1. Home
  2. ISO Consultation
  3. Other Activities
  4. Records Management (ISO 15489)

Records Management (ISO 15489)

Other Activities

1:  EXECUTIVE SUMMARY:

Information has always been an organization’s central resource. Without it, the modern organization simply could not function. Business records are operational—and sometimes strategic—assets. They have economic, legal, fiscal, risk-management, and competitive values. Many organizations, however, lack effective policies and procedures for systematic control of their recorded information. As a result, they keep some records too long, spend too much to store them, waste time looking for misplaced information, risk penalties for non-compliance with recordkeeping regulations, risk a public-relations nightmare, and fail to protect mission-critical information from harm.

Narratives about such records management problems form the backbone of the field’s experience with organizations that lack records management. Common examples include:

  • Paperwork is the largest overhead expense in any organization,
  • Active files typically grow at a rate of about 25% annually,
  • Managers spend an average of 4 weeks a year searching for or waiting on misfiled, mislabeled, untracked, or “lost” information,
  • Office workers can waste up to two hours a day looking for misplaced paperwork,
  • 90% of records, once filed, are never referred to again,
  • 95% of references are to records less than 3 years old,
  • Two thirds of records in organizations  without records management may be removed from offices and either destroyed as being obsolete or transferred to lower-cost offsite facilities,
  • At any given time, between 3 and 5 percent of an organization’s files are lost or misplaced,
  • The average cost of recreating a one-page document is $180,
  • Companies typically misfile 2% to 7% of their paper and electronic records,
  • Computer users spend 7.5% of their time on a PC looking for files,
  • 67% of data loss is directly related to user blunders, making them 30 times more menacing than viruses and the leading cause of data loss,
  • 30% of paperwork is useless and could be eliminated; and  37% of photocopies made are unnecessary, and
  • Large organizations lose a document every 12 seconds,

The creation, storage, retrieval, use, and destruction (or permanent archival retention) of information of all types and in all media is an increasingly difficult challenge for business and government organizations. Despite the application of information technologies, the mounting rise of “paperwork” requirements continues to accelerate. In today’s corporate volatile environment, records management is simply not optional. In fact, records management works all day every day for every unit in those organizations that adopt a comprehensive records management program.

Records are central to the work of all organized entities. They sustain the work of the organization, yet they are, to an extent, a drain on its resources as well. What is often not well understood is that records are as much a resource-intense feature of operations as are employees, facilities, and equipment. In fact, some estimate that about 90 percent of all white-collar activities focus on information-related activities (e. g, creating, storing, retrieving, distributing). Clearly, considerable expense is required for this activity, and records management works to keep all aspects of these functions as economical as possible. Records should earn their keep, and records management makes sure they do. One study found that in single year records management saved a university $667,882 – in source and filing equipment alone – after subtracting the program’s budget http://www.theimpros.com/im/case.html

Records management—also called “records and information management” or “recorded information management” (RIM)—is the systematic application of management principles—chiefly control—to the recorded information needed and used in the normal course of an organization’s business. Records document transactions and, in some cases, may be legally required as evidence of each transaction. Transactional records include orderings, schedules, receipts, notification, loans, and contracts, and many other types. While it is no surprise that records document such actions today, these same actions were documented by records some 4,000 years ago.

In a Federal Computer Week article, J. Timothy Sprehe addresses the linguistic barriers between information technology personnel and records managers. “Take a simple word such as ‘record.’ In database management, a record is a complete set of information composed of data fields; a set of records makes up a file. In document technologies, ‘record’ means any information stored by any device. In workflow, a record is a collection of individual items of data treated as a unit. These are the meanings familiar to IT managers.”

“In records management, the term ‘record’ carries far heavier weight. The International Organization for Standardization defines a record as ‘information created, received and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business’” (ISO 15489).

“In this sense,” as Sprehe notes, “a record is something you can take into a court of law. And if called upon, you must be able to show in court that the record has authenticity, reliability, integrity and usability — that is, you must prove that the record is what it purports to be, that it is complete and unaltered, that it fully and accurately represents the facts to which it attests, and that it can be retrieved and presented.”

Sprehe’s commentary cuts straight to the heart of the issue of organizational records management. A going concern is compelled by law, by potential litigation, by audit requirements, or by common industry practice to produce evidence of its operations. These requirements may extend to a finite period, indefinitely—or may be permanently retained. In addition, an organization must plan for contingencies in the event of natural or man-made disasters which would provide for the survival of the business in those circumstances. These items represent the risk-management aspects of records management.

These have been considered records by courts:

  • Doodles on a paper napkin
  • Core samples from oil exploration
  • A pipe with a part number on it
  • Sections of frozen tissue samples

Records managers see recordkeeping systems in a larger framework than just the records alone. Such systems include people who create and use organizational records, policies related to records, procedures to ensure maximum access to and use of records, tools and technologies to create and store records in a variety of formats, as well as education and training both for records managers and those they serve.

Records and information management also brings significant classification benefits to an organization. Properly applied, records and information generated by the organization is classified, or organized, in such a way that it can be found quickly and used successfully to aid in decision processes undertaken by workers and management. This is particularly true in the area of digital information creation since employees may combine poor organizational skills with the capability of creating volumes of new business information independently of each other. This quickly leads to infoglut. Cost control is another major value since information storage costs can be significant regardless of media type. Skilled management of information prior to a pre-authorized destruction date is a way to keep organizations from drowning in the volumes of information it produces on a daily basis.

Employees involved in records and information management should have a high degree of interaction with critical business units. IT/IS departments, legal counsel or legal departments, accountants, auditing, finance departments, and contingency or disaster planning units or individuals are all critical areas of interaction for the records manager. Records management is a specialized field of information management concerned with systematic analysis and control of operating records associated with business activities. Just as attorneys handle legal issues, increasingly recordkeeping issues are best handled by experienced records professionals. The field has been professionalized through a certification program which grants the Certified Records Manager (CRM) status to those who pass a six-part written examination and maintain certification through continuing education <http://www.icrm.org>.

Coordination of records functions to support and reinforce business operations are central to the mission of records and information management. In the United States the recent passage of the Sarbanes-Oxley Act and regulations promulgated by the Securities and Exchange Commission prompt Chief Executive Officers to meet periodically with their CFOs and records managers to insure that all required information is being retained, managed, and destroyed according to statute. Failure to comply with these and other regulations, including enhanced laws protecting personal privacy in many countries, regarding information retention and disposition could result in severe fines, criminal charges, and imprisonment.

Where there is substantial employee turnover or where there have been consolidations due to mergers or acquisitions, a skilled records manager can prove invaluable in reminding departments such as marketing and sales of information assets that already exist within the organization. The organization of these assets to facilitate retrieval and use by specialized employees, departments, or outsource providers, such as consultants, or agencies can leverage existing assets to create additional profits for the organization.

Records and information management is most effective when it is implemented in an organization-wide approach. Resources such as ISO 15489—discussed below—provide significant guidance in implementing a systems approach that incorporates all employee records output and considers all types of information irrespective of the type of media or its creation and disposition date. Application of ISO 15489 within all departments and in all operating units requires the complete support of management, as well as training of individual employees to identify records at the point they are created. It also requires cooperation in identifying all company records, identifying a thesaurus of terms in use among various individuals or departments in order to design finding aids and to adhere to records management principles.

Because of their specific training in records and information management concepts, records managers should be involved in purchasing decisions for information storage and retrieval devices and should be empowered to provide guidance to operating departments regarding appropriate media selection for information storage and retrieval. They should be tasked with the responsibility (or consulted where appropriate) for locating outsourcing vendors for inactive records storage, computer tape backup and disaster recovery vendors, and vendors specializing in the confidential destruction of information. Records and information managers should also provide ongoing training to various departments regarding records retention requirements, records series identification, information technology (IT) alternatives, and finding aids and retrieval procedures.

By implementing a consistent, organization-wide and upper-management supported records and information management program, an organization seeks to

  • Conform to statutory requirements for information retention,
  • Provide itself appropriate evidence of transactions to defend itself in litigation or audit,
  • Leverage information assets into meaningful competitive intelligence and market research data,
  • Minimize jeopardy during the discovery phase of litigation, Provide for the continuity of the organization during a disaster, and Assist in controlling costs through the timely disposition of information.

At any given time, between 3 and 5 percent of an organization’s files are lost or misplaced. The average cost of recreating a document is $180. Annual loses for a Fortune 1000 company with one million files is $5 million dollars Information Week

These risk-management and value-added benefits are essential to the efficient and effective operation of an enterprise and should receive both strong management support and sufficient resources to operate effectively within the organization.

2. RECORDS MANAGEMENT: WHAT IS IT?

Records management is both a discipline and management function concerned with the systematic application of management techniques to and control of the information created or received in the normal information of an organization’s business.1 Unlike many information sources, records also have a more distinct life cycle that includes creation or receipt, processing, distribution, maintenance, evaluation, and ultimate disposition (i.e., either destruction or transmittal for permanent housing in an archive, vault, or other dedicated facility operated by the company or an outsourcing partner).

There will be organizational information systems that are made up of records (e.g., library records), but not all information systems are recordkeeping systems. Recordkeeping systems are required to have the following:

  • Reliability (consistent capture, organization access to records),
  • Integrity (no unauthorized alteration, destruction, removal),
  • Permanence (cannot be tampered with, altered, or improperly deleted),
  • Comprehensiveness (management of all records created and stored as a normal continuous activity of all units in an organization), and
  • Compliance (created and maintained in a manner that is consistent with all policies and procedures that apply to organizational records).

There are several benefits from an energetic and systematic records management program. According to Robek, they include:

  • Control of the creation, volume, redundancy, and growth of records,
  • Reduction of operating costs through active management and intelligent outsourcing decisions,
  • Improvement of overall  efficiency and productivity,
  • Assimilation of emerging records management technologies,
  • Ensuring legislative, regulatory compliance as well as other risk-management concerns, such as litigation,
  • Safeguarding the organization’s vital information, including historical records,
  • Supporting enhanced performance and productivity of business processes, and
  • Enabling quicker and better management decision making.

Records management offers a variety of asset-management benefits :protection (e.g., of privacy, data ownership, intellectual property); monitoring (e.g., auditing, due diligence, compliance); maintenance(e.g., storage, preservation, retention according to policy); documenting (e.g., past decisions and actions).

3.FUNCTIONS OF RECORDS MANAGEMENT

In addition to the goals noted above, there are programmatic functions of records management programs: what do they do in an operational sense?  Here we can only introduce each component briefly. The basic functions of a records management program once it is agreed to by senior management include:

  • Taking a records inventory throughout the organization to identify records as to types, locations, volumes, and conditions in which the records are housed. (discussed in more detail below; also, see Records Inventory Form, Appendix 1). From the inventory a variety of program initiatives emerge (e.g., identification of vital records, privacy and confidentiality issues, opportunities for application of appropriate technology)./
  • Using information from the records inventory and legal research tools, develop retention schedules for all the records series in the organization regardless of media or location. Among the issues to be addressed are: how long records must maintained in the creating office and then later in offsite storage, confidentiality, security, status as vital or archival records, medium in which the information is recorded (paper, film, tape, etc.), and how should they be disposed of—destruction or transfer to an archival repository). (See Retention Schedule Form, Appendix 2). Records retention is discussed in more detail, below.
  • Vital records are those which contain data or information essential to the survival of an organization in the event of natural or man-made disaster. As many as 90% of businesses are unable to continue after two years when their vital records are destroyed Some of these records will be unique, that is, there is but one copy being created. The vital records program, part of a larger business recovery plan, uses a variety of strategies to ensure access to vital records. (Vital records are discussed in more detail, below; see Vital Records Identification, Appendix 3.)

83% of all business documents consist of forms. Businesses spend $1 billion a year designing and printing forms but $25-35 billion a year filing, storing, and retrieving then, and some $65-85 billion processing, maintaining, and distributing them.
The Myth of the Paperless Office (2002)

  • The management of active files is an integral part of a comprehensive records management program. This function is particularly important since these records cause the greatest expenditures in space, staff, equipment, and supplies. The role of the active files function is to reduce costs but at the same time increase efficiency and effectiveness in the workplace. To achieve these objectives, records in each organizational unit are reviewed in areas such the type of media used to store the information, physical location and access to the files, and classification systems best suited for the management of each particular type of files. There are many electronic and paper-based systems available to set up classifications and filing systems.
  • Inactive files management is a strategy to continually move files out of more expensive office space when they have become inactive (often defined as a reference rate of less than one search per file drawer per month). Removed files are typically placed in a high-density, low-cost records storage environment (either in-house or outsourced). Here labor, space, shelving, and supplies are much less expensive than in the office environment. Records retention programs, policies, procedures, and schedules—discussed below—drive the transfer of inactive records.  Savings from the management of inactive files is compelling; for example, Sandy Santori, Minister, Management Services for the Canadian Province of British Columbia reported in a 2002 speech that “The three contracts to private storage [records] facilities totaled $2.3 million in the last fiscal year. For every dollar spent to store [700,000 boxes of] records in these off-site centers, it is estimated that the government [of British Columbia] saves four dollars.”
  • On average, three percent of the total body of an organization’s records qualify as archival records and thus have a life-of-company retention value.  Archival records, sometimes called “corporate memory,” form a record of both the past and present, showing long-term growth, development, and accountability to stakeholders. They also record long-term functions and activities. Records with archival value normally fall into one or more of the following categories: historical, legal, fiscal, or informational.
  • Imaging technologies have become an important part of records management. Records should be analyzed to determine if microfilming or digital imaging is appropriate. Microforms remain an appropriate technology, particularly for records that need absolute file integrity or have a retention requirement for which long-term storage is mandated. Microfilm offers virtues such as low-cost, easy retrieval, use for vital records backup, and a medium widely used for preservation of important documents. Optical disk systems can be used to scan paper records and offer other useful capabilities; these include high-volume storage, fast retrieval, fast printing as needed along with the other virtues of digital systems, such has high-speed transmission to various locations. Some technologies enable simultaneous scanning and microfilming.
  • Forms management is important to records management. By far the largest volume of records in any organization are printed or electronic forms. Forms facilitate handling of current but variable data. They are helpful in recording or documenting discrete transactions. In working with a team to create a form, records managers can set up forms control systems that include (1) analysis of the process or procedure requiring the form’s use, (2) identification of where the form should be positioned in the specific business process, (3) creation of layout and then design of the form, (4) upload or install form (if digital) or have it printed and procured (if paper), and (5) then dissemination to the forms’ users. This activity creates an opportunity for records managers to participate at the important creation stage of records in order to reduce long-term costs and enhance productivity.

Since clerical processing of the form—printed or electronic—costs significantly more than its design and printing, it is critical to use what we know about how people process information to ensure that two objectives of form design are met: (1) the greatest amount of needed information will be supplied and (2) the information can be supplied in the shortest amount of employee or customer time. Effective forms design and management significantly improves productivity.

Are Records Really Valuable? In trying to resurrect Iraq’s oil industry, authorities discovered that seismic charts for 200,000 kilometers of land were destroyed. Each chart cost approximately $15,000 to create. The value of the records? $3 billion.            Newsweek July 21, 2003

4: DISASTER RECOVERY AND BUSINESS SURVIVAL

On September 11, 2001, thousands of businesses located in or around the World Trade Center found themselves in the midst of a catastrophe. There was massive loss of life, facilities and equipment were ruined, transportation routes were gridlocked, communication channels were overwhelmed, and airspace was sanitized. Yet many of the affected businesses were able to resume operations on September 12. How was this possible? Careful planning.

Contingency planners and disaster recovery experts may disagree on some details, but all would agree that every business and organization should have a disaster recovery plan. These plans will vary widely based upon the scope and scale of the organization, but all should identify possible scenarios that could interrupt their operations and then devise strategies to overcome these interruptions. The most common scenarios are forces of nature such as earthquakes, hurricanes, tornados, landslides, wildfires, flooding, blizzards, ice storms, volcanoes and tidal waves. Man-made disasters should also be addressed; e.g., arson, prolonged power loss, burglary, vandalism, computer attacks, espionage, bomb threats, terrorist attacks, chemical spills, transportation interruptions, etc.

A basic assumption of disaster recovery is that the primary site of organizational operations will be either non-existent, unsuitable for occupancy, or inaccessible. This necessitates the creation of a temporary location to continue the activity of the organization. In order to accomplish this objective, information and other critical resources must be transferred from the primary location to a secondary location. From a records management standpoint, this requires organization of information assets in such a way that critical active records, as well as vital records, such as corporate charters, are both complete and portable (e.g., via dispersion).

The ANSI standard for maintaining unused data-bearing media is 40 degrees F and 20% RH. ANSIIT9.23-1998

The first step in protecting critical information assets is to identify them—in advance. This calls for an information and records inventory. A records manager should interview employees from all departments, including legal counsel and external accounting partners, in order to gain a complete picture of company information assets that would be essential in maintaining a viable organization. These records receive the label vital records. Vital records are frequently protected by redundancy. That is, a copy of each vital record is created and then be sent for storage in a facility physically separated from the primary operations unit of the company. While many organizations who operate in multiple facilities or geographically disparate locations may rely on unaffected company locations for other disaster recovery strategies, the preservation of vital records is frequently outsourced to a third party commercial information management company in order to insulate that information from internal attacks by disgruntled employees.

The need for this third-party involvement is clearly demonstrated in the following excerpt from an article in Network World magazine. “Tim Lloyd of Wilmington, Delaware, was found guilty last spring of planting a software time bomb in a centralized file server at Omega Engineering’s Bridgeport, New Jersey, manufacturing plant. The malicious software code destroyed the programs that ran the company’s manufacturing machines, costing Omega more than $10 million in losses, $2 million in reprogramming costs, and eventually leading to 80 layoffs…The case stems from a July 31, 1996, incident at Omega, a Stamford, Connecticut, manufacturer of customized high-tech measurement and instrumentation devices. On that morning, the central file server crashed on boot up, deleting and purging all programs on it. After months of data recovery efforts, the programs are considered a complete loss.”

Here is a further illustration from the Computer Security Institute, “Companies reporting computer crime for 1997 have reported the following: virus infection – 65%; laptop theft – 57%; abusive use of the Internet – 31%; unauthorized computer use – 16%; telecommunications fraud – 16%; information theft – 14%; financial fraud – 12%; sabotage – 11%; network break-in – 8%.” The Harris Corporation reports that “60% of computer abuse is caused by insiders. 85% of computer break-ins occur internally. Insiders still remain as the most serious threat to intellectual property.”

Redundant copies may take the form of paper records, microforms, computer data tapes, or combinations of all those media types and others as well. The location of these materials, along with an inventory of the redundant copies should be communicated in the disaster recovery plan, along with contact information for the commercial information management company. Access to this information is shielded by a restrictive authorization list, which is a select group of employees authorized to order the retrieval of information. When contemplating a scenario such as September 11, where there was massive loss of life, it would be prudent to include the name of a non-company employee (such as legal counsel or external company accountant) on the authorization list in order to insure that there will be a surviving person authorized to order retrieval of vital information, even in the case of an incident leading to significant casualties. It is also a prudent step to include a copy of the organization’s disaster recovery plan at a distant offsite location.

Paperless? For every sales increase of $100 million that a company experiences, it uses 8.8 million more sheets of paper.

PriceWaterhouseCoopers (2000)A responsibility of records managers is that of ensuring that records of all types are housed in fire-proof, climate controlled environments appropriate to their nature. Commercial facilities protecting vital records, particularly computer data tapes and microfilm, are known as media vaults. This is an important distinction, since the characteristics of a media vault bear very little resemblance to a bank vault. The exterior surfaces of a media vault are equipped with special fittings and doors in order to prevent the expansion of a fire into the facility. In the case of media storage, the fittings will be rated to hold the internal temperature of a vault to 125 degrees Fahrenheit for a finite number hours when directly exposed to a fire. On the interior of the vault, special gas-based fire suppression systems are installed, special filters siphon particles of dust and contaminants out of the air, and special machinery is used to maintain a constant temperature and humidity level. This specialized environment is designed to maximize the life of the media contained in the vault.

Even though special steps are taken to maintain a pristine environment, degradation of media is a naturally occurring phenomenon. This requires vital records copies to be regularly tested in order to insure that data contained on tapes, CDs, or other digital media is still readable. If data tapes or other digital media are being maintained for an extended period of time, in a tape library for example, data should be periodically scheduled for transfer to fresh  media. This practice is known as data migration and will take into account changes in hardware used to read the media, the operating systems of machines, and software versions used to interpret the data contained on the digital media. The National Archives and Records Administration of the United States (NARA) recommends that five  percent of digital information in storage be sampled after the first seven years in order to insure that information is still accessible.

U.S. managers spend an average of 4 weeks a year searching for or waiting on misfiled, mislabeled, untracked, or “lost” papers. Cuadra Associates

 

5: Efficiency/Effectiveness

Since records management is a staff rather than a line function, its values are often cast in terms of organizational support rather than direct revenue production. Any such function, however, must have clear purposes and offer a variety of benefits important to line management. Traditionally, cost savings has been a primary benefit and has focused on such areas as the difference in space costs between expensive low-density office space and that for low-cost, high-density storage space for inactive records.

Records management is often introduced into an organization when one or more driving problems emerge and action must be taken. Below is a diagnostic checklist that may reveal the need for a systematic, organization-wide, and life-cycle approach to managing recorded information.

  • Managers spend too much time waiting or searching for documents, Files needed by customers, employees, auditors, the public, attorneys, and others are increasing difficult—or even impossible—to find,
  • Important documents are sometimes inadvertently discarded or removed without authorization,
  • Offices are needlessly housing records no longer required for day–to–day business; current filing systems are no longer able to handle the growing volume,
  • Office space is becoming crowded with filing cabinets—each requiring allocation of 6.9 sq. ft. of floor space (cabinet base, file use space, and passageway space for other staff  + wheelchair passage) to house, provide access to, and permit employee traffic while drawers are open and in use,
  • Employees suffer morale problems when they compete with the growth of records for rapidly diminishing space,
  • There are no policy-based retention schedules, and “old” records are kept “just in case” and stack up in attics, basements, closets, and passageways because no one is sure what ought to be done with them,
  • Important categories of critical records (e.g., vital records, archival records) go unidentified and unprotected—some may be thrown out in the trash,
  • Inactive records are banished to hostile environments, such as basements, attics, garages, closets, abandoned buildings and there is neither an adequate list of locations nor an effective index to what is stored there,
  • Records are exposed to dust, dirt, rodents, insects, mold, mildew—all of which accelerate deterioration of records,
  • Records storage areas for active and inactive records as well as digital media do not meet national standards for climate control,
  • Despite vendor claims, a lack of certainty prevails about the various types, benefits, limitations, and applicability of recordkeeping technologies,
  • Backups for each computer (not just network files) not regularly made and all media rotated to secure offsite locations (putting a backup disc next to one’s computer won’t be helpful if the office burns),
  • Lack of policy and procedures manuals to standardize effective information handling processes,
  • Corporate image suffers when records needed by customers or auditors are “missing,”
  • There is a crisis (e.g., broken water pipes, fire, flood, lawsuits, embarrassing audits, etc.) that reveal inadequacies in recordkeeping.

Clearly, organizational productivity and efficiency are bound up in these problems. In some ways, records are organizational orphans—they are every unit’s information asset and, frequently, their “problem.” They are too often, however, no one’s specific organization-wide responsibility. IT’s interests and priorities often fall well outside the needs of managing records.

Federal and New York regulators ordered the U.S. Trust Corporation to pay $10 million in fines to settle accusations that it violated bank secrecy laws and failed to keep complete records in a special trading unit.

Reduction in labor costs and increases in worker productivity are key priorities in almost every business around the world. The presence of a highly organized and systematic records management program that includes all records, regardless of media type or location, can provide much needed productivity increases and lower labor costs. In his report “Dying For Information: A Report on Information Overload in the UK and Worldwide,” Paul Waddington of Reuters makes the following observations. “Time is wasted. People spend too much time looking for information. 38% of managers surveyed waste ‘substantial’ amounts of time just looking for information.”

The Reuters studies, conducted  in three sections from 1994-1996 looked at managers from the UK, United States, Hong Kong and Singapore. surveyed expressed a very high need for information. Further, Waddington’s report states “Decisions are often delayed: 43% of respondents thought that decisions were delayed and otherwise adversely affected by ‘analysis paralysis’ or the existence of too much information. 47% of respondents said that information collection distracts them from their main responsibilities. They find it difficult to develop strategies for dealing with the information they retrieve. It is interesting to imagine the potential increase in productivity if all distractions were removed.”

In addition to productivity losses, the Reuters study also points out health ramifications of information overload that leads to stress — particularly in the United States. Information overloaded employees cancelled social events and other social outlets where participation would be helpful in the reduction of stress. Respondents also reported increased tension.

6: STATUTORY REQUIREMENTS AND CRIMINAL PENALTIES

Recently, the management of business records has received close scrutiny from news media, legislators, government regulators, stockholders, and others. News events have raised troubling questions about the recordkeeping practices of U.S. corporations, professional service firms, and other business entities. Examples of widely publicized recordkeeping irregularities include reported shredding of documents to obstruct justice by Enron Corporation, falsification of financial statements by WorldCom, judicial sanctions imposed against the Walt Disney Company for destruction of royalty records, allegations that the chief executive officer (CEO) of ImClone ordered the destruction of documents relating to a government investigation of securities trading, and, most famously, the criminal trial of Arthur Andersen for destruction of audit records.

Relevance of the Andersen Case 
The Andersen trial, which led to the sudden and dramatic demise of one of America’s best known professional service firms, a $9.3 billion company, illustrates the significance of recordkeeping issues as well as the importance of systematic compliance with record retention policies and procedures.

In November 2001, the U.S. Securities and Exchange Commission (SEC) issued a subpoena to Arthur Andersen for records related to public accounting work it performed for Enron, the subject of a government investigation for possible violation of federal securities laws. That investigation began in October 2001, although the events leading up to it were widely reported during the preceding months. In January 2002, Andersen officials disclosed that the company had destroyed a number of records related to Enron audits. The officials said that the records were destroyed in conformity with company policy, a policy which permitted the destruction of non-essential records relating to specific audits. Andersen officials further stated that the audit records were destroyed without criminal intent before the SEC investigation began and before the subpoena was received.

Federal prosecutors alleged, however, that Andersen destroyed the audit records after the SEC investigation had begun and that Andersen officials were fully aware that the company would be asked to produce the records. It is illegal to knowingly and intentionally destroy records relevant to pending or ongoing litigation or government investigations, even though legitimate corporate policies—including those related to records retention schedules—would otherwise permit such destruction. In March 2002, federal prosecutors charged Andersen with obstruction of justice for destroying records needed for the Enron investigation. The company was convicted of obstructing justice in June 2002, but considerable damage to the company was done before the verdict was rendered. Many of Andersen’s leading clients withdrew their business shortly after the criminal charges were announced, and the company drastically reduced its workforce and sold several of its operations to competitors.

What Has Been the Public Reaction to These Events? 
The Andersen case and other high-profile incidents involving corporate records have provoked a strong reaction from public officials, legislators, regulatory authorities, shareholders, and law enforcement agencies. Public policy analysts predict extensive revision of legislation affecting corporate financial activities, with greater emphasis on executive accountability. In particular, companies can expect stricter regulation and oversight of their accounting and financial reporting practices, with significant penalties for non-compliance. The Sarbanes-Oxley Act (July 30, 2002) is but the first of these regulatory initiatives.

“Utilizing a system of record keeping which conceals rather than discloses or makes it unduly difficult to identify or locate them is the functional equivalent of destroying records. “ Sears vs. Kozlowski

Sarbanes-Oxley
This legislation (2002) represents a new focus on issues related to records and pushes accountability for proper handling of them (content and management) to a higher level. The law requires:

  • CEOs and CFOs to certify personally financial records and reports periodically,
  • Requires that guidelines for audit committees to be established,
  • Mandates the retention of all documents relevant to possible government investigation,
  • Audit work papers, which some might argue are not official records, must now be retained for seven years

The act also provides for executive-level criminal penalties: CFOs and CEOs falsely representing company financial status may be fined up to $1 million and sentenced to prison for up to ten years. Willful violators may be fined up to $5 million and spend 20 years in prison. Sec. 802 of the Act specifies that anyone who knowingly alters, destroys, mutilates, conceals, covers up falsifies, or makes false entries in records or documents is liable for fines and up to 20 years in prison.

While Sarbanes-Oxley is the first major piece of legislation to penalize upper management directly, there is also case law pointing to managerial culpability. For example, in Danis vs. USN Communications, the CEO was faulted for not ensuring that a comprehensive records retention plan was developed and implemented, failing to ensure that records retention directives were followed, delegating records responsibilities not to a records manager but to an in-house attorney with little knowledge of or experience with records issues, and failed to notify staff of imminent litigation such that the documents would be preserved.This is fast becoming an era when you say what you do, you do what you say, and you make a record that you did it.

  • Under the Sarbanes-Oxley Act, there is a focus on the protection of whistleblowers:
  • Employees who file or assist in proceedings involving alleged violations of Securities and Exchange Commission (SEC) rules may not be harassed or terminated.
  • SEC-subject companies may not discharge, demote, suspend, threaten, or harass an employee who has reason to believe that SEC rules are being violated and assists in providing information or evidence of malfeasance.

In both cases, the whistleblower might be turn out to be records specialists since they, more than others within the organization, may become aware of inappropriate behavior or suspicious patterns in recordkeeping functions.

Rules stemming from the Sarbanes-Oxley Act concerning records retention practices were issued by the SEC (e.g., 68 Federal Register 4861 [January 30, 2003]).  Someone, presumably the records manager, keeps track of newly promulgated regulations and puts them into corporate practice via new procedures.  It is clear that chief executives are asking more questions and requiring more information from line managers. Some have initiated internal certification processes in which managers attest to the accuracy of their own reports. The consequence of this new direction is a reformed vision of the significance of records.

The SEC’s section 17a-3/4 (and NASD 3010/3110) took effect May 12, 2003.
These requirements apply to financial institutions generally and to brokerage firms and anyone else dealing in securities overseen by the SEC. These rules require, among other things,

  • Storing data on non-rewritable media (e.g., WORM [Write Once Read Many]),
  • Ability to automatically verify the quality and accuracy of the storage media process,
  • Written and active records retention policies,
  • Storage of data—second copies—off site with a third party,
  • Searchable indexes of records on and off site,
  • Searchable index of all data, and
  • Easily retrievable data.

Some records are to be maintained six years after the closing of any customer’s account. The third-party requirement has important implications for the commercial information storage industry.

Spoilation Principle
A legal principle of importance in Sarbanes-Oxley is that of spoilation. The legal tenet of spoliation (destruction, alteration) of evidence is that “all things are presumed against a despoiler or wrongdoer” (Black’s Law Dictionary).  So, any destruction or alteration (e.g., forgery) or failing to preserve records for another party’s use in litigation (current,future, or potential) is grounds for adverse inference in court and is subject to possible penalties, including a summary judgment against the guilty party (see Carlucci vs. Piper Aircraft, below). A related problem is the corruption of electronic data, even with no malice involved. If , for example, records on magnetic tape or optical disk became unreadable, the fault would lie not at the feet of the plaintiff seeking such records but with those who, possibly, failed to maintain records in a storage environment meeting widely accepted standards for climate control (e.g., ANSI IT9.23-1998). A court could apply penalties in such cases.

The U.S. and the Shifting Regulatory Environment
Each year at state and federal levels, dozens of new laws are enacted and hundreds of new regulations are added to existing statutes that incorporate records requirements. Records managers must find ways to keep track of those that affect their type of organization. At the federal level, regulatory agencies issue new requirements and changes in recordkeeping requirements meant to achieve compliance with statutes. These are first published in The Federal Register (a daily publication of some 70,000 pages a year). Regulations accumulate in the Code of Federal Regulations, which comprises some 250 volumes a year, each 600-750 pages in length. Administrative rulings from agencies, revenue rulings, may be little publicized but must be tracked. At the state level, new laws and regulations which can affect businesses as well as government agencies also crop up by the hundreds. Companies doing business in more than one state must factor in the varying retention requirements in each state. Records managers must also keep abreast of those new federal laws, or statutes, which appear in the United States Code (USC) that may have records implications—and those at the state level as well. A recent case in point is the Sarbanes-Oxley Act.

Statutes of Limitation on Action
These statues, which vary from state to state, do not themselves require records retention.  But records, especially contracts, should be reviewed as to the number of years for which action (e.g., litigation) may be brought.  If the statute of limitations in a given state is six years, then retaining contracts for the current year plus six years would be sound retention policy; in Maryland there is a three-year statute on limitations, and so a different retention decision may emerge.

IRS
Another source of regulation of records practices is the Internal Revenue Service (IRS).  Beginning in 1998, “Revenue Procedure (Rev. Proc.) 98-25.”  Taxpayers are allowed to maintain records in electronic formats. Companies must be able, however, to provide “sufficient information to support and verify entries make on the taxpayer’s return.” If there is any question about the accuracy of the electronic records, the taxpayer must be able to supplement the electronic records with hardcopy records and be able to document the process under which the records were created and maintained. This means that detailed descriptions are required for the record format(s) used, descriptions of the various fields in the record, showing how the indexing system works, monitoring to show maintenance checking, and reconciliation of the electronic records and the taxpayer’s ledgers. Rev. Proc. 98-25 also requires appropriate labeling, a secure storage environment (e.g., fireproof, humidity/temperature controlled), selection of an offsite storage facility, and the means to ensure data integrity. Loss of data may sanctioned with penalties by the IRS. While there are legal and technological issues at play, this is yet another example of the need for knowledgeable records managers and commercial information management providers.

Fines for Inadequate Records
Businesses and other types of organizations face hefty fines for inept recordkeeping. For example, failure to properly document recordable injuries and illnesses over the past three years resulted in a $536,000 proposed penalty for a Texas pipe manufacturer. One of the nation’s largest credit-rating agencies, Moody’s Investors Service Inc., plead guilty to destroying documents it was supposed to turn over during an antitrust investigation. The agency was ordered to pay a $195,000 criminal fine according to the Justice Department. Five large investment houses were fined over $1 million each because they failed to preserve e-mail for three years as required by the SEC.

Cases of Confusion
Often the laws and regulations still lead to misunderstanding. At the personal level, most people believe they must retain their tax returns for seven years.  In fact, returns in most cases may be audited only within three years of their filing date (IRS Code § 6501).

Different federal agencies may have different retention regulations that apply to the same record.  In that case, the retention is for the longer of the two periods required.  In some cases, Maryland, for example, there is a requirement to keep records but without stating how long they should be kept. Where there is a requirement to keep but no specification as to the retention period, some organizations apply a “three-year default” retention if neither law nor common sense indicates otherwise.

Some confusion also exists about an assumed difference between personal and corporate records. If the document has anything whatever to do with one’s work, it qualifies as a corporate record and is not protected by the Fifth Amendment, which accords privilege against self-incrimination to persons, not organizations.  One’s day planner, for example, may contain personal appointments. This, however, is not enough to keep it from being part of a document production list.  The same principle applies to what we often consider our “personal” files, those kept in or near desks, and it extends to rolodexes, business cards received, call return slips, and small notebooks carried in one’s pocket.  A university president’s alteration of barber and dental appointment records in his electronic calendar provided evidence in a felony investigation of improper and personal use of university resources.

Case Law  
Ultimately, records managers must be aware of—and communicate to others—the statutory and regulatory bases for determining the length of the retention period assigned to each records series. Hundreds of records related requirements at the federal and state levels change each year, so tracking these changes are important. In addition to statutes and regulations, there is a considerable amount of case law that has shaped thinking about records retention issues (see Donald Skupsky, Law, Records, and Information Management).

A case with an important focus on records management is Carlucci v. Piper Aircraft Corporation (102 FDR 472 [1984]. In this case, a wrongful death suit, a summary judgment in the amount of $10,000,000 was made primarily because the court found that Piper had wrongly and deliberately destroyed records (“spoliation”), records which Piper would reasonably know that they would likely to be required to produce during the discovery phase of litigation. This is an example of how case law has influenced thinking about effective management of records. It shores up, for example, how important it is to have in place an effective records management program.  The records called for by the plaintiff probably would not have caused Piper as much harm intact as they did by being destroyed. Perhaps, this was a $10,000,000 risk management blunder.

Public companies are now under intense scrutiny to verify the authenticity of their financial records and accounting transactions. These companies, and private companies who may have equity partners exerting similar pressures, must turn to records and information managers in order to verify the validity of records, locate key supporting information, and to provide key information to auditors who seek to authenticate prior work. In this environment of high pressure and scrutiny, records management effectiveness and efficiency will be tested through use. The good news is that a realization of the value of records and information management can benefit an organization through a critical role: restoring investor and stakeholder trust.

7:RISK MANAGEMENT

In addition to the economic model (e.g., cost reduction, cost avoidance, efficiency, productivity, and effectiveness), another approach to the value of records management is in the area of risk management.  Much of the discussion above suggests how critical risk-management strategies can be. Essentially, risk management is the continuous, cost-effective organizational process of identifying, controlling, and mitigation (or elimination) of vulnerabilities in legal, economic, and behavioral factors. As to its processes, risk management includes risk analysis, cost-benefit analysis, and security evaluation.  Clearly, a continuous, professional-level effort in records management supports regulatory, legal, and audit challenges and supports the authenticity of the organization’s recordkeeping policies. To gain such benefits, Edwin Dietel, an attorney who evaluates records and information programs from a risk-management perspective, points out several corporate records management commitments that must be made to get the necessary results. He advises organizations to:

A. Create a Comprehensive Records Management Program.
Records management initiatives should not be undertaken either piecemeal or randomly and should be developed and documented and tested well in advance of any foreseen need. Each piece of the program should be undertaken as a part of an overall, comprehensive integrated program. To “whip up” a records retention policy and yet have no implementing procedures or management-endorsed records retention schedules for all records would prove laughable in an adversarial proceeding. (A list of records management activities or functions is treated under Functions of Records Management, above.)  Once a program is in place, it must be reviewed for both compliance and utility.

As Dietel suggests, an organized and systematic corporate records management program offers the organization an opportunity to deal with invaluable corporate information as it does with other valuable corporate assets, such as its capital, equipment, people, trade secrets, and good will. The first step is to “drain the corporate records management swamp” so that the playing field is usable.

A key to creating and improving an effective program lies in acquiring and maintaining the leadership of a records manager whose credentials and experience are appropriate.  The criteria here for candidates may include a four-year degree in management or business administration, several years of professional experience, and, perhaps, being a Certified Records Manager (CRM). An organization’s lack of experience with the title and work of records managers sometimes leads to the erroneous impression that they do filing when, in fact, they create filing systems and taxonomies—and more—for use by everyone in the organization.

B. Develop an Evaluation Program.
As Dietel notes, an evaluation focuses on whether organizational policy rightly and logically are appropriated to the organization’s records management needs. Are the proper records management processes and procedures being used?  Such an evaluation might be determined by benchmarking with other organizations, keeping current with the literature of the field, attending educational events, or by comparing the program to the elements of ISO 15489 (discussed below). When a commitment is made to constantly improving records management program, it may help to create a competitive advantage.

C. Develop an Audit Program.
An audit examine whether those tasked with managing information assets are following the records management procedures the company has established. For example, are records being filed as prescribed in the organization’s file guide and related policies? Are records being consistently destroyed in accord with the company records retention schedule (the point is missed if only paper versions of a record series is destroyed and the digital copies left in place)? Are staff performing their records management responsibilities correctly?

D. Place the Records Management Program Effectively in the Organization
Depending on the type of organization, records management may be found in legal services, management and audit, administrative services, or information services. The head of this unit should have middle-management status and report to a high level, such as the Chief Information Officer, Chief Legal Officer, or even the CEO.  This latter placement becomes more likely as the implications of Sarbanes-Oxley begin to dawn on senior management, who must, often for the first time, take an active role in records management issues and not merely provide some resources and tacit support.  Records management is likely to find new champions in the highest ranks in the organization.

At the same time, consideration of appropriate delegation of roles is important.  Putting an attorney in charge of records management is just as wrong as putting a records manager in charge of the legal department. When handled in an informed way, senior management will make effective delegation of roles such that, for example, records management will do the managerial and specialized legal research for each records series, and the organization’s counsel will review and endorse it.  In a similar way, records management and Information Technology (IT) will work together on computer-based systems so that issues such as records retention requirements will continue to fall under records management while IT more purely technological needs. It would be foolish to have a high-quality retention program and yet allow IT staff to claim that deletion of obsolete records does not apply to records on computers.

E. Integrate Records Management Initiatives with Technological Innovations
Information technology can greatly facilitate the sharing of information, yet people can be easily inundated with too much information. At the other extreme, people may not be able to find the work of an associate in the next office. Pre-positioned, organization-wide information technology with workable organizing schemes (often called taxonomies—discussed below), discussed below, must be in place for effective retrieval:  the right information at the right time for the right person.

In recent years, much of the IT focus has been on electronic document management systems.  Recently, however, vendors have recognized the critical importance of building records management requirements into their systems.  Technology is emerging that provides modules to handle retention and related records issues.

F.  The Vital Records Program: A Risk Management Imperative
Managers are responsible for the enhancement and protection of all the organization’s assets. The creation of a vital records program may prove to be a key business asset to the organization’s very survival and should be a prominent part of any organizations’ business continuity plan. Some know the term “vital records” as referring to public records of births, deaths, etc. In records management, however, “vital records” are those that are fundamental to the functioning of an organization. Certain vital records contain information critical to continued operation or survival during or immediately following a crisis (e.g., fire, flood, earthquake).  Such records are necessary to continue operations under abnormal conditions.  They contain information necessary to recreate an organization’s legal and financial status and to preserve rights and obligations of stakeholders, including employees, customers, investors, and citizens. Some vital records may be unique and not easily reproducible, or the cost of reproduction or replacement may be considerable.  Some records may be required in their original form to meet evidential requirements.  Records should be classified as vital only for as long as they support critical business processes and fulfill the requirements described above. Once they have fulfilled this role, they should be reclassified. (Detailed information about vital records programs is available in ANSI/ARMA 5-2003: Vital Records Programs.)

It is widely understood that the organizations that lose their vital records are in grave jeopardy. As many as 90% of businesses with lost vital records are unable to continue in business. All the more reason to develop a vital records program. As suggested in ANSI/ARMA 5-2003: Vital Records Programs, this program should provide:

  • Lists of all records identified as necessary to protect assets, protect legal and financial status, preserve rights of . . . stakeholders, and ensure continuity of business operations,
  • Procedures and practices to be followed to protect these records, and
  • Procedures to permit effective use of selected records in an emergency.

Normally, vital records will constitute only 5%-7% of the total volume of records, but clearly they would prove to be among the most critical to the operation of an organization. Among the most important activities in developing the vital records program would be:

  • Creating a list of all records that qualify as vital records (e.g., paid invoices, accounts receivable, corporate charters),
  • Development of strategies to protect the records identified as vital (e.g., copies sent offsite, microfilm sent offsite, dispersal of copies in normal course of business, media tape rotation or automatic electronic vaulting for storage in a data vault (corporate or external vendor), and
  • Make copies of unique vital records and retain onsite while sending originals to an offsite records management company or media vault (ANSI/ARMA 5-2003: Vital Records Programs).

In addition, the management of vital records—including use of computer back up tapes and microfilm masters—is made more secure by redundancy. If copies of these materials exist at a remote location, the effects of a fire or other potentially catastrophic event can be more easily overcome. Since events like arson or data sabotage are often initiated by disgruntled or recently terminated employees, a third party vendor is frequently employed to preserve vital records copies or originals. This third-party storage strategy is getting increased attention since federal regulations increasingly require it for some records types.

Helpful Hints:

  1. Are you storing your records correctly? Are records located in basement areas or under water pipes that may be prone to flooding? Are the records protected against fire? Your commercial information managementoutsource  partner can help you determine whether some records may be at risk and can provide effective services to lower cost, minimize risk, and aid in business continuity planning.
  2. Are your records policies and procedures clearly defined? Do those policies and procedures provide for the auditing of the records program to ensure compliance? Are employees trained in proper procedures for submitting records along with the appropriate documentation?
  3. Are computer backup tapes, vital paper records, or copies of tape or disk libraries located away from the originals? Too many people store backups of their PC’s files onto a disc kept in a drawer of the desk on which their computer is placed—not helpful in the event of a fire or flood.
  4.  Are restricted records such as personnel files or protected health information shielded from unauthorized viewing and locked when not in use?
  5. Is a copy of your disaster recovery plan located away from company facilities, but quickly available, in case the primary facility should become inaccessible?
  6. Are you using a “clean desk policy” to make sure active records and information are removed from desk surfaces after hours? This provides several benefits, including minimizing unintended viewing of potentially sensitive information by cleaning personnel, unauthorized employees, or others who may gain entry to work areas.

8: DATA MINING, KNOWLEDGE MANAGEMENT, AND A RECORDS MANAGEMENT

STANDARD

Records managers are concerned with differences in what has come to be called the information hierarchy.  Below is a graphic depiction of this hierarchy:  Data are typically seen as the raw material, or building blocks, of information.  This data means little by itself. The data must be processed, analyzed, or organized in order for it to be meaningful. When data is formatted, correlated, or plotted, it becomes—or rises to the level of—information. These have greater value in decision-making and the performance and strategy of an organization.

Compared to data, information is a meaningful message—often within a document or other tangible communication. Because it reduces uncertainty, one can take action from information or make decisions based on it. A piece of information—recorded information for our purposes—has limited value until many items of information can be acquired, evaluated, compared with other information, and put into the context of experience and judgment.  At that point, information becomes knowledge.  There we are focusing on the cognitive realm—including intuition—that may include the generation of new ideas, new interpretations, and possibly new products.  Yet, this knowledge may be somewhat limited until it is synthesized and visualized at the level of understanding.  Whether wisdom should represent the next level in this structure remains to be seen, though some have suggested that it—or perhaps values—should be next in order.

Where do records fit into this model and why should we be interested? Some suggest that “a” record can be nothing more or higher than data—with little value on its own.  Others assign a higher value to individual records, suggesting that certain types of records have enough information content within them to have a higher status than mere data.  Records have their value as records when they document an action or transaction.  At some point in time after the transaction, they rapidly lose value and are kept mostly because of their retention requirements.

The emergence of knowledge management, however, may give new value to what had seemed to be lifeless records. Records used for one purpose—usually to document a transaction—may be re-used, or recycled, and used in some other way.  In the pharmaceutical industry, for example, a compound may be developed to create a medicine for a particular ailment and not prove itself of value for that problem. Yet the research records created from that earlier initiative is often revisited, and new experiments emerge to see if the drug has value for some other condition.  When the first effort fails, the records of that effort gain new life and value. In this context, records become competitive weapons and revenue generators.

In his The Value of Records Management: A Manager’s Briefing, William Saffady declares that “Systematic recordkeeping practices confer competitive advantages that can increase revenues in some business situations. Recorded information is a critical supporting element in value chain activities associated with the creation, marketing, and delivery of products and services. All value-chain activities depend on information contained in paper documents, computer databases, and other records. Although information-processing technologies attract considerable attention, recorded information itself is the real value carrier in most business operations.”

Introducing ISO 15489: An International Standard
In September 2001, an important milestone was achieved in standardizing records and information management practices around the world. An international standard, initiated by records management standards organizations in Australia, and through the cooperative technical committees of the International Organization for Standardization (ISO), culminated in the creation of an international standard for records management called ISO 15489: Information and Documentation—Records Management. A further document, “DIRKS: A Strategic Approach to Managing Business Information,”2 has also been created by the National Archives of Australia as a potential resource to records managers around the world in their implementation of ISO 15489.

The scope statement of ISO 15489 states, “This International Standard provides guidance on managing records of originating organizations, public or private for internal and external clients.” It adds, “The standardization of records management policies and procedures ensures that appropriate attention and protection is given to all records, and that the evidence and information they contain can be retrieved more efficiently and effectively using standard practices and procedures.” This standard, along with the DIRKS Manual and other resources, can provide key substantiation for changes in records management policies when communicated to appropriate management personnel.

“One of the strengths of [ISO 15489] is that it focuses on the business interests in good records management and provides a strategic and holistic approach to it.” Sarah Tyacke, Keeper of the Records, Public Records Office, UK

  • Among the benefits of implementing ISO 15489 noted by Robert McLean are
  • Conducting business in an orderly, efficient, and accountable way,
  • Delivering services in a consistent and equitable manner,
  • Documenting policy formation and managerial decision-making,
  • Providing continuity in case of a disaster,
  • Meeting legislative and regulatory requirements including archival, audit, and oversight activities,
  • Providing consistency, continuity, and productivity in management,
  • Facilitating effective performance of activities throughout the organization,
  • Providing protection and support in litigation, including the management of risks, associated with the existence or non-existences of organization activity,
  • Establishing business and cultural identity,
  • Protecting interests of the organization and its stakeholders, and
  • Maintaining corporate, personal, and collective memory.3

Any organization seeking or having ISO 9000 certification should look closely to ISO 15489 as direct support to their ability to demonstrate compliance with the “quality records” and other information requirements of the ISO 9000 series.

Leave a Reply

Your email address will not be published. Required fields are marked *

    • 4 × four =