Free Essay


In: Computers and Technology

Submitted By Surfkid
Words 22562
Pages 91
Best Practices in Records Management & Regulatory Compliance
Andy Moore . . . . . . . . . . . . . . . . . . . . . . . . . .2 Cheryl McKinnon, Hummingbird Ltd. . . . . . . . . . . .4 Records Management: Beyond the Quick Fix
There’s a movie playing at my multiplex that warns against placing blind trust in technology, because it’ll getcha in the end. I haven’t seen it yet …”

The RM Challenge of Electronic Communications
The world of a typical knowledge worker is changing once again. Over the last two decades the technology revolution has broadened access to authoring tools, e-mail and other forms of electronic communication …

TOWER Software North America . . . . . . . . . . . . . .6 Randolph Kahn, Esq. & . . . . . . . . . . . . . . . . . . . . . . . . . .8 Barclay T. Blair, Kahn Consulting

E-Mail Management: Avoiding the 6 Common Mistakes
Information management has become a vital focus for all organizations to address risk mitigation, compliance and overall business continuity …

Records Management Redefined: From The Backroom to the Boardroom
What is Records Management? Records management is the application of policies, practices, technologies and other management controls …

Del Zane and Dean Berg, Stellent . . . . . . . . . . . . .10 Turning Compliance Projects into Business Processes
In the not-too-distant past, compliance initiatives often were characterized by back-office operations that involved large volumes of records …

Michael McLaughlin, Exact Software . . . . . . . . . . .12 Embracing SOX Compliance with a Coping Strategy
It’s nearly a forgone conclusion that at least once in even a small company’s life, the company will be faced with regulatory scrutiny …

Larry Bowden, IBM . . . . . . . . . . . . . . . . . . . . . .14 Governance Best Practices and Approaches
Accountability and effectively managing risk are top of mind for most organizations today. Accountability is key for companies …

Dr. Galina Datskovsky, MDY Advanced Technologies . .17 Records Management: From the Basement to the Boardroom
For many years, the records department was deep in the basement of many corporations, and its mysterious functions were never valued ...

David Winkler, Mobius . . . . . . . . . . . . . . . . . . . .18 Taming the Beast: Gaining Control of E-mail
The headlines tell the tale: High-profile prosecutions hinge on the contents of e-mail messages that their authors never dreamed would constitute a permanent record . . .

Sharon Hoffman Avent, Smead Manufacturing . . . .19 A Departmental Approach to Recordkeeping Solutions
Businesses are inundated with information from everywhere, in many forms. While this presents a problem for many organizations …

Chris Redvers, JPMorgan Chase Bank . . . . . . . . . . .20 Online Image Archiving
How do you manage an avalanche of data? What if that avalanche arrives on your doorstep in the form of seven CDs per day, 35 per week . . .

Peter Mojica, AXS-One . . . . . . . . . . . . . . . . . . . .21 The Four Goals of Records Management in the New Age of Compliance
While records management as a profession is not new, the burning spotlight on its practitioners and corporate executives is …

Vasu Ranganathan & Gregory Kosinski . . . . . . . . . . . . .22 Accelerate Compliance with Integrated Content Fujitsu Consulting & EMC and Records Management
New regulations, the threat of litigation and the uncertain costs of compliance place company record-keeping, content and data management practices under unprecedented scrutiny …

Premium Sponsors

Supplement to KMWorld September 2004

Records Management: Beyond the Quick Fix
By Andy Moore, Editorial Director, KMWorld Specialty Publishing Group here’s a movie playing at my multiplex that warns against placing blind trust in technology, because it’ll getcha in the end. I haven’t seen it yet. But as I talk to vendors about records management, I go back a few years to another cautionary sci-fi flick: “Men In Black.” In it, the redoubtable Agent Kay (played by Tommy Lee Jones) makes one of the most astute observations in recent literature: “A person is smart,” he says, “but people are dumb.” Each of us can grasp the concept that the many e-mails, documents and reports we create might be construed as having some kind of importance, not only today, but also further down the line. I have more Outlook folders than Doan’s has little pills. “You never know when you might need that thread regarding a three-year-old expense report,” I reason. I keep things for reasons that are all my own. But few of us think about recordkeeping as a corporate responsibility. We assume that someone else is taking care of that. There is only the vaguest awareness that systems exist to properly retain and dispose of business documents and communications. But we are extremely familiar with how we file and recall the things we need to do each of our jobs. I would be lost without Outlook folders, but I couldn’t care less about records management. So, as Agent Kay knows, each of us can be trusted to do the right thing. But all of us can’t. Here are two ways to overcome this basic human flaw: 1. Make it mandatory, or 2., make it easy. There’s a carrot, or there’s a stick. The stick has hit home recently in the form of strict regulatory

Andy Moore has held senior editorial and publishing positions for more than 25 years.As a technology writer and editor,Moore speaks with dozens of senior executives and industry experts each month.In his role as Editorial Director for the Specialty Andy Moore Publishing Group,Moore oversees the contributions to the series as well as conducting market research for future topics of interest for the series. Moore was the editor-in-chief of KMWorld Magazine and is now its publisher


compliance pressures from governing bodies that have the means to enforce them. Threats of substantial fines and worse punishment can certainly be effective. “Sternly worded rebukes” from federal judges are increasingly common. And it’s my guess that the average office worker doesn’t give a rat’s tail about them. “Someone else takes care of that.” The records management systems vendors are smart enough to take the other route: make it easy. “What’s brought e-mail to the forefront is the threat of litigation that can result from finding e-mails that people used to think were innocuous,” says Stellent’s Del Zane. “And there are two ways to deal with e-mail. One is to store it all, and try to deal with it later. I don’t want to say that’s irresponsible, but it’s not really the solution. “What will come more into the forefront,” Zane continues, “is autodeclaration, or automatic classification.” So, one asks, the future of e-mail management is an intelligent software that automatically captures, classifies and applies retention rules to every e-mail that arrives in your server? “Well, when I say ‘automatic,’ that’s kind of a stretch,” admits Zane. “You need a very high degree of intelligence for it to be truly automatic. The idea that users can take care of their e-mail ... well, that sounds really nice. But you need a good records management system to make it as automated as you can get it.” Which is nice if you can get it. But formal records management is not a universal application. A recent AIIM study found that most companies DON’T have a reliable system for records, in particular electronic records. Mike

“Few of us think about recordkeeping as a corporate responsibility.”
S2 Supplement to KMWorld September 2004

House of Exact Software agrees: “Many small- to mid-sized companies don’t have a formal program for records management, but they DO keep records. Everyone keeps their own records. What’s missing has been the process of coupling the records with the processes that bring you into compliance. Things have been ‘loosely coupled’ via procedures, checklists and inspection records. What’s coming to the forefront now is the need to bundle all that into a package that can be easily assessed by an outside governing organization,” says House. Hummingbird’s Andrew Pery agrees that the promise of a hands-off technology solution—while attractive—is somewhat unrealistic. “There should be automated means to classify and apply predefined business and disposition rules to incoming e-mail and attachments,” Pery explains. “But there has to be flexibility. Some organizations, particularly law firms, are very reluctant to use automated classification techniques. They want to be able to drag-and-drop e-mails into predefined matter-folders, for example. “E-mail is a particular challenge,” Pery continues, “because e-mails are so widely used to share mission-critical information that there HAS to be a predefined disposition plan.” But as any current records management professional will tell you, there’s more to it than merely having a plan. “The organization must meet three criteria in all. They have to demonstrate that they have: one, welldefined policies; two, that those policies have been articulated and promulgated throughout the organization; and, thirdly, that the policies are being enforced.” “Money IS starting to be spent on e-mail management,” agrees Cliff Sink of TOWER Software. “But it’s being spent in the wrong way. Typically, corporations see e-mail as an IT problem. The products that people are buying now are what I call ‘server scrapers.’ When an e-mail hits your server, they make a copy of it and dump it into a bucket that has

a retention schedule. And after three years they delete it. Because there’s no business logic applied at the time of capture, they’re keeping things they shouldn’t keep. So they are exposing themselves to unnecessary risk by keeping all internal AND external e-mail,” says Sink. “You should give the power to the end users to comply. Users can make a decision whether each e-mail is a record. There are easy ways to accomplish this; for example, mapping users’ Outlook folders to the records management system. Everyone uses those folders anyway, just to organize their lives. So by dragging an e-mail into a folder, the records management system can then automatically categorize it by type of record, apply the retention schedules, etc.” Denise Reier of Legato adds that sensitivity to the unique nature of e-mail is becoming common among her corporate customers. “Because e-mail is such a volatile and conversational application, and because it’s so difficult to put controls around, AND because it can introduce the most risk, that’s where a customer usually starts,” she says. “From a PR perspective, that smoking-gun e-mail that’s communicated outside your organization can wreak havoc ... as we’ve seen.” I was wondering when someone would mention Martha. But interestingly, in all the conversations I had with the vendor community, that’s the closest to an overt reference to the domestic diva I heard. Much to my relief, too. I like Martha and all, but I’m kinda over her for now.

generation tool that’s going to help with not only Sarbanes, but with the broader compliance picture. People are strengthening their compliance practices ... that’s the next big wave. Sarbanes was the wave last year, but broader, more general compliance is next. By that I mean having a compliance plan that understands not just SOX, but multiple compliance initiatives, like HIPAA and JACO and Basel II. And further, deploying technology that can be leveraged across the enterprise.” Taking the time to take in that broader picture has indeed had an impact on the adoption curve. “We’ve certainly seen increased demand for compliance solutions,” says

“Money IS being spent on e-mail management ... but it’s being spent in the wrong way.”
Hummingbird’s Pery. “Not just for increased compliance pressures brought on by things like Sarbanes-Oxley, but for things like productivity, overall efficiency improvements in managing corporate records, especially in light of the enormous proliferation of digital content. Organizations realize they need better control over their digital assets. If they don’t they’re subject to both litigation AND to increased costs,” explains Pery. “This leads to a view of records management that is more than a ‘records’ solution, but instead involves a larger, enterprise-wide content management platform. They’re extending their existing content management infrastructure to implement electronic records management practices corporate-wide. There already are specific, departmentally focused document and content management solutions in place. Those applications are being leveraged to become part of corporate-wide electronic records best practices.” “A lot of traditional records management vendors DO focus on specific requirements, such as a government agency that has a DoD 5015 regulatory obligation,” agrees Legato’s Reier. “What we’ve found in the last year is that organizations want more stringent recordkeeping practices across the board. The C-level execs want to be certain they are implementing good policies and best practices across their entire companies.”

Of course, merely having an automated and documented policy is a far cry from uniformly following it across the corporation. A discovery motion will not be satisfied with merely “a documented plan.” A motion demands results. “A policy that not only archives, but also audits, the authenticity and accuracy of the archive is also a good best practice,” says Reier. “If you’re ever investigated by the NYSE, or a court of law, being able to prove that you not only have a policy, but you’re executing to that policy, is very favorable.” TOWER’s Cliff Sink expands on that a little: “A viable defense can be: we had a program that the executives sponsored for email management. We gave it to IT to implement. They evaluated products and implemented a product and applied a retention schedule. If they got it all wrong, it’s their fault; executives are responsible for ensuring there’s a policy, and that it’s been transmitted to the people, and that there’s checking up that the policy’s being enforced. If they do that, and someone beneath them screws up, the senior people may get their hands slapped ... but who’s going to get fired?”

Where DOES The Buck Start?
Cliff Sink’s comments got me thinking about the responsibility factors at work in electronic (especially e-mail) records management. I mean, who decides on the system? The product? The file and retention policies? It strikes me that the involved parties—IT, records management, line-of-business, legal, executive management—all have a stake in the decision, and have almost entirely conflicting agendas. Exact’s Mike House comments: “IT has become very sensitive to regulatory mandates. Management may sympathize with the IT agenda, but also insists that compliance be part of their charge. A significant portion of our customer base (in manufacturing and life sciences) is bound by some kind of regulatory compliance, be it FDA or ISO. If the company is in an industry that requires compliance, the executive team is painfully aware of it. They don’t necessarily know the nuances of each departmental requirement, though, and that’s where the consultative side comes in. Taking a comprehensive systems look across the organization and figuring out how to bring it all together is where they need the help.” “I don’t think it’s a tug of war,” says Denise Reier, “but it IS an educational process for all constituents. IT, legal counsel and the business owners are sometimes disconnected, and it is a good idea to get them together to learn from each other. “IT drives the project, but it’s definitely a committee,” Reier continues. “IT may take in
BEYOND continues on page 23

Market Realities
Last year, regulatory compliance was the buzz, but there was very little actual market activity. Now, it’s a different story: “The actual market adoption rate has grown even higher than the analysts predicted,” says Legato’s Reier. “Gartner predicted a year ago that in 2003 it would be a $33.7 million software opportunity. They adjusted that in the past year to $54 million.” Dean Berg of Stellent agrees there’s been a noticeable shift. “The market has changed toward the other direction. Has it come full swing? Probably not, but after Enron and Worldcom and then Sarbanes-Oxley, all of a sudden people were concerned about regulatory compliance. “The vendors didn’t see any uptick for quite a while, but the consultants were sure making a lot of money,” Berg points out. This year has been better, he thinks. “Customers definitely have a better handle on the problem, and they’re looking at technology as a key component.” Berg adds: “If they were using technology at all (for compliance), they were probably using first-generation point solutions, maybe provided by their auditor, as a kind of stop-gap. Now they’re looking for a second-

Supplement to KMWorld September 2004


The RM Challenge of Electronic Communications
By Cheryl McKinnon, Product Manager, Government Solutions, Hummingbird Ltd. he world of a typical knowledge worker is changing once again. Over the last two decades the technology revolution has broadened access to authoring tools, e-mail and other forms of electronic communication. While the truly paperless office still has not arrived, business decisions, research and number-crunching activities have all moved into a predominantly online form. Records managers and other information professionals have been playing catch-up over the last decade to ensure that appropriate lifecycle management practices cover electronic as well as paper documents. The next wave of technology change is upon us: the proliferation of new communication methods and the ubiquitous presence of e-mail on a variety of portable devices. This paper will review the technology trends that are accelerating an increasingly decentralized and distributed workforce, and highlight the areas that records managers need to watch most closely. Mainstream content and document management vendors recognize electronic records management (ERM) as the cornerstone to an enterprise approach to an information management strategy. Larger enterprise content management (ECM) vendors have acquired standalone ERM vendors over the last few years, and this industry consolidation is expected to continue. The culture of compliance that is permeating information management programs in corporate and public-sector enterprises has pushed records management practices onto the front burner for the first time. The recent string of financial scandals provoked a wave of legislation aimed at providing more guidance on information handling practices and forced additional accountability onto corporate executives. Records managers have been in the thick of this debate, and industry organizations such as ARMA ( and AIIM ( have helped move their members into these leadership roles. While many organizations have begun to review enterprise-wide information management practices, technology continues to move at an accelerating pace. Organizations with traditionally strong paper record management programs have begun to apply these


principles and lifecycle rules to the electronic documents captured and controlled within their environments. Integrated ERM systems working synchronously with mainstream office applications and electronic document management (EDM) systems are becoming standard applications in law firms, government organizations and many regulated industries. Records managers and information professionals in IT need to continually look forward, and understand where the next source of corporate records will come from.

Cheryl McKinnon is Product Manager, Government Solutions with Hummingbird Ltd.,and is responsible for ensuring Hummingbird products comply with current and emerging government standards, guidelines and Cheryl McKinnon legislation covering electronic evidence, records management, and privacy/security issues. She also works closely with Hummingbird’s worldwide partner channel and sales staff to assist in developing government markets, solutions and product awareness. Ms.McKinnon has worked in information management technologies for more than 10 years and has several years of field consulting and technical training experience with a variety of public and private sector clients. She is actively involved with key industry associations such as the Association for Information and Image Management (AIIM) where she serves on AIIM’s standards committee on integrated EDM/ERM. She is also frequently invited to speak at ARMA International events throughout North America.

The E-Mail Problem
E-mail continues to be an area of weakness for many organizations. E-mail is not a new communication platform, but the compliance culture (and recognition that e-mails can have legal standing as records) has put increased pressure on IT and records staffs to ensure that appropriate capture, control and disposal rules are reviewed. Even where a firm has a structured approach to the management of electronic office documents, e-mail often is ignored or left exclusively to the realm of IT control. Organizations can face legal exposure, embarrassment and other forms of risk if e-mail is not managed according to context and content. Many IT departments, when left without guidance, will formulate disposition policies based purely on storage capacity or age of the message. The sheer volume of incoming and outgoing e-mail is often overwhelming for the records manager to consider. This dilemma will continue to escalate as the proliferation of e-mail-enabled devices grows exponentially. According to research analysts IDC, in the year 2000, e-mail volume reached 9.7 billion per day worldwide, and has been increasing at a rate of approximately 19%, reaching a volume of 16.2 billion e-mail messages in 2002. At that rate, IDC predicts that e-mail volumes reached nearly 21 billion messages per day or about 7.6 trillion e-mail messages for 2003—and that e-mail volume will continue to increase to 60 billion per day in 2006.1 Wireless cards in laptops, Blackberry devices, smart phones and other PDAs are moving into the hands of mobile knowledge

workers at an accelerating pace and are being used to keep on top of business issues 24/7 while away from the office. The sight of an attorney checking e-mails between appointments at the courthouse, the home office worker with a wireless hub catching up on e-mail from the patio, the field inspector filing reports and photos from the job site: this is the work environment becoming commonplace today. The more easily accessible e-mail becomes, the more consistently it is being used as the dominant form of business communication. But e-mail is only the first wave in facilitating business in a distributed environment. New communication platforms are being adopted across public and private-sector organizations at an increasing rate. Instant messaging, on-line collaboration and threaded discussions, access to corporate portals and intranets from mobile devices: this is the technology shift we see today.

IM: The “New E-Mail”
Instant Messaging (IM) has been called “the new e-mail.” What started as a predominantly casual and unmonitored communication tool has evolved into a new and legitimate forum for business communications. The market is evolving as the technology finds its home within the enterprise. Organizations are beginning to recognize the value of real-time communication and discussion and knowing when key employees are present online and available for queries. Business decisions are now being made in these one-to-one or group chats. More


Supplement to KMWorld September 2004

enterprise applications are incorporating IM capabilities into their offerings as a complement to other collaborative and information management offerings. IM is moving into the context of business applications. What about the corporate records? Since IM has now become an authoring platform for business decisions, records managers need to understand the implications when IT introduces new forums for communication and ensure that key messages and discussions can be captured according to approved record-keeping principles. Records professionals need to be aware of the technology choices facing IT and ensure that systems selected are open to monitoring and easy capture into a managed environment. Organizations are also investing in secure systems through which to share information and communicate with external stakeholders. Collaborative applications permitting discussion, document authoring and other project-related work allow enterprises to open up selected elements of its information repository to external contractors, suppliers, constituents, customers and other outside contacts. Security is a key requirement when corporate data is selectively shared with external parties and the ability to capture works-in-progress and discussions on shared initiatives also falls under record-keeping requirements. Moving this collaborative work into an electronic environment does not relieve the records management professional from managing the retention of such work products. As with instant messaging, communication with IT is critical to understand how information management best practices can be carried over into external collaborative project sites. Capturing the messages and other documents created through these increasingly popular messaging platforms is only one concern for the records manager. Executives, field professionals, remote office staff, traveling professionals are typically early adopters of intelligent communication devices and of wireless technologies. It is a slippery slope when these devices become more commonly used. Ultimately users become more demanding about the range of business activities that can be performed with them. These knowledge workers are also active consumers of corporate records and both IT and Records staff must be prepared for remote users to expect access to critical records while away from the office. Executives need to be notified of agenda or budget changes that occur immediately before meetings, technical inspectors need to be aware of changes in operating procedures or guides, emergency response officials need coordinated information from a variety of sources in one simple mobile interface, remote office or home workers need equal access to corporate applications as their colleagues at head office.

The role of the records manager is more than ensuring the enterprise complies with industry-specific regulations, and more than ensuring certain files are shredded 10 years after a case is closed. Records professionals also need to ensure that business records are available to knowledge workers who need to make informed decisions on behalf of the enterprise. They must ensure that electronic data is categorized, secured and made available to users needing access. IT and records staff need to consider the requirements of busy, mobile employees. Information management technologies and repositories must be enterprise-enabled to allow full access to the corporate knowledgebase even from PDAs or other wireless communication agents. Productivity gains realized by users of such devices have been validated by many industry observers and even the most basic devices can quickly garner 10% efficiency gains for an individual user.2

Industry Needs
Professional organizations such as law firms and accountancy firms have particularly stringent record-keeping requirements for client, case and matter data. Quick and accurate access to active matters is critical for professionals driven by billable time requirements. Insight into how clientspecific communication transmitted via new platforms must be shared with information management specialists in the records and IT office. They must ensure this comprehensive picture of ongoing cases is maintained regardless of the source or format of the documents. Governments also have strict information management requirements that must be taken into account when deploying new technologies. Respect for archival legislation, obligations to citizens under freedom of information and privacy legislation and requirements to share data with other agencies or other levels of government are all universal considerations for the public sector. Government, particularly, is seeing a wide adoption rate of mobile devices in areas related to law enforcement, inspections, election campaigns and emergency services. Regardless of industry, most organizations have record-keeping obligations to clients, regulatory bodies, archives or other stakeholders. Technology is the vehicle by which the majority of corporate records are created and disseminated. The role of the records professional has changed tremendously in recent years and will continue to do so. It is critical that information management principles and best practices are taken into account as: ◆ organizations move into more e-mailcentric communication architectures; ◆ mobile workers demand access to documents and records in order to do their job; and ◆ new discussion forums such as collaboration and instant messaging are introduced. The pace of technology evolution will not slow. Enterprises must carefully consider the suites of products that are deployed to end users and ensure that all record-keeping requirements can be fulfilled seamlessly and with an integrated approach to information management. ❚
Hummingbird Ltd. is a leading global provider of enterprise software solutions, employing over 1450 people in 40 offices worldwide. Hummingbird Enterprise™ 2004 is a state-of-the-art integrated enterprise content management platform that enables organizations to securely access and manage business information such as documents, records,e-mail or financial data. Please

“The more easily accessible e-mail becomes, the more it is being used as the dominant form of business communication.”
Documents and records are the lifeblood of knowledge-driven organizations. An enterprise approach to the capture, categorization, security and lifecycle management of this corporate information—regardless of format—is the mandate of both Records and IT. It is critical for the records professional to look forward in tandem with IT as new methods of creating corporate and client records are introduced into the workplace. Private sector companies subject to industry regulation or corporate transparency legislation such as Sarbanes-Oxley particularly need to look at the records implications of new communication platforms and the expansion of e-mail enabled devices. Legal requirements around the preservation and handling of financial, audit, inspection and other monitored categories of information must compel corporate management to select technologies that lend themselves to strong record-keeping practices.

“Worldwide E-mail Usage Forecast: 2002-2006: Know What’s Coming Your Way,”IDC,September 2002. Ken Dulaney,“Wireless E-Mail is Driving the Real Time Enterprise,” Gartner Research,March 31,2003.


Supplement to KMWorld September 2004


E-Mail Management:
Avoiding the 6 Common Mistakes
TOWER Software North America

nformation management has become a vital focus for all organizations to address risk mitigation, compliance and overall business continuity. With the line between documents and records being blurred in recent years due to lawsuits and new legislation, it is imperative for enterprises to manage business-critical information, irrespective of format. According to Ferris Research, 35% to 60% of this business-critical information is stored in personal messaging systems— e-mail. If this information is not properly managed in accordance with a well thoughtout corporate records management policy, it is unavailable as a resource to the organization, becomes a massive liability in a legal or audit situation and creates mayhem for IT departments that are often more concerned with data back-up, recovery and storage. Not managing corporate e-mail properly, in tandem with a records management policy, can lead to massive fines, jail time or both. This paper explores some of the common mistakes made when rushing into an e-mail management initiative. Avoid these pitfalls, and you can effectively exploit your information assets, remain competitive and thrive.


age e-mail once it is “necessary,” it can take months. Consider how many e-mail message subject lines start with “RE:” or how many e-mail dialogues have little to do with their subject line. Without a system in place that categorizes and sorts via metadata, finding the right information at the precise time it’s needed is virtually impossible. ◆ Compliance with legislation such as Sarbanes-Oxley—Although Sarbanes-Oxley doesn’t require that companies manage e-mail per se, it does state that an organization must provide a methodology for showing that business decisions are based on accurate and truthful information. But, if your organization uses e-mail—and it most definitely does—then to comply with this piece of legislation, you must manage in-

management systems and policies in place, even if these policies are misguided. They are generally less lenient with organizations that can demonstrate nothing in regards to managing e-mail. In this sense, established policies regarding how employees should treat email are extremely important. If an organization can show that it has policies in place and has done everything possible to follow these policies, a court may conclude that the organization cannot be held accountable for any e-mail destroyed based on company e-mail policies, no matter how misguided the policies may be. Doing something is better than nothing at all ... except perhaps in the case of....

Common Mistake #2: Archive Everything
Archiving everything is a policy. However, the enterprise that saves every e-mail that crosses its servers faces almost as much risk as the enterprise that does nothing. Why, you ask? It’s simple. In the courts, e-mail very often provides “the smoking gun.” If an organization is retaining everything that crosses its servers, then everything is discoverable during litigation. In a recent anti-trust case involving a very well-known technology provider, e-mail not required to be saved was, in fact, still being retained on back-up tapes. Since there was no policy in place other than archiving all e-mail for a set amount of time, everything found on the back-up tape was considered discoverable information. And the company lost the case because of it. In government, things operate no differently. Freedom of Information Act requests must be processed. Since e-mail content is indeed information, it must be treated no differently than any other format. However, some e-mail is not necessarily public information, as defined by Federal and State Freedom of Information Acts. For example, if an employee sends a personal e-mail to her doctor regarding the need for a new prescription, it is protected under HIPAA (Healthcare Insurance Portability and Accountability Act). If this e-mail is saved due to an “archive-everything” policy, and then shared as part of a Freedom of Information request, then the agency fulfilling the request is not in compliance with HIPAA and faces the same risk of litigation. Common Mistake #2A: Use a back-up policy as an archive. Many IT organizations make a practice of using back-up tapes as a corporate archive of all company documents, e-mails, etc. And, in many cases, this is done without the knowledge of legal and/or records management departments. Back-up tapes serve a purpose: they enable an organization to restore IT infrastructure and current data. They are not meant to serve as archives. It is important to consider that any

“Not managing e-mail properly can lead to massive fines, jail time or both.” formation within this medium. Some e-mail, like it or not, is a corporate record. And it must be treated as such. ◆ Risk mitigation—E-mail has become a major liability for an enterprise that is sued or investigated. Most have no idea what exists in their e-mail systems. During the discovery phase of litigation, an enterprise may be asked to produce specific e-mail records for a particular employee, for example, from the past five years. Without a policy and system in place, there is no way to know what information the employee has been retaining and exchanging. E-mail in these cases is often “the smoking gun.” And these are just three examples. In the case of litigation, it’s interesting to note that in general, courts have been lenient when dealing with organizations that have e-mail

Common Mistake #1: Do Nothing
Amazingly enough, according to Forrester Research, only 15% of organizations report that they have a policy in place regarding e-mail management. And since “e-mail management” can mean different things to different people across different business functions, the actual percentage is likely much lower. With this in mind, it stands to reason that more than 85% of enterprises have no policies in place for managing e-mail. Likely, a large percentage of these organizations are leaving e-mail management completely in the hands of their employees. As a result, these enterprises lack: ◆ Operational efficiency—With no e-mail management policy in place, there is no way to know exactly what information is available without arduous searches. If e-mail is managed as it is sent and received, it takes seconds. If organizations only man-


Supplement to KMWorld September 2004

record of corporate information is admissible as evidence in a court of law. So even if your legal/records management departments are unaware of what makeshift records management policies IT may be practicing, the enterprise as a whole is still held responsible in court. Overcoming this mistake means setting e-mail management policies that correspond directly to the overall records management policies of the enterprise, and more importantly, making sure employees across all departments understand and practice these policies.

departments, and strong executive support, any initiative cannot survive.

Common Mistake #5: Roll Out Policy Without Training
Let’s say your organization has new policies regarding e-mail management. And let’s say these are bulletproof policies incorporating core records management principles. Both records management and IT have been involved throughout the entire process of creating the policies and their application across the enterprise. And, let’s say you also have strong top-down support from your executive leadership team. If you do not train your employees regarding the policies—OR if you do train your employees, but do not reinforce this training with scheduled refresher courses, updates, etc.—then a court

Common Mistake #3:Treating E-mail Differently Than Records
There are many different choices when it comes to e-mail management solutions. Whichever solution you choose, it is impera-

“It’s all information. Treat it with one policy that recognizes this.” tive that your policies, procedures and technology all correspond to the overall corporate records management principles. E-mail is information...information in a particular format. At the end of the day, it is no different than the memo produced by marketing, or the spreadsheet produced by finance, or the policies produced by legal. Some e-mail is a corporate record and must be treated as such across the enterprise. By employing an e-mail management system that is separate from the overall document and records management system, you decrease efficiency, increase risk and create confusion. It’s all information. Treat it with one policy that recognizes this. may view the policies as if they were never produced. Organizations must show intent to enforce policies and procedures...or face the consequences.

Common Mistake #6: Employ Technology Unfriendly to IT and LOB
With any initiative involving technology, it is important to manage change effectively. By limiting the amount of change (and the amount of work) that organizations and individuals must face, the initiative stands a greater chance of realizing longterm success. As such, it is extremely important to find a technology solution that enables users to operate in a “businessas-usual” mode. Tight integration with the user desktop is imperative. Likewise, a scalable solution that limits the work for IT is ideal. And as mentioned in Common Mistake #3, buy-in from all organizations is key.

Common Mistake #4: Team is Not Cross-functional
Like any other initiative involving technology, e-mail management needs to involve a larger, cross-functional team in order to be successful. While the records management and/or legal departments certainly should play a significant role in creating and driving policies—as well as training the organization on these policies—IT and user representatives from other departments should be involved as well. Some e-mail is a corporate record that must be managed, retained and destroyed as such. By applying records management principles to e-mail, companies can increase efficiency, mitigate risk, and ensure business continuity. But without cooperation between

◆ How are the e-mails stored? ◆ The enterprise needs to comply with which requirements/mandates? ◆ How are attachments managed? Next, several steps should be carefully considered. These include: ◆ Understand the three components of an e-mail and their importance in legal or regulatory situations—header/routing information, body, attachments; ◆ Involve C-level executives, legal, IT, records management and users in any decision process regarding policies and procedures, as well as the technology solution. Check with the legal department and records manager to understand your industry’s or sector’s legal requirements regarding the management of e-mail; ◆ To ensure high compliance from end-users and management while meeting legal/regulatory needs, select a solution that: 1. Allows users to continue work as they do now without changing current habits; 2. Integrates seamlessly into the current e-mail system; 3. Allows users to easily transfer e-mail into the records management system: 4. Provides various levels of security; 5. Manages the retention period of your e-mail; 6. Provides easy and flexible search methods to retrieve e-mail; 7. Enables users to easily catalog e-mail; and 8. Captures incoming and outgoing e-mail. ◆ Recognize that e-mail management at the desktop is the best way to ensure what is captured is relevant and purposeful to the organization; ◆ Consider e-mail to be a corporate record...It should be stored and managed in the same system and under the same policies as all other corporate records; ◆ Train all users regarding the importance of e-mail management, basic records management and organizational policies; and ◆ Offer refresher courses regarding the above so that all users are always up-to-date on all of the latest policies and procedure. ❚
TOWER Software is a leading enterprise content management (ECM) provider, delivering electronic document and records management (EDRM) solutions. TOWER Software’s award-winning solutions empower organizations to manage and secure their vital information assets.The TRIM Context® solution is a single,integrated platform that manages business information throughout its complete lifecycle. By relying on its proven domain expertise, strong strategic partnerships and powerful solutions, TOWER Software enables organizations to improve the accuracy of information on which business decisions are made; maximize efficiency by finding business critical information more quickly and easily;and achieve and maintain standards compliance across industries,resulting in sustained competitive advantage.TOWER Software is a privately held company with operations in North America, Europe and Asia-Pacific. For more information, visit

The Business Solution
E-mail management is a Herculean task that requires good business rules, training and a solution outside of your messaging system. But a successful program is very attainable. By answering some questions, an enterprise can start down the path to a successful program: ◆ Which e-mails need to be managed or archived? ◆ How long should they be archived?

Supplement to KMWorld September 2004


Records Management Redefined: From the Backroom to the Boardroom
By Randolph Kahn, Esq., & Barclay T. Blair, Kahn Consulting, Inc.


hat is Records Management? Records management is the application of policies, practices, technologies and other management controls related to information in order to: 1. Support business operations and processes; and 2. Protect legal interests and respond to regulators. Good records management practices allow information to be easily accessed and reproduced on demand, regardless of location or form. Records management requires that an organization’s “treasure trove” of business content, data, records, messages, documents and so on (collectively referred to here as “information”) is managed over time, based upon its intrinsic value. A value-based approach dictates that limited company resources should not be spent managing less valuable information such as drafts, non-records and duplicates, for example. While simply “keeping everything forever” ensures that the information exists, it does not ensure that the right information can be found and produced when needed. Not only does such an approach add time and expense to records management, it may create liability by allowing information to be revealed in the context of litigation that could have been discarded in due course. Furthermore, failing to properly capture, index and store records and other significant business content according to business rules and retention schedules may have the same effect as losing or destroying it. Courts have made clear that “utilizing a system of recordkeeping which conceals rather than discloses or makes it unduly difficult to locate” information may be the equivalent of destroying records. While most organizations have programs that address paper records, these same organizations commonly fail to develop similar programs for methodically managing electronic records and other digital information. Organizations spend vast resources on

e-mail and other communication systems, but often fail to spend enough to ensure that e-mail records are managed as a business asset. Part of the problem is that the definition of a “business record” in the digital world is rapidly changing and may require a new approach to records management—ideally, an approach that reflects the depth of an organization’s reliance upon information technology and promotes both business and legal interests. Organizations need an approach that reflects today’s business reality: organizations conduct business a multitude of ways, using a multitude of technologies and communications devices. Failing to address these challenges exposes organizations to unnecessary risk, hampers regulatory and policy compliance, breeds mistrust among investors and citizens and makes business processes (such as CRM and transaction processing) less productive, so there are more than adequate incentives to get it right up front.

Approaches to Records Management
Each organization is unique and has different needs and priorities. However, it is clear that proper management should be a priority, and that there are several concepts and activities that are required in every organization: 1. Manage and retain by value, not by format. A fundamental goal of any records management program is the identification and proper retention of required information. However, many organizations put themselves at risk by recycling storage media and by purging retired computer systems without considering the megabytes of potentially significant business content that may be lost in the process. Significant digital business content is created by a multitude of software applications and stored on a multitude of hardware devices. In many cases, if the same content were created in paper form, it likely would

be retained and managed in accordance with records management policies. Consequently, only by managing digital information according to its legal and business value and not according to its method of creation can organizations ensure that they are acting in their best interests. However, the current reality is that most organizations are good at applying such policies to paper records, but they fail miserably when it comes to digital information. The IT department often makes decisions about “what data shall live and what data shall die” without regard to overarching legal and regulatory issues. As the Applied Telematics case (available in the full-length white paper—see footnote) indicates, such actions may create substantial liability. 2. Manage in electronic form. Digital business content often contains information that is lost or significantly altered when it is reduced to printed form. For example, digital documents may contain metadata (i.e., “data about data”) indicating title, author, reviewers, edits, and storage locations, among other things. While such metadata enables document management applications, it may also be crucial for determining a document’s authenticity or “chain of custody.” Unfortunately, this important information may be lost when the document is printed and the original digital file is destroyed. Courts and rules of evidence have responded to these facts by allowing (and in some cases requiring) parties to a dispute to have access to digital “live” versions of electronic records despite the fact that “complete” paper versions were already available. In Public Citizen v. John Carlin, the court asserted that records created electronically should remain in electronic form because there was information available in that format that was not available when printed to paper. The example of a spreadsheet calculation was used to demonstrate the point. While the case was overturned for unrelated reasons, there are certain regulators, such as the FDA, which believes that “once electronic, always electronic” is the only way to retain such records. Further, there are many business benefits to managing digital content in its original form, such as ease of searching, retrieval, integration and dissemination. Consequently, organizations should manage digital content in its original format whenever practical or required. 3. Manage from creation to disposition. Organizations can only truly appreciate the challenge of managing records after viewing it within the context of an information management lifecycle—a holistic viewpoint that considers information as having a living, breathing existence with a beginning, middle and end, with varying importance in each phase. This section identifies


Supplement to KMWorld September 2004

the five basic phases within the information management lifecycle, and their concomitant records management challenges and solutions. a. Capture: Most electronic information comes into existence without prior thought as to how it will be identified, retained, protected and made accessible in the future, when in fact such considerations should be an inherent part of any technology purchasing and implementation cycle. It is much easier and cheaper to build a new system correctly from the outset than to break old habits and modify an entrenched installation. In addition, employees should be trained to identify and retain records that they generate directly, and their conduct in this regard should be audited. b. Index: While the content of a paper document is obvious “on its face,” viewing the contents of a digital document depends on software and hardware. Further, the contents of digital storage media cannot be easily accessed without some clue as to its structure and format. Consequently, the proper indexing of digital content is fundamental to its utility. Without an index, retrieving digital information is expensive and time consuming, if it can be retrieved at all. In a recent case, a company could not search imaged medical claims records because the wrong metadata had been used in the indexing process, and they were therefore required to open and examine each record individually at great expense. c. Store and Protect: Backup alone is not retention. Creating highly available backups of “mission-critical” digital information supports disaster recovery and business continuance purposes, and is one element of an

overall information management strategy. However, organizations should not exclusively rely on these procedures for records management. Backup systems are generally designed to minimize the storage burden, not to enable easy retrieval of individual records. Consequently, the cost of information retrieval from backup systems can be very high. In one case, experts estimated the cost of reviewing e-mail contained on 12 monthly backup sessions to be at least $99,000 and to take 660 hours. In addition, the courts have been willing to impose arduous requirements on litigants to access stored electronic records. For example, in re Brand Name Prescription Drugs Antitrust Litigation, the court ordered one of the parties to develop a special computer program to extract data from nearly 30 million pages of e-mail stored on backup tapes. Retention of backup media should also align with an organization’s overall records management practices. For example, if an organization’s policy requires disposing of certain e-records pursuant to a retention schedule, then backup of those same e-records should cease to exist contemporaneous with disposition of the official copy and not be left to linger in an off-site storage vault indefinitely. d. Access: Capturing, indexing and storing digital business content serves little purpose if it is not readily accessible when required. Too often organizations implement systems that may improve business processes but hamper the accessibility of significant business content, a fact that the courts and regulators may be unwilling to overlook. In 2000, it was reported in Florida that county e-records were not uniformly available as

required by public records laws. County officials admitted that they were violating the law by failing to produce requested e-records, and asserted that it would take hundreds of hours and thousands of dollars that they had not budgeted for to produce them. Instead, they “suggested that residents interested in public officials’ e-mail would need to sit at each official’s computer and manually check the e-mail received.” e. Disposition: Everything cannot be retained forever. Just like paper records, electronic records need to be disposed of at the end of their useful life, in conformance with predefined retention rules. Proper disposition eases the records management burden by reducing storage volumes and controlling potential sources of future liability and discovery expense. Disposition should be done in the “ordinary course of business,” and documentary evidence kept regarding the salient details of the disposition process (e.g., date, parties involved, process used). Organizations should have storage media containing sensitive information “cleaned and sanitized” using appropriate techniques, such as those outlined by the US Department of Defense DoD 5220.22-M Standard 36 to ensure that data cannot be recovered using advanced forensic techniques.

Records management is not a luxury that only “the few” can afford. Rather, it is a discipline that must gain greater visibility and traction in corporations and government agencies, not only in the boardrooms, but also on the ground floor. While recent headlines have compelled many organizations to revisit their records management approach, organizations should ensure that records management becomes a long-term organizational priority, not merely a short-term reaction to current events. Organizations should increasingly view records management as a strategic component of business success, not simply a tactical, cost-driven activity. Records management not only plays a major role in protecting legal interests, but it also promotes the interests of shareholders and citizens by increasing organizational transparency, accountability and efficiency. ❚
EMC Corporation is the world leader in products,services and solutions for information storage and management.We help customers of all sizes manage their growing information—from the time of its creation to its archival and eventual disposal—through information lifecycle management, to enable organizations to better and more cost-effectively manage, protect and share information. EMC’s goal is to help our customers get the maximum value from their information at the lowest total cost,at every point in the information lifecycle. This article was excerpted from “Records Management Redefined:From The Backroom to the Boardroom,” at ct/?s=KMWorld&t=/resources/brochures/F071.pdf

EmailXtender Records Management for E-mail
The EmailXtender family of products from the EMC Software Group provides both enterprise data storage AND content management for electronic messaging. EmailXtender products support Microsoft Exchange/Outlook, Lotus Notes/Domino, UNIX Sendmail and Bloomberg Mail. EmailXtender is a comprehensive, policy-based system that automatically collects, organizes, retains and retrieves e-mail messages/attachments. It makes enterprise e-mail easier to use and administer as it: ◆ Automatically copies every e-mail and attachment into an Enterprise Message Center; ◆ Generates a full-text index of all messages/attachments; ◆ Enables administrators, supervisors, and users to conduct intelligent search/retrieval; and ◆ Reduces e-mail server stress and bottlenecks by seamlessly extending e-mail message stores into low-cost and high-capacity storage devices. For more information, go to

Supplement to KMWorld September 2004


Turning Compliance Projects into Business Processes
By Del Zane, VP, Compliance, & Dean Berg, Dir., Business Development, Stellent

Oxley compliance processes into daily n the not-too-distant past, compliance business practices. initiatives often were characterized by backWhen companies concentrate on managing office operations that involved large volregulated business processes, demonstrable umes of records stored in basement filing compliance simply becomes a by-product of cabinets. Recently, this situation has everyday work activities. changed. Accounting scandals, the growing number of regulatory mandates, and the litigation consequences associated with those Turning Projects into Processes regulations have prompted many businesses to bring compliance initiatives out of the Current compliance and records manback office and into the boardroom. agement solutions, such as Stellent’s, allow High-ranking executives, such as chief companies to turn compliance projects into compliance officers and board members, ongoing processes that are conveniently and now actively oversee many compliance inherently carried out during the normal activities. As a result, it has become a critcourse of business. In particular, today’s full ical priority for many companies to find Web-based document management solutechnology solutions that quickly increase tions effectively manage the massive the efficiency of compliance processes and amounts of content involved in compliance generate significant return-on-investment documentation and testing—providing the (ROI). A key requirement for achieving necessary foundation for storing, managing, these objectives is selecting a solution that processing and tracking content in a central, embraces the successful processes compasecure repository. nies have used during compliance “projYour vendor should support multiple comects” and makes them part of daily busipliance initiatives with a single technology ness practices. architecture that utilizes a common repository For example, most companies initially and interface. This way, companies can levertook a tactical, manual approach to age the infrastructure to comply with a variety Sarbanes-Oxley compliance by creating projects Enterprise Risk Management that included dedicated employees, consultants, project plans, ongoing meetings, executive status SarbanesInternal reports and specialized Patriot Oxley, Audit Sec 17a ISO technology—a standard Act Euro SOX Operations practice in developing methodologies for new compliance efforts. However, now that companies Workflow understand the methodology necessary for 404 compliance, they must Records Management create a more efficient, long-term compliance strategy by incorporating Document Management their successful Sarbanes-


of government mandates from SarbanesOxley, JCAHO (Joint Commission on Accreditation of Healthcare Organizations) and HIPAA (Health Insurance Portability and Accountability Act), to ISO (International Organization for Standardization) regulations in the manufacturing industry. Customers thus reduce the number of software applications they must purchase for compliance efforts and lower the duplication of documents and data across multiple compliance applications— leading to less complex IT integrations, faster user adoption, lower total cost of ownership and an overall substantial cost savings. Based on a content management platform, an integrated suite of compliance solutions allows companies to manage the full scope of their compliance responsibilities while reducing operational costs. Stellent’s compliance platform, for example, is based on five key components: document management, records management, workflow, enterprise risk management and vertical applications. Document management—Enables organizations to effectively and efficiently capture, secure, share and distribute digital and paper-based documents and reports. Retention policies, escalation flows and audit trails are accessed quickly and easily by only those authorized to see them. Records management—Stellent’s builtin Department of Defense (DoD) 5015.2certified active and fixed records management solutions help companies control the creation, declaration, classification, retention and destruction of all types of business records—whether they are “active” such as documents and graphics, or “fixed” such as scanned images and e-mail. These records are stored and managed, along with other business content, within one server and accessed using a single interface. Workflow—Workflow capabilities provide periodic “check-ups” on progress toward compliance goals by automating assessment, audit, remediation, approval and review processes.





Supplement to KMWorld September 2004

Powering Multiple Compliance Initiatives with a Single Solution
Companies across a variety of industries use compliance and records management solutions to comply with a wide range of regulations, including Sarbanes-Oxley, JCAHO, Basel II, HIPAA, FDA approvals and ISO 9001. Examples of successful customer implementations include: Sarbanes-Oxley Compliance Reliant Energy, Inc., a provider of electricity and energy services, has streamlined its Sarbanes-Oxley compliance processes by distributing documentation tasks to process owners and smoothing its attestation process. Specifically, their Stellent solution provides Reliant’s core compliance team with an enterprise-wide view of the company’s internal control makeup. This view allows the core team to keep track of and schedule control changes based on company priorities, which helps the company meet its goal of automating as many internal controls as possible. Additionally, Reliant has centralized process management capabilities and a centralized content repository. The core compliance team easily manages the overall process of Sarbanes-Oxley compliance through an automated workflow system that involves process owners. Reliant has customized specific features within the workflow that monitor contributions from process owners to ensure all work and processes meet the quality standards set by the company. In addition, the centralized repository has eliminated Reliant’s disparate content repositories and disconnected areas of the company carrying out compliance efforts on their own. Another benefit of Reliant’s compliance solution is the ability to easily share content with multiple audiences, including external auditors, process owners, company executives and managers and internal auditors. Users log in to the system through an easy-touse, Web-based interface and access information immediately, 24 hours a day. Auditors easily access the latest documentation they need for external audits—resulting in significantly less preparation time for internal staff. JCAHO/HIPAA Compliance Washoe Health System, northern Nevada’s largest integrated health care system, uses technology to support compliance with JCAHO and HIPAA mandates. They store and manage all procedures, policies, training materials and patient information in a central, Webbased repository, making JCAHO- and HIPAA-related content readily available to hospital employees and auditors. Washoe employs a Stellent system to maintain audit trails of updates, approvals and revisions to hospital policies, in accordance with JCAHO requirements. The technology also helps the organization support its corporate compliance processes by ensuring employees tap a single, centralized source for all policies and procedural information. To widen access to this content, Washoe placed kiosks in high-traffic areas across its hospitals where employees, such as nurses (who do not have a computer readily available) can easily retrieve information. In addition,Washoe is building a HIPAA-Compliancy Team Web site that will enable the company to easily circulate the most current changes to HIPAA regulations throughout the health system. ISO 9001 Compliance Agfa Corp., a digital imaging manufacturer, efficiently manages and retrieves its ISO 9001 documentation, such as procedures, meeting minutes, feasibility studies, problem resolution documents and product design specifications.Their system indexes and assigns metadata to files, enabling users to quickly and easily search for and retrieve documentation using a Web browser— rather than plodding through cryptic, eight-character UNIX filenames to trace content for ISO 9001 audits. By making content available on the Web, Agfa has reduced its costs related to printing ISO 9001 documentation and policy manuals. According to the company, it has completely transformed the way it does business by simplifying its content creation and management processes. For example, Agfa’s equipment dealers and suppliers can access product information, such as material safety data sheets (MSDS), through a partner extranet. Agfa and its manufacturing partners can exchange product drawings, specifications and engineering change orders through the extranet, eliminating the need for Agfa to ship paper-based information to manufacturers and suppliers.

Enterprise risk management—An enterprise-wide view of compliance efforts enables leveragability across the organization and diminishes project “silos.” Enterprise risk management prioritizes compliance initiatives based on areas of greatest risk and aligns all strategies with corporate goals. Vertical applications—Your vendor should also provide vertical applications. The Stellent Sarbanes-Oxley Solution, for example, automates long-term SarbanesOxley compliance methodologies, enabling companies to efficiently manage and approve documentation supporting financial and non-financial disclosures and Section 404 compliance. The best solutions are highly personalized for non-technical busi-

ness users, allowing auditors, accountants and CFOs to easily create, manage, share, track, approve and archive information with minimal training, using only a Web browser. E-mail management solutions facilitate the intelligent integration of e-mail into customers’ business processes. With rule-based, centralized e-mail archiving, these solutions guarantee seamless records and fulfillment of legal requirements.

stand-alone compliance systems—are best equipped to effectively support compliance initiatives. Through rapid implementation, integration with existing systems and broad user adoption, customers can promptly transition their resource-intensive compliance projects into ongoing, productive business processes and reap the substantial benefits these evolutions can generate. ❚
Stellent is a global provider of content management software solutions that drive rapid success for customers by enabling fast implementations and generating quick, broad user adoption. Stellent Universal Content and Process Management enables customers to rapidly deploy line-of-business applications as well as content management solutions for enterprise initiatives such as enterprise portals and business commerce applications.

The Most Effective Compliance Solution
Because most compliance mandates are primarily a process of massive documentation and testing, comprehensive document management-based solutions—rather than

Supplement to KMWorld September 2004


Playing by the New Rules:
Embracing SOX Compliance with a Coping Strategy
By Michael McLaughlin, Exact Software


vention and detection of fraud or financial irregularities. What follows is a strategy to ensure compliance by tackling the problem of knowledge management head-on. By evaluating business processes, technology and ERP systems, as well as making corporate changes to improve their ability to support internal controls required by Section 404 of the Sarbanes-Oxley Act, companies faced with compliance issues can make the transition with little to no pain.

t’s nearly a forgone conclusion that at least once in even a small company’s life, the company will be faced with regulatory scrutiny, litigation or an accounting need that requires it to search and analyze its business records. Averse to risk? Then try not complying with regulations for archiving your business records. No business, no industry, no employee can hide from the need for accurate business records management that complies with federal and state law—including such regulatory compliance as Sarbanes-Oxley, ISO or HIPAA. In order to address the new SarbanesOxley legislation—which requires public companies to establish, approve, implement and evaluate their internal controls for purposes of financial statement reporting and operational integrity—organizations are searching for tools to help them achieve corporate compliance. Today’s quick-paced, information-rich businesses are full of data that can be classified as a business record. These business records are required to be collected, tracked, stored, archived and potentially located. Automated, efficient and reasonable recordkeeping protects all stakeholders in a business—officers, employees and shareholders alike. Good recordkeeping allows companies to operate more efficiently, account for their actions and protect assets. Recordkeeping is the “memory” of an organization, the brain by which a company can gain a retrospective on certain corporate actions or inactions. This “memory” becomes the means by which a company can shape its course for the future. But the amount of data even a single business can produce could be staggering. Many companies, from the CEO to the company records manager, simply become numb to the need for effective records management. And even when they are addressing the most immediate recordkeeping concerns, there is still the “dust-bin”—the repository of archived, legacy data that is stored throughout the network and over disparate systems, whether on a server or residing in a steel filing cabinet in the corporate library. Compounding the problem is today’s flurry of federal and state regulations. Triggered by scandals involving Enron and Andersen, the specter of complying with SOX has many companies grappling to get

current data properly archived. Organizations faced with SOX regulations, despite best intentions, remain uncertain about what data needs to be archived and retained to meet new regulatory and compliance requirements. Organizations are not sure if they can even meet compliance regulations because they lack the technology to properly meet these targets. Retrieving is another nightmare. Many companies would not know where to look or how to find it, unless they undertook an expensive inventory and comprehensive analysis of their records. In addition to corporate issues surrounding internal compliance, many organizations are having difficulties managing and consolidating information from remote locations. In companies with multiple offices, the financial truth is often hidden in separate databases, technology solutions and various spreadsheets.

Analyze This!
By first evaluating—honestly—your current records management system, you will be able to make the leap to establishing a better framework for keeping records. How much of your current recordkeeping is still physical and how much is electronic? Are you covering all the new records being created with new forms of electronic communications such as instant messaging (IM), blogs and e-mail? Is your firm using e-mail to communicate transaction details or negotiations? Do you have an existing process for capturing the business records that employees and departments generate? How is it captured and what means is used to archive these records?

Developing Necessary Compliance Coping Skills
Unfortunately, finding a corporate governance solution that provides the internal control systems necessary to adhere to the financial compliance and auditing processes mandated by Sarbanes-Oxley is perceived as a burdensome task. However, few companies face the underlying problem: defining the process by which business records are attained and retained. In fact, if companies embrace the issue of compliance head-on they can actually improve the business practices, financial performance and reduce the business risk to their organization. What is needed is a mechanism that provides the essential baseline for establishing financial accountability, policy compliance and procedural tracking. In addition this system must be user-friendly, bringing together employees, technology and processes that support financial governance, auditing processes and Sarbanes-Oxley compliance. This framework becomes the “business rule” that directs processes for expense approval, workflow and document certification, and thus directly aids in automating the flow of financial information throughout the organization, ensuring responsible managers obtain timely and accurate data, aiding in the pre-

“Recordkeeping is the memory of an organization.”
Once the existing recordkeeping system is inventoried and evaluated, certain trends should emerge. Typically, problem areas will arise in one or more of three areas—people, technology or processes. Creating a mechanism to solve the recordkeeping problems can be thought of in terms of a triangle. People are at one point of the triangle, process is at another point of the triangle and technology is the third point of the triangle. People Power: People are the originators of records and those who will rely on the records once they are created. Without changing the internal mindset of an organization, becoming compliant with the recordkeeping aspects of Sarbanes-Oxley will be impossible. People often do not understand the reasons for recordkeeping and thus engage in sloppy records management or use non-archiving methods of communication. Also, recordkeeping can be viewed as a non-


Supplement to KMWorld September 2004

mission critical task that is taken on only when the more “pressing” responsibilities of an employee have been addressed. The opposite is also true: employees can become so mired in recordkeeping that they shun aspects of their job or the process becomes inefficient and unworkable. Companies must evaluate the mindset of their employees when it comes to recordkeeping. Employees must be taught the reasons for recordkeeping and must be held accountable through measurable objectives. Technology Solution: Technology is how we automate recordkeeping and how we create a good many records. Without the right technology in place an effective business records system cannot comply with Sarbanes-Oxley. Business records collection and archiving must be considered part of the overall planning process when IT decides to implement new technologies or upgrade existing ones, otherwise things fall through the cracks. How many companies have updated their business records systems to be able to collect information that is posted on corporate blogs, for instance? Is the newest content on the company employee portal being archived? Taking into account IT infrastructure is a key consideration when evaluating your recordkeeping in the quest to become compliant. Planning should be routine to keep pace with the momentum of technological change. Consideration for open, flexible and scalable technologies must also be taken into account to keep pace with the growth (or downsizing) of an organization. Technology can also be a problem. First technology has multiplied the sheer number and variety of formats of records. Second, in some cases, technology can actually hamper records management, because few have architected a solution and automated workflow for storing a record in a recognizable and centralized repository that can be easily accessed. For example, since records management touches multiple departments on a daily basis, it is imperative for these departments to work hand-in-hand in order to assure information is updated quickly and accurately. Despite the efficiencies brought about by technology, many organizations remain dependant upon paper-driven, laborintensive tasks. Enterprise applications that connect multiple departments can help streamline processes and provide a central document management location where all data can be accurately updated and accessed throughout the organization. Process Methods: Process is the means by which recordkeeping is synchronized. The foundation of the triangle is the processes by which an organization determines if a record should be kept, how it is automatically archived and located when it needs to be retrieved. Process is the heart of

any effective recordkeeping system and the link between people and technology.

The Need for Uniform Internal Processes?
Many organizations still continue to overlook the importance of establishing clear internal processes. While a company may have “a way of getting things done,” generally the steps are not defined and tasks can easily fall off track. Process is typically defined as improving how well an organization gets from point A to point C. While this step-bystep approach may seem ideal, it’s quite unrealistic since within today’s complex organizations a process may involve a number of steps and a broad group of employees. With that said, organizations can understand that process is really about workflow and the ability to maintain visibility and accountability of a task from beginning to end, independent of the path the processes may take.

ness of your newly established SOX policies and procedures, there are available technologies that provide online training tools, internal newspages and policy authorization and approval via automated workflow. A good workflow solution unifies the people, technologies and processes in regulatory compliance, such as Sarbanes-Oxley, ISO and HIPAA.

Closing the Loop
Contrary to popular belief, organizing processes doesn’t simply mean streamlining activities so they move in linear fashion throughout the organization. Each task executed has unique demands and requirements, and while organizations need to have a defined system in place, this system needs to remain flexible enough to accommodate each individual task. Process is really about creating a “closed-loop” workflow system that enables the user to define the processes for each unique task. Effective controls necessitate real-time information on the status of internal compliance. Technology that accommodates the framework should be able to generate realtime reports and automatic alerts on the status of several business activities such as month-end closings, sales documentation with integrated CRM, credit management, expense approval and reporting, budget, G/L and cash-flow reporting. A company concerned with financial governance would need technology that addresses financial issues such as: secure collaboration between subsidiaries and external accounting groups; automated alerts on specific financial events; audit trails to prevent or detect fraud; automated workflow of financial documents to responsible parties; and real-time financial reporting. By leveraging a single, centralized database and 24/7 access to information, companies can drive new levels of organizational efficiency. By synchronizing people, technology and business processes, compliance with Sarbanes-Oxley, ISO, HIPAA, and other recordkeeping legislation as mandated can be accomplished. The benefits are innumerable. Companies can pinpoint accountability, ensure compliance and protect the organization’s interests simply through developing a framework simply addressing the problem of records management. ❚
Michael McLaughlin is the e-Synergy consulting manager at Exact Software™ North America. Exact Software believes in Business Unified™—providing solutions that connect the people, processes and knowledge essential to an efficient,competitive business.Exact’s solutions provide greater visibility across the organization with real-time access to central Web-based corporate information and exchange.Exact e-Synergy® is a business management solution that maximizes an organization’s access to the very latest information,anytime,anywhere.e-Synergy makes it possible to connect everything within an organization—people, documents, tasks, assets and more—in a single database, making regulatory compliance easy,for companies of all sizes.

“By leveraging a single, centralized database, companies can drive new levels of efficiency.”
Despite the technologies and collaborative tools available, employees still continue to work independently, keeping information stored in individual tracking systems. Employees depend on personal e-mail, Excel spreadsheets and an array of notes, none of which can be accessed or updated by other employees. This lack of collaboration is why processes are poorly managed and where a number of significant company-wide pain points have their origins. Disjointed processes can lead to lost customers, duplication of work efforts and excessive costs, among other problems. By implementing an effective workflow, companies can establish projects and tasks to aid in the management of the SarbanesOxley compliance process. Secure collaboration between subsidiaries and external accounting groups enhances compliance communication and accuracy of information. To aid with internal support and effective-

Supplement to KMWorld September 2004


Governance Best Practices and Approaches
By Larry Bowden, Vice President, IBM Workplace Software Solutions ccountability and effectively managing risk are top of mind for most organizations today. Accountability is key for companies in their efforts to ensure that they meet the wide variety of mandates specific to their industry (examples include Basel II focused on improved risk management in banks or the Healthcare Insurance Portability and Accounting Act [HIPAA] for the healthcare industry) as well as cross-industry regulations like Sarbanes-Oxley (SOX) or the International Accounting Standards (IAS) in Europe. One common theme among many of these regulations (regardless of industry) is the need to manage information content and retention through the application of effective business controls, also known as records management. While managing content and adhering to compliance regulations is key, a critical success factor in deploying the architecture lies in ensuring that employees’ adoption of new processes doesn’t require extensive training or throw in a significant learning curve. Since productivity is key, the architecture itself must comply with ease of use throughout the organization. However, effectively managing this information requires a strategy that encompasses business acumen, strong technology underpinnings and intellectual capital.

nology foundation that includes an effective risk and compliance strategy. As you can see in the graphic, the challenges facing customers today with regard to risk and compliance are primarily based on the integration of business and IT requirements.

Governance Challenges
As companies look to effectively manage governance, some of the business and IT challenges they face may include: 1. Business/Operational Challenges: ◆ Business Silos and Solution Silos. Many business solutions around governance have been implemented to solve a single problem, by a single group or division within a company such as a trading desk, banking region, financial or healthcare group, etc. This silo-based approach makes it very difficult for firms today to implement enterprise level risk and compliance solutions; ◆ Evolving Regulations. As a regulation changes or a new one is created, the same requirement must be implemented in each silo, resulting in significant costs to the corporation. For example, if individual trading departments have implemented their own SEC 17a-4 solutions, each silo would need to be updated as additional archival requirements are defined. There is an additional cost in terms of staffing for organizations to keep up with and understand all of the various regulations that may impact their business. This is extremely challenging in the U.S. alone, where more than 4,000 new regulations/rules are approved by agencies of the U.S. Federal Government every year; and ◆ Varying Enforcement Levels. Companies need the ability to think globally with a


which has led to the creation of a new role in the organization—the Chief “Governance” Officer (CGO). Governance can have many different definitions. In one sense, it means to better govern their companies, enhancing both corporate accountability and the creation of wealth. In another, it talks to “the exercise of authority, management and control.” In the context of risk and compliance and the role of the CGO, it means to govern or manage both regulatory mandates as well as effective risk management. It should come as no surprise that this focus on governance is leading to an increased focus on improving and managing business assets and processes within companies today. In addition to improving financial management and reporting, creation of content, operational risk or privacy management, information must also be archived and retained effectively. The bottom line is that as companies look to expand their competitive advantage and transform business processes into the on-demand world, risk and compliance is a constant that must be managed and considered. Companies need to build a tech-

A Business Strategy
As we have all learned, the exponential growth of data comes with its own set of management challenges. Adding to these challenges are many of the new legal requirements associated with a company’s ability to identify, assess and effectively manage risk. Harnessing the compliance-related information and managing it for better decisionmaking is the foundation of enterprise risk management. In its broadest sense, an enterprise risk management strategy allows organizations to help manage the variety of strategic, market, credit, operational and financial risks that they confront. Additionally, it should not further burden IT staff or business managers whose jobs have been extended to ensure organization-wide compliance. Today, many companies are managing regulatory compliance and risk together,


Supplement to KMWorld September 2004

common and flexible infrastructure that respects the regulations specific to a county, country or region. 2. IT Challenges: ◆ Componentized Systems and Architectures. The demand for componentized systems and architectures that share a common infrastructure, while enabling many applications, is key to many IT shops because it ensures the compliance information can easily “speak” to different parts of the organization; ◆ Standards-Based Architectures. Such as Java, Linux and Web Services can make implementing a common infrastructure, as well as re-use of existing systems, easier to achieve; and ◆ Reduce Total Cost of Ownership for risk and compliance through a common infrastructure that allows for integration of different applications, processes and information.

should do its best to avoid an ad hoc tactical approach to compliance that is narrowly focused on dealing with individual regulations as they come along. Rather, business leaders should seize the strategic opportunity to improve overall business operations. Two key approaches include: ◆ Creating an effective team between the CFO, governance officers and IT; and ◆ Establishing a governance infrastructure to meet all of your critical needs.

Key Governance Components
A key component to a successful governance infrastructure is the ability to establish a common user experience around risk and compliance. The goal is to provide a single, secure, easy-to-use, enterprise-wide user interface for a CFO or CGO that delivers anytime, anywhere access to critical resources such as content, applications, governance processes and people—both within and outside the organization. In addition, this interface should include a governance scorecard (performance management), where users can monitor governance metrics based on strategic objectives and better respond to critical governance situations. With this scorecard, a CFO or CGO would have the ability to increase operations effectiveness and efficiency, employee and customer satisfaction and subsequently drive additional revenue. Benefits include: ◆ Improved access to the right information at the right time—anywhere within the organization; ◆ Lower total governance TCO with integrated multiple collaborative capabilities, while maximizing people skills; and ◆ Extended value of existing IT investments through integration with IT governance systems. In addition to a single user interface, a wide variety of other technologies play a role in establishing an e-business on demand compliance infrastructure: ◆ Business process management—including process modeling and monitoring along with workflow (includes the management and monitoring of governance business processes and IT events); ◆ Controls framework—to help understand what risks are inherent in the business, controls that are in place and what gaps exist; ◆ Strong security—to help control access, protect information and data disclosure, including strong audit trails and reports; ◆ Storage management—to protect and retain data as well as ensure business recovery; ◆ Simplified content/information management—to help search as well as retrieval of information to improve the discovery of information; control access to infor-

Governance—Driving IT Spending
It should also come as no surprise that along with the increased focus on risk management and expanded regulations comes a slew of vendors vying for compliance-related budget dollars. The Chief Financial Officer (CFO), CGO, regulatory compliance officers and IT staff are now faced with almost too many options without the luxury of time to evaluate which strategy and solution(s) best addresses their organization’s and clients’ needs. While certain regulations such as OSHA and EEOC have been a long-standing requirement for many industries, the frontpage headlines have ignited new regulations that have ushered in a wave of compliancerelated IT spending. To illustrate this point, recent findings by Forrester found that in 2003, 17 out of 20 CFOs indicated that the new SOX regulation had a minimal impact on spending plans. One year later, it’s clear that this regulation is a corporate priority as evidenced by the surge in SOX compliance-related spending. In this same report, “IT Execs Wake up To Sarbanes-Oxley Compliance,” Forrester surveyed 878 technology decision makers at North American companies regarding Sarbanes-Oxley and its affect on their IT budgets. 48 % of the companies surveyed had 1,000 to 4,999 employees and 52 % had 5,000+ employees. Highlights from the research to note: ◆ 52% of those surveyed are affected by SOX; and ◆ Of those affected, 77% plan to increase spending to support compliance. As government regulations drive IT spending, companies need to ensure that their staffs are getting the most from their investments as compliance is critical to the overall health of the organization. With regulatory deadlines looming and requirements constantly changing, an organization

mation; manage compliance reporting through a defined workflow including appropriate sign-offs; and records management and archiving to meet retention regulations; and ◆ Analytics and business intelligence—to help assess risk. Many of these regulatory requirements often mandate formal, structured recordkeeping practices. For example, government agencies have to comply with numerous laws regarding freedom of information, privacy and the maintenance of historical and archival records. In the commercial world, businesses must adhere to statutes concerning taxation, occupational health and safety regulations, environmental protection laws and more. Businesses today are seeking formal, structured recordkeeping for their electronic documents and content to help demonstrate compliance with regulations and laws. In addition, they need to establish strong, credible evidence of proper business conduct in order to avoid litigation. Records management can also help with the glut of electronic information that exists in companies today. Too much recorded information is often worse than not saving enough. Businesses today need to know, with full legal confidence, what records they can delete and when. Organizations need to manage their electronic content in a way that reduces their risk and enables them to demonstrate their regulatory, legal and fiscal compliance. Electronic recordkeeping provides a means by which a company can begin to demonstrate its recordkeeping accountability to shareholders, customers and regulators. One method that can be used is “e-records software,” which brings formal, structured recordkeeping practices to electronic information produced or managed by business software. Business software with this capability applies formal recordkeeping practices and methods to the electronic content, which helps to demonstrate compliance with regulations, preserves critical documents necessary for future decision making and deletes information at only the appropriate time, in accordance with applicable laws, regulations and/or policies. Businesses can now preserve the business records they’ve determined they must keep, while destroying those permitted by law, policy or regulations. Electronic recordkeeping forms a key part of the infrastructure supporting a business’s overall accountability.

Creating an Effective Compliance Infrastructure
One of the most compelling outcomes for a CFO, CGO, Chief Compliance Office
GOVERNANCE BEST PRACTICES continues on page 16

Supplement to KMWorld September 2004


GOVERNANCE BEST PRACTICES continues from page 15

(CCO), Chief Risk Officer (CFO) or CIO with regard to compliance is the fact that governance needs are driving organizations to assess their current infrastructures, while presenting an opportunity to adjust their newly examined business capabilities. This includes implementing a variety of products and services that can be leveraged to help support companies in the execution of their business initiatives as well as helping them to adapt to the everincreasing regulatory risk and compliance environment. Thus, businesses have an opportunity to go beyond mere compliance with these new obligations. They can use this opportunity to improve their business operations by making them more efficient and predictable. Integrating the vital aspects of your corporate IT infrastructure with business processes to support compliance presents an opportunity to re-evaluate your current business methodologies and revise as required moving forward. Certainly, the task can at first appear daunting. The sheer volume of information from the Web, e-mail and instant messaging have caused a tremendous increase in the amount of information an organization produces. In fact, up to 80% of business information is now stored in electronic formats. And records management and regulatory compliance is only going to get more challenging, as the drive to e-business on demand gives way to an even more meteoric rise in the amount of information a company generates— and is responsible for managing within defined business processes and mandates. But consider the upside. An infrastructure that supports the myriad IT requirements to help support governance can help streamline complex regulation processes. What’s more, it can spur productivity, enhance customer service and boost return on technology investment— all while optimizing your business. The tactical approach cannot and should not be the goal. The problem with implementing ad hoc solutions to address individual regulations is that they don’t fully utilize—or gain insight from—company information on demand. And while such an approach may be cheaper in the short run, it can be much more costly in the end because modern information technology can alert IT and business decision makers to threats and opportunities before they would otherwise be on broader corporate radar screens. According to PriceWaterhouseCoopers, an integrated approach to governance, risk and compliance management can improve a company’s reputation value by 23%, employee retention by 10% and revenue by 8%. By contrast, the strategic approach implements a technology framework that provides common value to all business solutions, including governance. The goal is to provide

businesses with access to critical information in real time, bridge disparate teams through collaboration tools and seamless workflow and enable the viewing of vital corporate data on a single dashboard—all while implementing a seamless retention policy in an effort to improve time to deliver, time to value and reduced total cost of ownership. Such a framework helps companies improve employee productivity by establish-

or CGO’s office and the IT department on their strategies to manage risk or mitigate risk. For example, in many cases IT departments may not understand auditing procedures and the appropriate implementation of internal controls for Sarbanes-Oxley Section 404—mainly because of the struggle of the IT department to understand audit-centric terms and how they apply to an IT infrastructure. Without a common understanding

“As companies look to expand, risk and compliance is a constant that must be managed.” ing a common user experience, maximizing security and control, shortening business cycles and improving customer satisfaction. The goal of the infrastructure is to help companies adopt best-practice standards to transform their business operations and meet governance needs. The software should help increase business efficiencies so companies can gain deeper insight and predictability on the status of their compliance and business efforts, and help address the information requirements of regulations affecting their businesses. What does this take? A single governance infrastructure should provide: ◆ Common value to all business solutions, not just risk and compliance; ◆ Integration among people, process, applications and information, with a common base for compliance processes and improved data quality and consistency; and ◆ Timely access to information and reports along with automated data archival and retention. The bottom line is that companies need to improve their time to value, time to delivery and reduce their total cost of ownership. or translation of terms, it may appear that the IT organization is reluctant to help corporate auditors document IT controls in order to meet Sarbanes-Oxley requirements. This can also be the case for other regulatory mandates. It’s important to get to a common understanding of the CFO’s strategic objectives and how IT can work as a team to help achieve these needs. Regardless of who’s in charge, the most effective team is one that that crosses boundaries throughout the organization.

In Summary
An integrated approach to governance built on a common infrastructure can result in many business benefits: ◆ Reduced total cost of ownership, and reduced implementation cost by working on a common infrastructure for both risk management as well as regulatory compliance; ◆ Reduced level of risk; ◆ Competitive advantage. If your company can respond quickly to new or changing regulations and leverage the infrastructure investment with performance management projects that improve overall business performance while others in your industry can't, the edge goes to you; ◆ Accurate information that is delivered on-time to those who need it, so that they may understand current status at glance; respond quickly to critical situations; and enable better planning for new or updated mandates; ◆ Improved reputation, by helping reduce potential liabilities and fines—keeping the company out of the news; increased shareholder value; improved confidence for investors and customers; and maintaining credit rating; ◆ Increased customer knowledge; and ◆ Enhanced communications ❚

Creating an Effective Team
In addition to potentially creating new roles, like the CGO, many companies are forming compliance committees or boards to help guarantee that standards and strategies are met. Members should include representatives from key areas throughout the organization who have a role in ensuring compliance. This may include representatives from risk management, internal and/or external audit, finance, IT, legal and safety departments, environmental teams, the board of directors and human resources. Unfortunately, in many companies today there can be a disconnect between the CFO


Supplement to KMWorld September 2004

Records Management
From the Basement to the Boardroom
By Dr. Galina Datskovsky, CEO, MDY Advanced Technologies Inc.


or many years, the records department was deep in the basement of many corporations, and its mysterious functions were never valued until some vital document needed to be found. All of a sudden, the records manager is in the hot seat to find a single document in the sea of e-mail, paper and electronic file stores. The records manager might have spent years trying to implement some type of records process, but probably gave up from the lack of attention to the issue.

“Records practices zoom to the top of everyone’s to-do list in times of crisis.”
Until, of course, something is needed. Records practices zoom to the top of everyone’s to-do list in times of crisis, during an investigation or when something vital is lost.

Through the Lens of a Senior Executive
Senior staff members are drowning in documents, e-mail, instant messages, voice mail and video clips. Along with legislation that now holds them personally accountable for what they sign, they are also responsible for the behaviors of the people they manage, and how those very people manage documents. A senior leader should look through two lenses in evaluating how vital information is managed: Lens #1—If disaster strikes. Do you have an efficient records practice that allows for efficiencies in business process? Do you have the policies and practices that ensure your business would go on in the event of a catastrophic loss of facility?

Lens #2—Litigation risk. It is the job of litigators to make every shred of information discoverable. It is up to you to have the policies and practices that limit this discovery, while allowing for sound business practices. Both of these lenses depend on the same set of solid policies and the reinforcement of behaviors so everyone actually complies with the policy. One of the jury’s key decision points that decided the fate of Arthur Andersen was the fact that even though they had a written policy (one they sold to other companies!), they had not trained their own people very well. Here’s a short list to serve as a “Records Policy Check Up”: 1. Look for evidence. Do you actually have a written policy? Can you find any evidence that one exists? What do you do with your own e-mails? Are they stored, backed up, destroyed against a sanctioned retention policy? 2. Visit the records center. Does your records manager have a voice in the policyand procedure-setting activities? Look for synergy between the records department and the IT department. Together they need to ensure all electronic and physical documents are treated the same way. 3. Self-inspect. Senior managers are often the worst offenders of a records program. For example, many legal rulings deem that back-up tapes used for disaster recovery only are not discoverable. But senior managers frequently ask the IT department to recover e-mails that they deleted accidentally. This practice voids the argument that back-up tapes are used solely for disaster recovery. 4. Get help. If you find too many issues to deal with internally—or do not even have the time to check—engage the experts for a consulting project.

Galina Datskovsky has more than 20 years of experience in computer sciences, focusing on records management. She is president of the New York City Chapter of ARMA and has been published in prestigious academic Dr. Galina Datskovsky journals and computer science conference proceedings. She has spoken on information management, government regulation/international regulations,conflict resolution and e-business challenges. Dr.Datskovsky founded and is currently the CEO of MDY Advanced Technologies,and one of the creators of FileSurf®.

Through the Lens of a Records Manager
For many years, records managers were relegated to the dusty shelves of paper records. It used to be easy; as long as you were organized and used some level of filing system your job could be done efficiently and effectively. Now with the advent of multimedia, and end-user control of their records, the

job has become more complex and no longer a standalone task. Today’s records manager is on the forefront of new and innovative ways to capture and store documents in electronic formats that can be searched and retrieved, even if the original program has long since been replaced. Here’s some advice for the modern-day records manager: 1. Find your voice. A records manager needs to play a role in the setting and implementation of records and document policies and practices. Speak often to department heads, executives and the IT department on the “current versus desired” state of records management. 2. Be the expert. Know the legislation and how it applies to your business. Be able to articulate how you are compliant and what needs to be done to ensure that the needs of your organization are met. 3. Be a great partner. A good relationship with the IT department is critical to your records policy. IT controls the storage of documents, e-mails and other media. Their preference will be to keep everything forever or until they run out of drives— whichever comes first. The other important partner is the legal department. They know more than anyone the importance of retention policies and will give you the legal backup for your arguments. 4. View records as a marathon, not a sprint. It might take years to get records under control. Having a written policy that is updated and communicated on a regular basis is a great start. ❚
MDY is committed to helping organizations properly manage the ever-increasing volume and complexity of their physical and electronic records and information. We strongly believe that proper records management can also enhance knowledge management and overall productivity for all types of organizations. For more advice on document and records management best practices, please visit us at

Supplement to KMWorld September 2004


Taming the Beast: Gaining Control of E-mail
David Winkler

By David Winkler, Vice President, Product Marketing, Mobius he headlines tell the tale: High-profile prosecutions hinge on the contents of e-mail messages that their authors never dreamed would constitute a permanent record. Beleaguered IT departments spend weeks combing through voluminous files to produce messages required for legal discovery. But beyond the evening news lie more mundane challenges caused by the explosive growth of e-mail: performance degradation of e-mail servers; mushrooming storage requirements; the recognition that messaging systems have become the primary means of business communication; and that those messages contain critical enterprise information. In most organizaCompanies tions today, e-mail manthat have no agement is either nonretention policy existent or is done using for e-mail: 59% in-place technologies— like simple backup systems—that fall short of what is needed to protect the organization and to ensure compliance.

David Winkler directs product planning and manages the product life cycle for the ViewDirect TCM suite.He has over 18 years of experience leading technical and professional services teams in applying information technology to business needs.


David welcomes comments and conversation about this article.He can be reached at

The Three E-mail issues
There are three primary issues associated with e-mail, each imposing a series of requirements on an e-mail management solution: e-mail as a source of corporate records; e-mail as a source of business-critical information; and e-mail growth as an IT headache. #1. E-mail as a Source of Corporate Records. A record is any Companies that accept piece of data, in e-mail as written any form, that is confirmation of required to be kept transactions: 79% as documentation of an organization’s decisions, actions and transactions. Clearly then, e-mail messages are records and must be controlled and managed according to an organization’s policies and procedures for record retention, access and disposition. To reduce the enormous costs of producing e-mails for litigation discovery and audits, they must be categorized and searchable. Much of the recent visibility of e-mail is a consequence of the emerging importance of e-mail as a source of corporate records.

#2. E-mail as a Source of BusinessCritical Information. E-mail is increasingly recognized as a source of corporate information and companies are looking for ways to manage it as they do other business-critical content. Industry analysts endorse this strategy, recommending that their corporate clients look for solutions that integrate e-mail with other content and look to enterprise content management (ECM) vendors as providers. This integrated approach enables retrieving all the records related to a particular customer or transaction—purchase order, invoice, correspondence, e-mail—with a single query and viewing them together. #3. E-mail Growth as an IT Headache. The explosive growth of e-mail has E-mails per day: 31 billion in 2002, overloaded e-mail 60 billion in 2006 servers and degraded system performance and reliability. Messaging servers were designed to be mailrooms, not file rooms. The requirement is to offload e-mail from production servers to maintain system performance while continuing to make them easily and efficiently available to users, auditors, compliance officers and management.

New Solutions for E-mail Archiving
The new generation of e-mail management solutions goes beyond earlier, more limited products that provided simple backup and offloading of e-mail stores and products that left it to each user’s discretion to decide which messages to retain. Today’s products are designed to address three primary requirements: ◆ Retain messages in compliance with regulatory requirements and corporate policy; ◆ Facilitate searching as required for legal discovery; and ◆ Improve system performance. These products automatically capture, classify and index e-mail messages, create a searchable archive and manage the information lifecycle according to corporate retention and disposition rules. Offloaded to secondary storage to improve the efficiency of the e-mail system, the archive remains accessible to users, auditors and compliance officers.

To meet today’s requirements, make sure you choose a solution that allows you to: ◆ Capture everything you need—but only what you need. That means taking the decision on which messages to retain out of users’ hands and automating it according to rules you establish. It also means capturing only the messages that meet your criteria. You should be able to screen on subject, sender, recipient, message content and date. Make sure you can store attachments with messages and avoid duplicating messages that are sent to multiple recipients. ◆ Establish flexible, automatic classification based on business rules and content analysis. This is a logical structure that can be organized by user, by chronology, by organizational function or by some combination. The classification system can also assign codes that determine length of retention and disposition. ◆ Maintain accessibility for users, compliance officers and corporate managers via the e-mail client and a Web-based interface. Retrieval should be based on categorization and/or full-text search of messages and attachments. ◆ Implement an e-mail management software infrastructure that supports multiple storage options, including emerging network-attached storage from vendors such as StorageTek, Network Appliance and EMC. ◆ Seamlessly integrate with your plans for implementing a sound information lifecycle management (ILM) strategy that will allow you to manage all types of information from creation to disposition. Mobius’s ViewDirect E-mail Management meets these criteria for supporting regulatory compliance, facilitating legal discovery and improving system performance. It also enables integrating e-mail with other enterprise content to maximize the business value of the critical information contained in e-mails. ❚
Mobius is the leading provider of software solutions for total content management.The ViewDirect® TCM suite includes integrated e-mail and records management as well as facilities for Web content management,business process management,and content integration across the enterprise.


Supplement to KMWorld September 2004

A Departmental Approach to Recordkeeping Solutions
By Sharon Hoffman Avent, President and CEO, Smead Manufacturing Company


usinesses are inundated with information from everywhere, in many forms. While this presents a problem for many organizations, the reality is that it can actually provide a great opportunity for companies large and small—as long as they can maintain the data they want, and use it to their advantage. An enterprise-wide recordkeeping strategy is needed to maximize organizational benefits. Defining a recordkeeping strategy requires a step-by-step approach:

Step-by-Step Deployment
Just as rolling out any application enterprise-wide, the project can be overwhelming. The approach of starting with one department and growing to multi-department deployment provides many benefits, including cost savings. While some configurations will be department-specific, other parts of the implementation are scalable and can be utilized across multiple departments, creating economies of scale. Look for a recordkeeping system that utilizes similar configurations to increase both the efficiency and cost effectiveness of subsequent department installations. In keeping with the theme of efficiency and cost-effectiveness, recordkeeping systems should be able to be integrated into existing (host) software. Employees need to be able to work in their current line of business software and shouldn’t have to learn new applications to utilize e-mail, faxes, paper files and electronic documents. Information holds a different business value over the course of its lifecycle, as well as from one department to another, and must be managed accordingly. By growing departmental solutions that are inter-related and managed by the overlying best practices and records management principles, businesses can manage their assets across the entire enterprise. Recordkeeping is as much a strategy as a product. Just as a business needs a strategic plan to succeed, so must it have a strategy for managing its information. A complete recordkeeping solution provides the right information to the right people at the right time and should offer the following capabilities: ◆ Incremental departmental solutions— can be configured to work in various departments with host applications; ◆ Scalable—can grow across multiple departments. Solution must be configurable to work with varying departmental needs—whether it’s starting with paper management in one department, electronic records in another department, or

Sharon Hoffman Avent is the owner,President and CEO of Smead Manufacturing Company,Hastings, MN.Avent joined the family-owned business in 1965 as an hourly employee,and was named president and Sharon Hoffman Avent CEO in 1998.Smead Manufacturing Company has been woman-run since 1955,and Avent, just as her mother before her,continues on with the company’s legacy of providing high quality organizational products.Founded in 1906,Smead grosses over $500 million annually and has 2,600 employees worldwide.

◆ Decide what information is crucial for managing the business; ◆ Learn what documents are necessary to meet regulatory compliance; and ◆ Determine in what form each type of information is best retained—paper or electronic. Regulatory compliance has joined the forefront of issues facing CEOs today. According to a recent survey by AIIM International, 11% of the top executives surveyed said managing information to meet regulatory compliance was one of the three biggest challenges businesses face today. Other top concerns: ◆ Increasing profits and productivity (46%); ◆ Improving customer service (16%); and ◆ Remaining competitive, ensuring quality, controlling costs (27%). Once the top concerns have been identified, the step-by-step approach begins by analyzing the organization to identify which department would show the fastest return on investment or the greatest impact on the core business process by implementing a recordkeeping solution. Then, through an analysis of the departmental processes, the recordkeeping solution is configured to meet that department’s specific needs. (Recordkeeping is an information management system that manages both paper and electronic records with consistent retention management controls.) A complete recordkeeping solution increases the reliability and trustworthiness of records storage and retrieval, with the benefit of improving work efficiency and reducing legal liability.

workflow in yet a third department. Scalability and the ability to grow with the changing needs of the organization is key; ◆ Able to manage retention—can classify documents by their business value. The records are managed through their lifecycle and destroyed within the legal and operational requirements of the business; and ◆ Flexible—can manage business records, regardless of form—paper or electronic. To develop a corporate-wide information management system, follow these steps: ◆ Develop an information management strategy to meet the company’s most pressing needs; ◆ Find a recordkeeping system that is flexible, scalable, compatible with host applications and able to manage retention; and ◆ Implement the recordkeeping solution one department at a time to allow the company to first maximize the departmental benefits, then use the knowledge gained in the installation to make subsequent departmental implementations even more efficient and cost effective. Once a corporate-wide information management solution is in place, businesses will be able to see direct improvements in any business areas that need reliable information to make sound decisions. In addition, a good recordkeeping system will protect privacy, secure vital records, maintain data integrity, manage retention and ensure regulatory compliance. As the amount and complexity of information grows each year, so must the ability of the recordkeeping system. No company can afford to be without access to accurate, reliable information relevant to their business. ❚
Smead is uniquely positioned to apply over 98 years of records management experience into recordkeeping solutions. Committed to providing innovative solutions for the management of information, Smead has developed a comprehensive line of recordkeeping software.

Supplement to KMWorld September 2004


Online Image Archiving
Toyota Financial Services’ Powerful Document Access
By Chris Redvers, VP and i-VAULT! Product Manager, JPMorgan Chase Bank ow do you manage an avalanche of data? What if that avalanche arrives on your doorstep in the form of seven CDs per day, 35 per week, 140 per month . . . amounting to more than 1,600 discs per year? This hugely inefficient data nightmare became a daily reality for Toyota Financial Services. TFS is one of the largest captive finance companies in the U.S., with a retail lockbox network handling 1.5 million payments monthly. Handling vehicle payments from 34 field offices, TFS’s Lockbox Accounting Group is responsible for identifying payments with missing account numbers, correcting mis-coded items and resolving customer errors on checks deposited as lease and loan payments for TFS-financed vehicles. To operate effectively, associates within the Lockbox Group require timely access to copies of checks associated with those payments. Because of the massive volume of CDs generated by TFS’s two servicing banks, check research was a time-consuming process. A typical query required staff to complete a form requesting information and fax the form to the Accounting group. Field offices might also submit their own requests for copies of checks to verify payments. Average resolution time

staff no longer must handle and manage a rapidly expanding library of CDs, which had become unduly cumbersome.

Saving Time,Improving Customer Service
Since TFS’s 34 field offices and three customer service centers are able to access check images online in a matter of seconds, staff members can now perform with far greater efficiency. The average query resolution has been reduced to less than 10 minutes. And the quality of online check images is superior to that of a fax. In addition to faster retrieval times, an overall improvement in work processes has been achieved, with multiple representatives now being able to gain access to the same image at the same time. According to TFS Cash Manager Janet Rydell, “i-VAULT!’s central repository provides all of our locations direct access to images, which has significantly improved our productivity.” In setting up the system, TFS was able to establish which index fields it considered critical for its searches, resulting in quicker, more accurate access to documents in the archive. This added indexing flexibility allows TFS corporate accounting staff and representatives to search for checks by customer account number, date range and/or location. Personnel can use the system to verify payments, find “payoff” checks for title release processing, find checks that have been applied to the wrong account, as well as locate customers who have stopped making their payments altogether. Check images can be easily copied into documents such as customer correspondences, or bookmarked for future use, and queries can be saved and reused. Since implementing i-VAULT!, TFS is averaging 44,000 item retrievals from the archive per month. Rydell indicates that the per-item load fees for storage have been more than offset by employee time savings and improved customer service. “This was definitely a product our customer service centers needed,” states Rydell. “I don’t know how they functioned without it.” As evidenced by TFS’s successful implementation, an image archiving solution can reduce document retrieval time down to seconds, eliminate wasteful inhouse processes, provide critical business continuity and disaster recovery capabilities, while helping to ensure better, faster customer service and operational efficiency. JPMorgan’s solution lets businesses focus on what matters most—their core competency. ❚
Chris Redvers is the i-VAULT! Product Manager for financial institutions at JPMorgan Chase Bank. i-VAULT! is an Internet-based enterprise content management service that provides a centralized repository of data with online retrieval capabilities.For more information regarding i-VAULT!, call 1-866-2-ivault (866-248-2858) or visit


for these searches was typically more than three hours.

Central Archive Delivers Efficiency
TFS recognized the need for creating a central repository that would put everything in one place, so documents could be quickly and easily accessed and allow searches by multiple index criteria. Rather than deploying an in-house system, TFS turned to JPMorgan Chase’s i-VAULT!SM solution, a high-volume image archive service. i-VAULT! is a secure image warehouse with redundant archive sites in the Northeast and Southwest, offering instant access through a Web interface. TFS is now able to achieve significant gains in efficiency, improved customer service and increased disaster recovery/business continuity protection. This outsourced solution has allowed the further mitigation of concerns over escalating on-site data storage costs, as well as issues of technology obsolescence. TFS’s two lockbox providers now send data CDs directly to JPMorgan where the images are loaded into the online archive by noon of the next day. As a result, TFS


Supplement to KMWorld September 2004

The Four Goals of Records Management in the New Age of Compliance
By Peter Mojica, VP, Product Marketing, AXS-One


hile records management as a profession is not new, the burning spotlight on its practitioners and corporate executives is. Due to the confluence of technology, and the flawed records stewardship and mismanagement of several high profile organizations, records management is being driven by new government regulations and compliance initiatives. The traditional practice of records management—a demanding business function—is now under the watchful eyes of regulators and legislators who are impacting how public organizations and their employees, customers, and partners operate. As a result, several things have happened: ◆ Risks associated with records management have been elevated to embrace the entire organization globally; ◆ Demands on information management professionals have crossed over into the business area of compliance; and ◆ Consequences of deploying IT systems without considering the compliance and information risk associated with them are being exposed, as they are oftentimes inefficient and costly to re-engineer. These factors and a myriad of compliance and disclosure regulations have added to the responsibility and accountability of all exec-

Records Questions to Ask
1. Do you have a documented policy for all electronic records, including e-mail and IM? 2. Is it electronically enforceable? 3. Is it electronically auditable? 4. Are your audit trail records irrefutable? 5. Do you have a regularly documented testing plan? 6. Are you taking advantages of new technologies to save costs?

utive management. So then, what is the best way to manage this seemingly out-of-control conundrum? For those responsible, the answer is to establish clear records management goals and create a realistic game plan that is understood, implemented, and used by IT staff and business-level users. Based on best practices and years of helping leading organizations develop and execute records management programs, consider these four goals: 1. Prevent and Immediately Detect Policy Violations. Make it as unlikely as possible for employees to fail to retain, preserve and archive all content your organization creates to operate its business; 2. Mitigate Risk When Violations Occur. Have self-reporting and incidentmanagement policies in place to protect your organization across all levels; 3. Manage Content First, The Medium Second. Information today has to be managed based on content, not medium; this changes everything. While technology has perpetuated some of the records management chaos in organizations, it can also play a crucial role in making it work; and 4. Educate Employees. Ensure compliance awareness so all employees understand their records management roles and obligations, and what is expected from them on an ongoing basis.

Cohen helped develop a transparent e-mail archive and supervision program that met the expectations of executive management and the needs of IT staff and employees. MONY brought IT in from the very beginning and went over rules and regulations that needed to be addressed. Then, from this collaboration, it evaluated possible enhancements to existing processes. Next, the company identified solutions and processes and implemented a pilot program for IT and line employees to trial. After testing an e-mail archive system from AXS-One with a group of sales managers and other supervisors, MONY gauged its e-mail archiving process. According to Cohen, “We identified, reviewed and documented e-mail in a manner consistent with our goals. Based on the trial’s success, the system was deployed across the entire sales organization. The technology and process made archiving and records management much easier. “Based on the initial success of our e-mail archival program, we would recommend replicating this execution strategy for all areas of records management, including existing paper-based and electronic communications within operations and finance.”

Solving the Problem
The intricacies of today’s business and IT environment combined with compliance regulations and legal consequences are changing how corporate executives and records management professionals like Jay Cohen operate. While technology has contributed to the electronic communications onslaught, it can be used effectively (and transparently) to provide organizations control and efficiencies in managing their growing storage environments. The goals offered above should help guide your records management and compliance efforts in the new age of compliance and provide perspective on how to crystallize and accelerate existing initiatives. Cohen chose to focus his initial compliance efforts on e-mail archival, and you may choose another approach, but whatever your path, these goals can help guide you as you strive to proactively manage this increasingly complex business and IT function. ❚
Peter Mojica is vice president of product marketing and business development for New Jersey-based AXS-One, a leading provider of records compliance management solutions worldwide and developer of the AXS-One Compliance Platform.Mr.Mojica is a recognized thought leader in the fields of records management,corporate compliance and risk mitigation,and speaks at numerous industry events annually. AXS-One is a leading provider of records management, e-mail and instant messaging archival management, financial management, and workflow software to efficiently manage complex business processes. AXS-One’s solutions help organizations control and leverage their transactional activities within their normal business activities with customers, partners, vendors or internal departments to address compliance, collaboration or content management needs. For further information please visit us at

Compliance in Action
Jay Cohen, the former chief corporate compliance officer at the MONY Group, followed these goals, and created a game plan for the financial services holding company with approximately $55 billion in assets. “For us, it was about focus,” says Cohen. “One of our most pressing records management challenges from a regulatory and business perspective was how do we continue to best manage and archive e-mails which are now legally considered business records, for all of our employees.”

Supplement to KMWorld September 2004


Integrated Content and Records Management

Accelerate Compliance
By Vasu Ranganathan & Gregory Kosinski, Fujitsu Consulting & EMC Corporation ew regulations, the threat of litigation and the uncertain costs of compliance place company record-keeping, content and data management practices under unprecedented scrutiny. Organizations today are required to meet a growing body of regulations set up to assure corporate accountability. Evaluating your records management policy in this new era of accountability is critical in order to achieve compliance with government regulations, such as the Sarbanes-Oxley Act of 2002, SEC 17a, NASD 3010, and the U.K. Data Protection Act, as well as with corporate policies or industry standards. As we have seen, companies who do not comply face dire consequences.


to meet evolving regulations and statutes over time. Regulations may change, but they will not disappear. An integrated compliance framework should be based on a “best of breed” architecture that will minimize the pain of transition and leverage common policies, content and applications for compliance.

Managing Risks and Exposures
As you develop your approach to compliance, consider the regulatory environment, timeframe for compliance, the process controls needed to achieve compliance and evaluate the people, process and technology risks and exposures. While penalties stemming from non-compliance are enforced at the executive level, every employee is an information custodian. Corporate policies and procedures must be communicated, monitored and measured. The tasks of compliance should be automated to reduce the potential for human error, and integrated to minimally impact the daily routines of employees. Most importantly, the people responsible for active declaration of financial records, audit records, proposals, pricing, etc., must have the right tools and training. How can you minimize the risks and exposures? Develop a content-based records management solution that provides: ◆ Consistency: Demonstrate that policies are consistently applied across the enterprise;

◆ Capture: Ensure that all items deemed as records are captured and managed; ◆ Accessibility: Provide high-performance search, retrieval and presentation functionality and deliver all information quickly—regardless of format; ◆ Completeness: Capture and preserve the original content, context and structure of information; ◆ Integrity: Ensure records are protected against alteration or deletion; ◆ Auditability: Generate audit trails and reports detailing user access; ◆ Retention: Enforce retention requirements and policies—retaining items for as long as necessary, but no longer; ◆ Destruction: Expunge records completely so as to prevent any reconstruction; ◆ Continuity and Recovery: Build in redundancy to protect assets and guarantee operational continuity; ◆ Authenticity: Provide records that are verifiably accurate and reliable; and ◆ Official Copy: Have one “official copy” of records, with copies governed by different business rules.

An Integrated Approach to Compliance
Is your organization prepared to overcome the risks of non-compliance and manage the operational costs of retaining, accessing and archiving records? An integrated compliance framework and a policy-based program of records retention, supported by technology that can properly classify and archive all records, can help you mitigate risks and prepare for the future. The approach followed must be proven and methodical—however, the most critical aspect of any compliance initiative is to ensure that the solution not only meets the organization’s existing compliance needs, but that it is sustainable and serves as a platform

The Need for Common Content Infrastructure
To support this comprehensive approach, you must define what constitutes a “record series” based on content, and establish rules for how records are captured and stored . The critical success factor is a common content infrastructure that lets you see how records are related, and enables easy retrieval to support discovery. A common content infrastructure has the following features1: 1. A universal content repository supporting common search and access control across all information types—paper and microfilm, images, revisable documents and e-mail, common retrieval for all electronic types and an audit log of all actions on stored content objects. 2. A standards-compliant records management application (RMA), tightly integrated with the repository user interface and workflow, providing file-plan management, record classification and enforced retention management. 3. Enterprise content management (ECM) software, for a scalable solution for the creation, version control, workflow, security and lifecycle management of all content types and to achieve consistency across content types and sources.

Bottom Line
There are no magic bullets. But to be successful, you need a content-based records management plan, which mitigates


Supplement to KMWorld September 2004

the people, process and technology risks and exposures. The best approach is to partner with a cross-functional team that provides both products and services, such as EMC Corporation and Fujitsu Consulting. EMC provides a complete information lifecycle management solution for compliance: the combination of Documentum Records Manager with the Documentum ECM platform and storage provides an end-to-end solution for content creation, version control, security, archiving and storage. Documentum Records Manager provides formal records management procedures for the classification, declaration, retention and disposition of records, while Legato EmailXtender archives and manages e-mail messages. Documentum Content Intelligence Services (CIS) allows actionable metadata from new or existing records to be automatically identified, automating and controlling the tagging and categorization of all record types. Fujitsu Consulting brings business and consulting expertise in the area of compliance management and integrates EMC’s applications for end-to-end compliance. As a first step toward compliance, Fujitsu Consulting will conduct an interactive review and assessment of your records and content management technologies and business activities. This assessment will include your key stakeholders to identify the enterprise’s desired end-state, uncover potential risks and provide you with specific recommendations to include in your compliance approach. ❚
1 Bruce Silver Associates Industry Trend Report,“Answering the Call for Enterprise Records Management,”May 2003

BEYOND continues from page 3

About Documentum Software from EMC Documentum software from EMC Corporation includes enterprise content management (ECM) solutions that enable organizations to unite teams,content and associated business processes. With a single platform, EMC Documentum software enables people to collaboratively create, manage, deliver and archive the content that drives business operations, from documents and discussions to email,Web pages,records and rich media. For more information,visit About Fujitsu Consulting A trusted provider of management and technology consulting,Fujitsu Consulting is the North American services arm of the 45 billon-dollar Fujitsu Group. Fujitsu Consulting integrates the core expertise of Fujitsu companies and partners to deliver complete solutions that drive business value.For more information,visit: or send an email to

requirements from the legal or compliance officer, but they’re the ones who implement the technology. But it’s the role of the records manager that will expand the most, as the kinds of document required for records retention move beyond just paper documents— things like advertising, memoranda, Web pages, e-mails, even voice. The records manager will thus become part of a larger consortium in charge of all recordkeeping practices,” Reier predicts. Dean Berg from Stellent agrees: “There’s a new visibility for records managers. They’ve gone from the backroom to the boardroom. And that visibility comes from the board, who are now looking for answers: “Hey let’s ask Joe, the records manager, what he thinks about all this.” He’s right about one thing: this is a BIG change. I would have been shocked last year to learn that the board even knew Joe’s name. It’s a matter of balancing cost versus risk,” says Reier. “The IT folks want to get rid of e-mail as fast as possible. The compliance officers have a different agenda; they recognize those e-mails may contain content that is subject to some kind of regulatory recordkeeping requirement.” Stellent’s Del Zane thinks it’s the vendor’s job to tailor the consultative work according to the needs of the individual. “We have two kinds of demo,” he says. “One is for the records manager. It takes three hours and goes deeply into the inner workings of the system. The other is for end users; it takes three minutes for us to say ‘don’t worry about it, this is how your document gets automatically classified into your records system. ’ ” He’s only half kidding. “Records managers don’t traditionally have control of electronic documents,” he says. “They’re taken care of by the IT department. But we were gratified to see recently (at the MERS Conference in Chicago) that the attendees came in teams consisting of the records managers, their IT people AND their legal representatives. “One piece of advice we give,” says Zane, “is not only to take the team approach, but put somebody in charge of that team—call him or her the Chief Compliance Officer— and make sure that person involves all segments: records, IT and the business owners. The extent to which somebody can be tasked with the role will help tremendously.” “Technology is only one component,” adds Hummingbird’s Pery. “You also have to make sure there are effective policies in place, and that there are mechanisms in place to enforce those policies. You can have the best content management in the world, but if employees are not incented, or are not provided sufficient training, then information will not be effectively managed.

“There are huge implications if you don’t,” warns Pery. “For one, if you don’t have effective retention and disposition rules, you may be subject to a default judgment, and unable to defend yourself. If a company destroys e-mail—deliberately or inadvertently—and has no policies in place, the company is subject to significant fines.” Pery goes on: “Even if you DO have a published policy, but it can be shown that you don’t follow it, you may be required to produce records that SHOULD have been destroyed, but weren’t. There can be staggering costs associated with this, and it’s no excuse to plead that the costs would be exorbitant.” So we’re back to Agent Kay—your people can be informed and trained, but can they be relied upon? “Nobody will do anything until they’re forced to,” points out Exact Software’s Mike House, quite accurately. “But deadlines are now—or about to—drive the decision to deploy records management systems. The thing you have to realize: The technology upon which to build a regulatory compliance framework is not meant for a select’s meant for everybody. Whether you have an active participatory role in the mechanics of the compliance technology on a day-to-day basis is irrelevant. As a member of the organization, you MUST be aware if it. You never know when someone—anyone—will pick up a document that qualifies as ‘controlled data.’ “E-mail is a wide open pit of quicksand when it comes to compliance. It’s an openloop system, and you really don’t have any control. The best you can do is bring e-mail from the open loop into a controlled system, such as a document management system, where you have visibility and can apply business rules—who’s touched it? who’s modified it?” There’s no easy answer. But after reading the essays in this White Paper, you’ll definitely begin to formulate your own strategy for getting your “people” to think like “a person.” ❚
Andy Moore is a 25-year publishing professional,editor and writer who concentrates on business process improvement through document and content management.As a publication editor,Moore most recently was editor-in-chief and co-publisher of KMWorld Magazine. He is now publisher of KMWorld Magazine and its related online publications. As Editorial Director for the Specialty Publishing Group,Moore acts as chair for the“KMWorld Best Practices White Papers”and the“EContent Leadership” series,overseeing editorial content,conducting market research and writing the opening essays for each of the white papers in the series. Moore has been fortunate enough to cover emerging areas of applied technology for much of his career,ranging from telecom and networking through to information management.In this role,he has been pleased to witness first-hand the decade’s most significant business and organizational revolution:the drive to leverage organizational knowledge assets (documents, records, information and object repositories) to improve performance and improve lives. Moore is based in Camden, Maine, and can be reached at

Supplement to KMWorld September 2004


For more information on the companies who contributed to this white paper, visit their Web sites or contact them directly:

AXS-One 301 Route 17 North Rutherford NJ 07070 PH: 800.828.7660 or 201.935.3400 FAX: 201.935.1443 E-mail: Web:

Hummingbird Ltd. 1 Sparks Avenue Toronto ON M2H 2W1 PH: 877.FLY.HUMM or 416.496.2200 FAX: 416.496.2207 E-mail: Web:

Mobius Management Systems, Inc. 120 Old Post Road Rye NY 10580 PH : 800.235.4471 or 914.921.7200 FAX: 914.921.1360 E-mail: Web:

IBM Corporation Web: EMC Corporation Documentum Office 6801 Koll Center Parkway Pleasanton CA 94566 PH: 925.600.6800 FAX: 925.600.6850 E-mail: Web:

Smead Software 600 Smead Boulevard Hastings MN 55033 JPMorgan Chase Bank 2 Chase Manhattan Plaza, 14th floor New York NY 10081 PH: 866-2-ivault (866-248-2858) Web: PH : 800.216.3832 or 651.437.4111 FAX: 800.216.3837 E-mail: Web:

Exact Software North America 300 Brickstone Square Andover MA 01810 PH: 978.474.4900 FAX: 978.474.9317 E-mail: Web:

Legato EMC Software Group 2350 West El Camino Real Mountain View CA 94040 PH: 888.853.4286 FAX: 650.210.7032 E-mail: Web:

Stellent, Inc. 7777 Golden Triangle Drive Eden Prairie MN 55344 PH: 800.989.8774 or 952.903.2000 FAX: 952.829.5424 Web:

Fujitsu Consulting 333 Thornall Street Edison NJ 08837 PH: 800.882.3212 or 732.549.4100 FAX: 732.549.2375 E-mail: Web:

MDY Advanced Technologies, Inc. 21-00 Route 208 South Fair Lawn NJ 07410 PH 888.639.6200 or 201.797.6676 FAX: 201.797.6852 E-mail: Web:

TOWER Software Two Discovery Square, Suite 510, 12012 Sunset Hills Road Reston VA 20190 PH: 800. 255.9914 or 703.476.4203 FAX: 703.437.9006 E-mail: Web:

Produced by: KMWorld Magazine Specialty Publishing Group
Kathryn Rogals 207-338-9870 Paul Rosenlund 207-338-9870 Andy Moore 207-236-0331

For information on participating in the next white paper in the “Best Practices” series. contact: or • 207.338.9870…...

Similar Documents

Premium Essay

Trusted Computing: Real Security for Today’s Advanced Threats you how, in minutes, to set up a self-encrypting drive and use your Common Access Card for drive-level authentication. Further, you will see how Wave’s user recovery, Windows synchronization, single-sign-on and reporting make a Wave-managed SED solution the best option for protecting data-at-rest. Mobile Security: Device Authentication and Health The traditional means of unlocking a self-encrypting drive (SED) on a laptop is via username/password or an alternate credential (token, smartcard, etc.). Wave has partnered with Trusted Logic to replace these traditional methods with a mobile device that serves as hardware-based authentication. The device then retrieves credentials from the Wave Cloud with no user interaction. Basing credentials in hardware provides stronger authentication that is highly resistant to tampering, as well as the ability to check the health of the device before it is allowed to connect. The mobile device, sitting between the laptop and the Wave Cloud, retrieves credentials from the Wave Cloud and forwards them to the laptop via a Bluetooth connection. If either the identity or integrity verification of the mobile device fails, the Wave Service will refuse to complete the challenge-response protocol and the user will not gain access to the SED. Additionally, because the Bluetooth connection is a proximity connection, the user will lock the SED simply by walking away rather than having to log out. This demonstration will show you how to......

Words: 427 - Pages: 2

Premium Essay

Directions for Web and E-Commerce Application Security

...the notion of credential[17]. A credential is a set of properties concerning a user that are relevant for security purposes (for example, age, position within an organization, projects a user is working on). The use of credentials allows the security officer to directly express relevant security policies in terms that are closer to the organizational structure. For instance, by using credentials, one can simply formulate policies such as “Only permanent staff can access documents related to the internals of the system”. We believe that the XML language [18] can play a key role in access control for ecommerce applications. The reason is that XML is becoming the common representation language for document interchange over the web, and it is also becoming the language for ecommerce. Thus, on the one hand there is the need of making XML representations secure, by providing access control mechanisms specifically tailored to the protection of XML documents. On the other hand, access control information (that is, access control policies and user credentials) can be expressed using XML itself. The Directory Service Markup Language [19] provides a foundation for this: A standard for communicating with the directory services that will be responsible for providing/authenticating user credentials. This uniform representation of both protection objects and access control information has several benefits. First, access control policies can be applied to policies and credentials......

Words: 3283 - Pages: 14

Premium Essay


...rights reserved. Page 7 Steps of Access Control Process Access control requires: Identification Id tifi ti Access control process: Subject: presents credentials to the system Authentication: Authentication system verifies and validates that the credentials are authentic d i l h i Authorization A th i ti Authorization: grants A th i ti permission to allowed resources IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. Page 8 Authentication Elements Authentication elements can be any of the following or a combination of the following elements: Something you know: password/passphrase, PIN number PIN - 9723 PASSWORD Drmb9^wX Something you are: biometrics, retina, fingerprint, facial Something you have: tokens, dongles, device IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. Page 9 User IAA Process 1 2 3 2.2 22 2.3 Identification— 1 Id tifi ti User presents credentials: Account Name & Password (Passphrase, Tokens, and Biometrics) Authentication server 2 A th ti ti Operating System: 1. Receives and compares credentials with authorized credentials 2. If matched correctly, y, access granted otherwise denial notice sent to user Authorization— 3 A th i ti Mainframe application server or database: 1. 1 Recognizes authorized credentials 2. Facilitates requests of authorized resources 3. Denies access to unauthorized resources IS3230 Access Security © ITT Educational Services, Inc.......

Words: 836 - Pages: 4

Premium Essay

Health Technician

...providers to better manage patient care. Working in health information technology is a great way to enter the workforce in the growing healthcare industry. A health information technician is a unique job because it doesn’t require direct patient care. They collect, organize, and analyze data used in healthcare. In hospitals, doctor’s offices, clinics, and insurance companies, they ensure the accuracy and security of medical records. The purpose of this research is to identify the requirements for a Health Information Technician in the United States. Secondary research includes a review on numerous job related websites, library research, and textbooks. The research contains the following parts: Education, Licensing and/or Certifications, Credentials, Salary Range, Job Opportunities, and Job Growth. Primary research focuses on questionnaires and surveys about this specific topic. The limitations of research were due to time management and a lack of face-to-face interviews. Education The type of Health Information Technician degree or certification depends on the desired career path pursued by the individual. A high school diploma is necessary for admission to a college level program in this field. Some individuals already working in the healthcare industry can pursue a six month certificate program. Most people in health information technology complete a two year course from an accredited organization through a community college or an online learning program. Many......

Words: 809 - Pages: 4

Premium Essay

Cissp Cpe-Guidelines

.................................................................................... 4 Concentrations ....................................................................................................................................................................... 5 Multiple Credentials ............................................................................................................................................................... 5 Rollover CPE ........................................................................................................................................................................... 5 Failure to Meet Requirements ............................................................................................................................................... 6 CPE Activities .......................................................................................................................................................................... 7 Group A and Group B CPE Credits .......................................................................................................................................... 7 Group A and Group B Credits Shown by Credential .............................................................................................................. 7 Calculating CPE Credits................................................................................................................................................

Words: 6091 - Pages: 25

Premium Essay

Cost Management

...and advanced-level credential appropriate for accountants and financial professionals in business. It is the key to greater career potential. As the author mentioned, there are several characteristics in the CMA credential. That is prestigious, professional, rigorous, empowering and competent. The CMA covers the in-demand skills for accountants and financial professionals in business needed on the job today as a professional and as a leader. Pursuing the CMA certification makes difference for whom want to obtain the combination skills of accounting and finance. For the compensation, the “gold standard” of management accounting credential also makes a difference. Professionals who hold the CMA credential on average earn $34,000 more in annual total compensation than their noncertified peers.* Whether candidates want to enhance the value that brings to the current position, or expand their career potential, the CMA will help them set the standard for professional excellence. IMA, the worldwide association of accountants and financial professionals working in business, empowers accountants and financial professional to drive business performance. IMA is committed to help the members which are more than 70,000 now and to expand their professional skills, better manage their organization and enhance their career. There are four features of IMA benefits the career story. First of all, IMA would strengthen professional skills through the highly respected CMA credential and best......

Words: 849 - Pages: 4

Free Essay

Equal Economic Opportunity of Canadian Immigrants

...government does not accept or recognize foreign education credentials from many countries. Second, because these immigrants often come from countries with different labour markets, the Canadian government does accept their foreign work experience, or does not understand how their work experience in their home country will transfer into the Canadian marketplace. These two issues devalue immigrants’ workplace value, landing them jobs in low-paying, entry-level positions. Finally, many immigrants are discriminated against by employers. As explained in conflict theory, specifically dual labour market theory, some employers take the view that immigrants should be placed in the secondary market, so as not to overtake the power of the dominant group. Discrimination is also made on linguistic ability. As a result of this economic inequality, immigrants struggle to live above the poverty line, are forced to live in unfavourable neighbourhoods or live in homes with multiple generation of family, and run the risk of being a drain on the Canadian economy, instead of boosting it. Foreign Education Credentials One of the largest barriers to economic equality of Canadian immigrants is that the government and professional organizations do not recognize or transfer their foreign credentials, because they are not viewed as equivalent to the education received in Canada (Government of Canada, 2012). Without the appropriate education credentials, immigrants are forced to take......

Words: 2641 - Pages: 11

Free Essay

The College Bubble

...In Megan McArdle’s article, “The College Bubble,” McArdle thoroughly argues that the government, and parents should be rethinking about how we invest in higher education. She focuses on the fact that 18-year olds often don’t look quite so hard at the education that they are getting. She writes, “For many students, college is less about providing an education than a credential.” For some people, a certificate testifying that they are smart is all they need. She also talks about how many students take the easy way out and cheat. Since the credential matters more to them than the education, “they look for ways to get the credential as painlessly as possible.” These students do not care and must have no motivation or passion. Once these uninterested students get their credentials, they don’t add meaning to their major in the real world. Many people also wonder where all the money that they pay is going. McArdle discusses how in addition to paying the faculty a majority of the tuition goes into amenities which include high speed Internet, well-upholstered classrooms, world-class fitness facilities and this is all in order to stay competitive with other colleges around the world. This article did a really good job arguing both sides of the issue of why we spend so much on college and is it really worth it. McArdle used many quotes from very knowledgeable people and also used statsitics to try to get her point across in the article. In the article, she quotes James Heckman, the......

Words: 318 - Pages: 2

Free Essay

Declaration of Independence program is intended to help boost standards in our state while at the same time providing individuals an incentive to achieve a first-time credential in the field of early care and education. We also encourage FIRST recipients to enhance and continue their journey in professional development with the Department’s SCHOLARSHIPS & INCENTIVES programs.” --Holly A. Robinson, Commissioner The FIRST program is Georgia’s First-time Incentive to Raise Standards for Teachers. The FIRST incentive is for an individual who attains his or her first valid early care and education or school-age care credential from an eligible institution. Eligible credentials are the Child Development Associate (CDA) credential, the Technical Certificate of Credit (TCC), the Technical College Diploma (TCD), and the Associate Degree if earned between September 1, 2009 and February 28, 2011. Deadline extended to 7/1/2011 To Pre-Qualify for F I R S T ✓ ❑ program of study leading to your first early childhood education (ECE) credential or degree. Those qualifying are: • Child Development Associate (CDA) issued by the Council for Professional Recognition, or • Technical Certificate of Credit (TCC), or • Technical College Diploma (TCD) or You must be pursuing an early childhood education ✓ ❑ September 1, 2009 and February 28, 2011. You must attain your credential/degree between • Associate Degree in Early Childhood Education (containing a minimum of 39 quarter hours or 30 semester hours in ECE......

Words: 1602 - Pages: 7

Premium Essay

Is3220 Unit 2 Assignment 1: Selecting Security Countermeasures

...needing an open port can be or become vulnerable to the system or network. 2. Setting up a secure wireless access is the same as the workstations connected via wired to a domain, therefore the wireless network needs to be secure with credentials. The benefit is that users can use wireless devices while having a secure and mobile wireless access. Limitation of a secure wireless access is that it can become vulnerable from unsecure devices or location due to wireless access being everywhere. 3. Enforcing proper user training will ensure that users read and follow the policies in-place of the company. The majority of the users will just sign the AUP and the employers assume they have read the policies in-place, when in reality they did not. The benefit of having proper training will inform users what they have to do and what will happen if the policy is not followed. Limitation of proper user training, is that most users will probably not care or forget about it. 4. Using credentials will provide an extra layer of security and limit what users can access based on their credentials. The benefit of having credentials can provide more specific loggings based on that user and limit certain access to servers or workstations. Limitation of credentials are users can face lockouts and limited access. 5. Having encrypted data and network devices can help limit or prevent access from a breach in the system or network. Also, it can limit what users can access including data or......

Words: 436 - Pages: 2

Premium Essay

It/ 244 Week 7 Appendix F

...Axia College Material Appendix F Access Control Policy Student Name: Chris Davis Axia College IT/244 Intro to IT Security Instructor’s Name: Bryan Berg Date: November 13, 2011 Access Control Policy Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems Authentication Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on. An authentication process establishes the identity of some entity under scrutiny. On the Internet, authentication is somewhat more complex. Network entities do not typically have physical access to the parties they are authenticating. Malicious users or programs may attempt to obtain sensitive information, disrupt service, or forge data by impersonating valid entities. Distinguishing these malicious parties from valid entities is the role of authentication, and is a vital role in network security. Access control strategy Discretionary access control Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is that has the responsibility for the information and has the discretion to dictate access to that information.  Discretionary......

Words: 665 - Pages: 3

Premium Essay

Project Management

...Program and Portfolio Management) – Nearly 3Million PMBOK® Guide in circulation • Credentials – 6 major credentials, widely recognized • Professional and Market Research • University Accreditation 42 Gap in Skills What are the real skills needed by employers? Is there a real or perceived gap? 43 What Skills are Needed? “Even with colleges churning out larger numbers of graduates, many of them will not have the skills that employers most demand: •Ability to communicate effectively •Think critically •Solve problems and execute solutions •Solid work ethic •Creativity with specific technical knowledge” 44 44 Skills Gap Research Over the past five years which of the following has been the most important management skill at your company? 600 senior executives worldwide 45 45 Availability of skilled project managers has the largest influence on delivery of projects • The industry is facing a huge shortage of project managers who have the largest influence on project delivery • The prevailing people-dependent culture is expected to be succeeded by welldefined project management systems and processes 99 percent respondents feel that strong forecasting and planning for resources is an effective measure to address shortages 46 Top Reasons for Earning a PMI Credential • When you earn a PMI credential, you show peers, supervisors and clients your commitment to the profession, • PMI credentials recognize your knowledge, skills and abilities. • PMI serves as an......

Words: 2554 - Pages: 11

Free Essay

Sfa - Slice Based Facility

... • Credentials: a credentials allow user to give more specification in a slice The interface is the main function in the SFA and we have three different term: • Registry Interface: Has six operations. Those are uses to pass the message from different actors with return of credential. Register (Credential, Record) Remove(Credential, Record) Update(Credential, Record) Record = Resolve(Credential, HRN, Type) Record[ ] = List(Credential, HRN, Type) Credential = GetCredential(Credential, HRN, Type) • Slice Interface: After the slice register, every user will have right to use the operation on components to instantiate and provision the slice > Instantiating a Slice: four operations: we can create and delete a slice of ticket. GetTicket(Credential, RSpec) RedeemTicket(Ticket) ReleaseTicket(Ticket) CreateSlice(Credential, RSpec) > Provisioning a Slice: we can split ticket without being encapsulated in a ticket and update a slice. NewTicket = SplitTicket(Ticket, GID, RSpec) LoanResources(Credential, GID, RSpec) UpdateSlice(Credential, RSpec) • Controlling a Slice (four control operations): all four operations are with the credential as...

Words: 1349 - Pages: 6

Premium Essay


...offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems: * Read-only AD DS database * Unidirectional replication * Credential caching * Administrator role separation * Read-only Domain Name System (DNS) Read-only AD DS database Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC. Local applications that request Read access to the directory can obtain access. Lightweight Directory Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site. RODC filtered attribute set Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised. For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set....

Words: 5692 - Pages: 23

Premium Essay


...example; include a proper MLA citation, as well as who said/provided evidence and what their credentials are).  1b. Follow quote/statistic with an explanation as to how that evidence SUPPORTS the assertion you made in the topic sentence.   2a. Include a specific piece of evidence (1-2 sentences; should directly support your example; include a proper MLA citation, as well as who said/provided evidence and what their credentials are).  2b. Follow quote/statistic with an explanation as to how that evidence SUPPORTS the assertion you made in the topic sentence.    C. Concluding sentence that restates, in different words, the assertion made in the topic sentence: III. Body Paragraph #2 A. Assertion #2 (without using “I think”)  B.  Introduce specific example to support assertion #2 (write in own words)  1a. Include a specific piece of evidence (1-2 sentences; should directly support your example; include a proper MLA citation, as well as who said/provided evidence and what their credentials are).  1b. Follow quote/statistic with an explanation as to how that evidence SUPPORTS the assertion you made in the topic sentence.   2a. Include a specific piece of evidence (1-2 sentences; should directly support your example; include a proper MLA citation, as well as who said/provided evidence and what their credentials are).  2b. Follow quote/statistic with an explanation as to how......

Words: 540 - Pages: 3