E-Commerce compliance and the Four C's of Business
Compliance: It's Real, It's Relevant, and It's More Than Just Records
AIIM Industry Watch Survey
Prepared by John F. Mancini, President, AIIM Wayne Avenue Suite 1100 Silver Spring, MD
Survey results are provided courtesy of
ABOUT THE SURVEY
AIIM
AIIM is the international authority on Enterprise Content Management (ECM), the technologies used to capture, manage, store, preserve, and deliver content and documents related to organizational processes. ECM tools and technologies provide solutions to help users with the four C's of business: Continuity, Collaboration, Compliance, and Costs.

For over 60 years, AIIM has been the leading non-profit organization focused on helping users to understand the challenges associated with managing documents, content, records, and business processes. Today, AIIM is international in scope, independent, implementation-focused, and, as the representative of the entire ECM industry - including users, suppliers, and the channel - acts as the industry's intermediary.

As a neutral and unbiased source of information, AIIM serves the needs of its members and the industry by providing educational opportunities, professional development, reference and knowledge resources, networking events, and industry advocacy. Information about AIIM can be found at

AIIM provides:

Market Education - AIIM provides unbiased information through its ECM Solutions Seminar (held throughout the U.S. and Canada); the Managing Information and Documents Road Show (held throughout the UK); InfoIreland (held in Dublin); AIIM Webinars; AIIM E-DOC Magazine and our online Solution Centers for financial services, healthcare, and state & local government.

Professional Development - AIIM's industry education road map offers business and government professionals a variety of training opportunities. Our ECM & ERM Certificate Programs provide instruction on the "Why?", "What?", and "How?" of Enterprise Content Management and Electronic Records Management via Web-based and/or classroom courses.

Peer Networking - Through chapters, networking groups, programs, partnerships, and the Web, AIIM creates opportunities that allow users, suppliers, consultants, and the channel to engage and connect with one another.

Industry Advocacy - As an ANSI (American National Standards Institute) accredited standards development organization, AIIM acts as the voice of the ECM industry in key standards organizations, with the media, and with government decision-makers. Our Industry Watch research reports provide intelligent information about user trends and perceptions.
THE AUTHOR
John F. Mancini has been President of AIIM since May Working together with the AIIM Board, staff, and thousands of volunteers around the world, his goal is to help AIIM connect the users and suppliers of enterprise content management (ECM) technologies and services. Prior to joining AIIM, John spent 11 years in various positions at the American Electronics Association in Washington, D.C., most recently as Executive Vice President and Chief Operating Officer. The American Electronics Association is the nation's largest technology trade group. John holds a Bachelor's degree from the College of William and Mary and a Master's degree from Princeton University.

ABOUT THE SURVEY
This Industry Watch survey was conducted during May and June The survey was administered through an online survey instrument, zoomerang.com. A total of 741 end users participated in the survey. 582 of the 741 survey participants were from the US or the UK.

Distribution of responses by organization size was as follows: 1 to % 101 to % 501 to 1, % 1,001 to 10, % 10,001 to 50, % Over 50, %

Major vertical industries represented in the survey were:

| Industry | Share of responses |
|---|---|
| Government & Public Services - Provincial, State, or Local Level | 17.0% |
| Banking & Finance | 9.7% |
| Utilities, Oil & Gas | 9.7% |
| Manufacturing & Engineering | 8.4% |
| Government & Public Services - Central or Federal Government | 7.2% |
| Insurance | 6.5% |
| Healthcare | 5.9% |
EXECUTIVE SUMMARY

Key Finding #1
Organizations are still at the beginning stages of determining compliance requirements. To paraphrase Churchill, they are perhaps approaching the end of the beginning, but there is a great deal of work still to be done.
- Over 50% of end users describe themselves at a very early stage in considering compliance requirements, either as "we have not yet begun" or "we have begun, but much remains to be done."

Key Finding #2
End users have a disturbingly narrow view of compliance and what it means for their organization, perhaps because of an overemphasis in the media on such legislation as Sarbanes-Oxley and HIPAA.
- When users view the term "compliance" in their organizations in relation to information management, their recognition is limited primarily to government regulations (84.2%), litigation (62.1%), and paper records management (52.0%).

Key Finding #3
Users have an intuitive feel that something is wrong within their organizations relative to managing electronic information, but are having a difficult time mounting a systematic and disciplined approach to meeting the challenge.
- Nearly 2 out of 3 end users (63.3%) have not yet analyzed the risk they face from the mismanagement of electronic information.
- Less than 4 in 10 end users (38.6%) have created a central group focused on managing compliance efforts across the organization.
- 42.6% say their organization does not yet have a clear approach toward meeting compliance requirements.

Key Finding #4
When it comes to compliance, Records Managers have a seat on the bus but they aren't driving it.
- When it comes to the question of who has the MOST influence in driving compliance decisions, the top decision makers are executive staff (25.1%), Legal (22.4%), and IT (17.7%). Records managers across the implementation continuum play a supporting, not a lead role. Those categorizing themselves as records and document professionals represented 53% of survey responses.

Key Finding #5
Contrary to popular belief, when it comes to compliance, the weakest link is electronic, not paper documentation.
- Nearly 64% of end users believe that there is widespread understanding of what PAPER records are and how they should be retained vs. 34% when considering ELECTRONIC records.
- 65% of end users believe they have clear policies in place related to PAPER information in the event of litigation vs. 39% when considering ELECTRONIC information.
KEY FINDING #1
Organizations are still at the beginning stages of determining compliance requirements. To paraphrase Churchill, they are perhaps approaching the end of the beginning, but there is a great deal of work still to be done.

Over 50% of end users describe themselves at a very early stage in considering compliance requirements, either as "we have not yet begun" or "we have begun, but much remains to be done." Some believe that compliance-related demands of information management have crested. The data suggests that most organizations have only just begun to seriously consider compliance related to organizational content.

End users in the US are further along the implementation curve than their counterparts in the UK. This is likely the result of two factors: 1) there were more large organizations (>1,000 employees) in the US sample; and 2) the closer linkage of large US-based organizations to Sarbanes-Oxley requirements.

How would you characterize your organization's status with respect to implementing compliance initiatives?

| | Overall | US (N=359) | UK (N=223) |
|---|---|---|---|
| already completed one or more compliance initiatives. | 32.3% | 38.0% | 23.4% |
| begun to implement one or more compliance initiatives, but much remains to be done. | 38.4% | 34.2% | 42.8% |
| completed implementation of compliance initiatives across the entire organization. | 11.3% | 13.2% | 10.8% |
| not yet begun. | 18.0% | 14.6% | 23.0% |

As a result of such government-driven requirements as Sarbanes-Oxley, end users in large organizations are much more likely to have begun a compliance initiative. As might be expected, small organizations (<100 employees) have yet to seriously examine compliance, with nearly 75% still at a very early stage of implementation. Even among some large organizations (1,001 to 10,000 employees), there is still much room for action. Nearly 60% are still at a very early stage of deployment of compliance solutions.

How would you characterize your organization's status with respect to implementing compliance initiatives?

| # of employees | N= | N= | ,000 N= | ,000 N=213 | 10,001-50,000 N=126 | Over 50,000 N=68 |
|---|---|---|---|---|---|---|
| already completed one or more compliance initiatives. | 17.4% | 26.8% | 33.3% | 31.5% | 43.7% | 48.5% |
| begun to implement one or more compliance initiatives, but much remains to be done. | 37.4% | 43.5% | 38.1% | 42.7% | 34.9% | 23.5% |
| completed implementation of compliance initiatives across the entire organization. | 8.7% | 10.9% | 6.0% | 9.9% | 13.5% | 23.5% |
| not yet begun. | 36.5% | 18.8% | 22.6% | 16.0% | 7.9% | 4.4% |
Users DO believe that compliance concerns related to information management are here to stay and that they are not just a passing fad.

AGREE or DISAGREE: Compliance concerns related to managing electronic information are here to stay.

| | Overall | US (N=359) | UK (N=223) |
|---|---|---|---|
| Strongly agree | 57.7% | 62.9% | 52.5% |
| Somewhat agree | 31.5% | 26.8% | 42.4% |
| Somewhat disagree | 7.8% | 6.8% | 3.4% |
| Strongly disagree | 2.9% | 3.5% | 1.7% |
KEY FINDING #2
End users have a disturbingly narrow view of compliance and what it means for their organization, perhaps because of an overemphasis in the media on such legislation as Sarbanes-Oxley and HIPAA.

User awareness of what constitutes compliance is extremely narrow. When users view the term "compliance" in their organizations in relation to information management, their recognition is limited primarily to government regulations (84.2%), litigation (62.1%), and paper records management (52.0%). This may be due in part to the press and publicity surrounding government regulations like Sarbanes-Oxley and HIPAA that have created a dual-edged sword. While these regulations have moved compliance concerns to center stage, particularly in the executive suite, a byproduct may be that end users do not yet understand that compliance extends beyond regulatory concerns.

There is little awareness, for example, that compliance requirements extend to processes. For example, only 21.9% of end users see information in an ERP system as being subject to compliance scrutiny. Only 20.4% see information in a CRM system in that way.

When the term "compliance" is used in your organization in relation to information management, which types of information are usually included?

| | Overall | US (N=359) | UK (N=223) |
|---|---|---|---|
| Information required by government or industry regulations | 84.2% | 83.9% | 92.0% |
| Information that could be needed in a legal action | 62.1% | 65.8% | 57.8% |
| Information on a web site | 25.7% | 28.4% | 24.4% |
| Information from | 39.9% | 45.6% | 37.3% |
| Paper information | 52.0% | 58.5% | 45.3% |
| Information in a content repository | 33.5% | 39.9% | 26.2% |
| Information on a shared network drive | 32.5% | 35.0% | 28.4% |
| Information in an ERP system | 21.9% | 25.4% | 15.6% |
| Information in a CRM system | 20.4% | 21.9% | 17.8% |

When asked to rate a variety of business drivers related to technology investments in compliance initiatives, end users exhibit the same narrow definition of compliance. Their top compliance-related business driver is specific government regulations or mandates (1.94 on a 4 point scale from 1 = extremely important to 4 = not important at all). Privacy and security concerns rank surprisingly low, especially considering the recent market focus on identity theft and security:
- 2.62 = privacy failure
- 2.77 = information theft
- 2.80 = intellectual property theft

How important have each of the following been in driving TECHNOLOGY and SERVICES investments in your organization related to compliance? (only includes those having an opinion, 1 = extremely important to 4 = not important at all)
not begun (N=108); begun, but much needs to be done (N=298); completed one or more compliance initiatives (N=166); implemented across the organization (N=166)

Lawsuit or other court action
Regulatory action or penalty
Destruction of information needed for a lawsuit or audit
Inability to find information needed for a lawsuit or audit
Information theft
Intellectual property theft
Privacy failure
Security breach
Issues discovered through internal investigation or audit
Specific government regulations or mandates
KEY FINDING #3
Users have an intuitive feel that something is wrong within their organizations relative to managing electronic information, but are having a difficult time mounting a systematic and disciplined approach to meeting the challenge.

There are strong indicators that end users realize they have a problem. For example:
- 63.5% strongly or somewhat disagree with the statement, "There is a low probability that content on an employee's hard drive could put my organization at risk."
  - 57.9% of UK users; 68.6% of US users.
- 63.5% strongly or somewhat disagree with the statement, "Content created by employees who leave our organization is actively reviewed and archived appropriately."
  - 70.5% of UK users; 68.3% of US users.
- 44.4% strongly or somewhat disagree with the statement, "Employees understand how to access the most current version of policies, procedures, and other critical corporate information."
  - 47.0% of UK users; 40.4% of US users.

Even though end users realize they have a problem, they often have not yet transferred this concern into action. Well-thought-out plans and strategies are the exception rather than the norm. For example:
- Nearly 2 out of 3 end users (63.3%) have not yet analyzed the risk they face from the mismanagement of electronic information.
  - 64.3% of UK users; 61.6% of US users.
- Less than 4 in 10 end users (38.6%) have created a central group focused on managing compliance efforts across the organization.
  - 37.1% of UK users; 47.7% of US users.
- 42.6% say their organization does not yet have a clear approach toward meeting compliance requirements.

From a technology viewpoint, which basic approach does your organization take toward meeting compliance requirements?

| | Overall | not begun (N=108) | begun, but much needs to be done (N=298) | completed one or more compliance initiatives (N=166) | implemented across the organization (N=166) |
|---|---|---|---|---|---|
| A point solution approach (using a solution that is specifically designed to solve a particular compliance requirement, e.g., FoI, Money Laundering, SEC 17-a or Basel II) | 17.7% | 8.2% | 13.5% | 26.2% | 22.9% |
| An infrastructure approach (using a software platform to solve multiple compliance requirements throughout the organization, e.g., an ECM solution) | 39.7% | 17.9% | 36.5% | 48.9% | 59.0% |
| We do not yet have a clear approach | 42.6% | 73.9% | 50.0% | 24.9% | 18.1% |
Among those who DO have a clear approach to meeting compliance requirements, the norm is to view compliance-related technologies as core infrastructure rather than part of a point solution.
- Nearly 70% of end users (69.2%) take an infrastructure approach (using a software platform to solve multiple compliance requirements throughout the organization, e.g., an ECM solution).
- The remainder (30.8%) take a point solution approach (using a solution that is specifically designed to solve a particular compliance requirement, e.g., FoI, Money Laundering, SEC 17-a, or Basel II).
- The most experienced end users tend to view compliance-related technologies as core infrastructure rather than a point solution.

Lastly, technology expenditures are NOT the most significant compliance expense facing end users. Solution providers would be wise to make sure their solutions also help address the softer and more significant costs facing end users.
- Nearly 40% (38.7%) of end users report that with respect to meeting compliance requirements, their SINGLE greatest investment is in documenting policies and procedures.
- This is followed by 25.2% who report that training employees is their most significant expense.
- Purchasing technology, cited by 22.3% of end users, ranks 3rd.
- As end users move along the implementation continuum, training employees becomes an increasing concern. This is consistent with past AIIM studies showing the rising importance of change management and employee commitment concerns as the scale of implementation increases.

From a technology viewpoint, which basic approach does your organization take toward meeting compliance requirements?

| | Overall | not begun (N=108) | begun, but much needs to be done (N=298) | completed one or more compliance initiatives (N=166) | implemented across the organization (N=166) |
|---|---|---|---|---|---|
| Documenting policies and procedures | 41.4% | 48.0% | 37.5% | 43.8% | 38.5% |
| Engaging with outside consultants and services | 7.8% | 6.9% | 9.4% | 7.8% | 4.6% |
| Purchasing technology | 23.9% | 26.5% | 29.0% | 17.7% | 21.5% |
| Training employees | 26.9% | 18.6% | 24.1% | 30.7% | 35.4% |
KEY FINDING #4
When it comes to compliance, Records Managers have a seat on the bus but they aren't driving it.

Records Managers play a role in determining compliance strategies for organizations, but they are not the MOST important community involved in reaching a final decision. In response to the question, "When compliance policies, procedures, and investments relative to information management are discussed, which departments are generally involved?" the most likely participants in discussions are IT (81.6%), Legal (64.4%) and Records Management (56.7%).

When compliance policies, procedures, and investments relative to information management are discussed, which departments are generally involved?

| | Overall | US (N=359) | UK (N=223) |
|---|---|---|---|
| Legal Department | 64.4% | 74.3% | 51.1% |
| IT | 81.6% | 83.3% | 81.8% |
| Tax and Audit | 27.8% | 28.7% | 23.1% |
| Records Management Department | 56.7% | 63.7% | 49.3% |
| Administration | 33.5% | 35.0% | 29.3% |
| Compliance or Risk Department | 41.4% | 43.7% | 40.0% |
| Business Units | 35.6% | 32.2% | 38.2% |
| Financial | 36.5% | 30.9% | 42.2% |
| Executive Staff | 48.1% | 45.4% | 51.1% |

Regardless of implementation status, IT is always at the table. The likelihood of a broader participation (bringing in legal and records management staff and dedicating staff directly to compliance) increases as the depth of commitment to a compliance solution grows.

| | Overall | not begun (N=108) | begun, but much needs to be done (N=298) | completed one or more compliance initiatives (N=166) | implemented across the organization (N=166) |
|---|---|---|---|---|---|
| Legal Dept | 64.4% | 49.3% | 59.1% | 77.5% | 77.4% |
| IT | 81.6% | 78.4% | 81.5% | 86.7% | 81.0% |
| Tax and Audit | 27.8% | 14.9% | 24.8% | 35.4% | 39.3% |
| Records Management Dept | 56.7% | 38.1% | 59.8% | 63.8% | 63.1% |
| Admin | 33.5% | 38.1% | 36.4% | 26.3% | 39.3% |
| Compliance or Risk Dept | 41.4% | 19.4% | 36.4% | 51.3% | 70.2% |
| Business Units | 35.6% | 17.2% | 36.0% | 39.6% | 53.6% |
| Financial | 36.5% | 32.8% | 37.1% | 36.7% | 45.2% |
| Executive Staff | 48.1% | 44.8% | 47.6% | 45.8% | 64.3% |

When it comes to the question of who has the MOST influence in driving compliance decisions, the top decision makers are executive staff (25.1%), Legal (22.4%), and IT (17.7%). Records managers across the implementation continuum play a supporting, not a lead role. Those categorizing themselves as records and document professionals represented 53% of survey responses.
As organizational sophistication with compliance grows, a key transformation in role and responsibility takes place. The likelihood of a specific group or department dedicated to compliance grows, as does the likelihood that this group will take the leadership in driving decisions. In addition, as the influence of this dedicated group grows, the influence of IT declines. Across the continuum, organizations realize that Executive Staff play a key role in driving compliance decisions, likely because many organizations have realized that the Executive Staff is ultimately held accountable for these decisions.

| | Overall | not begun | begun, but much needs to be done | completed one or more compliance initiatives | implemented across the organization |
|---|---|---|---|---|---|
| Legal Dept | 22.4% | 21.8% | 21.2% | 25.1% | 21.4% |
| IT | 17.7% | 15.8% | 23.7% | 15.5% | 7.1% |
| Tax and Audit | 3.2% | 3.8% | 2.5% | 4.6% | 1.2% |
| Records Management Dept | 9.0% | 9.8% | 6.7% | 10.5% | 10.7% |
| Admin | 2.0% | 0.8% | 4.2% | 0.4% | 0.0% |
| Compliance or Risk Dept | 12.3% | 4.5% | 8.8% | 16.3% | 26.2% |
| Business Units | 4.8% | 6.0% | 4.6% | 3.8% | 4.8% |
| Financial | 3.5% | 6.0% | 3.9% | 2.1% | 2.4% |
| Executive Staff | 25.1% | 31.6% | 24.4% | 21.8% | 26.2% |

There is some variation between the US and the UK in terms of compliance decision-making. In most organizations in the US, the legal staff is much more likely to drive these decisions, and executive staff is more likely to drive these decisions in the UK.

When compliance policies, procedures, and investments relative to information management are discussed, which department generally has the MOST influence?

| | Overall | US (N=359) | UK (N=223) |
|---|---|---|---|
| Legal Dept | 22.4% | 32.3% | 15.8% |
| IT | 17.7% | 17.4% | 17.6% |
| Tax and Audit | 3.2% | 3.3% | 1.8% |
| Records Management Dept | 9.0% | 8.3% | 9.0% |
| Admin | 2.0% | 1.9% | 0.9% |
| Compliance or Risk Dept | 12.3% | 12.2% | 13.5% |
| Business Units | 4.8% | 3.0% | 6.8% |
| Financial | 3.5% | 2.2% | 3.6% |
| Executive Staff | 25.1% | 19.3% | 31.1% |
KEY FINDING #5
Contrary to popular belief, when it comes to compliance, the weakest link is electronic, not paper documentation.

The "Weakest Link" in user efforts to control information for compliance purposes clearly is their handling of electronic information. In a series of questions focused on individual responsibility for retention of records, user understanding of the definition of records, and policies governing management of information, end users indicate that they are much more comfortable managing PAPER information than ELECTRONIC information.
- Nearly 3 in 4 end users agree that the individuals responsible for retaining PAPER records are clearly identified in their organization vs. barely half when considering retention of ELECTRONIC information.
- Nearly 64% of end users believe that there is widespread understanding of what PAPER records are and how they should be retained vs. 34% when considering ELECTRONIC records.
- 65% of end users believe they have clear policies in place related to PAPER information in the event of litigation vs. 39% when considering ELECTRONIC information.

Agree or disagree?

| | Strongly agree | Somewhat agree | Somewhat disagree | Strongly disagree |
|---|---|---|---|---|
| Individuals responsible for retaining records are clearly identified--PAPER | 35.0% | 37.5% | 15.9% | 11.6% |
| Individuals responsible for retaining records are clearly identified--ELECTRONIC | 21.4% | 31.0% | 18.8% | 28.8% |
| There is widespread understanding of what records are and how they should be retained--PAPER | 20.6% | 43.2% | 21.7% | 14.6% |
| There is widespread understanding of what records are and how they should be retained--ELECTRONIC | 7.3% | 27.1% | 28.5% | 37.1% |
| In the event of a lawsuit, we have clear policies in place--PAPER information | 26.0% | 39.2% | 20.2% | 14.7% |
| In the event of a lawsuit, we have clear policies in place--ELECTRONIC information | 11.5% | 27.4% | 27.5% | 33.6% |

Organizations report a fairly high level of confidence in their management of paper-based information. Users were asked, "How would you characterize the overall environment related to managing and retaining the following types of critical PAPER information?" For most forms of important PAPER documentation, 70-80% of end users feel a high level of confidence (or at least some degree of confidence) in their systems and processes. The real compliance gap in most organizations comes when users think about how they handle ELECTRONIC information.
| | Completely under control | Somewhat under control | Good intentions; limited results | Complete chaos |
|---|---|---|---|---|
| Customer documents--application forms | 34.5% | 48.5% | 15.4% | 1.6% |
| Customer documents--records | 35.8% | 46.2% | 16.5% | 1.6% |
| Financial Documents--Invoices | 54.9% | 37.2% | 7.1% | 0.8% |
| Financial Documents--Contracts | 45.4% | 43.1% | 10.1% | 1.4% |
| Financial Documents--Purchase orders | 50.9% | 39.7% | 8.1% | 1.4% |
| Legal and HR documents--HR records and resumes | 43.8% | 42.7% | 12.5% | 1.0% |
| Legal and HR documents--correspondence | 36.1% | 45.8% | 15.5% | 2.6% |
| Operations Documents--Maintenance documentation | 21.1% | 48.4% | 26.3% | 4.2% |
| Operations Documents--Product documentation | 21.7% | 47.5% | 25.4% | 5.4% |

For ELECTRONIC information, the results are far more sobering. A majority (over 50%) of end users report very weak efforts relative to: 1) Information on individual computer hard drives; 2) Information on individual portable devices (phones, PDAs, Blackberrys, etc.); and 3) . Clearly, the decentralization of information is getting more profound and more baffling by the day for those concerned about compliance, with 41.5% describing their handling of information on individual portable devices as "complete chaos." The message here is that the elephant in the middle of the table relative to compliance is electronic information. Until organizations get serious about managing electronic information, they cannot hope to get serious about compliance.

| | Completely under control | Somewhat under control | Good intentions; limited results | Complete chaos |
|---|---|---|---|---|
| Information on individual computer hard drives | 5.5% | 30.2% | 39.1% | 25.2% |
| Information on individual portable devices (phones, PDAs, Blackberrys, etc.) | 2.7% | 21.9% | 33.9% | 41.5% |
| Information on networked drives | 18.3% | 41.7% | 27.8% | 12.1% |
| | 10.9% | 32.5% | 31.7% | 24.9% |
| Forms | 14.5% | 42.2% | 34.0% | 9.3% |
| Images and logos | 17.3% | 47.7% | 26.6% | 8.5% |
| Information posted on organization web sites | 27.6% | 43.9% | 22.6% | 5.8% |
| Organizational information accessed from home computers | 21.4% | 40.0% | 25.8% | 12.9% |

Lastly, there is a great deal of confusion in organizations relative to what constitutes an electronic RECORD and what is simply useful business information. For example, 77.2% strongly or somewhat disagree with the statement, "People in my organization generally understand the difference between electronic RECORDS and electronic INFORMATION." There appears to be a bit more confusion among US than UK users, with 73.4% of UK users disagreeing in some form with the statement vs. 81.3% of US users.
Selected Comments from Survey Participants

Compliance is here to stay, and there are business and competitive benefits in meeting the requirements now, as the amount of work and complexity will increase radically as time goes on. Our organization understands and embraces that concept. Accountabilities are identified and roles are assigned to deal with compliance/regulations. However, Information Management is haphazard, (e.g. locating/retrieving information is difficult, time consuming and costly). Most of control is from IT. No centrally coordinated policies. Widely varying understanding of compliance across the organization. No overall senior management sponsorship. Compliance is recognized as necessary, but there is little real investment in people to enforce it. Generally it is a case of try and hope no one really delves into it too deep. In a healthcare environment which is looking to cut services to meet a budget deficit, it is difficult for this subject to be seen as having any sort of priority. We are in the process of implementing a Records Management System and employing a Records Manager so we should soon get better at information and records management. As a small company, there is a feeling that compliance does not apply to us as much as larger organizations which makes it harder to get everyone motivated. Should be better but authorization for investment difficult to obtain due to obstructive internal processes. We have recognized that we need to do something and are formulating an Information Management Strategy and Corporate Records Management Program based on ISO There are efforts made to comply but it does seem rather confused. Inconsistent across departments, inconsistent knowledge of compliance, lack of training. Currently patchy across the office but there are new initiatives underway to completely overhaul information management practices and improve compliance. Only starting to evaluate the scope of the problem. 
Good intentions but very little progress. Compliance information management is recognized as a need but has no priority. It's in a mess; a central group exists to address issues but has produced very limited results as yet. No clear central strategy or drivers. We are only at the beginning of defining our compliance and records management strategies. Compliance is not seen as an issue by senior management. Electronic information is not managed well, with a resulting lack of trust in such sources. We have a Board of ostriches. Ongoing battle but we are keeping up with most major issues. Information management is still not a high priority in this organization with senior management. Little time, effort, or attention is spent on records management by senior management. Upper management committed to improving compliance and information management by hiring a document and records management staff. Our IT staff has yet to realize the importance of compliance and network security. After 2 years, we are finally getting it all under control. Compliance in general has a high level of visibility and resources at our company. RIM is considered a compliance/risk area but until just the past year, it has not garnered much support other than lip service. When the bi-annual risk assessment was conducted recently, RIM as a compliance risk was placed in the critical area on the risk profile with the statement that residual risk trend remained constant but needed to be monitored closely due to increasing need for enhanced management direction and oversight. However, we have yet to see any money for implementation of programs. Records, and their maintenance, are an important aspect of compliance. Good system controls around retaining the correct records lower legal risk and may reduce cost, but proportionality must be a guiding rule.
We are in the early stages of looking at records management systems and reviewing ways of implementing such a system. Paper records are here to stay. Any form of electronic repository must be through this media be it , fax or native documents. PDF/A has been a major saving grace for organizations such as ours who want to secure paper records into electronic content. There is gradual acceptance that more must be done to improve the way we handle our information and the advantages of doing this properly are starting to be greatly appreciated, although this requires a major change in business practices, the will for change is growing! Depending on the group within the company, there are varying degrees of maturity in terms of compliance activities. None of the current solutions would be viable across our enterprise. We are actively investigating improvements and potential solutions. We need to mirror our paper records policies to our current electronic policies. While doing so, employees need to be informed and understand this process. We have a long way to go. The first step is making sure that the IT group understands the need for driving this. We have started the journey - a long way to go. We need more than written policies; we need implementation. I love this survey; it really got me thinking about other things we need to be concerned about and probably need to address in policy and procedures. Paper records management has been able to identify key document types to retain but we have failed to do that with electronic records and . We are still in the implementation stage and meetings are conducted on a monthly basis. So we have lots more to accomplish. In New Zealand compliance is less about legal risk management than compliance with government regulations as we are not as litigious as Americans. Information Management is not a big issue in my organization but I found it to be a 'future disaster' in the near future with the current practice. 
We are in the early stages of implementing an enterprise records retention policy that is very wide in scope for all records (paper, electronic, voice, and data). So large of a scope will take many years to implement. We have a cross functional team (IT, Legal, Records Management) working on data management procedures for all electronic records with the goal of implementing ILM in the near future. We are in the process of implementing a formal electronic records retention program. Records management software has been selected and a contract is in negotiation. Policies are being developed and should be ready for implementation soon. We are starting an ECM initiative that is using compliance as part of its main drivers. We are in the beginning stages of forming a committee consisting of Legal, IT & Records Management to develop a policy that talks about information in all formats. Compliance and information management cannot be effective without a complete and thorough understanding of top-down/bottom-up policies which are backed by well-planned technology solutions. We do not understand records management and getting to where we understand this is our greatest challenge at this point in time. The dollars we are spending to implement ECM solutions cannot compensate for this fundamental deficiency. We don't even understand that we do not understand records management, and I have had a very difficult time getting even that concept across. Our response to compliance is generally point-specific and based on specifically identified legal requirements. Our approach tends to be based on software solutions, rather than policies, training, or communication. We are currently evaluating advanced technology to provide a comprehensive, enterprise-wide compliance infrastructure to replace point solutions and manual processes.
Such a solution is perceived (from the CEO down) to be of paramount importance for the future competitiveness of the corporation: reputation risk is the number one driver.
SURVEY SPONSORS

Total Document Management for Your Business. As your needs for document management change, your provider should change with you. Xerox Global Services (NYSE: XRX) offers end-to-end, integrated document management from services to help you engineer more effective communications to managing all your office and large volume print operations to digitizing document-driven business processes. No other company has more comprehensive experience delivering total document management for results you can see and measure. Find out more at
