March 19, 2009 12:00 PM
A Complete Project-Centric Solution for Compliance and Risk Mitigation
Enterprise records management (RM) has become one of the fastest-growing areas of enterprise content management. The rush to implement new RM systems isn't hard to understand; the Sarbanes-Oxley Act and other new regulatory requirements, high storage costs, and the rising expense and complexity of evidence discovery in the event of litigation have made it increasingly vital to store the right content as records in the right way.
VP of Marketing and Product Management
This is more easily said than done. The high volume and diversity of today's enterprise content - especially e-mail - have brought unprecedented complexity to the RM challenge.
While effective risk mitigation requires consistent, uniform policy enforcement across records of all types, the lack of a suitably unified, end-to-end RM solution has forced companies to manage different types of records separately in disparate silos, from e-mails to electronic documents to paper files scattered across multiple data stores and file rooms.
At the same time, the inability of users to easily apply retention policies to essential content in the course of work has forced companies to simply capture all online, offline, and paper content - the haystack and the needles.
The difficulty of managing risk without effective RM is only part of the problem. In the event of a lawsuit or regulatory action, a legal hold may be placed on certain records. But unless all of these records are centrally managed, access cannot be restricted, leading to inadvertent destruction or alteration of these documents.
The problem is especially acute regarding e-mails, which has seen an explosion in its primary use as a collaborative exchange tool. The only way to effectively manage email has been to capture every message through e-mail archiving, which cannot guarantee proper classification.
As the case of Zubulake v. UBS made clear, U.S. District Judge Shira A. Scheindlin ruled that UBS had neglected its duty to preserve the evidence contained in several e-mails. The judge directed the company to pay part of the costs for their retrieval, as well as to cover any expenses Zubulake incurred in re-deposing any relevant witnesses during the time the e-discovery request had languished.
Meanwhile, the difficulty of producing historical e-mails has driven the expense of e-discovery to unprecedented heights. The 2003 Socha-Gelbmann Electronic Discovery Survey found that e-discovery costs had doubled in recent years and would likely continue their ascent.
A single hard drive can cost thousands of dollars to reconstruct; in a large case, costs over one million dollars are entirely possible.
Clearly, a more holistic, cost-effective, and scalable approach to RM, that extends all the way to e-discovery, is needed. As companies move to implement new IT systems to support their compliance and risk mitigation policies, they need to make sure the solution they choose meets several key criteria:
Effective enterprise RM begins with detailed policies, based on both regulatory and corporate requirements, for the classification, retention, and management of records, as well as the retirement of non-essential content.
- A unified solution for managing records of all types, including electronic documents, paper files, and e-mails, within a single, centralized system;
- Ease of use for classifying essential content as records through integration with the native applications within which business users work (e.g., Microsoft Office and Outlook);
- An intelligent, project-centric approach for accurately enforcing corporate and regulatory compliance policies, rather than simply capturing any and all content;
- Integration with an e-discovery system for complete, end-to-end risk management.
Applied consistently across all types of records - e-mails, electronic documents, and paper files - these policies can support compliance, facilitate evidence discovery, keep storage costs down, and ensure that companies can put their hands on the right content as needed, no matter what form it takes.
In reality, though, most companies are hard pressed to bring all types of content into a unified control regime. Electronic documents are classified in one system, physical files in another, and e-mails in yet another - if at all. In fact, although it serves as a primary channel for essential business communication, e-mail often lies beyond the reach of any control regime, with essential messages that should be classified and managed as records of being stored ad hoc in user in-boxes and .PST files.
In the event of a lawsuit or regulatory action, the prohibitive cost and difficulty of retrieving these specific communications from amid vast numbers of more mundane e-mails can force companies to accept a costly settlement.
To ensure consistent application of records policy while avoiding errors and duplication of effort, companies need an RM system that provides a single, centrally implemented control regime across all types of records. By enabling the management of all forms of records - even in other systems - from a single policy management and application engine, such a system can reduce both cost and risk.
Business users have always played a key role in the application of records policy, identifying and classifying records in the course of work. This is the theory, anyway; in practice, any system that requires manual end user participation is prone to error and inattention. Now, as the volume of electronic documents and e-mail continues its exponential growth, organizations can no longer rely on individuals to manually classify what can easily amount to millions or tens of millions of pieces of content each year.
Simply put, business users must have a highly automated, easy-to-use tool for RM, or they simply won't do it.
The most natural and effective way to provide a rich user experience for RM is through integration with the native applications in which business users spend most of their time: Microsoft Office and Outlook.
Rather than switching back and forth between proprietary interfaces, they should be able to simply capture content and declare it as a record without leaving e-mail, Word, or other business applications, and access any needed records management functionality the same way. By making RM a seamless part of existing work practices, the system can avoid critical lapses in policy application.
Capturing every relevant record of every content type is only part of the RM picture. To ensure accurate, scalable, and cost-effective RM, companies need to make sure that these records are being classified correctly - and that their RM control regime isn't being bloated by non-essential content that shouldn't have been captured in the first place.
To this end, companies should select an RM system with the intelligence to automate and simplify the correct enforcement of corporate and regulatory policy.
This intelligence can best be embodied in a 'project-centric' approach, such as that used by a growing number of companies to manage e-mail and documents seamlessly in an electronic matter or project file.
Extended to records management, this model enables retention policies to be applied consistently to content items regardless of their type, and provides a high level of automation based on business purpose, legal requirements, and company policy, rather than asking the user to make a series of judgment calls.
With a project-centric approach, records policies can be assigned at any level of a matter or project hierarchy, from individual content items or folders to entire workspaces or projects, across all content types.
Users simply file documents and e-mails as they ordinarily would, from within their respective business application, and the system automatically applies the policies associated with that location to eliminate the errors and lapses that come with manual classification.
On implementing a project-centric RM system, companies can create templates for project folders and subfolders based on the business processes and best practices of the organization, including the records policies associated with each location and type of item.
For example, correspondence, work-in-process, and finished product can all have different policies applied automatically. At the inception of a new project, users simply save a new copy of the template and start work.
New folders, subfolders, and documents automatically inherit the policy of the level above, so the retention period for a project or matter is automatically associated with all folders created for that project or matter. Critical records designations may also occur at any level, enabling a complete file or single folder to be declared with a single click.
In addition to bringing intelligence and automation to the application of RM policies, a project-centric approach supports the requirements for ease of use and a unified control regime described earlier.
In the event of a lawsuit or regulatory enforcement, effective RM can play a key role in keeping e-discovery from becoming an agonizing process of forensic recovery with no end in sight.
Project-centric RM lays a foundation for e-discovery by enabling companies to automate the classification of documents at the time of their creation based on their potential to become evidence. These records classification policies can be based on both proactive compliance needs stipulated by Sarbanes-Oxley and other regulations, and on reactive compliance needs such as litigation, government investigation and government second requests.
The ideal RM solution will go a step further by facilitating integration with an electronic discovery solution for complete, end-to-end evidence lifecycle management. When litigation is anticipated, the company can meet its preservation obligations by quickly and accurately identifying relevant documents from throughout the enterprise and ensuring that they are not inadvertently destroyed.
Responsive records are collected, processed, reviewed, and delivered through a process-oriented approach that is fast, efficient, predictable, and legally defensible, and no type of content item is overlooked - paper document, electronic document or e-mail. Such a system would have saved UBS considerable time, expense, and embarrassment. For other companies, end-to-end evidence lifecycle management will prevent a similar fate.
As the rush to implement new RM systems continues, companies that take a project-centric approach will find that it enables them to reduce operating costs and risks, improve business processes around RM enforcement, mitigate risk and maximize the return on their investment in RM technology.
VP of Marketing and Product Management
Neil Araujo is Interwoven's vice president of Marketing and Product Management for Professional Services and Compliance Solutions, playing an instrumental role in driving forward Interwoven's established legal and professional services technology market leadership.
Prior to Interwoven, Araujo was at iManage where he was one of the company's early founders and played a prominent role in spearheading the company's product direction as well as overall business strategy, including marketing initiatives.