Regulatory compliance should be a significant concern to most organizations. Enterprise Content Management (ECM) and Document Management (DM) systems have been around for years, and they were developed to help organizations manage documents through their entire lifecycle—creation, revision, distribution, storage, and retrieval. These tools carry a heavier weight on their shoulders these days, however, as customers leverage the technology to meet the increasing demands of regulatory compliance. The key is to adopt a system that will ensure information is tightly managed and secure, while providing increased flexibility in terms of how people can access, share, and utilize that information.
Companies often find that their existing systems are inadequate to address the stringent regulations they must adhere to. In addition, few have a strategy to deal with the complexities of compliance when it comes to electronic documents. In other instances, organizations focus only on paper and overlook the need to integrate multimedia documents.
Traditionally, Records Management has focused solely on physical documents—paper, microfilm, or tape. As business migrates to a digital platform, regulatory mandates present more acute challenges. High volumes of records, coupled with diverse formats from mixed sources, make implementing ECM strategies a daunting and uncertain undertaking.
The rising risk of litigation or penalty provides reason for organizations to overcome the challenges of ECM. And, especially when you consider the tragic natural disasters in recent months, increased protection of and access to vital documents and information becomes imperative for business continuity and recovery.
Regulations and Mandates
Managing vital and sensitive corporate information has always been a cumbersome and complex process, but now, companies must be constantly prepared for government audits aimed to prove or disprove their adherence with regulations. Below are a few important statutes to consider on the road to compliance.
Sarbanes-Oxley Act (SOX) focuses on financial records by examining corporate reporting practices and auditor policies. How companies retain financial reports, as well as the integrity of the procedures related to the process, are scrutinized.
Health Insurance Portability and Accountability Act (HIPAA) imposes standards on the healthcare industry for electronic documents and transactions. The security and privacy of patient information is paramount. HIPAA mandates compliance for providers such as doctors, hospitals, and clinics; payors such as insurance companies, HMOs, and health plans; as well as organizations that do business with providers and payors.
The USA Patriot Act requires that banking and financial institutions implement procedures to verify the identity of anyone seeking to open an account. Banks must maintain records of the information used to verify a person’s identity. The Patriot Act also affects other organizations that conduct customer screening such as car dealerships, travel agencies, real estate firms, and jewelers.
The Gramm-Leach-Bliley Act requires that all financial institutions ensure the security and confidentiality of customer records. Firms must protect personal information from anticipated threats and unauthorized access.
Securities and Exchange Commission (SEC) Rule 17a-4 describes mandates for financial brokers and dealers regarding the retention, storage, and retrieval of electronic records, particularly email and instant messages. Information must be stored in a non-rewritable, non-erasable (immutable) format and retained for at least three years.
The Government Paperwork Elimination Act (GPEA) provides for the option of electronic information as a substitute for paper. This requires federal agencies to provide electronic submission forms and to utilize electronic signatures.
FDA Title 21 CFR Part 11 sets the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records in industries regulated by the FDA—food, drugs, cosmetics—including the records that document conditions and events within the manufacturing process.
The Bank Secrecy Act (BSA) requires that financial institutions maintain a record of personal transactions that "have a high degree of usefulness in criminal, tax and regulatory investigations." Institutions are required to report any suspicious transactions to the U.S. Treasury Department.
The U.S. Department of Defense Directive 5015.2—DoD Records Management Program—defines mandatory requirements for records management and ensures records are stored according to government standards. This directive applies to the Office of the Secretary of Defense, the Military Departments, the Joint Chiefs of Staff, and all other organizational entities of the Department of Defense. It requires that these groups create, maintain, and preserve information as records, in any medium, that document the transaction of business and mission in wartime and peacetime.
Three Looming Clouds
While it may seem overwhelming, in general, regulations fall into three categories: Privacy, Governance, and National Security. Privacy regulations, like HIPAA, govern how organizations gather, use, and retain private information. Governance regulations, like SOX, require organizations to maintain standards in record keeping that represent good corporate governance. The USA Patriot Act and other National Security regulations control how organizations track and report suspicious activities.
Surviving the Statutes
"Keep in mind that there are more than 10,000 federal, state, and industry-specific regulations active in the U.S. today," says Charles Brett, managing principal, Xerox Global Services. "While some newer regulations have taken a lot of the recent spotlight, these regulations are but additions to ever-changing records management and compliance regulations." According to Brett, the severity of potential fines and penalties should prompt organizations to regard a compliance audit very seriously. "When it comes to managing documents and data, governing bodies and auditors are looking for accuracy and integrity as demonstrated by chains of custody," says Brett. "The ability to preserve that chain for evidence, coupled with reasonably fast and easy retrieval, is paramount to surviving an audit."
In September, Xerox announced that its DocuShare Records Manager software had been certified as compliant under the DoD Records Management Program 5015.2. Gartner research estimates that by 2008, 60 percent of Global 2000 companies will implement enterprise-wide records management systems, such as DocuShare, up from 20 percent in 2004.
Simply keeping up with the ever-increasing compliance requirements itself is a challenge, but experts advise vigilance. "Ignorance is not an excuse," says Matt Winstanley, senior sales manager, TOWER Software. "It is important to evaluate the specific compliance requirements for your particular organization. Often, this is best facilitated with a professional risk assessment that evaluates your potential gross negligence risk as well as the risks of noncompliance."
According to Theresa O’Neil, a director of marketing at IBM Corporation, organizations must show integrity and trustworthiness in all aspects of their business operation in order to successfully demonstrate regulatory compliance. "A business must be able to verify that it has operated within the guidelines and with integrity," says O’Neil. "This means that organizations must have the necessary infrastructure in place to retain their business information and records in a trustworthy system for as long as required." O’Neil emphasizes that while retaining information is key, knowing when to remove it is important as well. "Both deleting information prematurely and retaining information for longer than is required can lead to problems."
Improving the Process
In order to ensure this type of management integrity, many organizations are looking for ECM automation features they can trust. "Often, companies must conform to different requirements by state," says Garth Landers, director of content management strategies, Mobius Management Systems, Inc. "Data must be 100 percent accurate and its validation must be automated to reduce dependence on labor-intensive, error-prone manual processes."
In most cases, implementing an ECM compliance solution will require significant changes to your current records management and retention processes. "Companies must often rework their data infrastructures and their financial reporting, and examine their overall risk-management practices," says O’Neil. "Executives often view this as a daunting task, but in the long run it positions your company to go far beyond mere compliance—it positions you to significantly improve your overall business operations."
Maintaining compliance and improving business processes requires a balance between the free flow of information and the need to comply with strict requirements and mandates. "The technology must facilitate communication and improve customer service while also maintaining the necessary controls," says Martin Brauns, chairman and CEO, Interwoven, Inc. Brauns sums it up with these essential questions: "How well does the system map into your business processes; how well will it improve how users organize and share information; and finally, how tightly does the solution integrate with the tools that users already use to get their work done?"
Planning for Compliance
The good news is that a variety of ECM systems and services are readily available. The technology and the market have matured, and pricing has dropped. Now may be the best opportunity to leverage those developments, especially for organizations that previously could not afford the enterprise-sized price tag of early solutions. "Compliance doesn't just apply to Fortune 100 companies," says Carl Azar, VP of marketing, ColumbiaSoft Corporation.
Whatever the size of your company, realizing the promise of ECM compliance technology requires thoughtful preparation and planning, and a broad approach that includes active participation from key stakeholders. "Successful compliance strategies require the consideration of all aspects of business culture, process, and technology," says Brett. "While the technology is essential, it accounts for only about one-third of what is required to implement and maintain an effective program. It is important that the system support the way people conduct business and serve customers—not the other way around."
Azar agrees, stressing that unlike legal discovery, which is typically both rare and focused, regulatory compliance is ongoing and relatively broad. "It is important that any ECM system integrate intuitively within normal business processes," says Azar. "If it isn’t easy and intuitive to use, every policy and procedure in the world won’t convince your workers to comply with your compliance process."
Documents, Data, and Formats
The ability to effectively manage heterogeneous content types (electronic documents, scans, email, Web content, and rich media) is another important attribute of any ECM compliance solution. "You need to capture all types of relevant information and documents," says Azar. "Something like 80 percent of all business information resides in unstructured documents. You must be able to manage every type of document with equal facility."
The ability to integrate content of different types from different sources, across multiple, distributed platforms and disparate repositories is not only vital for compliance, but paves the way for process improvement as well. "Organizations must strive to build a database-independent repository capable of capturing content from any source," says Landers. "Most companies have multiple content repositories. When end-users make multiple requests for content—such as a request for a check, for example—the system should enable the retrieval of the statement as well as the related correspondence regardless of where the content resides."
Eric Stevens, director of research and strategy, Hummingbird, Ltd., advises organizations to avoid single-purpose, point-oriented solutions. "Expect that the regulations will change over time and that new legislation will be introduced," says Stevens. "This constantly-changing regulatory environment requires that all types of organizations have an infrastructure in place that will allow them to change and adapt on an ongoing basis."
According to Stevens, the internal process changes that are required to achieve compliance are the most important factors ECM users should consider. "Organizations can gain the maximum benefit from ECM compliance tools by first ensuring that the processes and activities performed within the organization effectively address the regulations," says Stevens. "Then use that basis to select the best tools to support those processes."
Failure to Comply
For some, the time and expense associated with choosing a management system, getting employees to adopt the process, and keeping up to date with regulations is simply too overwhelming. These are the same organizations that may find themselves caught up in mountains of paperwork, fines, and litigation.
FileNet Corporation hosted a free series of mock trials to help stress the importance of regulatory compliance and map out what can happen if a company chooses not to comply. The mock legal proceedings, which ran in Chicago, New York, and Washington D.C., simulated an actual trial involving a company whose records and email management are under scrutiny. Expert attorneys conducted the mock trial with no scripts, and attendees were the jury. Real-time court rulings were based on a line of case law and a set of statutes and regulations.
FileNet’s Records Manager version 3.5, released in September, is designed to combine content, process, and connectivity to automate and streamline all records-based activities, eliminate unnecessary end user participation, enforce compliance, and create a return on investment. Its innovative FileNet ZeroClick solution is designed to enforce records management policies at the technology layer, eliminating user-related error, time, and costs.
The Promise of ECM
Beyond the issues of regulatory compliance, the right set of ECM technology allows organizations to automate and manage a wide range of content-centric business processes and activities. This can result in considerable cost savings and efficiencies. "Properly implemented, ECM and DM technology can form the backbone of ongoing cost saving and productivity initiatives," says Azar. "If you choose a flexible and extensible system, it should be able to grow with you and provide a variety of benefits across all business processes."
Leveraging the information within your enterprise, sharing it more dynamically, and bringing it to bear on strategic development are all aspects of ECM technology that can streamline your operations. If your company faces the challenges of regulatory compliance, however, that may be all the reason you need to explore how ECM tools can make a difference.