Users receive a compliance wake-up call

Compliance Series, Part 1

By Heidi Biggar

A joint study recently conducted by AIIM, the Enterprise Content Management (ECM) Association, and Kahn Consulting concludes that while organizations are making headway when it comes to information management and compliance, for the most part they are not doing enough.

"For a lot of organizations, there is still a credibility gap between good intent and what they are specifically doing about the [information management crisis]," according to John Mancini, president of AIIM. "Many organizations fall way, way short," he says.

Of the 401 end users who completed the online survey, 80% said that they had already made changes, or were actively considering making changes, to the way in which they handle information assets.

Further, when asked why they had made changes to the way they manage records and information over the past 18 months, or will make changes in the next 18 months, Sarbanes-Oxley was the most-cited reason (see figure).

Rounding out the top five responses were: issues discovered through internal auditing (37%), the Health Information Portability and Accountability Act, or HIPAA (26%), regulatory action or penalty (16%), and the inability to find or access information needed for a lawsuit, audit, or investigation (16%).

Also on the list were lawsuit or court action, Electronic Signatures in Global and National Commerce Act (E-SIGN), SEC 17a-4 (CFR 240.17a-4), security breach, FDA Part 11 (21 CFR Part 11), Gramm-Leach-Bliley Act, theft of information, California Data Protection Act (1386), privacy failure, EU Data Protection Directive (Directive 95/46/EC), and destruction of information needed for a lawsuit, audit, or investigation.

The problem is that "organizations have gotten themselves into trouble with bad information management," says Mancini. "The nature of business documentation has been turned on its head, and you can't solve that overnight."

Organizations are being continually asked to manage more data (structured and unstructured); make the transition from paper to digital/electronic media, if they haven't already; and comply with an increasing number of local, state, and federal regulations, according to Mancini.

Mancini says that while organizations may be tempted to think of information management as a Sarbanes-Oxley or HIPAA problem, they should really think of it in broader terms as "part of a long-term trend toward defining what transparency and accountability mean in an electronic era."

In other words, organizations need to take a corporate-wide view of information management, and not just define policies and procedures based on the requirements of a particular regulation or, in the case of storage, throw capacity and/or systems at the management/compliance problem.

One way to do that, according to Mancini, is to adopt an information management compliance framework (which addresses both compliance and information management), such as the one presented in the book Information Nation: Seven Keys to Information Management Compliance (AIIM International, March 2004).

Keys to building framework

According to the book's authors, there are seven "keys" to building this type of framework: establishing good policies and procedures, getting executive-level program responsibility, properly delegating program roles and components, disseminating information and training people, auditing and monitoring the program to measure compliance, enforcing the program, and continually improving the program (see sidebar, below).

To see how far along the adoption curve organizations were with implementing this type of broad strategy, AIIM, ECM, and Kahn Consulting put together a survey based on these seven principles.

How did organizations fare? Overall, Mancini says that the survey results suggest that "organizations are beginning to understand the stakes involved in information management." He attributes this awakening to both external (e.g., legal and regulatory compliance) and internal factors (e.g., process standardization and cost reduction).

The survey also revealed that organizations that have implemented advanced ECM systems are more likely to have the full support of upper management for an information management compliance strategy.

In addition, the survey revealed widespread problems at the delegation level. According to the survey, less than 31% of respondents have "the core building blocks [i.e., people, policies, and procedures] in place for electronic records than traditional records."

The problem here is that the principal responsibility for these types of records has shifted to the IT department in most organizations, but most IT departments don't have an appreciation for information management from a legal or regulatory standpoint, according to Mancini.

"Asking people to deal with the e-mail deluge by having them start deleting e-mails when their in-box hits a certain threshold isn't [an effective information management] strategy," says Mancini.

Instead, organizations need to spend time and resources cross-training staff and disseminating information and policies among departments, in particular, records management and IT.

In fact, more than 60% of the survey respondents said that their organizations did not regularly train employees on records and information management issues. And those who did report some training said that it generally involved records and information managers, not general employees and IT staff.

Once again, the survey showed that organizations with ECM strategies in place were more likely (50%) to train staff than those with little or no ECM experience (24.6%).

Over the next few months, InfoStor will examine various other aspects of compliance, including a look at how attitudes about compliance are changing, the tie-in between ECM and compliance, and some of the storage-specific implications of information management compliance.

Keys to IMC

Good policies and procedures: Organizations are beginning to understand the stakes involved in information management. This realization is being driven by both external factors (legal and regulatory compliance) and internal factors (process standardization and cost reduction).

Executive-level program responsibility: There are clear gaps within many organizations in terms of the most basic level of executive responsibility for information management practices.

Auditing and monitoring to measure program compliance: Employees believe that their organizations have good intentions when it comes to records and information management.

Proper delegation of program roles and components: Only a bare majority of participants have the basic elements of proper delegation of electronic records management roles and components in place. This specific area of performance significantly lags behind other areas of information management delegation.

Effective and consistent program enforcement: Although employees give their organizations credit for intentions, performance is sorely lacking.

Program dissemination, communication, and training: Gaps in communication and training threaten to undermine the effectiveness of many information management programs.

Continuous program improvement: Most organizations believe that records management failures will ultimately be uncovered by their organizations, although they believe it is far from a sure thing.

Source: AIIM, ECM Association, Kahn Consulting survey, 2004

This article was originally published on September 01, 2004