For most organisations, records management traditionally meant boxing up old invoices, receipts and other financial documents and transferring them to some far-flung dusty store room. The transition from paper-based to electronic records did little to change that process, the main difference being that now the store rooms are full of badly labelled magnetic tapes, CD-ROMs and diskettes.
However, as recent corporate history shows, that approach is inappropriate and dangerous; good digital records management needs a very different set of processes. Just ask investment banks Morgan Stanley and Merrill Lynch, insurance group AIG or tobacco giant Philip Morris, all of which were hit with massive penalties by the courts after they were unable (or perhaps, in some cases, unwilling) to produce key records.
Their hard-won lessons stand alongside a raft of newly prescribed processes, governed by a long list of regulations – Sarbanes-Oxley, Basel II, data protection and many other laws – that demand that businesses make their records management processes much more transparent and secure.
It is not surprising, therefore, that organisations are looking to records management systems to help them cope with the growing volumes that must be stored and managed. Analysts at IT adviser, Gartner, estimate that companies spent a combined $190 million on records management software and related maintenance in 2004, and that outlay will rise annually at a compound rate of 25% over the next five years. Moreover, at least 60% of all Global 2000 companies are expected to have implemented enterprise record management programmes within the next two years.
The systems they are choosing vary widely in their sophistication, but to fulfil most legal requirements any system needs to be able to enforce how long a record should be kept for, how it is preserved and ultimately when it must be deleted. It should also keep a trail of who has accessed the record and when.
Identifying what a record is, and how it should be treated, is the first step in selecting and identifying a suitable records management platform.
“Software alone is not what ideal records management implementations are all about,” says Priscilla Emery, an analyst at content management consultancy CMS Watch. “Organisations need to first focus on creating solid records management programmes before embarking on a software evaluation process.”
Yet even this process is fraught with difficulty. As Emery says: “There is no real cookie-cutter approach to defining a records retention policy for every document out there – every company has to take a look at its own business operations and examine what should be considered a record, and then decide what retention rules to apply against them.”
The commonly accepted understanding of what constitutes an electronic record is information that has had, at one stage, a recognised value to the business, as defined by internal processes or external compliance legislation, and therefore both the content and structure must be preserved in a fixed format for a set period of time. This strict definition is crucial, as once a document has been declared a record, there is a clear set of procedures that must be applied in keeping the record secure until its disposal date.
But the definition and capture of records is just one aspect of the system. According to Emery, a records management system should include the following components: the ability to manage retention schedules; the storage of records in their appropriate classification along with metadata; search capabilities; destruction of records according to prescribed schedules; holding or ‘ring fencing’ of records during an audit or legal investigation; and tracing the access of the record over its active and inactive lifecycle.
Form and substance
Adding to the records burden is a growing number of new content types that must be managed, secured and made accessible. Emails, instant messages, PDFs, video conferencing and voice calls can all be declared as records, but few companies are equipped with the infrastructure to handle all these as records.
“Retaining a record past its disposal date can be as great a liability as not capturing it in the first place.”
Tony Heywood, Hummingbird
Most records management vendors are now offering functionality around these core components, depending on which sector of the broader content or storage management sectors they target, making the selection process of a records management system a daunting task.
One aspect has become easier, though. In recent years, consolidation within the sector has cut down the number of ‘pure-play’ records management suppliers. Indeed such technology is now increasingly offered as part of the wider content management platforms provided by the larger enterprise content management (ECM) vendors.
Some analysts even see the demise of standalone records management as a positive development. “Integration with ECM, email archiving, compliance and discovery solutions is essential,” says Kenneth Chin, research vice president at IT analyst group Gartner. Vendors that have a portfolio of these products will have a significant advantage over those that only have a separate records management solution, he adds.
It is crucial that any content type used across the breadth of the organisation can be managed and accessed from within the records management system. Just as important as the capture, management and visibility of these records is their controlled disposal once they have passed their retention period.
Both the maintenance and disposition are essential elements of a record, says Tony Heywood, European senior vice president at content management vendor Hummingbird. If you retain a record past its disposal date, it could potentially be used in litigation cases against an organisation, and therefore be as great a liability as not capturing it in the first place, he says.
It is therefore critical to ensure that the record is properly secured, from the time of its creation through to its disposal. Almost all records management systems have security functionality built into them, and this security needs to also cover the records’ metadata. At its heart, the system needs to preserve the content and structure of the record in the context in which it was originally captured.
Raising the standard
There are a number of standards and certifications that organisations can look to in order to achieve sound records management practices. Certification schemes – such as the US Department of Defence’s DoD 5015.2 standard and the UK’s National Archives (TNA) standard – lay down a set of specifications and testing procedures that validate vendors’ claims about their products.
But security should also be viewed within the wider IT context, as the records management system is often an extension of many operational processes. In a networked environment, systems may be accessed and controlled from within the organisation (a closed system), or by external users where staff are collaborating on a document and passing the final document into the records management system (an open system).
Typically, open systems need more control applied at the record level, whilst a closed system can rely to a larger extent on system integrity to manage the record. The US Food and Drug Administration, for example, uses a system of digital signatures to provide a clear audit of the record’s history, something that is necessary for the tightly regulated industry in which it operates.
A useful standard for organisations to apply is BS 7799, a British standard that has been adopted by the International Organization for Standardization as ISO 17799. Although BS 7799 is a broader standard for information security, it provides a systematic approach for securing corporate information and for the safekeeping of records by combining human workflow activities, processes and IT systems into a secure network.
In an era where the corporate governance of organisations is being heavily policed, applying a solid records management programme and building a suitable security framework is vital. Indeed, processes and technologies need to be put in place to make regulatory compliance sustainable.
“The big challenge with compliance is getting to the stage where you are acting in concert with the regulations,” says Dan Whelan, CTO at content management vendor FileNet. “And once you are there, being agile enough to continue with the process and remain compliant.”
But getting to this stage is difficult. “You almost have to employ an army of lawyers to interpret, on a daily basis, the legislation as it comes through,” says Tony Nicholls, principal consultant at financial consultancy firm Atlantic Link. And it is a problem compounded by the fact that organisations today must deal not only with the legal requirements in one country, but potentially in any country where they operate.
“Right now many of our clients are looking at a rules engine that in part comes from the records management vendors, but they also need to look at rules engines that govern the structured side of their data,” says Michael Kuhn, EMEA portal and content management practice lead at Accenture. “There is no single records management system, but rather a combination of technologies that makes up the records management programme.”
But at the very least, a records management system actually ought to be “a fundamental cornerstone of any sensible business, irrespective of whether they are highly regulated or not,” says Mark Donkersley, MD at records management vendor AXS-One. “Because if you haven’t got visibility of what is happening in your business and you cannot get hold of the data to make those decisions, how can you really manage your business?”