Content and records management has become increasingly crucial to organizations due to the multitude of data-related risks that exist in today’s environment. These risks originate from compliance initiatives, corporate governance mandates, operational and financial reporting requirements, and litigation and regulatory concerns. Further compounding these risks is rising data proliferation, estimated to reach 28 megabytes of new content per e-mail user every day.
In addition, organizations are facing a number of highimpact industry requirements, ranging from Payment Card Industry standards and more than 40 different state data breach laws to the Federal Rules of Civil Procedure governing electronic discovery (e-discovery). Given these demands, more organizations are being compelled to examine – and often defend – how they manage content from creation through destruction.
Challenges and Opportunities
In light of these requirements, it is surprising that relatively few organizations have adopted a comprehensive plan to address content and records management across the enterprise. One reason undoubtedly is due to the scope and complexity of such initiatives. Enterprisewide efforts of this kind require a thoughtful alignment of organizational strategy, performance goals, existing processes and organizational structure, risk management, and technology infrastructure. More often than not, companies that have been unsuccessful in their attempts to address content and record management enterprisewide have failed to integrate a risk-based approach with the requisite organizational, procedural and technological skills.
Adopting an integrated approach to content and records management enables organizations to tailor a solution that is engineered to their specific needs. It also ensures that no aspect of the solution – from people to process to technology – is over-engineered in any significant way. This allows the organization to maximize its investments to address datarelated risks in a manner that is proportional to those risks.
Additionally, by unifying an approach based upon risk criteria, an organization has a unique opportunity to examine its content across many different disciplines. The benefit of this multidisciplinary perspective is that organizations can identify new threats and new leverage points in areas that traditionally have been siloed and isolated from such scrutiny. This leads to a more informed and streamlined use of records and content across the enterprise, resulting in increased efficiencies and greater ease of satisfying compliance burdens.
Finally, a unified, risk-based approach enables companies to articulate and defend their policies and practices related to content management. The risks attendant to data breaches, accidental disclosures and mishandling of sensitive information can cost organizations dearly in terms of fines, sanctions and reputation damage. Through the identification of the organization’s actual practice and an examination of how well this practice aligns with documented policy and whether adjustments need to be made, a company is in a far better position to manage such exposures.
Our Point of View
Using ad hoc methods and technologies to manage records and content is no longer sufficient to mitigate the data-related risks prevalent in today’s environment. Organizations must integrate current-state methods and technologies with a risk-based approach that provides them with real insights into protocols for the creation, handling, retention and destruction of data. Likewise, they must understand and classify the nature, content and risks of the data now in their possession. Finally, they must educate the custodians of this data and establish compliance monitoring to ensure that newly deployed systems and practices remain aligned with newly established protocols.
Organizations successful in these endeavors will achieve the four cornerstones of a sustainable records management program:
- Compliance with internal policies and applicable legal and regulatory requirements
- Operational efficiencies via minimized disruptions to business operations and enhanced practices for team members to create, use and dispose of data
- Savings via practical solutions that reduce storage and retrieval costs, and costs to respond to investigations, litigation or regulatory requests
- Routine operations via defensible processes that allow organizations to sustain consistent practices and defend these practices when necessary
How We Help Companies Succeed
Protiviti’s Enterprise Information Management practice is dedicated to solutions related to the entire data management lifecycle, from creation through destruction. We help organizations understand, manage and monitor their datarelated risks across the enterprise and implement solutions tailored to high-risk areas that merit the most attention and provide the largest benefit to the organization.
Our professionals understand the impacts of the legal and regulatory environment on your data, and we have a thorough knowledge of the systems and protocols proven to work on a long-term basis. We also have deep industry knowledge and understand that a risk-based approach is the ideal mechanism to tailor solutions unique to each organization. We can help any organization understand, manage and monitor its records- and content-related risks, regardless of its current environment.
A large credit reporting agency wanted to increase visibility into its records management practices and e-discovery preparedness. Despite the fact that the company was subject to frequent regulatory compliance audits, it managed much of its data in ad hoc repositories with few mechanisms in place for identifying which systems and ownership applied to these repositories. This left the organization vulnerable to regulatory inquiries and litigation involving the identification and production of large volumes of data.
Protiviti’s EIM team worked with management to classify content and records, identify functional and system owners, and identify large volumes of data being retained for no business or legal purpose. By the end of the engagement, the client was able to adjust policy, process and technology to manage these risks more efficiently and cost-effectively, making it more responsive to regulatory requests and more prepared for litigation and investigation.