Auditor or Lawyer? Which is the Bigger Fear?

By Dan Elam posted 07-01-2010 10:24



Records managers can be a belligerent lot.  As organizations increase their emphasis on records management, industry professionals not only have developed more confidence to speak out, but do so with stronger statements.  That is good, but sometimes there is a balancing act involved for the big picture.  Records management is very important, but sometimes it isn’t most important.

Recently I was in a meeting with the CIO of one of the world’s largest financial institutions.  It was a standard review of the new records management policies that had been jointly developed by the customer and consultants working on the project.  It included all of the usual updated retention schedules and duties of the records manager, but also addressed new issues like email, social networks, and ECRM.  It was pretty typical of what a leading organization would want to implement in an era of intense legal fears and diverse information sources.  Suddenly the CIO turned to me and said, “We can’t do this.”

Now when a CIO says “can’t” that is usually not-so-subtle language for “we can’t do this without getting more money”.  Records management – and ECRM – projects have always struggled for funding, but this business-savvy CIO had a good understanding of records management issues and risks.  He explained that his concern was that the new policies would cause more problems with the regulators because it would take time to get in full compliance.  A member of the records management team spoke up and pointed out that these policies were needed to reduce legal risk issues and generally to meet best practices.  The CIO balanced the arguments and summed it up neatly:  “Lawsuits are occasional; audits are yearly.”

The basic idea is that regulators and auditors are actually the bigger risk to most organizations.  Indeed, regulators have become increasingly aggressive in certain situations.  The Financial Industry Regulatory Authority (FINRA) announced last week that it was fining several companies a combined $4.3 million in connection with improper communications and records management violations, in addition to other sanctions.  FINRA said these were “for failures with related supervision, document production and record retention violations.”  In 2009, FINRA fined MetLife Securities $1.2M for failures related to email record keeping.  They found that MetLife not only was unable to follow the procedures, but that the internal audits were flawed in that they didn’t properly check the level of supervisory control.

Being able to defend the regulatory and audit requirements is likely to evolve to be the basis for most organizations’ records and legal strategy for managing information.  With the current political climate, regulatory demands will increase and lawsuits will inevitably stem from failures to fully comply with those regulatory requirements or best practices.  Records management will continue to evolve because what meets today’s requirements will be inadequate tomorrow.  Organizations are quickly learning that RM and ECRM programs are not one-time efforts.


So what is it in your organization?  Who do you fear more:  the auditor or the lawyer?
