And the issues themselves have shifted. A decade ago corporations tended not to keep many hard copies of documents because these paper documents took up costly physical space. Now, with 93 per cent of all business documents created electronically and only 30 per cent ever printed to paper, companies save nearly every electronic document and e-mail because it can be stored electronically with relative ease. In response to this techno-reality, corporations are implementing and enforcing document retention policies more than ever before.
This amount of document retention, Lange notes, is landing electronic evidence in the headlines on an almost daily basis, as is evidenced by the "stream of consciousness" e-mails that have been found during the US Securities and Exchange Commission's investigation into Wall Street investment banking practices. For example:
- In one e-mail to US research chief Kevin McCaffrey, star Salomon Smith Barney telecom analyst Jack Grubman admitted: "Most of our banking clients are going to zero and you know I wanted to downgrade them months ago but got a huge pushback from banking. I wonder what use bankers are if all they can depend on to get business is analysts who recommend their banking clients."
- One e-mail revealed what one Merrill Lynch financial analyst thought about impartiality: " . . . the whole idea that we are independent from banking is a big lie."
- Another analyst reportedly wrote that a company being touted to the public as an investment vehicle was, in actuality, "a piece of junk".
So, both keeping documents that should never have been created and deleting documents that should have been kept, can get companies into hot water. Such embarrassing revelations highlight the need for companies to strike a balance between document retention and usefulness of information, Lange says.
"We all know how to manage paper documents: we look in the file and we either shred it or keep it," she says. "With electronic evidence, however, it is much different. Some of the biggest concerns are: Where are electronic documents? How are they being stored? Where are the digital footprints that we don't know about, and where are those stored? So CIOs and other technical people are being faced with a bunch of new problems along those lines."
Taking Nothing for Granted
Experts warn even companies that have achieved a degree of complacency about their electronic records management strategy (because they rigorously back up their data and actively preserve everything possible lest the original files get damaged) are probably fooling themselves. Effective electronic record management, they insist, means taking into account not only the content of those files but for how long they should be saved.
"There's two sides of the issue," says Tom Patterson, head of the security services group for Deloitte Touche Tohmatsu's Middle East and Africa divisions. "There's the data that they keep and the data that they destroy, and on both sides there needs to be a comprehensive policy that looks at not necessarily just the security issues but also at the business requirements, and that in turn means regulatory compliance."
Patterson says a common mistake of companies around the world has been to allow business owners to decide whether to retain or destroy documents. Instead it should be up to the CIO to oversee an efficient, centralised process for document management, preferably via an all-encompassing policy that is rolled out company-wide. The CIO should assign policy, and allocate roles for employees and their management. Under such a scheme a secretary might have authority to create documents, but not be empowered to delete them.
"That whole concept of assigning the employees to certain roles and managing a large organisation that way, will really help enforce whatever policy the company wants to put in place," Patterson says.
Patterson says technology has reached the point where if the CIO really thinks through this issue, and is clearly given direction by their board and executive leadership, they can easily put a centralised plan in place that makes this a very manageable job. Some CIOs are even finding themselves saving money in the process though shutting down ineffective repetitive systems scattered though the organisation and replacing them with a common system that lowers the risk and operates more efficiently.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.