Reducing Risk Through Records Management

Gregg Bieri


December 12, 2012

In most companies, records management is taken for granted or viewed simply as a matter of convenience and organization. But records management programs can also protect an organization from significant risks such as compliance issues, disaster recovery, public relations crises, confidentiality breaches and security threats. A well-executed records management program helps mitigate these risks in much the same way that legal counsel or an insurance policy does—by acting as a safeguard against unexpected future events.

Take, for example, a large food manufacturer that did not have a records management program in place. Somewhere buried deep in boxes of unorganized records was a decades-old, long-forgotten insurance policy that protected the company against legal action requiring it to clean up a site in which toxic materials were found.

Knowing that the company was potentially at risk for such litigation, a concerned records manager pushed the company to audit, organize and manage its records and put in place an advanced records management program. Shortly after implementing the program, the company was hit with a multi-million-dollar class action lawsuit. Within days, the company was able to produce the insurance policy, which paid for nearly the entire settlement amount at virtually no cost to the company.

It is no longer simply an industry best practice to retain vital records as part of a business plan, however. There is now legislation that imposes severe penalties for not producing valid information when requested. This could then lead to liability issues if damages are suffered by the corporation or any third party that relied on the documents. This failure to maintain procedures can cause financial pain and reputation damage. For example, under certain legislation, such as the Sarbanes-Oxley Act, regulators can levy large monetary fines on any company that alters, destroys, falsifies or covers up entries in records.

Companies should educate employees about their organization’s records retention strategy. If an employee unknowingly fails to retain an important document, that employee will not be held liable. Rather, it is management who will be held responsible and, if the mistake is egregious enough, prosecuted.

Unfortunately, compliance with all of the laws and regulations pertaining to records management is not always simple. Although most of the compliance risk comes from documents that have been destroyed prematurely, there is equal risk in keeping documents for too long. Files can and should be destroyed after a certain number of years, depending on the type of information. If a file is retained beyond a certain date when it legally could have been destroyed, it can still be used against an organization in legal proceedings.

Further complicating compliance efforts is the increasing digitization of information. A variety of federal, state and local regulations dictate whether documents are stored physically or electronically and when and how to archive emails, text messages and tweets. Navigating these intricacies can be just as difficult as understanding a lengthy legal document or insurance policy.

To this end, organizations should consider retaining qualified records management professionals to help ensure compliance. Although the investment may be significant, it will help mitigate the even more substantial legal and financial risks that could arise from criminal allegations.

Another important records management concern is data security. There has been much discussion around the vulnerability of cloud-based and virtual storage options, but physical data protection should not be overlooked. Paper-based documents can be lifted off of a desk, lost on a train or burned in a fire—with no option for recovery.

For the most effective data security, a records management program should also include the ability to digitize all important invoices, incoming mail, contracts and other records into a searchable archive as soon as they are received. Combined with a well-protected IT system, this can ensure that the data is safeguarded and will be available whenever it is needed.