The Proactive Organization: Managing Information for Compliance

Transcription

1 Doculabs White Paper The Proactive Organization: Managing Information for Compliance As organizations face heightened regulatory oversight, the technology to manage content has become a key part of how an organization approaches its compliance function. Effective management of content has also become increasingly critical for organizations facing litigation, as they seek to manage potentially discoverable information. Today, an estimated 85 to 90 percent of the content created within an organization now exists electronically. Business operations are generating vast volumes of unstructured data ranging from the content created in desktop applications to the web content and digital assets that are created and used in the course of business. Add to this the growing volume of digital communications , as well as the increasing use of instant messaging, PDAs, and voic and it s clear that today s organization has many more sources of information to manage than the organization of even just five years ago. The question for your organization is whether you are taking proactive steps to manage your content and make optimal use of the available technologies not just to improve operational efficiency, but to facilitate both compliance and litigation discovery. In this white paper, Doculabs has compiled the top ten questions our consulting clients are asking us about managing content to address compliance- and litigation discovery-related challenges, together with answers that will help you to begin a compliance initiative in your own organization Doculabs, 200 West Monroe Street, Suite 2050, Chicago, IL 60606, (312) , info@doculabs.com. Reproduction in whole or in part without written permission is prohibited. Doculabs is a registered trademark. All other vendor and product names are assumed to be trade and service marks of their respective companies.

2 2 Doculabs White Paper Overview Some industry statistics on ESI volumes: More than 97 percent of documents are electronic, and most of them will never become paper. North America sends more than 4 trillion s per day. Worldwide, organizations create between 1 and 2 Exabytes of information annually (1 Exabyte = 1 trillion books). (Source: AIIM ARMA) Some statistics on litigation trends: An estimated 90 percent of U.S. companies are involved in litigation. The average company is juggling 37 lawsuits. Larger companies (revenues > $1 billion) are juggling 147 lawsuits. For companies with revenues greater than $100 million, electronic discovery is the greatest concern. For companies with revenues below $100 million, compliance issues are the greatest concern. (Source: Litigation Trends Survey, Fulbright & Jaworski) An estimated 35 percent of all corporate documents contain legally sensitive information. (Source: Cohasset survey, 2005) Compliance has always been a part of the cost of doing business. But that cost has gone up considerably in recent years. Organizations are now subject to increasing oversight under a variety of government and industry regulations with heavy penalties and potentially damaging public exposure if they fail to comply. Compliance requires management of a defined set of documents, ensuring they are retained and can be produced when requested by the applicable regulators. But many of these organizations also face the possibility of litigation, with the obligation to preserve potentially discoverable information much of which is likely to be electronic. In the absence of effective information management, an organization can face exorbitant costs for litigation discovery, given that this potentially discoverable information includes everything from word-processing documents and spreadsheets, to web content, engineering drawings, and digital assets, to , instant messaging, PDA text messages, and voic all of which falls into the category of electronically stored information (ESI). No longer can an organization easily claim that searching for the requested information is an undue burden. With the issuing of amendments to the Federal Rules of Civil Procedure (FRCP) late in 2006, all that ESI is now subject to discovery, so long as the information can be obtained, translated if necessary, by the respondent into reasonably usable form. Factor in the hefty penalties and the risks of public exposure, and the costs of discovery have never been higher. Clearly, how an organization manages its electronically stored information matters now as never before. Technology is part of the answer particularly enterprise content management (ECM) technologies that manage unstructured content and enable appropriate management and retrieval of information. If, as in many organizations, your unstructured content is stored in multiple repositories, across multiple locations, you may be taking steps to consolidate and optimize your existing ECM platforms; you may also be looking into software solutions to address records management and management. But technology is not the whole answer. Meeting today s compliance and litigation discovery challenges also involves process and people: policies and procedures to ensure compliance management; and people, as those policies and procedures related to records and information management are socialized throughout the organization. An effective approach to compliance requires a program that encompasses all three of these components. Doculabs has consulted for many organizations that have sought to get their unstructured content under control. In this white paper, we have compiled the top ten questions our clients are asking us when it comes to compliance- and litigation discovery-related issues, together with answers that will help you take steps toward becoming a proactive organization.

3 The Proactive Organization: Managing Information for Compliance 3 Doculabs Top Ten Questions Key Issues Related to Compliance and Litigation Discovery: Increasing costs: The cost of compliance within organizations is increasing rapidly (including both actual and opportunity costs). Exorbitant litigation discovery costs: The cost of litigation discovery is disproportionately high and rising rapidly in the face of increasing volumes of information. Increasing regulatory oversight: The number of statutory and regulatory requirements is increasing, requiring that organizations expend resources to respond. Uncertainty of settlement risk: There is a high degree of uncertainty in determining the level of the settlement that might be required in any litigation. Underutilized technology: Technology is not being effectively utilized to streamline compliance and litigation discovery efforts. Deficient policies, procedures, and processes: Many organizations fail to develop adequate policies, procedures, and processes and do not socialize those policies, procedures, and processes to ensure efficient compliance management. Poor information management: Unstructured information is poorly managed, thereby compromising the integrity, confidentiality, and accessibility of critical information. Following are the top ten compliance- and litigation discovery-related questions that organizations are asking Doculabs: 1. How does enterprise information management impact compliance and litigation discovery? 2. How should the new Federal Rules of Civil Procedure affect the way our organization manages information? 3. What s involved in doing a repository inventory? 4. What are the pockets of electronically stored information that we may not have thought of? 5. We re deploying an management tool. Will that cover the issue? 6. Where does records management fit into the compliance and litigation discovery picture? 7. How does enterprise content management technology serve as the foundation for compliance and litigation discovery initiatives? 8. Why do we need a program to address compliance and litigation discovery issues? 9. What does it take to develop and implement a compliance program? 10. What kind of governance structure will we need to support and maintain our compliance program?

4 4 Doculabs White Paper 1. How does enterprise information management impact compliance and litigation discovery? What are the major cost components of e-discovery? Information identification and collection Processing, review, and analysis of the collected information Production and presentation Hardware and software costs Third-party counsel and discovery vendor services Organizational impact of unfavorable rulings Discussion According to industry research conducted by the Tower Group, businesses worldwide now create more than 7.5 billion Microsoft Office documents each year. Chances are, many of those documents are going largely unmanaged, stored in whichever repository is the most convenient, possibly duplicated on business users hard drives or in attachments, with no expiration date (i.e. retention schedule) applied, and in formats that may be difficult to produce. Many organizations had policies and procedures in place when their business processes ran primarily on paper documents, but they never quite got around to addressing the electronic counterpart. They ve now had as much as 25 years in which to accumulate ESI, and the sources and formats of this information, not to mention the volumes, are only proliferating. Figure 1: The Evolution of Discoverable Content The result of this poor management of ESI is the compromise of the integrity, confidentiality, and accessibility of business-critical information. From the compliance standpoint, many organizations are unable to attest to the maintenance of business records that s now required to demonstrate compliance with regulations such as Sarbanes-Oxley, HIPAA, or the many other requirements of local, state, federal, or international regulatory bodies. Nor can they easily produce the relevant records when requested (and failure to produce them in a timely fashion may be regarded as obstruction). Likewise, from the litigation discovery standpoint, the absence of effective information management means a long, arduous, and costly process to retrieve and produce the specific ESI that s requested in the discovery phase of litigation a process known as e-discovery.

5 The Proactive Organization: Managing Information for Compliance 5 Those miscellaneous costs can be significant. E-discovery requires that you first identify the potentially discoverable information, then preserve and collect it, then review it and perform forensic analysis to assess the relevance of the information. This forensic analysis can be very costly. Consider that the earlier stages of the discovery process identification, preservation and collection, and some preliminary review can be performed by services firms and by automated tools, all of which narrow down what could be petabytes of potentially discoverable information, to the relevant data set. But it s likely that data set will still be voluminous. Detailed sorting and forensic analysis is then required to determine which information is responsive and which is non-responsive, and to further sort the responsive information into privileged and non-privileged information. This analysis may well require the expensive expertise of inhouse legal staff. It makes sense to use technology to manage your ESI, because it can reduce the costs and the time required for the earlier stages of the e-discovery process. Factors to Consider Poorly managed ESI is leading to escalating costs for response to both regulatory actions and to litigation. Specific cost components include the costs associated with search and retrieval, information preparation, production and forensic costs, as well as the hardware and systems costs. Then there are the miscellaneous costs: the costs of hiring services firms to restore, search, and de-dupe (i.e. remove duplicate documents from) backup tapes. Consider, too, the cost of disruption to normal business processes during an ongoing search, as well as the opportunity cost the money that could be put to other uses. Then there s the business impact of unfavorable rulings. Companies that don t have a handle on their ESI can pay for it twice: in the financial penalties, and in the loss of public and shareholder confidence. For some actual dollar figures, consider that in 2002, several financial services firms were each fined $1.65 million for failing to maintain all business-related s for three years as mandated by SEC rules. In 2003, another financial services organization was charged a total of $605,000 to restore, search, and de-dupe a total of 124 backup tapes (that s almost $5,000 per tape). For the average mid-to-large enterprise, industry estimates for e-discovery costs range from $100,000 to $600,000 per lawsuit. And organizations can no longer easily make the claim that searching through their ESI represents an undue burden (see Question 2). In some industries, litigation costs have long been regarded as one of the costs of doing business. But the implications of e-discovery are far broader than the examples we ve just cited from the financial services sector (see figure below). Consider that many organizations can face charges of liability, copyright or patent infringement, discrimination or harassment, or compliance or legal actions under the statutes of regulatory agencies such as OSHA or the Department of Labor. Discovery is also an important part of criminal investigations conducted by the Department of Justice and civil investigations conducted by government agencies such as the SEC. The bottom line is that organizations of all sizes should concern themselves with how they manage their ESI. Type of Discovery Predictable Type of Request Unpredictable Internal Scheduled Internal Audit Human Resources Issue Regulatory Litigation Certification/Licensing; Market Conduct Exam Due Diligence (Merger Review); Investigation Lawsuit Figure 2: Common Types of Discovery

6 6 Doculabs White Paper Doculabs Opinion What s striking about litigation costs in particular is that they are all repetitive, without leverage, on a per-litigation basis which is to say that the abovementioned costs will continue to be incurred until such a time as the organization has repeatable processes and systems built, implemented, and enforced to address the steps of the litigation discovery process. The absence of a repeatable process increases the likelihood that, faced with litigation, an organization will find it difficult to determine the level of risk and to decide whether to settle or to contest the suit. If the litigation proceeds, that organization could be sanctioned for failure to produce evidence in a timely fashion. Even worse, a company could face sanction for destruction of evidence, or spoliation whether willful or inadvertent, because of inadequate records retention policies and procedures. And spoliation can lead to a number of sanctions, ranging from fines or payment of the other side s attorneys fees, to refusal to allow testimony, to dismissals and default judgments. What s needed is a documented, repeatable process for addressing e-discovery a process that s consistent across the enterprise. Investing in the development of policies and procedures and the technology infrastructure for e-discovery will greatly reduce discovery costs, while also reducing your organization s exposure to fines and adverse judgments (see figure below). $25,000,000 $20,000,000 Expected Annual Savings $15,000,000 $10,000,000 $5,000,000 $- Avg. Cost per Litigation without E-discovery Expected Savings with E-discovery $100,000 $225,000 $350,000 $475,000 $600,000 15% 30% 35% 40% 50% Figure 3: Typical Annual Litigation-related Savings with E-discovery Program and Infrastructure

7 The Proactive Organization: Managing Information for Compliance 7 2. How should the new Federal Rules of Civil Procedure affect the way our organization manages information? The challenges of dealing with ESI involve both technology and people. Managing ESI involves the same duties as those for paper documents. The difference is that while ESI is very voluminous, it s not as physically intrusive as boxes of paper files. Additionally, ESI can be poorly structured, and in formats that require some effort to manage. From the people side of the equation, employees tend to resist efforts toward formal management of ESI, as well as policies requiring the purging of their electronic documents. Historically, people manage ESI very poorly, resisting even simple measures such as filenaming conventions or file management policies. Discussion Organizations could previously claim that searching through their ESI represented an undue burden. But the amendments to the Federal Rules of Civil Procedure (FRCP), enacted at the end of 2006, now make ESI subject to discovery, so long as the information can be obtained, translated if necessary, by the respondent into reasonably usable form. Moreover, the request may specify the form or forms in which the electronically stored information is to be produced. And the rules now require a pre-discovery conference in which both sides provide a list of the relevant ESI, including certain characteristics of the information and the repositories that house it. Factors to Consider The problem for most organizations is that their unstructured data cannot easily be searched; it tends to be stored not just on servers, but in places such as hard drives, a multiplicity of shared drives, tape, and personal files (PST files in Microsoft Exchange and NSF files in Lotus Notes), all of which makes it difficult and costly to retrieve. But then the unstructured data must be analyzed for relevance, then compiled and produced in a format that will be usable by the regulators or by opposing counsel. Consider, too, the real risk that some of the content should not have been retained in the first place, or that large portions of the content may have been retained for periods that extend far past the legal retention requirements. Doculabs Opinion While the FRCP rules pertain only to federal court and are still relatively new, it s likely that other jurisdictions will begin to adopt similar rules. Accordingly, we recommend the following basic guidelines to prepare your organization: Map out all places where electronic information is stored. This repository inventory is a first step toward determining the extent of your organization s exposure with respect to ESI (see Question 3). Update your records retention policy to include all electronic information. This is a step that many organizations have yet to undertake, despite the fact that they may have detailed and effective retention policies for their paper records. Determine what is to be retained, and for how long. Ensure your hold policy (for retaining documents relevant to litigation) fully covers all electronic information, including backup tapes. Failure to do so could result in charges of spoliation, if backup tapes are the sole source of certain requested information. Establish systems that simplify the identification, retrieval, and production of potentially relevant data. This includes establishing systems of record, as well as records management and management systems. It could also include system consolidation, to reduce the number of repositories in which ESI can be stored.

8 8 Doculabs White Paper 3. What s involved in doing a repository inventory? The repository inventory is also part of an ECM strategy. A repository inventory is necessary for planning the enterprise implementation of ECM in large organizations, where large subsets of the total content in the enterprise are candidates for management, and where such content may reside in many different repositories. A repository inventory provides a systematic, sound way to: 1. Prioritize repositories (among the thousands of shared drives, Microsoft SharePoint sites, Lotus Notes databases, and applications housing content) 2. Determine what approaches to take to manage the types of content in the various repositories e.g.in-place (remote vs. federated repository); centralized repository management 3. Identify the repository capabilities and solutions that are required for the various types of content Discussion One of the first steps toward proactive information management is to take an inventory of all of the repositories in which your organization s unstructured content now resides. The purpose of the repository inventory is to identify content repositories in the enterprise (such as shared drives, applications, databases, systems), prioritize them, and recommend a strategy for each repository that determines the following: 1) The level of management necessary for the content in each repository (basic to advanced content management capabilities) 2) Where the content should reside (in-place system or migrated to another system) 3) How the content should be managed (by the in-place system or by an external system) 4) The kind of solution to use to manage the content (basic, advanced, specialized) Depending on your organization s size, these repositories could easily number in the thousands, when you consider all the Microsoft SharePoint sites, Lotus Notes databases, applications, and shared drives throughout the enterprise. Factors to Consider The repository inventory is more than just the basis for coming up with a strategy to address the management of repository contents. Remember that one of the requirements of the new FRCP is that both sides in a litigation matter meet in a pre-discovery conference to provide a listing of the relevant ESI, a listing that includes characteristics of the information and the repositories that house it (see Question 2). This means that your corporate counsel need to know how and where your organization s ESI is stored and where it is backed up. The repository inventory provides the basis for meeting these requirements. Many organizations are now taking steps to develop some kind of inventory of where their unstructured content is now stored. But in some instances, the inventories are too shallow or too narrow to be effective in meeting the requirements of the FRCP let alone for use in developing a repository strategy. Doculabs Opinion Following are the steps for performing a repository inventory: Evaluate your organization s document types. Do this first, because evaluating your document types helps you to determine the business requirements and the policies that the repository strategy must fulfill. It also gives you information about the relative importance (the value and risk) of the documents, as well as information about the level of effort (complexity) that will be necessary to fulfill the business requirements and policies. Note, however, that some document types may be inventory resistant (see Question 4).

9 The Proactive Organization: Managing Information for Compliance 9 Different approaches for managing different categories of content Most organizations have a need for general-purpose, user-friendly content management capabilities such as those provided by Microsoft Office SharePoint Server (MOSS) But for certain types of content (such as records and vital records), they also require the specialized capabilities of an advanced ECM solution for features such as records management functionality to meet regulatory requirements. What s needed is a strategy that allows for the co-existence of both levels of content management functionality within the same IT environment. For more information about how to leverage the advantages and the functionality of MOSS 2007 and advanced ECM solutions within your environment, see Doculabs white paper, The Co-existence of Microsoft SharePoint and Advanced ECM Platforms: What You Need to Know. See our web site at You will likely have some information to use as the basis for this evaluation, such as enterprise or departmental taxonomies, or document inventories of your paper documents, which provide category information about the various document types. Also take a look at your organization s retention plan and records management policy, including the record status for each document type (i.e. official record or non-record), as well as the rationale for record status (legal, litigation, vital, other) and the specific policies for retention, disposition, holds, security, and access for documents designated as records. In addition to distinguishing records and non-records, a best practice is to define a category consisting of the organization s potentially discoverable information i.e. all records, plus a subset of other non-records consisting of other business-related information that s potentially discoverable (see Question 6). Assess the risk and value of each of your document types to the organization. As part of the evaluation of document types (above), evaluate the level of risk and value associated with each document type. For example, vital records the documents you need to run your business are high risk, as are any documents containing confidential, proprietary, or personal identifiable information (such as social security numbers). Risk can be further subdivided into probability of risk, versus seriousness of damage. A best practice is to focus the first pass of the repository on high-risk records (particularly those records that are typically requested for litigation, which could include and unregulated business records) and on those departments that produce the majority of these high-risk records, moving these documents into an ECM system with records management capabilities. Then define policies and procedures for PSTs/NSFs and for content on shared drives, hard drives, and USB drives, moving this content to a system with basic content management capabilities, such as Microsoft SharePoint. Inventory your organization s repositories. Inventory and document the characteristics of the repositories where unstructured data is stored throughout your organization. The inventory should include the following: System and technical information, such as the vendor, product, and the degree of customization or complexity; information on the volume of content stored and numbers of users storing content in each repository The current status and future trajectory of repository (growing, maintain, replace, etc.), to understand what the IT organization plans for the each of the associated systems A profile of your applications and content, noting whether it is transactional or collaborative, dynamic or fixed, actively accessed or inactive, regulated or not regulated The functional capabilities of each repository for example, whether it serves consumers and/or contributors; whether it provides short- or long-term repository management; whether it has records management functionality; its categorization/indexing complexity and flexibility, etc. The technical capabilities of each repository (scalability, performance, reliability, security, integration, etc.)

10 10 Doculabs White Paper Repository Strategies Leave in Place; Don t Manage Low-value, low-risk content Leave in Place; Manage with In-Place System Content archived by lineof-business systems Leave in Place; Manage with Remote System High-value, high-risk content stored in a repository that can be integrated with remote system to provide records management Migrate to Remote System for Management High-value, high-risk content stored in a repository that lacks the records management capabilities to be managed with the remote system An assessment of the in-place management complexity you require, based on capabilities of your candidate master system and the inplace system (capabilities such as JR 170 connectors, APIs, adaptors) to determine the feasibility of continuing to store information where it is currently housed, but using a master system to manage it remotely Make repository strategy recommendations. For the content in each repository, recommend one of the following options: Leave in place don t manage: For content that you have assessed as low value and low risk (i.e. non-records that are not potentially discoverable information) Leave in place manage with in-place system: For content such as transaction data that is archived effectively in line-of-business systems, or marketing materials that are being managed in a digital asset management system Leave in place manage with remote system: For content that has more stringent records management requirements, deploy a remote system with sophisticated records management functionality that can issue commands to the in-place repository, directing tasks such as classify, hold, and delete, thereby applying your organization s retention schedule to the content stored in the in-place repository Migrate to and manage with remote system: For high-value or high-risk content that s stored in a repository that lacks the functionality to allow its content to be managed with the remote system For content in each repository, determine what kind of system to use. This could be an ECM system with advanced content management capabilities, an easy-to-deploy solution such as Microsoft SharePoint for basic content services, or a tool for specialized content services such as management.

11 The Proactive Organization: Managing Information for Compliance What are the pockets of electronically stored information that we may not have thought of? The dangers of rogue repositories Removal storage devices such as USB drives (also known as thumb drives) are, of course, unmanaged. Not too many disasters have happened yet, but the potential exists for a highprofile disaster for instance, employees using thumb drives to move ESI between the office and home. One behavior we ve seen is the use of USB drives for storing archive files for (because corporate policy sets individual mailbox quotas that employees find too low). These files, known as PST and NSF files, are a general vulnerability, typically inventory resistant, and thus represent a concern primarily as a general vulnerability, rather than directly relevant to FRCP. But PST and NSF files can contain very high-risk ESI. Companies that allow the proliferation of PST and NSF files on laptops, USB drives, and home computers put themselves at great risk of exposure in litigation discovery, with the potential for very serious damage. Discussion Most organizations are conducting repository inventories to identify where their ESI is now stored. However, make sure that your inventory doesn t miss important items that leave your organization vulnerable. Beyond the more obvious locations and items of ESI, there are two categories of items organizations are likely to miss: those that can be called inventory amenable, and those that are inventory resistant. Factors to Consider The inventory amenable documents and data are those that can be captured in a thorough-going repository inventory; if you missed them, it s probably because your initial net was too shallow or too narrow. Identify and manage such documents by broadening or deepening your inventory. Items in this category include application-embedded s and documents. But many ESI items are inventory resistant, because they don t result from standardized, documented business processes. They may be ad hoc, highly variable, and unknown to higher layers of the reporting structure. These items are difficult to inventory, manage, discover, and produce, and there s often little obvious cost justification to try to manage this content. The problem is that this inventory-resistant content is precisely the content that can get an organization in trouble. These items are potentially very damaging if they get into the wrong hands; plus, they demonstrate to a regulatory body or to a court that your company policy is not being followed in practice. Doculabs Opinion In the initial step of your repository inventory, assess the inventory resistance of document types. Process-embedded documents are more likely to have been captured in the initial inventory, so look in particular at places where ad hoc document types are likely to be stored. Those places are USB or thumb drives and other removal storage devices, PST and NSF files (see Question 5), instant messaging, discussion boards, and blogs all channels for which many organizations have yet to develop effective policies and procedures. But your organization is likely to have other inventory-resistant document types out there types you may not have thought of. Consider the following: The Audit business unit and systems. Large organizations typically have Audit units that are responsible for evaluating other business units, processes, and systems for various types of compliance. They may use Paisley or other compliance software to manage their audit process and document their findings. In addition to its own findings and documentation, the Audit unit may also store documents and s relevant to compliance or noncompliance. The irony is that audit systems may be a good source of damaging ESI moreover, ESI that s easily discoverable and readily accessible.

12 12 Doculabs White Paper Repositories maintained by remote parties, agents, or third-party contractors. Many organizations understand the need for effective management of the ESI in the repositories that are under their direct control, but have little control over or visibility into the documents that may be held by their contractors, by remote employees, or (in the insurance industry) by captive and independent agents. Typically, these parties aren t required or motivated to follow the company s internal records management or document management policies; for instance, they may be using multi-function devices to scan in documents and then storing those documents in an ungoverned manner. So take these remote and third parties into consideration when you do your repository inventory and not just for inventory-resistant items, but also for content that s generally inventory amenable within the home organization. Attorney-client privilege. We see many organizations in which the common practice is to mark paper documents and ESI as privileged or confidential, when in fact they are not. Authors or reviewers of the ESI may believe the documents are covered by attorney-client privilege when they are not, either because no in-house counsel were involved in the transaction, or because in-house counsel were involved, but the transaction wasn t actually privileged. Addressing this issue is important for properly addressing the FRCP requirements for privileged and confidential ESI. Inventory-Amenable ESI Inventory-Resistant ESI in an system Structured data Application-embedded documents Documents stored on USB drives and other removal storage devices PST and NSF files Instant messaging, discussion boards, blogs Audit systems Repositories maintained by remote parties, agents, third-party contractors Privileged or confidential documents that in fact are neither privileged nor confidential Table 1: Summary of Potentially Vulnerable Electronically Stored Information

13 The Proactive Organization: Managing Information for Compliance We re deploying an management tool. Will that cover the issue? An estimated 65 percent of companies don t have an retention policy, and 37 percent of employees say they don t know which messages should be retained and which ones should be purged. (Source: InformationWeek) Discussion Among the most problematic of inventory resistant items we ve seen are personal files PST and NSF files. PST (for Microsoft Exchange) and NSF (for Lotus Notes) files are archive files for that employees use to offload extra, old, or special s. Such files are common, and employees may even maintain multiple PST/NSF files typically on their personal hard drives. Another way that may elude your management tool is if it is embedded in business systems such as line-of-business systems or in the customer relationship management systems used by your sales, marketing, or customer service departments. Finally, some organizations, particularly financial services firms, have deployed encryption technology for outbound s technology that can present problems if your organization is relying on discovery and production software products. Factors to Consider Let s consider the implications of these issues one at a time: PST/NSF files. PST/NSF files are particularly rampant in organizations that do not have defined policies, but we have found they are at least as common in organizations that have a well defined policy particularly if that policy restricts mailbox size or content, or automatically deletes . The PST/NSF file is where users put that content, and the result is lots of unmanaged, potentially harmful s. PST/NSF files are frequently searched in discovery, but not always as part of an automated search approach. They may be backed up as part of an enterprise PC backup approach rather than the enterprise system backup. In either case, PST/NSF files can account for a significant amount of volume. These files may well be the highest area of unaddressed vulnerability for organizations trying to address litigation exposure. embedded in business systems. In many organizations, incoming and outgoing can be embedded in business systems (for example, s received by customer service representatives in the company s customer relationship management system). As such, it may be generated in a separate system and never hit the enterprise system, or it may be generated by the enterprise system, but is then duplicated in the business system. The point is that the s in these systems are typically not archived well, so they aren t searched well for discovery or the systems retain copies of s that the company may believe to have been purged. Such systems are not inherently inventory resistant (see Question 4), as they result from a standard process, but most organizations don t think of them as being a litigation risk or as relevant to disposition as part of the corporate retention policies.

14 14 Doculabs White Paper Encryption technology for outbound . Many financial services firms apply encryption technology to outbound s for example, for communications regulated by the SEC ( which require filtering, quarantine, and review), but also for unregulated messages. A recurrent problem is that the tools used for discovery and production can t search or view the contents of encrypted files, which have been encrypted for digital rights management purposes. (The same is true for any other encrypted files the organization may maintain.) The vendors don t yet have solid answers for this problem. Doculabs Opinion For personal files, a best practice is to first prohibit users from creating local archives/copies of mailboxes. Increasing the use of base Microsoft Exchange functionality in managing PSTs/NSFs is an approach that can work in the near term, but management systems have specific functionality designed to manage PST/NSF files for compliance. Then you can begin finding and migrating old PSTs/NSFs to the archive, either manually or using automated tools from vendors such as IBM, EMC, Symantec, and Autonomy, among others. If your organization has yet to deploy an management solution, we suggest moving the PSTs/NSFs to the network, along with rollout of basic content services, such as Microsoft SharePoint all mandated by relevant policies and supported by relevant procedures, training, and auditing to ensure that it happens. As for embedded in business systems, Doculabs recommends identifying these s, extracting them from the business system, and then storing them in an ECM repository with other related content for those transactions.

15 The Proactive Organization: Managing Information for Compliance Where does records management fit into the compliance and litigation discovery picture? Types of Electronically Stored Information Declared Records Always manage, in a system with records management capabilities Example: contract, policy filing Vital Records Always manage, in a system with records management capabilities Example: final budget, final design Other Businessrelated Information Manage in a generalpurpose content management system Example: memo, agenda, trip report Non-businessrelated Information Never manage in a content management system Example: from spouse Discussion It s true that compliance does not equal records management alone. However, records management is a key component of any compliance program and is essential for managing potentially discoverable information in the event of litigation. Regulatory compliance requires that you manage and maintain a fairly well defined set of documents. The ability to manage this set of business records according to a classification plan and retention schedule helps to ensure that those records can be recovered easier, faster, and at less cost to the organization when the regulatory authorities ask you to produce them. Thus management and retention are critical to meeting compliance requirements. In contrast, litigation requires that you manage a broader set of documents those documents that are considered potentially discoverable information. This information, while discoverable, may include document types that are not even declared as records (see Question 3 on assessing the risk and value of document types). Thus, discovery for litigation requires not just effective management and retention, but also destruction of documents according to the disposition rules of your corporate records retention schedule, as well as capabilities for hold and release to ensure that the relevant information is preserved and preserved only as long as you need it to respond to a specific instance of litigation. Factors to Consider From a litigation discovery standpoint, there are some important distinctions to keep in mind among the various types of ESI distinctions that have implications for how you manage your organization s information. Declared records: These are the business documents that the organization has defined ( declared ) as its corporate records for example, contracts and policy filings. Declared records also include vital records: those records that contain information essential to business continuity or disaster recovery. Vital records are organization-specific, but might include accounts payable and accounts receivable records, customer files, and tax records. All of your organization s declared records should be managed under the corporate records management policies and procedures, with a records retention schedule covering their respective lifecycles. Other business-related information: These are business documents that your organization has not declared as records, but which contain content that could be relevant in the event of litigation. Examples include memos, agendas, and trip reports. These documents, while not declared or managed as corporate records, should be managed in a content management system to ensure they can be easily searched, retrieved, and produced if they become the subject of discovery in a legal action. Note that non-business related information, such as personal s from family, should never be managed in the corporate ECM system and your records management policies and procedures should make this clear to your employees.

16 16 Doculabs White Paper Evaluate the guidelines and practices of your records management program according to the following objectives: Do they ensure compliance? Do they reduce the cost of compliance? Do they reduce the impact of compliance on the organization? Do they impact performance or worker productivity? Are they consistent with your organization s mission? Potentially discoverable information: In the event of litigation, this category of information encompasses portions of both categories above i.e. certain of those documents your organization declares and manages as records, and that portion of your other business-related information which is potentially relevant to the litigation in question (see figure below). The documents in this category will be specific to each litigation; you need to be able to move the applicable other business-related information into the repository with your declared records in order to hold it and manage it for the duration of the litigation. Doculabs Opinion Figure 4: Potentially Discoverable Information within the Universe of ESI Records management is not a plug-and-play proposition; it takes more than just deploying the records management module of a content management solution to ensure that all of your organization s corporate records are being captured and properly managed throughout their respective lifecycles. Certainly the records management software products are now more mature and will go a greater distance toward helping you meet your compliance goals. But Doculabs advises that you develop an approach to records management that gives proper attention to process, people, and technology: Process: Define records retention schedules for the organization and its departments; develop foundational principles, definitions, and policies and socialize them throughout the organization. People: Create oversight committees or other bodies to coordinate all RMrelated efforts and establish accountability for key aspects of records management across the organization; publish and promote retention guidelines and best practices for all types of records. Technology: Identify the system of record for each record and develop approaches for automating application of appropriate records management requirements, using relevant technologies such as ECM, workflow, management, records management, enterprise search, portals, electronic forms, storage.

17 The Proactive Organization: Managing Information for Compliance How does enterprise content management technology serve as the foundation for compliance and litigation discovery initiatives? Using ECM to manage ESI The components of ECM technology records management, management, document management, enterprise search, portals, and workflow provide the capabilities that an organization needs to quickly find and produce records or other ESI. And ECM technologies can greatly streamline your organization s ability to search, compile, review, analyze, and produce ESI in response to a compliance action or in litigation discovery. ECM technologies ensure that your organization s content is appropriately managed, and that your corporate retention policies are being appropriately applied to that content. Discussion As we ve already seen, effective management of ESI is essential to compliance and e-discovery. Enterprise content management (ECM) technology, including components for records management, is a cornerstone of any compliance program. It provides the capabilities to manage unstructured content, such that it can then be searched and analyzed for relevance, then compiled and produced in a format that will be usable to the other party, whether a regulatory body in a compliance action or opposing counsel in litigation discovery. The figure below shows the stages of the discovery process, along with the ECM technologies that can be used to facilitate the actions required within each stage. Records Management Identification Preservation and Collection Processing, Review, and Analysis Production Presentation Manage business records Identify physical location of data with a document inventory Records Management, Management Receive discovery request Develop search criteria Review document inventory; conduct search Send notification to record owners Enterprise Search, Document Management, Management, Records Management, Workflow Record owners place a hold on requested records Requested records are collected, indexed, stored Review and catalogue records Perform forensic analysis Enabling Technologies Enterprise Search, Document Management, Management, Records Management, Workflow Document Management, Management, Records Management, Workflow, ediscovery Tools, or Third-party Service Process follows the Electronic Discovery Reference Model Generate records with index and catalogue on appropriate Document Management, Workflow, ediscovery Tools or Third-party Service Deliver records on appropriate media and communication method to court hearing Document Management, Workflow, ediscovery Tools or Third-party Service Figure 5: Stages of the Discovery Process, with ECM Enabling Technologies Factors to Consider Consider workflow or business process automation tools, which can be used to facilitate e-discovery. Today, most large organizations rely on third-party service firms within the legal community to assist in discovery efforts. The process used is very manual and very costly: crude searches are performed, and the results are reviewed one by one (open a document, scan through the content, and determine its relevance).

18 18 Doculabs White Paper Taxonomy: providing structure for unstructured content What does it take to create an enterprise taxonomy a classification that reflects the business-critical documents of the organization as a whole? Doculabs white paper, Ten Questions on Taxonomy, helps you understand the key concepts and the issues involved in creating and implementing an enterprise-wide classification of your organization s information assets, and helps you plan a taxonomy initiative for your organization. Visit the Doculabs web site at Like other business processes, e-discovery has discrete triggers that initiate the process. It also has specific tasks and time dependencies, and defined roles for participants. Workflow or business process automation can help address these challenges. Best-in-class firms are recognizing this and are taking steps to leverage existing capabilities to lower their e-discovery costs, perhaps with the same tools they ve been using to automate transaction-processing type tasks. Doculabs Opinion All of the above-mentioned components of ECM technology serve the objectives of compliance and e-discovery. The ECM system provides the repository the means of control for the unstructured content. But it s also important to provide a logical structure for that unstructured content a taxonomy to classify it within a common hierarchy for the organization. Deployed with an ECM system, a taxonomy allows your ECM system(s) to apply a consistent set of keywords and metadata to every piece of content, thereby ensuring more efficient retrieval of information, as well as search results that are more accurate and consistent. Keep in mind that a taxonomy allows you to address where and how content is stored in advance. Whereas a search tool attempts to locate information after the fact, a well-thought-out enterprise taxonomy defines the places for ESI and helps users put it in the right place the first time an important consideration for faster and more efficient information retrieval for compliance and e- discovery. The bottom line is that implementing a taxonomy along with the content management capabilities of an ECM system provides a predetermined context that supplements the powers of the system s search tools. That s why we recommend that you take on the upfront effort required to develop an enterprise taxonomy as part of any enterprise-wide ECM deployment. It helps you make sure that your ECM system provides not just control, but also gives structure to your unstructured content.

19 The Proactive Organization: Managing Information for Compliance Why do we need a program to address compliance and litigation discovery? Discussion In Question 7 we outlined the ECM technologies that we recommend as part of a compliance and e-discovery initiative: records management, document management, management, enterprise search, portals, and workflow. But by now, it should also be clear that technology alone is not the answer. Becoming a proactive organization requires that you develop and implement a compliance program a program that encompasses policies and procedures, governance, information organization, architecture and technology, processes, and communications. Factors to Consider An effective compliance program includes: Development of rules for the compliance program developing policies, procedures, and guidelines Development of a governance structure defining the roles and responsibilities for compliance (e.g. Legal, Compliance, Risk Management, Records Management) and how they should interact with the non-corecompliance functions (e.g. for ECM, for infrastructure, etc.) Information organization including taxonomy development, development of records retention rules and records schedules, and the repository inventory (see Question 3). Development of an architecture and technology strategy including an architecture strategy for compliance, selection of required capabilities (such as records management, management, search, etc.) Process evaluation and strategy defining processes for records lifecycle management, e-discovery, processes for records types with particular requirements (e.g. for structured data, for externally created information, etc.) Development of a communications strategy defining approaches for socializing the compliance program and policies and procedures and for ensuring that policies continue to be effectively followed in practice Doculabs Opinion A successful compliance initiative involves not just IT and Legal; it involves executive commitment and end-user buy-in. Rolling out the specific parts that your organization needs to meet its compliance and e-discovery challenges requires a long-term plan that addresses process, people, and technology a program that takes into account your current state in each of these areas and that also defines a future state, as well as a realistic road map for making that future state a reality.

20 20 Doculabs White Paper 9. What does it take to develop and implement a compliance program? Discussion The development and implementation of a compliance program involves a considerable number of moving parts, not to mention the buy-in of a number of key individuals and not just from IT, but from your legal, compliance, risk management, and records management functions. Within your own organization, you ll need to develop policies and procedures covering all forms of records and potentially discoverable information; you will also need to create a governance structure to support and maintain your compliance program. There may be various technology components of ECM technology to procure and deploy; you may also need to develop a taxonomy to organize your content within the ECM system. Finally, you will need a well-designed and communications and training program to ensure that users throughout your organization understand their own roles in the compliance process. Factors to Consider Consider whether you need outside expertise to provide an objective assessment of where your compliance program stands today, and to provide your organization with an understanding of best practices from each of the relevant perspectives: process, people, and technology. Your consultant can then help you map out an approach that will help you achieve a near-term future state, with clearly defined priorities, as well as a long-term future state that addresses those initiatives that require longer timelines to complete. Beyond the definition of these future states, you may also need some assistance in developing the road map to help you achieve those objectives. Doculabs Opinion The figure on the following page shows potential initiatives and technology components of a compliance program. The top portion of the figure, the compliance summary, shows the categories of initiatives Document Policies, Document Procedures, Taxonomy Development and Maintenance, Records Management Program, Organizational Structure, and Records Management Architecture and Updates that Doculabs regards as the key components of a compliance program. The bottom portion of the figure, the technology summary, shows the technology components that an organization may require in order to implement an effective compliance program. These technology components include technologies in the categories of Content Creation/ Presentation/Access, Process and Collaboration, Data and Content Middleware, and Data Management. Altogether, the figure provides a color-coded overview of how Doculabs might assess a hypothetical organization s capabilities in each of these areas: red for basic, yellow for moderate, and green for advanced. It also indicates some of the specific types of projects that this organization would need to undertake, both from the program and the technology perspectives.