
Records Management Goes 'C Suite'

By Tony Reid
August 31, 2006

Just 5 years ago, if you were to approach a C-suite executive about discussing his company's record-keeping policies and procedures, you likely would have been shown the door. After all, wasn't record-keeping, file storage and electronic data retrieval the purview of middle management; perhaps residing somewhere in facilities management, information technology, or human resources?

Today, a few years and numerous perspective-changing developments later, a topic that once resided quietly in back offices and file rooms has emerged at the epicenter of high-level business conversations around internal controls and risk management. What happened? Sarbanes-Oxley legislation clearly was a watershed event, elevating records management to senior executives' radar screens, as were several high-profile (and costly) legal actions related to record storage and retrieval. Further fueling the issue, technological advances have made records of all types both more easily accessed and more easily erased.

Regardless of cause and effect or why the issue is front and center, the fact is that at this very moment, there are probably hundreds of lawyers and business consultants meeting with hundreds of clients in offices all around the U.S. to discuss some topic associated with proper (or improper) record handling. It is a hot issue that is getting hotter, so the need for immediate and effective action is greater than ever.

New Electronic Discovery Rules

Even the U.S. Supreme Court has gotten involved, recently handing down a series of amendments designed to eliminate confusion surrounding 'electronic discovery' in the early stages of litigation. The new rules, which are set to take effect toward the end of this year, include these actions:

  • Amend the definition of discoverable material to specifically include electronically stored information;
  • Require early discussion among interested parties regarding electronic discovery issues;
  • Establish procedures for the production of electronically stored information;
  • Utilize a 'two-tier' approach when defining the scope of discovery, so that electronically stored information that is not readily accessible need not be produced unless ordered by the court;
  • Offer a limited 'safe harbor' against sanctions in certain cases for data destruction and loss;
  • Incorporate a remedy for an inadvertent production of privileged information; and
  • Modify the rule regarding subpoenas to conform with other new proposals regarding discovery.

The good news is that senior executives are listening and responding. For example, in March of this year, this author's company, Deloitte Financial Advisory Services LLP, held a Webcast on 'Electronic Records Retention & Disposition' that attracted more than 900 executive participants. That level of participation is not surprising given recent legal and regulatory events that have served to underscore the need to get companies up-to-date on current requirements. Here are just a few examples:

  • A financial services company was fined $15 million by the SEC for improper record handling in 2006;
  • Improper destruction of e-mails led to a partial summary judgment and a $1.45 billion total award to a claimant in 2005;
  • In 2004, a federal court cited a major technology company for improper destruction of documents during the company's 'Shred Day' activities and ultimately dismissed its claims of patent infringement against another company; and
  • A jury awarded $29 million to Laura Zubulake, a former employee of a large banking and investment firm, after receiving adverse inference instructions over destruction of hypothetical records on back-up tapes, including e-mails.

There are several important phases to developing and maintaining a records management program in your organization. Don't wait for an event to occur that will force you to address records management issues; take the offensive and execute pre-emptive measures. Start taking steps to define what a record is in your organization (regardless of what form or medium it is), identify the location of documents, e-mails and other media that fit that definition, and find out what the legal and regulatory requirements are for the retention and accessibility of those records.

Getting Started

A records management process should ordinarily start with identifying where the records are located, and should also include future-oriented policies and procedures designed to achieve high-quality, compliant records management over the long term. It's a process that takes time and patience to execute well. For those very reasons, an effective records management program needs strong leadership from the top of the organization, appropriate delegation of responsibilities, and regular follow-up. Following is a closer look at four important considerations for developing a records management plan:

  1. Define what a record is in your organization;
  2. Develop a detailed understanding of varying requirements;
  3. Set up the infrastructure to execute and provide oversight; and
  4. Follow up and stay on top of new developments.

All records are documents, but not all documents may be records. As a rule of thumb, a document contains information that may or may not be of business value to your organization, whereas a record is created to perform a specific task and is kept to provide evidence of that activity. Generally, your definition should be consistent with any regulatory requirements for your business.

However, we have found that many organizations tend to over-hoard, with a large percentage of information retained actually falling into the category of non-records. The reality is that the paperless office has never come to fruition. On the contrary, more companies seem to be entering the paper storage business than ever before! In our experience, a good deal of paper retention is a simple function of 'comfort level.'

But keeping too much can be an expensive option. It can cost a lot to administrate and search all that paper. The same is true of electronic documents, including e-mail. It is usually helpful to start the retention and disposition process by asking why the information was created in the first place, or why it was received from someone else. Examine the continuing function of each record as well as the specific need that it meets. Also determine whether the record is one-of-a-kind or if it is duplicated elsewhere.

E-mail, in this case, should be treated like any other record in the organization. Users should be aware of retention requirements for all types of documents that they send or receive electronically the same way they would if they were on paper. A consideration for handling of e-mail is the creation of alternative storage areas to which users can move retention-required documents so that all of the documentation is not residing on e-mail accounts, another costly situation. In addition to e-mail storage requirements, it is also important to educate employees about e-mail writing and storage. In developing your records retention program, you should consider providing for safe review and storage of e-mail files when an employee leaves a company.

As a guide for this defining and sorting process, information typically falls into one of four categories, which, depending on continuing value, will help determine how long a record should be kept. When documents are found that fall into more than one of these groupings, retain for the category with the longest required period of retention (e.g., state vs. federal tax record requirements).

  • Legal Value: This is the baseline for keeping a record. Retain for at least the minimum amount of time provided by statute, regulation, code, or statute of limitations.
  • Fiscal Value: Retain for at least the minimum period required to support tax filings, financial reporting, audits, etc.
  • Administration Value: Many, if not most, organizational records fall into this category and the decision about retention needs is usually subjective.
  • Historical Value: This includes records that tell the organization's story, including information that documents historic actions, photographs, correspondence, etc.

Guidance Specific to Electronic Records

The continuing evolution of new technologies and ways of communicating and exchanging documents makes it imperative that your records management program focuses on key aspects of electronic record systems. As new information technology advances are implemented, for example, your staff may be required to migrate information from one system to another. Should records be needed to support a legal position, it is important to make sure that your organization's handling of the information makes the records legally admissible. If you have failed to properly plan and implement the retention program, it may be more difficult to find and produce useful documentation. Following are some key legal requirements for electronic records:

  • They were created in the normal course of business;
  • They are authentic and purport to be what they say they are; and
  • They are trustworthy: No alterations or tampering have taken place (ISO 15489-1 First Edition 9/15/01 under Section 7.2 Characteristics of a Record (page 7)).

Follow security procedures to help prevent unauthorized access to the records and remember to establish a schedule for periodic testing of the system. Use system backup tapes only for data loss purposes, not as an archive. These records are accessible and could result in a costly process of recovery if litigation occurs.

To help meet requirements for authenticity, certain security controls, such as data encryption, should be implemented. In addition, beyond physical controls, it is important to check proper functioning of firewalls, user access and other checkpoints that will help support a viable audit trail.

Check Retention Requirements

Regardless of how you end up categorizing materials, however, be sure to check the retention requirements, legal and financial, as these vary widely from one place or industry to another. There is no one-size-fits-all template, so you should consider any local, state and federal requirements that might apply to your location and industry. Following is just a quick glance at some of the potentially confusing requirements (and variations) that you may see:

  • Federal Unemployment Tax Act and FICA require records related to hours worked be retained for 4 years, while the Equal Pay Act and Fair Labor Standards Act require similar records be kept for 3 years. Neither specifies if actual time card or time sheet documentation is needed, or if information can be derived from payroll registers.
  • In terms of fiscal record requirements, many records used to document state sales and use filings are also used for IRS and state income documentation. Unclaimed property reporting requirements vary by type of property and from state to state.

Organizing a Records Management Program

No one person or department of your organization will be able to adequately address all of the questions involved in locating and categorizing records. Consider establishing an advisory body, or records committee, that includes subject matter experts from a broad cross section of the organization. Participation by the following areas is especially recommended:

  • Legal;
  • Tax;
  • Internal Audit;
  • Risk Management;
  • Information Technology;
  • Corporate Secretary;
  • Treasurer or Controller; and
  • Records & Information Manager.

One of this group's first responsibilities should be to produce a short list of factors that are considered instrumental to the success of the organization's records management program. In my experience, these include:

  • Senior leadership buy-in, support and advocacy;
  • Effective program policies and procedures;
  • An IT infrastructure that supports storage and retrieval of needed records;
  • Focused training and effective communication; and
  • Regular, consistent and documented program audits.

You have to start with C-suite executive buy-in because a successful program will have many different facets that can be costly and may impact all areas of the organization. Build a strong business case for the program (see sidebar below) that is based on needs and a close look at both benefits and risks, so that decision makers both understand and support the program's objectives.

A records management policy begins with establishing a framework for the most important content of that policy. The following four categories of content for such a framework are recommended:

  • Corporate Records Policy: Contains the authorization, development, and approval process for the program, as well as its staff and management structure;
  • Records Retention Schedule: Provides a taxonomy of record categories and series and corresponding retention periods, as well as who controls the records and other information;
  • Legal Hold Policy: Details processes and systems to identify required records and data and safeguard them from alteration or destruction when they are relevant to existing or reasonably anticipated investigation or litigation; and
  • Records Management Manual: Combines relevant policies and procedures into a one-stop resource to instruct staff on accomplishing activities that support the program throughout the organization.

Realizing and Measuring Success

In summary, I believe there are four important considerations in establishing a records management program:

  1. A compliant records retention program is more than the existence of a single policy or schedule;
  2. Electronic records, such as e-mail, should be treated as any other media for retention purposes;
  3. Consider establishing a legal hold policy to collect and preserve the needed records; and
  4. Policies alone are not enough; effective communication and training are critical in meeting compliance and risk reduction objectives.

Conclusion

If you address each one of the above points in your planning and development efforts, you should be on the right track for designing a records management program to help you be prepared for potential legal and regulatory actions. Your organization may also be able to take advantage of potential opportunities that might otherwise have just slipped by because you may be able to access information more readily and address potential risks. Records management may have been elevated to C-suite issue status because of events in the external world, but your organization may be able to reap a number of internally directed benefits as well.

 
