You’re working electronically; yet somehow you’re still accumulating paper. You’re keeping the paper, “just in case”. Just in case there’s a computer virus, or an audit, or a business need for the records.
Far from being a safeguard, uncontrolled duplication of records is expensive and risky.
Benefits of Electronic RecordsDigitized or electronic documents require less physical storage, they’re easily searchable, and backup for business continuity can be automated. Although many organizations scan paper records as they arrive, most haven’t implemented a disposition policy to destroy the paper. Today, most documents begin life in electronic format, yet many people continue to print hard copies and add them to paper files.
It’s estimated that the volume of information generated by businesses is growing by 60 per cent each year. At that rate, it’s no longer feasible to keep every document forever, and it’s important to minimize duplication and adhere to legal retention requirements.
Multiple copies lead to unnecessary costs and risks associated with:
• Storage – multiple copies fill premium office space, off-site warehouses, removable media, and network hard drives.
• Mismanagement – multiple copies are more difficult to control, file and retrieve. They increase the likelihood of security breaches or inappropriate disposal. This can result in fines and other sanctions for non-compliance with regulatory requirements; and in the loss of competitive advantage if intellectual property or commercially valuable business intelligence is compromised.
• Litigation – multiple copies mean more places to search during the discovery phase (increasing time and costs). It may also raise questions about the evidential weight of records.
• Business Continuity – multiple copies make it more difficult to identify the subset of ‘vital records’ which must be protected at all costs. This can result in a higher risk of accidental loss, deletion or inaccessibility. Liability insurers are increasingly considering retention policies and discovery-preparedness in their underwriting decisions. Poorly managed records can affect the cost or availability of insurance coverage.
Why then are companies investing time and money to maintain parallel filing systems?
Some companies aren’t sure whether electronic records are legally admissible; or whether paper records carry greater evidential weight. Others are doubtful of the quality and reliability of scanned documents. Many are uncertain about the required retention periods for paper records, email and digital documents.
A records management program can clarify these questions and alleviate concerns – allowing an organization to maximize the value of its business information and minimize the associated cost and risks.
The Solution – a Records Management ProgramGaining control over corporate information can seem daunting. Yet it’s absolutely essential for regulatory compliance. A records management program is a key component to reduce the complexity and cost of any GRC (governance, risk management and compliance) initiative.
Reducing the volume of paper records that must be stored and managed is the first step to moving fully into an electronic working environment. If you don’t take the plunge today, it’ll be twice as challenging next year.
A records management program should include:
• An information management policy which sets out the overarching framework of rules and responsibilities for controlling corporate information. It demonstrates to a court of law that information management is part of normal business operations.
• A classification scheme that identifies the different types of records created or received by the organization. It groups similar records together into categories that are easier to find, use and manage. The classification scheme can be used to indicate which categories of records are suitable for scanning (and which are not), based on the regulatory requirements that apply to particular types of documents.
• A retention policy that’s developed through an analysis of the company’s specific legal obligations, business needs for information to support daily operations, and the interests of any additional stakeholders.
• The secure disposal of records should be carried out on a regular schedule, in accordance with an approved procedure. Local and international case law indicates that courts will approve routine destruction of records in accordance with established procedures. Developing a security policy helps to protect the integrity of corporate information and reduce the risk of a challenge to its authenticity.
Legal AdmissibilityLegal recognition and requirements for electronic records are contained in the Electronic Transactions Law and the Evidence Law. Your records management program should provide a framework of policies and procedures to maximize the evidential weight of scanned images, and reduce the risks associated with destruction of paper files.
Where records are required for legal or regulatory purposes, an electronic record is acceptable if it is maintained in an accessible, perceivable form. It must also be accompanied by contextual information (metadata) which substantiates the provenance of the record – confirming the time, place and the person(s) responsible for creating or receiving the record.
Companies should also examine their specific legal or statutory provisions to identify any requirements to keep records in their “original form”. Such requirements can be met by a record that was first generated as an electronic record. If a document was originally a paper record, some industries require that the paper record is safeguarded and retained for a certain number of years.
Organizations should seek legal advice with regard to the types of documents most likely to be disputed in court, and assess the risks associated with maintaining or destroying the original paper records that have been scanned.
Questions about the quality and reliability of scanned images can be addressed by implementing procedures and technical standards for the conversion process, for quality control and IT system administration. It’s necessary to demonstrate that the image is an accurate representation of the source document via:
a) clearly defining the conversion procedure, which explains any changes applied to the image (e.g. conversion from color to black-and-white, de-skewing, cropping, etc.),
b) capturing and managing the image in a system that can control and track its use and prevent any subsequent modification (establishing an audit trail), and
c) maintaining and operating the system properly.
An audit trail of activity for records, users and systems administrators is important for proving authenticity and demonstrating the record’s ongoing integrity.
As a critical corporate asset, information should also be addressed in plans for business continuity and disaster recovery. The classification scheme can be used to identify categories of records that are vital for ongoing operations. Appropriate strategies can then be devised to ensure the backup and long-term accessibility of those records.
ConclusionsElectronic records offer many benefits for business efficiency. However, they may also expose companies to significant risks, if they’re not pro-actively managed.
A robust records management program combined with an electronic document and records management application, with defined policies and implemented procedures, reduces the costs and risks associated with managing corporate information. It can be used to determine whether paper records are suitable for scanning into digital formats, and to enable the disposal of original hard copies – generating a range of potential savings for the organization, and mitigating the risks associated with retaining multiple, uncontrolled copies.
Bob Leonard, our guest blogger, is the managing director of
acSellerant specializing in online, inbound, content and social media marketing for SMB IT providers.
When it comes to in-house security, there are endless measures to take in order to prepare for a disaster or a computer environment threat:
- Are sensitive areas such as server rooms or records storage rooms restricted and secure? What prevents un-authorized access? Is it a key that can be easily copied? A code that is easily shared? Where are your backup tapes stored?
- Do you have a security policy in place that requires employees to keep their desk clear so business critical information is secure when the employee is away from their desk?
- How do you regulate what files employees can take out of the office? Are they saving copies of confidential documents on their desktop or laptop? What happens if they lose a file or their laptop? What happens if that information is stolen? What costs and penalties do you incur?
- If an employee is dismissed and goes into the company system and deletes files how will your business be affected?
Preventative security measures are often time-consuming to maintain and extremely difficult to monitor.
With an online document management system, these threats are no longer issues. In order to access the application, a user must log in with a username and password. Through a multi-level security model, administrators can regulate which employees have access to certain documents. If an employee is away from his or her desk for a designated period of time, the system will automatically log the user out to prevent unauthorized access to the system.
Preventing users from having the ability to delete company files eliminates the worry of rogue employees that may attempt to take this type of action against the company. Traditional software and operating systems inadvertently train the employees to make multiple copies of document files and to save the documents to their desktop or network folder. How many copies of varied versions are out there on your network and on their desktops? Remove their need to copy and save. What if the laptop is stolen? All the information has been copied and available for anyone’s eyes to see. This can be a major risk for the company.
If the information is available and accessible through a secure, online portal from anywhere, anytime, the staff will stop copying files. The application will check-out the document when they are editing, leaving the most recent for others to view and collaborate on but preventing them from editing at the same time. It will manage and retain all versions in one secure location and then the document can be checked back in.
Information back-up is always a concern. The ideal online document management system stores the data within an off-site Tier IV data facility with multiple levels of security, redundant power, and redundant networks, which means by subscribing to this type of system, you have an automatic disaster recovery plan. In the case of a fire, flood or other natural disaster, your information is safe. Another worry that can be removed is your infrastructure security. The application is not accessible from the back end so there is no need to worry that files are being altered. This provides an extra level of security that is difficult to accomplish with on-premise solutions.