Blogs

**Views expressed in this blog are my personal views and not those of my employer. Any reference to any living person or organisation, past or present, is entirely co-incidental**

When they realised technology alone was never going to be the answer it was too late….

So, the enforcement regulator has just arrived in your offices with a warrant and will not leave until they have the information they are looking for…  

Your immediate thoughts may be to summon the Head of IT. However, it is unlikely they will be able to locate all of the Records required. It is common for Records to be retained on different media and in a number of locations such as:-

•    email
•    shared drives
•    systems databases
•    external vendor systems storage
•    microfilm
•    Microfiche
•    hard copy kept on the premises
•    hard copy stored with a professional vendor offsite

The result of failing to identify/provide the Records when required is likely to be:-

•    reputational risk – the risk of damage to your organisation as a result of negative publicity
•    a fine
•    imprisonment
•    a fine and imprisonment

From the above, we can see it is of paramount importance to have a defined (and implemented) Records Management Policy and framework. The requirements of such a Policy and framework will be driven by the laws of the jurisdictions you trade in. The requirements will also be impacted by Regulators body such as:-

•    Financial Services Authority (United Kingdom) – FSA
•    Securities and Exchange Commission (US) – SEC
•    Civil Aviation Authority (UK) – CAA
•    Food and Drug Administration (US) – FDA

Regulatory bodies often have the authority to impose significant fines.

We can see from the above that there is a need for someone to have an organisation wide remit to develop and implement Policy (in collaboration with Legal, Compliance and Tax). This should be a short high-level document supported with advice in terms of Retention Requirements (Retention Periods and, where necessary, specific media types). This programme must have high level sponsorship to succeed.

Some form of inventory should be built across the organisation to ensure there is an understanding of where all the Firm’s Records are retained. This will include, in most cases, a number of legacy systems and records. An important part of this task is to talk to as wide an audience as you can. Pockets of information can be found throughout the organisation.

Once such an inventory has been completed you can start work on determining the most appropriate infrastructure to maintain (and make available) these Records. ECM technologies are great, but proceed cautiously ensuring a detailed cost benefit determination is taken at each step. Bear in mind it is likely that, for some Records, an investment in technology may not be appropriate.