The worldwide trend is towards better corporate compliance, governance and risk management. Tough new international reporting standards and broader definitions of evidence to include electronic documents and emails are catching organisations off guard. These reporting standards are driving a new generation of electronic archiving, document management and e-audit.
Specifically organisations must:
- Understand statutory retention obligations;
- Implement email and internet policies;
- Implement document retention policies;
- Ensure relevant records are accessible, searchable and recoverable;
- Take care in what they destroy.
Regulations and compliance
Laws vary from country to country.
Australia: The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (CLERP 9) became law on 1 July 2004. Companies need adequate measures, processes and procedures to meet the obligations of the Act, especially if involved in auditing and company financial reporting.
Australian accounting standards, which are legally binding under the Corporations Act 2001, have been aligned with the International Financial Reporting Standards (IFRS) for reporting periods from 2005 onward. Separately, the Corporations Act requires organisations to keep financial records for seven years.
United States: Sarbanes-Oxley is US legislation with global implications, designed to prevent financial malpractice and accounting scandals. Publicly traded companies must have policies and controls in place to secure documents and process material information dealing with their financial results. Auditors and accountants must keep audit records for at least five years, and it is a felony to knowingly destroy, alter or falsify documents to impede, obstruct or influence a federal investigation.
The Gramm-Leach-Bliley Act (GLBA) establishes rules for the privacy and security of customer information. Its Safeguards Rule requires financial institutions to protect that information with appropriate technical measures, such as encryption and monitoring, and to guard against unauthorised access that could result in substantial harm to customers.
SEC Rules require retention of records of broker-dealer communications for three years, that records are stored in an unalterable (write-once) format and are serialised and indexed for easy retrieval, and that brokerages keep a duplicate copy of each message and its associated index at a separate location.
NASD Rules mandate that firms draft and enforce a policy for supervision and review of correspondence, monitor correspondence for compliance with codes of conduct, identify correspondence to be pre- or post-reviewed and record supervisory activity.
Europe: The UK Data Protection Act 1998 imposes duties on individuals and organisations that have access to personal data. The European Union Data Protection Directive, which it implements, requires that "personal data" be protected by "appropriate" technical and organisational security measures.
Basel II Accord will require financial service providers to formalise and adopt a process-driven approach to risk and information management.
Existing obligations
Nick Abrahams, partner at Deacons law firm, says that on top of new legislation there are myriad documentary retention obligations and evidence requirements in many Australian Acts and Statutes. These cover all traditional and electronic document types in areas such as the:
- Public Records Act
- Tax statutes including the Income Tax Assessment Act; Goods and Services Tax, Capital Gains Tax, Fringe Benefits Tax and Payroll Tax
- Corporations Act
- Privacy Act
- NSW Workplace Surveillance Act
- Evidence Acts of each State
- Electronic Transactions Act
There are also non-specific risks such as vicarious liability, where a company is liable for the acts of an employee within the scope of their duties, as well as personal liability for directors or officers who fail to implement appropriate corporate governance policies.
Burgeoning information
Over 80 per cent of all corporate communication is now conducted via email. It is paramount that organisations can produce emails and attachments yet few organisations ensure important electronic documents are kept properly.
This leaves organisations and executives vulnerable to prosecution if they cannot meet reporting requirements and weakens their position in litigious situations if they are unable to locate evidentiary electronic documents.
All this against a background of rapidly growing amounts of organisational data. According to Abrahams the amount of new information is doubling every two years and more new information will be created over the next few years than in the entire history of mankind so far.
To manage the risks of existing and burgeoning documentation, organisations must expedite the archiving, storage and retrieval of traditional paper-based documents and implement systems and policies for the archiving, storage and retrieval of all electronic documents.
In addressing document retention issues to meet regulatory and legislative requirements, organisations are finding other risk-mitigation benefits, from intellectual property protection to improved staff effectiveness.
Civil and criminal risks
While not as clearly defined as regulatory and governance issues, businesses also face civil and criminal risks. Lawsuits are won and lost every day on evidence produced to prove or disprove a claim.
Every company, large, small, public, private, regulated or non-regulated, will need to produce evidentiary email and documentation at some point.
Operational risks
Archiving and retrieval
Ineffective archiving can lead to time wasted and employees distracted while documents are searched manually. In addition, important information can be overlooked leading to incomplete decision making.
Strong archiving and retrieval policies and procedures also improve document standardisation and help multiple sites control and access documents in a meaningful way.
Emails
Organisations can head off many problems with email filtering, reducing storage space, retrieval time and enhancing productivity.
Effective email filtering cuts down on employee time spent dealing with non-work emails and spam, and it reduces network load and the liability that comes with carrying that traffic. It also reduces the risks associated with inappropriate, offensive or illegal content.
Privacy and security risks
Unsecured information has a two-fold risk. With much organisational data covered by Privacy and other Acts, it is paramount that the security of the information is ensured.
In addition, insecure information management increases the risk of intellectual property breaches with easier access to proprietary information and reduced chances of detection.
External risks
Disaster recovery is a vital element of any corporate risk mitigation strategy. Mirroring corporate databases at off-site, secure locations has saved many businesses hit by a major on-site disaster.
The solution
Establish policies
Document retention and destruction guidelines must be developed in consultation with those with the legal know-how.
It is wise to determine policies for the day-to-day business environment and have a crisis policy for times when the risk of litigation is heightened.
While email filtering is vital, it is just one aspect of a process which should review all computer-generated documents, other documents and even voicemails.
Consider too, how documents will be archived for ready retrieval. It is the outcome that is the most important driver of the policies. Consider worst-case scenarios and apply logic to how materials will be easily found.
Decisions made by employees about which information to retain are subjective and must be based on each organisation's specific policies. Using technology to implement those policies ensures a systematic approach, limits user intervention and greatly reduces that subjectivity.
Technology can help by enforcing authentication and access controls, logging who accessed or changed each document so that an audit trail exists, and limiting 'creative archiving' (ad hoc folder structures and renamed files) that will hamper retrieval.
Review technical requirements
There has been software available for years which has helped primarily large companies and law firms digitise and store paper documents. But the ability to quickly and easily lay hands on these documents, regardless of their source, is not necessarily inherent in early generation document management systems.
There are plenty of examples where companies simply settled civil suits or regulatory actions because it would have cost more to do the document search than to settle or pay the fine.
Now organisations require systems to manage both paper and electronic information, with far more sophisticated archival, storage and retrieval.
There has been a huge surge in demand for new technology to meet privacy, accounting and global reporting requirements.
Redmap is experiencing explosive growth in provision of systems that ensure email and electronic information is stored and accessible. From vital records to critical business information, Redmap technology assists capture and index of electronic documents to strict archival standards. This helps organisations meet their compliance requirements, coupled with the technical benefits of single instance archiving, significant storage benefits and simplified back-up, restoration and disaster recovery policies and procedures.
Redmap's solutions can index emails and attachments in a secure managed environment. In doing so, summaries of the emails and attachments are taken via Redmap's artificial intelligence engine. This summary can then be used to locate the information you are searching for. It is no longer necessary to spend hours or days trying to remember "who sent me that email?" as you can find it based on the content.
Furthermore, the information and knowledge residing in email can now be archived ensuring you never lose an email again.
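The two properties named above, single-instance storage of repeated attachments and an index that can be searched by content and shown not to have been altered, can be illustrated with a small in-memory archive. The code below is an added example written for this page; it is not Redmap's code, it does not attempt the AI summarisation described above, and the messages it ingests are constructed samples. Each distinct blob is stored once under its SHA-256 digest, and each index record carries a serial number and the hash of the previous record, so that any edit to a stored message or to the index breaks the chain and is caught by `verify()`.

```python
"""Single-instance, append-only archive with a serialised, hash-chained index.

Added example for this article, not Redmap's software. The Message type and
the sample mailbox are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> bytes


class Archive:
    def __init__(self):
        self.blobs = {}          # sha256 hex -> bytes; one copy per distinct content
        self.index = []          # serial-numbered, hash-chained index records
        self.bytes_received = 0  # what was ingested, before deduplication

    def _put_blob(self, data: bytes) -> str:
        """Store data once, keyed by its digest; return the digest as a reference."""
        digest = hashlib.sha256(data).hexdigest()
        self.bytes_received += len(data)
        self.blobs.setdefault(digest, data)   # second copy of the same bytes is not stored
        return digest

    @staticmethod
    def _record_hash(record: dict) -> str:
        unsigned = {k: v for k, v in record.items() if k != "record_hash"}
        return hashlib.sha256(json.dumps(unsigned, sort_keys=True).encode()).hexdigest()

    def ingest(self, msg: Message) -> int:
        """Append a message; returns its serial number in the index."""
        body_ref = self._put_blob(msg.body.encode())
        att_refs = {name: self._put_blob(data) for name, data in msg.attachments.items()}
        prev = self.index[-1]["record_hash"] if self.index else "0" * 64
        record = {"serial": len(self.index), "prev": prev, "sender": msg.sender,
                  "subject": msg.subject, "body": body_ref, "attachments": att_refs}
        record["record_hash"] = self._record_hash(record)
        self.index.append(record)
        return record["serial"]

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())

    def search(self, term: str) -> list:
        """Serials of messages whose subject or body contains term (case-insensitive)."""
        term = term.lower()
        return [rec["serial"] for rec in self.index
                if term in (rec["subject"] + " " + self.blobs[rec["body"]].decode()).lower()]

    def verify(self) -> bool:
        """True if every record chains to its predecessor and every blob matches its digest."""
        prev = "0" * 64
        for rec in self.index:
            if rec["prev"] != prev or self._record_hash(rec) != rec["record_hash"]:
                return False
            for ref in [rec["body"], *rec["attachments"].values()]:
                if ref not in self.blobs or hashlib.sha256(self.blobs[ref]).hexdigest() != ref:
                    return False
            prev = rec["record_hash"]
        return True


def build_sample_archive() -> Archive:
    """Constructed sample: one spreadsheet sent three times, stored once."""
    sheet = b"constructed spreadsheet bytes " * 50
    archive = Archive()
    archive.ingest(Message("cfo@example.com", "Q3 results draft",
                           "Attached are the quarterly figures for review.", {"q3.xlsx": sheet}))
    archive.ingest(Message("cfo@example.com", "Q3 results draft",
                           "Same spreadsheet for the audit committee.", {"q3.xlsx": sheet}))
    archive.ingest(Message("audit@example.com", "Re: Q3 results draft",
                           "Quarterly figures look fine, two questions inline.", {"q3.xlsx": sheet}))
    return archive


def tamper(archive: Archive) -> bool:
    """Overwrite one stored body in place and report whether verify() still passes."""
    ref = archive.index[1]["body"]
    archive.blobs[ref] = b"Same spreadsheet, figures already approved."
    return archive.verify()


if __name__ == "__main__":
    a = build_sample_archive()
    print(f"received {a.bytes_received} bytes, stored {a.stored_bytes()} bytes")
    print("'quarterly' found in serials:", a.search("quarterly"))
    print("index intact:", a.verify(), "after tampering:", tamper(a))
```

A production archive would write the blobs and index to write-once media or an object store with retention locks, and keep the duplicate copy and index at a second site as the SEC rule above requires; the hash chain is what lets an auditor confirm that what was produced in discovery is what was captured.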
Provide training
The best policies in the world are meaningless without implementation at the user level.
At the highest level, the aim is for employees to fully understand what is required and to have easy technical systems which enable them to comply.
At another level, demonstrating strong policies and training may reduce liability if an employee acts outside these, resulting in the loss of important information.
Evaluate and refine
There will always be room for improvement. Compliance with policies should be constantly monitored and action taken to simplify systems where necessary. In addition, changes to the operating and regulatory environments must be tracked and accommodated.
The bottom line
If your company conducts business in a market regulated by one or more government agencies, you may or may not be aware of all of the guidelines to which you must conform to be deemed compliant. If you are aware and have implemented an intelligent document management system, then you are one of the few who is ahead of the game. If you are not aware and/or have no internal system to produce evidentiary emails and documents proving compliance, I suspect you lie awake at night a lot.
And developing the systems to meet corporate reporting requirements in the longer term will prepare your organisation and mitigate risks immediately.
