An effective and up-to-date set of records management policies may help companies reduce the likelihood of sanctions and other adverse consequences by ensuring records are retained and preserved in accordance with legal requirements, according to Gibbons Director Phillip Duffy; TechLaw Solutions’ Northeast Regional Director Michael Landau; and Inventus LLC Senior Consultant Bryan Melchionda.
The challenges, Duffy notes, include identifying and managing data, determining how long to retain it, and how to implement policies and execute them.
“As a general rule, records should be retained long enough to satisfy the purpose of their creation, and the applicable legal requirements, including those imposed by applicable statutes or regulations” he says. “Of course, there is also a common-law duty to preserve records that are relevant to lawsuits, investigations, audits and other circumstances, which is why every records management policy must contain provisions for institution of a legal hold when necessary.”
“So while it’s not unreasonable to destroy records after a specified period in compliance with a company’s general policy, before destruction begins, one must be certain that a duty to preserve that may require suspension of that routine destruction has not arisen and is not likely to arise,” Duffy adds.
But the regulations may be more constrained for non-profits, thanks to the Sarbanes-Oxley Act of 2002, notes TechLaw’s Landau.
“Certain SOX requirements impose criminal liability on exempt organizations that destroy records with the intent to obstruct a federal investigation,” he says. “Additionally, IRS’ revised Form 990—the annual information return filed by most publicly supported exempt organizations—indicates the agency’s intent to continue to scrutinize corporate governance policies of exempt organizations.”
The challenges aren’t limited to paper-based documents, notes Inventus’ Melchionda.
“Despite the widespread use of electronic filings, the volume of paper records is increasing in about 56 percent of organizations, and it’s decreasing in only 22 percent,” he relates. “Concurrently, electronic records volume is increasing rapidly for 70 percent of companies and it’s not decreasing in any of them.”
Findings like those hint at the potential cost savings, and regulatory compliance that may be utilized by businesses, Melchionda points out.
“We worked with a Fortune 10 financial services company that requested a comprehensive physical records reconciliation project to comply with records retention rules and business process procedures,” Melchionda says. “The client was incurring a high annual carrying cost for records with inventory that was more than 10 years old.”
Completing the metadata record-keeping requirements associated with the non-compliant records meant the client was able to make “confident and defensible retention and destruction decisions” on the records “as well as provide cost savings opportunities,” he adds. “We developed a robust methodology and strategy that provided better planning and estimation of disposition, and created scalable, repeatable record classification methodology while aligning record classification with corporate taxonomy. We’ve had cases where improved record retention and destruction strategies have yielded annual savings of nearly $800,000, while easing the integration of legacy and present records through a manageable, scalable and process driven framework.”
Generally Accepted Recordkeeping Principles, or GARP, have been developed by ARMA International, a non-profit professional association that addresses issues concerning the efficient maintenance, retrieval and preservation of vital records and information, says Duffy.
“The eight GARP principles address accountability, transparency, integrity, protection, compliance, availability, retention and disposition,” he explains. “Being GARP-compliant involves identifying all laws and regulations, developing systematic processes to capture and manage records through their life-cycle, and establishing continuous audit and improvement processes.”
Adherence to GARP Principles can result in ethical decisions by organizations and individuals, he adds, noting that the success of such efforts means they must be embraced by board and C-level officers.
“In our experience, GARP compliance requires the establishment of a statement of purpose to ensure compliance, facilitate retrieval and reduce storage costs,” he says. “You also have to establish the scope of your efforts, including the identification of employees, business units and storage locations.”
Consider the reasonableness of your records management policies and practices, Duffy advises.
“Among other issues, examine their scope, purpose, application and compliance,” he explains. “Do they address preservation and production issues, and do they address the information life cycle, while providing for obligations and measures directed at protecting privacy of information that should be kept confidential, such as medical records or propriety company information?”
As Landau further explained, “over-restrictive IG policies and record retention plans will lead to underground archiving.” Policies need to focus on business continuity needs as well as regulatory compliance. They also need to allow employees to do their jobs effectively and efficiently. “Clearly defensibility and risk mitigation is critical and so is the ability and willingness to comply. It is a delicate balance that has to be managed,” says Landau.
"Overall, retention schedules should be prepared with care," Duffy adds.
“Bear in mind that consistent application of your records policy can demonstrate good faith legal compliance,” he cautioned. “So, when you group records into categories, use terms that all employees understand—and speak with your IT, regulatory/compliance and legal departments so they ‘make sense’ to the employees. If you do so, you’re much more likely to facilitate understanding and implementation.”
The PowerPoint presentation that was used for this panel discussion can be found here.