate your own strategy for getting your “people” to think like “a person.” ❚

Andy Moore is a 25-year publishing professional, editor and writer who concentrates on business process improvement through document and content management. As a publication editor, Moore most recently was editor-in-chief and co-publisher of KMWorld Magazine. He is now publisher of KMWorld Magazine and its related online publications.

As Editorial Director for the Specialty Publishing Group, Moore acts as chair for the “KMWorld Best Practices White Papers”and the “EContent Leadership” series, overseeing editorial content, conducting market research and writing the opening essays for each of the white papers in the series.

Moore has been fortunate enough to cover emerging areas of applied technology for much of his career,ranging from telecom and networking through to information management.In this role, he has been pleased to witness first-hand the decade’s most significant business and organiza- tional revolution: the drive to leverage organizational knowledge assets (documents, records, information and object repositories) to improve performance and improve lives.

Moore is based in Camden, Maine, and can be reached at [email protected].

BEYOND continues from page 3

www.infotoday.com

Produced by:

KMWorld Magazine Specialty Publishing Group

For information on participating in the next white paper in the “Best Practices” series. contact: [email protected] or [email protected] • 207.338.9870

Kathryn Rogals Paul Rosenlund Andy Moore 207-338-9870 207-338-9870 207-236-0331 [email protected] [email protected] [email protected]

For more information on the companies who contributed to this white paper, visit their Web sites or contact them directly:

www.kmworld.com

AXS-One 301 Route 17 North Rutherford NJ 07070

PH: 800.828.7660 or 201.935.3400 FAX: 201.935.1443 E-mail: [email protected] Web: www.axsone.com

EMC Corporation Documentum Office 6801 Koll Center Parkway Pleasanton CA 94566

PH: 925.600.6800 FAX: 925.600.6850 E-mail: [email protected] Web: www.documentum.com

Exact Software North America 300 Brickstone Square Andover MA 01810

PH: 978.474.4900 FAX: 978.474.9317 E-mail: [email protected] Web: www.exactamerica.com

Fujitsu Consulting 333 Thornall Street Edison NJ 08837

PH: 800.882.3212 or 732.549.4100 FAX: 732.549.2375 E-mail: [email protected] Web: www.fujitsu.com/us

Hummingbird Ltd. 1 Sparks Avenue Toronto ON M2H 2W1

PH: 877.FLY.HUMM or 416.496.2200 FAX: 416.496.2207 E-mail: [email protected] Web: www.hummingbird.com

IBM Corporation Web: www.ibm.com/software

JPMorgan Chase Bank 2 Chase Manhattan Plaza, 14th floor New York NY 10081

PH: 866-2-ivault (866-248-2858) Web: www.jpmorgan.com/ivault

Legato EMC Software Group 2350 West El Camino Real Mountain View CA 94040

PH: 888.853.4286 FAX: 650.210.7032 E-mail: [email protected] Web: www.legato.com

MDY Advanced Technologies, Inc. 21-00 Route 208 South Fair Lawn NJ 07410

PH 888.639.6200 or 201.797.6676 FAX: 201.797.6852 E-mail: [email protected] Web: www.mdy.com

Mobius Management Systems, Inc. 120 Old Post Road Rye NY 10580

PH : 800.235.4471 or 914.921.7200 FAX: 914.921.1360 E-mail: [email protected] Web: www.mobius.com

Smead Software 600 Smead Boulevard Hastings MN 55033

PH : 800.216.3832 or 651.437.4111 FAX: 800.216.3837 E-mail: [email protected] Web: www.smeadsoftware.com

Stellent, Inc. 7777 Golden Triangle Drive Eden Prairie MN 55344

PH: 800.989.8774 or 952.903.2000 FAX: 952.829.5424 Web: www.stellent.com

TOWER Software Two Discovery Square, Suite 510, 12012 Sunset Hills Road Reston VA 20190

PH: 800. 255.9914 or 703.476.4203 FAX: 703.437.9006 E-mail: [email protected] Web: www.towersoft.com