My name is Cheryl Ahrens Young and in my 40 years in the industry, I’ve earned certifications in information governance – CDIA+, APMD, CIP, CTT+, ERMM, ECMP, IGP as well as project management – CPM, CSM, CSPO. I have spoken at ARMA, AIIM, ALA, LegalTech, and DRCA. Across the years of my records and information management consulting, particularly in the aftermath of Sarbanes-Oxley, Graham-Leach-Bliley, GDPR, and CCPA, I’ve found many perspectives to managing records and information while assisting hundreds of companies across industries and government agencies:
“if we don’t have a policy, we can’t be non-compliant”
“we send our boxes/tapes to (commercial record center name here) and they manage our records”
“employees shall use common sense in managing records”
“emails/texts/chats aren’t records”
Fines ranging from $50,000 to $1.5 million, (and in one case, not just fines, but three external auditors assigned to work onsite with a facility cost alone of $144,000 to provide offices and equipment for the year) has taught companies with these perspectives they were opening themselves to fines, litigation, and external audits.
The business requirement to have a robust records and information management program in place isn’t going away and ignorance isn’t an excuse. In March of 2023, the Department of Justice released a guidance document which is focused on an organization’s policies and procedures and what authorities performing an audit or investigation will want to see. to havThis guidance covers all agencies and departments in the federal government who perform audits and investigations, not just the DOJ.
Be prepared: the world is changing, and the timing of the guidance document is interesting. In the aftermath of FTX’s crash, the executive brought in to try to right the course of the company when it was apparent there was trouble, testified there were no policies and procedures in place when he got there. Not even “common sense”!
Are you ready for a changing world? At the start of the COVID pandemic, the legal community expressed concerns about remote workers’ chats, transcripts and recordings being preserved for the record, and the multiple copies out there, unmanaged but which would be considered responsive and discoverable. Google was recently sanctioned for spoliation due to remote workers’ communications.
Are you sure that:
- Your records and information management policies and procedures are current? Do they spell out that content is managed? Do they contain the phrase “format neutral”?
- Your retention schedule is current, and it notes which records are considered vital and which have historic value?
- Your procedures detail how to be compliant with the Policy
- AND, why it’s important to be compliant?
- Your employees can find your Policies and Procedures?
- You can prove they’re actually referencing them?
- A detail specifically spelled out by the DOJ: Are your Policies and Procedures searchable?
- You have automated the processes outlined in the Procedures to improve compliance?
- You can track each step of the process to prove you’ve followed the procedure?
- You have assigned a C-Level position to oversee RIM compliance?
The technology exists to enable you to “Say It, Do It, Prove It”. You may already own it but perhaps you haven’t enabled all those features to make the most of your technology investment. Call on WIS for a RIM Health Check for a Trusted System-based assessment of your current state and to see where you may have a compliance exposure. We can help. Be ready for this changing world!