Best Practices in Records Management and Regulatory Compliancewestminster-mo.edu/academics/assessment/Documents/BestPracticei… · Best Practices in Records Management and Regulatory

Best Practices in Records Managementand Regulatory Compliance

KMWorldSupplement to September 2005

Premium Sponsors

Andy Moore . . . . . . . . . . . . . . . . 2 The Chilling Effect: How RM is Changing the Way We WorkNot that long ago, the only “records management” I knew anything about was alphabetizing myMonkees LPs. And I am not alone. Records management (RM), once the domain of a specialized,trained population of information experts, has intruded into the mainstream with unexpected and disruptive consequences . . . .

Michele Kersey, Hummingbird. . . . . . . 4 Content Volume and Records Management: More and LessThe volume of information entering, traveling within and leaving organizations has many IT, RM,legal counsel and compliance professionals seeking and debating best practices . . . .

Mark L. Moerdler, MDY . . . . . . . . . . 6 Managing Documents of Record in Information-driven BusinessesThe recent and increasing drive of regulatory agencies and government legislation to mandate corporatecompliance has generated substantial requirements for organizations to manage their records. . . .

Dean Berg, Stellent. . . . . . . . . . . . 8 Leveraging Compliance to Drive Company-wide Business EfficienciesFrom the Sarbanes-Oxley and USA PATRIOT Acts to EPA regulations, government is increasinglylegislating how companies run their businesses . . . .

Johannes C. Scholtes, ZyLAB. . . . . . 10 From Records Management to Knowledge ManagementNew compliance drivers have prodded many firms into committing extensive resources to align theirbusiness processes with recommended transparency measures . . . .

Jan Rosi, TOWER Software . . . . . . . 12 Retention, Records Management and Legal ComplianceQuality records management that includes document retention policies is essential in ensuring legalcompliance and business efficiency. Compliance to those policies is vital . . . .

Jens Rabe, Open Text . . . . . . . . . . 14 The ABCs of Records ManagementMaintaining impeccable records throughout their lifecycles can be a difficult task, especially inglobally dispersed organizations that require files to be stored for decades . . . .

Rich Buchheim, Oracle . . . . . . . . . 16 Content Management for the Rest of UsIn the past few years, major changes have been taking place in the content management marketplace.Organizations are increasingly requesting true enterprise deployments . . . .

Mark Gilbert et al., Vignette Corp. . . 18 From Compliance Chaos to Universal Governance ManagementIn the 1990s, the standards set out by the federal Clean Air Act were widely bemoaned by the autoindustry; compliancy was sure to raise the retail cost of vehicles . . . .

Peter Mojica, AXS-One . . . . . . . . . 20 Records Management & Regulatory Compliance: Finally on the Front BurnerAt first glance, it’s difficult to see how much has changed in records management and regulatorycompliance during the past couple of years . . . .

Colman Murphy, Xerox DocuShare . . . 22 Get Going with Electronic Records Management: Six steps to successMany regulations and guidelines are driving compliance initiatives in the enterprise. Seniormanagement in corporations and institutions has spent a staggering amount . . . .

Sharon Hoffman Avent, Smead . . . . 24 Automation + Best Business Practices = Minimized RiskHow many times have you heard “let the computer do the work?” When it comes to recordsmanagement, this statement can increase risk for your company . . . .

Bassam Zarkout, Mobius. . . . . . . . . . 25 Bringing Records Management to the EnterpriseA recent cartoon features an executive’s office, in which the subordinate is saying, “Good news,chief, a computer virus has destroyed all our documents . . . .

Adam Wilkins,Yaletown Technology . . 26 Remodeling for Compliance: How to Address Content ComplianceIn today’s real estate markets, many homeowners are remodeling their existing properties instead ofmoving. Similarly, many organizations are remodeling their technology . . . .

waters. And records management is onlyone component of compliance. Sarbanesdoes have stringent record managementrequirements, but only for a small subset ofyour records. Records programs in generalare more driven by risk avoidance. Thepeople buying Sarbanes solutions and thepeople buying records programs are twovery different groups,” insists Datskovsky.

“There’s a lot of trepidation because ofthe volume of new regulations...from theSEC, from the states, internationally...” saysHarald Collet, principal product manager,records management and compliance supportfor Oracle. “That’s tangible. People are look-ing for commonalities among all the regula-tions, and there ARE some common require-ments. These affect our customers’ basic ITarchitectures. They were already thinkingabout service-oriented architectures (SOAs),but now they’re looking at ‘compliance archi-tectures’ that extend much further thanrecords management, but include businessprocess management, specific complianceapplications, the ability to provide data secu-rity and encryption...all of these are beinglumped together into a set of compliancerequirements. We are not just talking recordsmanagement; we’re talking about recordsmanagement connected with these other keyareas into a long-term strategy,” says Collet.

Isn’t there a portion of the market that ismaking a cost/benefit evaluation, and hopingto skate under the radar of the investigators?I ask. “There have been two kinds of

customer, and they have reacted differentlyfrom year-one to year-two,” says Stellent’sBerg. “One wants to just ‘get by’ with thebare minimum. But there’s another groupthat knows it has to invest to comply, so it’slooking for ways to get additional businessbenefit from its investment.”

And that concept—gaining businessvalue from an obligatory investment—setoff bells among the panel:

“The process of documenting your busi-ness processes, identifying risks and docu-menting your controls helps you locateredundancies, which you can reduce or elim-inate, and better understand your processesand optimize them,” insists Berg.

“Records management is document man-agement on steroids,” says Mark Gilbert, VPand general manager, compliance solutions forVignette. “Specifically, that is the addition oflifecycle management.” That would be thesteroids, I’m guessing. “When you add elec-tronic documents, e-mails, even video clips,into a records and document managementenvironment, you create—many times for thefirst time in corporations—a single source ofthe truth. The ability to associate data from allthese different environments, add a bulletproofaudit trail in a hierarchical file structure andthen apply a lifecycle to it, is very valuable.”

Gilbert continues: “What does it take toget a comprehensive view of a prospect or acustomer? How many systems do you have totouch? Our largest customers have to touch30-50 different systems in order to get a com-prehensive view. But if your RM is an inte-grated repository for key information, you canreduce the number of systems you need toreach out to. That efficiency—avoiding thelabor costs of managing multiple touch-points—is one of the hidden benefits of RM.”

Basement to the Boardroom“Records management has gone from

the basement to the boardroom,” says Dr.Johannes C. Scholtes, president and CEO ofZyLAB North America LLC. “I used to talk

Supplement to

The Chilling EffectHow Records Management is Changing the Way We Work

Not that long ago, the only “records management” I knew anything about wasalphabetizing my Monkees LPs. And I amnot alone. Records management (RM), oncethe domain of a specialized, trained popu-lation of information experts, has intrudedinto the mainstream with unexpected anddisruptive consequences.

But—good news ahead—the panel ofexperts I recently convened believes thereis more value to be derived from recordsmanagement than you’d think. Join me fora more-or-less transcript of our talk:

“Before Sarbanes-Oxley, confidencewas shaken...quite shaken,” says Dr.Galina Datskovsky founder and CEO ofMDY. “Congress felt it had to push legis-lation through quickly, because without it,it could undermine the US economy. Andthey did it! I think it has had a great effecton restoring confidence.”

“In year-one of Sarbanes (was it onlylast year?) businesses didn’t want tochance that the legislation didn’t haveteeth. So they went a little overboard, andnow they’re trying to cut back, and figureout how to reduce the number of controls,eliminate redundant controls...the pendu-lum is starting to swing back,” adds DeanBerg, director of business development forStellent. “I’ve seen both extremes,” saysDatskovsky. “Those who don’t go all-out,or perhaps doing the minimum, as well asthose who are reacting very strongly.That’s because Sarbanes is uncharted

September 2005S2 KMWorld

By Andy Moore, Editorial Director, KMWorld Specialty Publishing Group

The CastDean Bergdirector of business development, Stellent

Michael Cliffgeneral manager of sales and marketing, TOWER Software

Harald Colletprincipal product manager, records management and compliance support, Oracle

Dr. Galina Datskovskyfounder and CEO, MDY

Mark GilbertVP and general manager, compliance solutions, Vignette

Peter MojicaVP product strategy and management, AXS-One

Andrew Perychief marketing officer and senior VP, Hummingbird

Jens Rabedirector of compliance solutions, Open Text

Dr. Johannes C. Scholtespresident and CEO, ZyLAB North America

September 2005 S3

to facilities managers. Now I talk to CFOs,compliance officers, CEOs and legal coun-sel. They make decisions much faster andthere’s more money available. At first theysee it (RM) as a burden, but once it’s up andrunning, they suddenly understand the long-term benefits,” says Scholtes.

Andrew Pery, chief marketing officerand senior VP for Hummingbird, agrees:“Everyone is now cognizant of the impor-tance of managing electronic records. Asorganizations have implemented RM to becompliant and manage risk, they also rec-ognize the inherent value in managingenterprise content. Even though recordsmanagement is the primary motivation, thereal benefit comes from efficiencyimprovement and responding more effec-tively to customers. It is quite costly to putin a records solution, so they are leveragingtheir initial investment,” says Pery. “Thisrealization has led to a consolidation in themarketplace,” he says. “Records manage-ment is no longer viewed as a stovepipeapplication. It’s really in the context of amuch broader set of requirements. That’swhy vendors offer records management aspart of a suite, with a shared repository, acommon framework for managing contentand records and the ability to publish thatcontent out. Only partly has this consolida-tion been driven by regulatory compliance;a much broader market driver has been effi-ciency and managing content as a criticalcorporate asset.”

Mark Gilbert agrees: “If you think youcan leave multiple systems in place, withsometimes redundant and contradictorydata in them, there’s a risk—and a costassociated with that risk. If you make achange in one system, and it’s not mirroredover into other applications, there’s a riskin that lack of integrity.”

“Records management has gone from adepartmental need, used in the financialand legal departments, to a facility thatneeds to be available to all the content in anorganization,” explains Oracle’s HaraldCollet. “That change needs to be reflectedin how we vendors price our solutions.That’s very important: In order to supportbroadbase deployment of RM, a few thingsneed to happen. First of all, the averageECM project for 100 users costs $500,000.If you’re thinking of rolling out to, say,10,000 users, very quickly the majority ofyour IT budget can be tied up in a recordsmanagement deployment.

“The other thing that needs to happen,”continues Collet, “is the ability to push itinto the infrastructure. Don’t look at it as astovepipe application. Look at it as a datamanagement problem and as a facilitythat’s available as a service.”

Michael Cliff, general manager of salesand marketing for TOWER Software,identifies a humanistic aspect: “Records

management is now more of a philosophy,as opposed to a functionality or product.There’s a whole change-management hap-pening within organizations regarding thepractices and procedures they’re putting inplace to manage their information...what-ever that information might be. In somecases, it’s becoming as important as an HRor financial system. You could stop payingstaff for about a month, and they wouldprobably accept that until they couldn’t pay

their bills. But take away the informationthey need to do their jobs, and you’re luckyif they last 24 hours before the businessstarts to be critically affected.”

The “people theme” gets picked up byJens Rabe, director of compliance solutionsat Open Text. “Our customers are over-whelmed, and quite desperately looking forguidance. The highly regulated businesseshave it pretty much under control; it’s thegeneral regulations that have emerged thatare not understood. What really scares peo-ple are the unspecific regulations regarding‘communications’ that—at the time of gener-ation—make it very hard to tell where thosecommunications need to be put. The docu-ments generated by general businessprocesses used day-by-day are making peo-ple nervous. I think it will be quite some timebefore companies are compliant with thisdocumentation, because it demands so muchinterpretation, and demands so much changein the way people work,” predicts Rabe.

What’s the ROI?“Customers are still in a quandary, still

thinking of this as a ‘spend,’ versus tryingto figure out how to get efficiencies,” saysPeter Mojica, VP product strategy andmanagement for AXS-One. “And it’sunfortunate, because they’re in kind of ahaze, deciding between what they have todo and what they can do from a bigger cor-porate perspective. We tell them there’s amonumental paradigm shift, making thingsdifficult not just for the customers, but forthe vendors as well.

“We are in a ‘storming phase,’” Mojicacontinues. “We’re trying to get from the

storm to the calm, where we can get clarityof decision. But we’re still dealing with thecolliding factors that have led to monumen-tal shifts in records management. Two orthree years ago, people didn’t consider e-mail a corporate record. People are now ask-ing ‘What is it? How do I deal with it?’In acouple of years, we’re going to have storagearea networks (SANs) just handling corpo-rate records which will dwarf the largestSANs we’ve seen for the last 10-15 years.

It’s just a matter of a couple years. It really isa tremendous shift for both the business sideand the IT side,” says Mojica.

“The big driver for records management islitigation...trying to find information that youknow you have somewhere in the form ofdocuments and e-mails and contracts and for-mal as well as informal communication, that’sconnected to the case,” explains Open Text’sJens Rabe. But it’s not all stick and no carrot.“What records management allows you to dois group information around certain classifica-tions, while assigning a lifecycle to it. Twentyyears ago, there were commonly plans inplace to store paper documents for the rightperiod of time, and for when you would bringthem down to the basement and eventuallydestroy them at the proper time. But with theadvent of e-mail, electronic document man-agement and the growth of file systems andthe like, suddenly that culture disappeared.Reintroducing that culture due to regulatorypressure is certainly a good thing.”

“Records management needs to bedefined as a comprehensive solution thatincludes document management capabilitiesas well as lifecycle capabilities—they gohand-in-hand,” says Vignette’s Mark Gilbert.“With this type of approach, the labor sav-ings are huge, especially if you’re automat-ing a specific vertical process. For regulatedenvironments—finance, insurance, bank-ing—the labor savings are derived from thetime it takes to locate a document, share thedocument with only the people who need towork on it, force versioning on the docu-ment. But it’s not just the documents andlifecycles and versions, etc....it’s the ability

KMWorldSupplement to

THE CHILLING EFFECT continues on page 27

“Sarbanes is uncharted waters.

And records management is only one component

of compliance.”

(ECM), with vendor consolidation echo-ing the business demand for seamless inte-gration with and merging of the corebuilding blocks of knowledge commerce.

What’s ensued is an explosion of contentmetadata tracked across these coalesced sys-tems and processes. Frequently, metadatahasn’t been rationalized to bring value tovarying constituencies working in today’senterprise. IT seeks to avoid cost and per-formance issues in storing unnecessary data,while RM seeks data to classify informationfor business, legal and retention purposes.And business users simply want to find theinformation they need quickly, independentof lifecycle concerns.

Despite consolidated repositories, vari-ances in departmental metadata can makecross-enterprise searching difficult, if notimpossible. And monolithic records tax-onomies originally built to find and managephysical records are not effective at managingelectronic records. The consolidation of dis-parate systems and the evolution from physicalto electronic records management is drivingsimplification in records categorization.

Simplification: Big Bucket vs.Little BucketThe amount of metadata tags needed to

find a piece of paper in a file in a drawer ina cabinet on a floor in the records centercould result in a records file plan with thou-

sands of elements. Granted, custodians ofphysical records were and are constrainedby storage limitations that drive detailedcontainer management and tracking. Butdoes this translate to electronic records,where custodial functions have given way torisk management concerns?

Many managers of electronic recordsare finding that retention taxonomies ofany size aren’t used as a search tool to findinformation; they’re used to appropriatelyidentify information lifecycle properties—the rules defining content value and busi-ness, legal, or knowledge management rea-sons for retention.

Finding enterprise information is facilitat-ed instead by tools for indexing, searchingand presenting metadata and content, deliver-ing on-demand access to users on an abun-dance of content channels (via the Web, fromWindows desktops and e-mail applicationsand from mobile devices). As a result, recordstaxonomies are being flattened. Recordsmanagers are strategizing how to bring athousand “buckets” down to a hundred (orfewer), separating what is valued from theoperational, mission-critical perspective fromthe administrative one. Records and informa-tion management professionals are recogniz-ing that little buckets are no longer effective,and even alienate an already overburdeneduser community in the capture, identificationand use of content.

Records Categorization: Less UserInvolvement, More Automation?

So the good news is that users are see-ing relevant record metadata based on theirbusiness function. The bad news is that usersmay not see the point. With the volume

Supplement to

Content Volume andRecords ManagementMore and Less

The volume of information entering, travel-ing within and leaving organizations has manyIT, RM, legal counsel and compliance pro-fessionals seeking and debating best practices.Keep everything forever or purge everythingas soon as possible? Both bring equal risks andcan vex knowledge workers struggling toglean relevance and value out of the contentchaos. Across industry sectors, consensus isbuilding on consolidation, simplification anddefining and adhering to processes surround-ing records and information management.

Consolidation: Repositories,Technologyand Metadata

Legacy networks and content silosdesigned and implemented a decade agowere built to service local users, resulting inlocal servers, local applications, local contentstores and significant requirements for localadministration. Advancements in perform-ance and functionality that cost less are hap-pily met by cost-conscious IT departments,as centralization of systems and contentstores has improved performance for userswhile alleviating administrative burdens.

Complementing system consolidation intoday’s enterprise is technology convergence.Separate platforms and processes for docu-ment management, image processing, recordsmanagement and workflow have coalescedinto enterprise content management


Michele Kersey is asenior productmarketing managerwith HummingbirdLtd. and representsHummingbird’sEnterprise ContentManagement offeringin the areas of e-mailand recordsmanagement,compliance and relatedsolutions.

Kersey has worked in information managementtechnologies for more than 17 years in marketing,technical pre-sales and customer support roles withclients across industry sectors. She is actively involvedwith key industry associations such as ARMAInternational, where she serves as the chair of theTechnology Advisory Committee (TAC), on the 2005Conference Program Committee, and speaks frequentlyat ARMA, AIIM and other industry events.

Michele Kersey

By Michele Kersey, Senior Product Marketing Manager, Hummingbird Ltd.

“What’s ensued is an explosion

of content metadata across systems

and processes.”

September 2005 S5

of data they receive, search through andprocess every day, are users going to beexpected to be trained and held accountableto recognize a “record-worthy” item andassociate its appropriate record bucket?And if so, will the technology make it fastand easy for users to interact with therecords process?

The debate of user-based versus auto-mated records categorization continues in ITand RM circles, but leaders in both fieldsagree that information velocity and innova-tion tip the argument in favor of automation.So much is known about records from meta-data and content alone—and even moremetadata is made available from the busi-ness process flow of content—that at leastsome measure of automation is in wide-spread use today. This may be driven by userinteraction at the core, but not as a discretequestion posed to the user about retention.Rather, retention is determined by the valuesassociated with the content—the businessfunction, the type of document and the con-text—elements already exploited by simpleusage, capture and process.

Improvements in user-independent meth-ods for records capture and categorizationcontinue to be deployed, from rules engines toknowledge management indexing and more.Increases in content volume are being met bythe maturity of categorization technology, andtrust in these methods is growing in the infor-mation management community. The simpli-fication of retention taxonomies combinedwith the increasing automation of record cap-ture results in more consistent application ofrecord policies, optimizing organizational per-formance while minimizing risk. Successeshave been realized and aren't just strategy forthe future: examples of organizations thathave used Hummingbird solutions to simplifytheir records taxonomies while minimizinguser involvement in records identificationinclude the General Accounting Office (GAO)and the Office of the Comptroller of theCurrency (OCC), Department of Treasury.1

Compliance: Process Adherence and ROIContent volume and global compliance

mandates illustrate the critical need foreffective management of information capi-tal, and increasing concerns for accounta-bility and transparency are driving infor-mation management practices. Provisionsrelated to the Freedom of Information Act,privacy acts, financial accounting practices,anti-money laundering legislation and oth-ers expand the context of what types ofinformation need to be tracked, and at whatpoint in time. Organizations need to meetgovernance requirements for making busi-ness content traceable, secure and auditableat the same time as they invest in aligningbusiness processes and content to optimizeperformance and reduce risk exposure.

Content and records stakeholders cham-pion the services available in enterprisecontent management (ECM) solutions tomeet requirements to capture, manage andaccess knowledge assets throughout theirlifecycle, with business-driven rules forrecords retention. At the same time, ITstakeholders laud the benefits of informa-tion lifecycle management (ILM) solutionsto cope with content volume, relying onfacilities for migrating data across storageplatforms with care for preservation andavailability. So ECM or ILM? RM or IT?The answer is both.

Enterprise content begins and ends withdefined business processes. These businessprocesses determine what content is man-aged, and why, when is it captured and forhow long it is retained (mainly, aspects ofECM), combined with processes that deter-mine where content is stored, for how longand when it may move to alternate storagelocations (aspects of ILM).

Business processes also determine howknowledge users interact with and benefitfrom content solutions, including bettersearching, knowledge mining and contentorganization that improve efficiencies andcustomer service. These elements aren’t inconflict—the organization must meet themin tandem to meet today’s content compli-ance demands.

ECM and ILM have discrete benefitswhile missing key elements needed for acomplete content lifecycle solution. ILMcan regiment where content is stored,where it migrates over time and how it isstored (compression, encryption, security).And ILM is engineered to relieve the stor-age burden that e-business volume creates.But ILM is weak in business process inte-gration, in the enforcement of legal holdsduring inquiries, in the administration ofrecords disposition and in enterprise accessacross information and content stores.

The good news? ILM’s weaknesses areECM’s strengths, and the two combine inthe form of content lifecycle management

(CLM) to reduce risks, lower storage costsand improve organizational agility withregular, reliable lifecycle management anddisposition processing of content assets.CLM enables processes for checks and bal-ances to prevent tampering by internal orexternal parties as well as reductions in thecosts of both ad hoc compliance and phys-ical storage assets...all while improvingaccess to information.

One Centralized System, Accessible,with Records for All?

The remaining debate on volume ininformation management circles concernsthe concept of true “enterprise” recordsmanagement. IT and RM solutions tend tofocus on unstructured content, but struc-tured data, legacy system data on main-frame systems and Web content (both staticand transactional) all have governanceapplications. No one system can housethese disparate types of records, but admin-istrators can realize consistent use ofrecords metadata, lifecycle processing andconsolidated searching across these infor-mation stores using ECM technologies.

Managing content volume while adheringto information management compliance is abalancing act that IT and RM professionalswill continue to perform. Success lies in thesetwo functions collaborating to understandbusiness requirements and the possibilitiesand innovations that technology blended withprocess can achieve. ❚

Hummingbird Ltd. is a leading global provider of enterprise contentmanagement (ECM) solutions, enabling organizations to manage thelifecycle of enterprise content from creation to disposition.Hummingbird Enterprise™ solutions enable organizations to addresscritical business needs, such as information management,business continuity, compliance and risk mitigation. Please visitwww.hummingbird.com.

1 Case studies on these agency solutions are detailed in “Lifting the Burden,” an article by Timothy J. Sprehe and Charles R.McClure in ARMA’s July/August 2005 issue of the InformationManagement Journal.


Business Process ECM + ILM = CLM

What content is captured? • • •What metadata is associated? • •What business rules apply? • • •When is content captured? • •When does content expire? • • •When is content a record? • •When does content change locations? • •Where is content stored? • •Why is content captured? • •Why does content expire? • •Why is content a record? • •How is content stored? • •

managed and the complexity of the recordsmanagement requirements.

This white paper will define recordsmanagement best practices; how theserelate to records management softwarerequirements; and how this will aid anorganization in meeting its corporate com-pliance requirements.

What is Records Management Best Practices?

At the heart of implementing anyrecords management system, especiallyone specifically mandated by regulatoryand/or legislative compliance, is recordsmanagement best practices. This assures thatany system, whether manual or electronic,encompasses those policies and proceduresthat assure that records are correctly managed. Unfortunately, some organizations are installing software products without sufficient best practices in place, leading to“check-box” implementations that willleave the organization open to substantiveliability.

In order to understand what policies andprocedures must be created, an organizationmust first define the “WWH” of recordsmanagement (“what, when and how”):WHAT

1. What legal and regulatory require-ments are specifically applicable to theorganization? One must not only look at themajor regulatory agency for the industry inwhich the organization does business, butalso all other federal, state and local agenciesand any international laws and regulationsthat may be applicable. The requirements insome states or countries may be contradicto-ry (e.g. US and UK privacy laws as theyrelate to e-mails are very different), thereforepolicies and procedures will be specific perlocality or department.

2. What documents need to be managedas records for business or organizationalefficiency reasons? It is very important tounderstand that an organization’s documents

of record are generated by virtually everydepartment within the organization andencompass a wide range of formats fromphysical documents (e.g. forms contracts,correspondence, plans, microfilm) to adiverse set of electronic documents (e.g.spreadsheets, graphics, voice mail) and elec-tronic communications (e.g. e-mail, instantmessaging, mobile text messages). Some ofthese may be a record in one departmentwhile constituting a communication or non-record in another (e.g. instant messaging of abroker/dealer is considered a record underNASD 3010 but instant messaging within ITmay not be a record).

3. What defines a document of recordas it specifically relates to the organiza-tion? An explicit definition of what consti-tutes a document of record within theorganization is critical and must be com-municated throughout the organization inorder to assure compliance. This will, infact, aid in any future regulatory review orlitigation. The definition must relate to theinformation garnered in the two previousitems (e.g. as stated earlier instant messag-ing may be a document of record in oneorganization or one department but not inanother).WHEN

1. When can documents of record bedestroyed? Please note that keepingrecords for too long can be as damaging toan organization as destroying the docu-ments before their time. Furthermore, thedocument destruction process must be suf-ficient to assure that “destroyed” documentsare not recovered as part of discovery. Audittrails may also be required to prove that thedocument(s) existed and were destroyedbased on the organization’s retentionschedule and not as a response to potentialregulatory review or litigation, which couldbe damaging.HOW

1. How are documents of record createdand managed? Documents of record arecreated throughout the organization andmust be managed throughout their lifecycle

Supplement to

Managing Documents ofRecord in Information-driven Businesses

The recent and increasing drive of regula-tory agencies and government legislation tomandate corporate compliance has gener-ated substantial requirements for organiza-tions to manage their records. Some of therecords management mandates are directlydefined in regulations (e.g. FDA 21 CFRPart 11, SEC 17(A)) and laws (e.g. Sar-banes-Oxley) while in other cases (e.g.communication with employees as definedin the Equal Employment Opportunity Actof 1972) the only way of meeting the regu-lations and laws is to implement some formof records management.

Records management attempts toassure that an organization manages itsdocuments of record, whether physical orelectronic, in accordance with business,regulatory and/or legal requirements.Specifically, the requirements include:

◆ Documents of record are maintained in amanner such that it can be proved thatthey were not modified;

◆ Documents are destroyed in accordancewith the organization’s retention schedule,which is mandated by a combination oflaws, regulations and business practices;

◆ Documents can be found when requestedby regulatory agencies, the courts or forbusiness reasons; and

◆ Documents can be placed under dispositionhold. As has been seen in numerous casesdocumented on the front page of almost anynewspaper, organizations must have amechanism to assure that if the potential oflitigation or regulatory review exists, alldocuments must be placed under a hold.

Records management is not just a featureset or a technology. Rather, it is a combina-tion of policies and procedures specificallytuned to the requirements of an organization,often best implemented in cooperation withsoftware that is specifically designed to meetrecords management requirements. Thesoftware is often necessitated by the sheervolume of information that must be


Dr. Mark Moerdler,president of MDY, Inc.,has guided organizationsin a wide variety ofindustries to improvebusiness and ITinitiatives, includingrecords management,document management,network and systemmanagement, disasterrecovery and businesscontinuity planning. Dr.

Moerdler speaks on many records management topics,such as e-mail records and physical recordsmanagement.

Dr. Mark Moerdler

By Mark L. Moerdler, Ph.D., MDY, Inc.

September 2005 S7

within the organization. When documentsof record leave the organization as part ofthe business process, records must be cre-ated and maintained to assure compliance.All of this must be charted and defined inorder that the processes correlate to reality.

2. How will the organization easilyfind documents of record in order to meetdiscovery requirements? This is veryimportant considering the cost of regulato-ry or legal discovery. If the organizationneeds to search separately in many differ-ent systems then the costs will increase,and furthermore the potentiality exists thatdocuments will not be found by the organ-ization leading to potential adverse claimsagainst the organization (e.g. Zubalake v.UBS Warburg LLC). In the event that thediscovery process is found to be inconsistentor inaccurate, the additional fines and liabili-ty could increase the costs many times over.

3. How will documents of record beplaced under disposition hold? This is thecorollary to item 2 above, since when thereis the potential for regulatory or legalinvestigation an organization is bound bycompliance requirements to assure that thedocuments under investigation are notmodified or destroyed. Holds must beplaced on all records relating to the subjectmatter under investigation.

Once an organization has researchedthese seven key points, the next step is todevelop the policies and procedures toassure that all of the organization’s docu-ments of record are correctly managedthroughout their lifecycle. The policiesshould be in written form and fully docu-ment the WHAT, WHEN and HOW ofrecords management. A key componentof this will be the organization’s reten-tion schedule which, depending on theindustry, states and countries that theorganization operates within, can be verycomplex.

Procedures can then be created to assurethat the policies and retention schedule areimplemented, maintained and enhancedbased on changes in regulations and laws.Together this becomes the backbone of theorganization’s records initiative. For thisinitiative to be effective, management buy-in is a must, not only at the beginning,but throughout the project and beyond.Employees must understand that this is acritical organizational initiative and that fol-lowing outlined procedures is mandatory.

On-going training is also required inorder to ensure continued compliance. Thisis most evident in United States v. ArthurAndersen where training was a key elementin the jury’s verdict.

Best Practices and SoftwareConcurrently with determining its records

management best practices policies and

procedures, one must consider how these willbest be implemented. Since most organiza-tions have substantial volumes of both elec-tronic and physical documents of record,specialized software is virtually mandated. Itis key that the software selected is powerfuland flexible enough to meet the variedrequirements that will be developed duringthe best practices process. Software mustcontain the following components:

◆ The software must be capable of manag-ing all of the organization’s documents ofrecord. This includes physical files, mixedmedia, electronic documents, images,e-mails and any other form of record.Otherwise the organization will not con-sistently manage all records, leading to alack of compliance and future liability forthe organization. It is important to notethat even though organizations are at-tempting to move to a paperless environ-ment, paper records are going to exist andmay in fact be mandated by regulationsand laws.

◆ A wide range of information needs tobe managed relating not only to thedocuments of record but also other re-lated information pertinent to meetingthe different regulatory requirementsand laws. Therefore the system must behighly flexible and extensible to allowthe easy addition of substantial data andmetadata.

◆ Flexibility is key to a smooth imple-mentation and meeting changing re-quirements. The software product mustmeet the organization’s requirementsrather than having the organization attempt to change its processes and pro-cedures due to limitations in the softwareproduct.

◆ Retention requirements will be complexand will change over time. This necessitatesa time and event based retention rules engine that encompasses the following requirements:

◆ Rules can be tied to any date or event(e.g. employee retirement, contractcompletion, invoice date);

◆ Rules must be easily modifiable andmust scale across large volumes ofrecords as applicable. Since there can be millions or billions of records,scalability is key; and

◆ Rules should be created for all lifecy-cle actions (e.g. archive, review,destruction).

◆ Since organizations create and maintainrecords in multiple applications, or silos,of knowledge, the software product mustbe capable of managing records withinthe different silos. This means that thesystem must be tightly integrated or capable of integrating with the organiza-tion’s e-mail system, existing document

management systems (DMS), potentialDMS, archiving systems and anythingelse that the organization uses to create or manage future documents of record.Installing a records system that only man-ages the records within a single documentmanagement, content management orarchiving system will not allow the or-ganization to manage all of their recordswithout substantial initial and on-goingcosts as well as productivity losses whilesystems are replaced, information is migrated or employees manually performsearches, etc.

With software in place, providing theappropriate functionality, records manage-ment best practices can be implemented toassure that an organization manages itsassets in accordance with business, regulatoryand/or legal demands.

Conclusion

Records management is not simply a setof features within a software product.Rather it is a combination of policies andprocedures that assure that the organizationmeets it legal, regulatory and businessrequirements for managing documents ofrecord. Software automates and assists inimplementing these policies and proce-dures and for virtually any organization isgoing to be a mandatory component ofimplementing records management.

Since records management is key tomeeting legal and regulatory compliancerequirements, a careful and completeprocess must be used to assure that allrequirements are defined and then imple-mented in conjunction with a sufficientlypowerful and feature-rich records manage-ment product. Fully defined policies andprocedures, combined with the appropriatetechnology, will assure that your organiza-tion is prepared for its compliance chal-lenges of today, but just as important, wellprepared for the ever-changing challengesof the future. ❚

MDY, Inc. is the leading provider of records management innovation.MDY FileSurf® integrates all physical and electronic files—including e-mails—regardless of media type, source of origin or storage location, into a single, scalable and extensible enterprise-wide system.MDY FileSurf tightly integrates various repositories of content,including many e-mail and document management systems, and provides a server based rules engine, that combined with flexibleschedule creation tools and powerful discovery and disposition holdcapabilities,assures that all content is managed according to governmentregulations and organizational policies. MDY FileSurf is certified underthe U.S. DoD 5015.2 Std. for records management applications (Ch. 2/4). The MDY Best Practices Consulting Group is comprised of former records managers from Corporations, Law Firms andGovernment agencies as well as numerous Certified RecordsManagers who are available to assist clients in Best Practices consulting on records policies, procedures and retention scheduledevelopment. For more info visit www.mdy.com.


3. Utilize the same business processesand information to support multiple com-pliance efforts;

4. Reduce risk by automating complianceprocesses and providing visibility into theresults of those processes;

5. Mature its controls environment byautomating controls through a businessprocess management infrastructure;

6. Minimize the costs of legal discovery inthe event of litigation or a legal investigation;

7. Avoid fines for violating laws andregulations;

8. Proactively manage emerging com-pliance requirements;

9. Migrate toward an enterprise riskmanagement (ERM) environment; and

10. Ultimately create a competitiveadvantage and increased value for share-holders, customers and employees.

There are three primary components ofa compliance framework that will helpcompanies attain these objectives: people,process and technology. Companies mustdetermine their organizational structures(i.e. which staff members report to whatemployees), and define their complianceprocesses for activities such as documenta-tion, testing, remediation and reporting.Organizations should work with their auditor risk-management consulting firms tocomplete these tasks. And finally, compa-nies must implement a technology architec-ture to help drive and support sustainablecompliance processes.

Compliance From Content Management

After an organization has defined itsoverall compliance approach and method-ology, a technology architecture can thenbe created.

Regardless of the regulatory require-ments a company faces, there are certainfundamental, technology-based activities itwill need to perform in order to best optimize

compliance processes and business effi-ciencies. These include:

1. Creating a framework for creating,sharing and distributing various types ofcompliance-related content, including e-mailand instant messaging;

2. Establishing a comprehensiveapproach for document retention andrecords management;

3. Developing an enterprise-wide securityarchitecture to ensure only authorized indi-viduals access certain compliance content;

4. Optimizing controls so they becomepart of business processes and are executedpredictably and repeatedly;

5. Determining the scope of testing,including what types of control testingmust be performed and which results mustbe tracked;

6. Automating compliance activities, suchas self-assessment, testing and design review;

7. Keeping audit trails of the changesmade to documentation;

8. Instituting a process to accommodatethe needs of company executives and thecompliance team for monitoring compli-ance and reporting activities or results; and

9. Identifying the potential requirementsof new regulations.

Increasingly, companies are turning toenterprise content management (ECM) sys-tems to support these activities and providethe technical capabilities necessary for opti-mizing compliance processes and businessefficiencies.

Leveraging a Unified CompliancePlatform to Increase Efficiencies

Companies can best drive company-widebusiness efficiencies by leveraging a unifiedcontent management platform to support allcompliance initiatives. Rather than using dis-parate products from multiple vendors tomanage various types of compliance man-dates and their associated content—whichoften results in unnecessarily complex

Supplement to

Leveraging Complianceto Drive Company-wideBusiness Efficiencies

From the Sarbanes-Oxley and USA PA-TRIOT Acts to US Food and Drug Adminis-tration (FDA) approvals and US Environ-mental Protection Agency (EPA) regulations,government is increasingly legislating howcompanies run their businesses. Complyingwith a broad spectrum of mandates can oftenbe an overwhelming task companies simplywant to “make it through.” Instead, organi-zations should look beyond merely survivingcompliance and use it as a driver to improvecompany-wide business efficiencies.

While every regulation is unique andinvolves specific requirements, there arefundamental information technology (IT)capabilities and business processes that canbe instituted to not only support each initialcompliance initiative, but also generate costsavings and significant business efficiencieswell into the future.

Building an Enterprise-wideCompliance Framework

The first step toward driving businessefficiency through compliance processes isbuilding an enterprise-wide complianceframework to tackle all relevant mandates.This framework compels organizations toinventory, align, develop and manage com-pliance content, processes and controls in aconsistent and efficient fashion. As a result,companies save money, avoid operationsheadaches, optimize resources and implementa strong policy regarding ethical businesspractices.

An effective and comprehensive com-pliance framework should help an organi-zation achieve the following objectives:

1. Support the overall compliance initia-tive along with individual or departmentalcompliance efforts;

2. Manage all compliance information ina centralized, enterprise-wide solution, whileeliminating project-level silos of content;


Dean Berg has been inthe contentmanagement industryfor five years and hasover nine yearsexperience in theengineering softwaremarket.While atStellent, the makers ofthe Stellent ContentManagement system,Berg has held thepositions of director of

product marketing, director of product management,and is currently Stellent's director of complianceapplications.

Dean Berg

By Dean Berg, Director, Compliance Applications, Stellent

September 2005 S9

implementations and high integration, supportand maintenance costs—companies shouldimplement an ECM suite with componentsthat truly are unified, not simply integrated. Aunified ECM architecture eliminates theissues described above and provides a single,standard platform and infrastructure foraddressing a variety of compliance and con-tent management needs across an enterprise.

An ECM architecture, such as StellentUniversal Content Management, providesthe required functionality for compliancefrom one platform and eliminates the needfor integrations between various ECM com-ponents. It can support any content manage-ment-based compliance application requiredby an organization. And, its unified architec-ture ensures all compliance applications canbe deployed on the same platform, and spe-cific components are interchangeable,extensible and complementary to each other.This single-architecture approach allowsusers to easily and efficiently access, shareand leverage all content, applications,processes and content services from a com-mon user interface.

Because an ECM suite reduces the numberof separate applications needed for compli-ance, it decreases the total cost of ownershipfor organizations. And, by offering a single-user interface for business users and leveraginga common skill-set for administration acrossall compliance applications, an ECM suiteminimizes training and administration costs.

Lastly, by improving business processeswith consistent automatic routing and approvalcycles and 24x7 self-service access to securedbusiness content, ECM elevates efficiency andproductivity across an enterprise.

Overall, a unified compliance platformcan help organizations turn compliancetasks into ongoing processes convenientlyand transparently carried out during thenormal course of business. ❚

Stellent, Inc.(www.stellent.com) is a global provider of content management software solutions that drive rapid success for customers by enabling fast implementations and generating quick,broad user adoption. With Stellent Universal Content Management,customers can easily deploy multiple line-of-business applications—such as compliance initiatives, public Web sites and secure intranetsand extranets—and also scale the technology to support multi-site management and enterprise-wide content management needs.

More than 4,400 customers worldwide—including Procter &Gamble, Merrill Lynch, Los Angeles County, The Home Depot, BritishRed Cross, ING, Vodafone, Georgia Pacific, Bayer Corp., Coca-ColaFEMSA, Emerson Process Management and Genzyme Corp.—haveselected Stellent solutions to power their content-centric businessapplications. Stellent is headquartered in Eden Prairie, Minn. and maintains offices throughout the United States, Europe, Asia-Pacificand Latin America.


The Stellent® Universal Content Management™ suite provides a widerange of core technologies along with specific applications that have helpednumerous companies across a variety of industries comply with governmentand regulatory mandates. Stellent technology enables organizations toaddress documentation and identification of key processes and controls asrequired by various regulations, and automates testing processes to easeongoing resource requirements. Its key technology components for supporting compliance initiatives include:

◆ Stellent Document Management—enables organizations to securely capture, share and distribute digital and paper-based documents and reports. It automatically converts native content (e.g. spreadsheets, wordprocessing documents, etc.) into Web-viewable formats that can be easilyaccessed via a browser by members of the compliance team, as well as anyother authorized user. Stellent Document Management also facilitates quickand easy access to retention policies, escalation flows and audit trails forindividuals sanctioned to see them. Additionally, the technology providesversion-control features that allow companies to save previous drafts of content for archiving and rollback purposes. Full-text and metadata searchcapabilities empower users to quickly retrieve critical business information.

Stellent Document Management’s business process management capabilities connect all enterprise systems to efficiently manage entire, end-to-end business processes—from accounts payable to journal entries to capital expense requests. The system automates discreet control procedures, such as quarter-closing activities, and automatically routes andmanages transaction information, such as purchase orders, claims, invoicesand applications. It also facilitates process modeling and documentation,activity monitoring, and auditing and reporting.

◆ Stellent Records Management—allows users to control the creation, declaration, classification, retention and destruction of active electronic andphysical business records. The Department of Defense (DoD) 5015.2 Chapter 2- and Chapter 4-certified solution enables companies to easily classify any piece of content as a record by simply assigning it to an appropriate record category or folder. It also generates sophisticated reportsrelated to retention schedules and file plans. In addition, users can seamlesslydeclare e-mails and e-mail attachments as records. And, Stellent Records Management utilizes a common interface to reinforce business-user awarenessand responsibility that their content and e-mails are considered records.

◆ Stellent’s workflow capabilities—provide periodic “check-ups” on theprogress toward compliance goals by automating assessment, audit, remediation, approval and review processes. The workflow function automatically triggers and sends e-mail notifications to appropriate compliance team members when they must be alerted to a specific issue,a report is required, or a concern or process must be escalated, amongother things.

◆ Stellent Digital Asset Management—helps companies quickly and easily access, manage, share, optimize and re-use corporate digital assets, such astraining videos, conference call recordings, videoconferences and depositions.

Stellent also offers applications built to support specific regulations. Forexample, the Stellent Sarbanes-Oxley Solution is a COSO-based applicationthat enables chief financial officers (CFOs) and compliance teams to quickly deploy an intuitive, Web-based solution to manage and track theirSarbanes-Oxley compliance processes. The solution automates long-termSarbanes-Oxley compliance methodologies, enabling companies to efficiently manage, approve and access documentation, including disclosurecontrols documents, internal controls matrices, testing procedures andresults, and remedial actions. It is highly personalized for non-technical businessusers, allowing auditors, accountants and CFOs to easily create, manage, share,track, approve and archive information with minimal training, using only aWeb browser.

Stellent for Compliance

tendency still existed to overcompensate andfocus their compliance solution primarily onstorage, on making sure that every piece ofinformation was retained regardless of itsactual importance or how much it would cost.But this approach begs the question: even ifyou are able to store everything, does thatequate to actually being able to manage it?

Overshooting Need Fulfillment forCompliance Management

Aside from the huge expendituresrequired by storage upgrades, the “just stor-ing everything” instinct increases the chancethat information repositories become liabilityvaults: in other words, information is retainedthat doesn’t, by law, need to be kept, whichincreases risk, and overall competitivenessdiminishes in terms of search accuracy,retrieval efficiency and cost-effectiveness.This problem is compounded by the fact thatcompliance needs are not always readilyapparent or static. Unfortunately, some firmsbecame so intimidated by the imposing scopeof compliance initiatives, and the perceivedrange of compliance tools needed to actuallysupport these measures, that they just decidedto take the “safe” route and sign off on costlyreorganization of their IT infrastructure.

Specifically, where overcompensation ofthis sort can really cause problems is withrecords management (RMA). Even if a firmdoes have some type of RMA tools embed-ded in a huge storage solution, are the RM-related capabilities performing on a scale thatis necessary and consistent with establishedprocesses, or has the “overcompensation”mentality become the de facto standard forRMA, too? Related questions arise: Howcomprehensive does the RMA capabilityactually need to be? What is the requiredbreadth and scale of RMA functionality?What RMA-related tasks can staff reasonablybe expected to perform, and how long will ittake them to be trained to perform at thisexpected level? How easy and cost-effectiveis it to deploy and integrate this RMA

solution? Is the RMA solution opening up thecompany for unnecessary liability?

Given the impulse to overcompensate,some firms buy rigid and complex RMA sys-tems that comply with the US Department ofDefense’s (DoD) 50125.2 standard forrecords management to ensure the high levelof RMA security that a firm thinks is need-ed. But, many firms soon realize that theirneeds don’t actually require this level ofsophistication. For instance, staff who mustactually use this type of solution need to betrained extensively on how to create andmanage a file plan, a process which, again,can exceed a firm’s realistic budgetary, man-power and accountability capabilities. Undera DoD-compliant RMA solution, every e-mailis a record, which can require additional attention in terms of maintenance, storageand accountability. Many firms simply wantto file a full project folder as one record,which makes a DoD-compliant solutioncompletely inappropriate for them.

Certainly, some firms actually do need themost comprehensive components of RMAfunctionality, but even in these cases, they maynot need them right away. Firms may want theflexibility to address their RMA needs on anincremental level that they can control and feelconfident about as it’s slowly integrated intobusiness processes and employees get accli-mated to it. Bottom line: RMA can be one ofthe most complex business activities, andbecause it is embedded into key organization-al processes, a complete RMA system cannotbe integrated overnight. Integration is gradual,both in terms of matching technical capabili-ties to actual levels of need and in being ableto effectively deploy and train people.

Taking these issues into consideration,firms need to be forthcoming in their ability torecognize, answer and address the followingquestions:◆ What type of RMA capability is actually

needed?◆ What data is involved (paper, e-mail,

electronic)?

Supplement to

From Records Management toKnowledge Management ...Coupling Modularity and Compliance as Drivers for ImprovedEfficiency and Cost Savings

New compliance drivers have proddedmany firms into committing extensive resources to align their business processeswith recommended transparency measurespertaining to financial, structural and pro-cedural activities. Now that these activitieshave started to become integrated, in part orin full, by a large number of firms, a “sec-ond phase” of transparency-related issueshas moved to the forefront. Firms shouldnow evaluate the potential byproducts oftheir compliance-inspired initiatives—par-ticularly in terms of whether they decreaselong-term costs and increase overall effi-ciency, such as in the area of knowledgemanagement—and adapt processes, toolsand infrastructure to optimize performancewithin a compliant business context.

Capitalizing on the Byproducts ofCompliance Drivers

One of the most beneficial byproducts ofgetting compliant with new transparency reg-ulations is firms being forced to “get theirhouse in order” in terms of improvingprocesses, making operational activities moreefficient and interconnected and creating anoverall better organization. These improve-ments should position companies to be morecost-effective, competitive and responsive tocustomer and shareholder needs.

However, an area in which the push forbetter performance is compromised is theability to accurately evaluate how any imple-mented information storage and retrieval sys-tem works in terms of meeting actual knowl-edge management needs, which leads firmsto address how and why certain informationshould be stored and used in the first place.All forms of retained data, whether they arepaper-based documents, e-mails and attach-ments, presentations or video conferences,are all parts of the larger, integrated contentmanagement arena and need to beaddressed in that context. Because manyfirms were not sure about the exact scale andeventual effects of new regulations, the


Dr. Johannes C. Scholtesis the president andCEO of ZyLAB NorthAmerica LLC and is incharge of ZyLAB’sglobal operations.Since Scholtes tookover the leadership in2002, ZyLAB hasenjoyed double-digitexpansion as well asconsistent annualgrowth in profitability.Before joining ZyLAB in

1989, Scholtes was an officer in the IntelligenceDepartment of the Royal Dutch Navy. Scholtes holds anM.S. degree in Computer Science from Delft Universityof Technology (NL) and a Ph.D. in ComputationalLinguistics from the University of Amsterdam (NL).

Dr. Johannes C.

Scholtes

By Johannes C. Scholtes, President & CEO, ZyLAB North America

September 2005 S11

◆ Is DoD-compliant RMA necessary?◆ Can an RMA system realistically be

implemented?◆ Will users accept and use a new RMA

system?◆ Is there an RMA mindset?◆ What is the real budget? and◆ What is the implementation timeline?

Addressing RMA in a Compliance-influenced Business Climate

To answer these questions, it’s importantto identify the organizational types concernedwith these issues. Motives for embracingcompliance initiatives may vary, but all theseorganizational types must honestly appraiseactual RMA needs and the level at which theneeds must be addressed. The types are:◆ Those still evaluating their necessary levels

of RMA capabilities so they can continuesolidifying processes and building up ITinfrastructure to meet expectations;

◆ Those that installed processes and infra-structure to meet SOX requirements buthave, in time, decided to reassess theirapproach’s effectiveness; and

◆ Those not required to conform to compli-ance initiatives in particular but who are stillcommitted, for efficiency and/or competi-tiveness, to adhering to its basic tenets;these firms have the “luxury” of taking in-cremental approaches to addressing thescale and scope of RMA they need.Given the level of need these firms

have, three basic approaches to RMA exist,from the basic to complex:◆ Personal RMA—individual responsibility

for personal storage of key records;◆ Departmental RMA—medium to large

scale retention of all records; and◆ Corporate or Enterprise RMA (DoD,

PRO/TNA or ISO compliant)—the mostextensive and rigorous RMA construct.

Making the Case for Modularity

Based on the predominance of firms over-shooting or overcomplicating their approachto RMA (in the short or long term), ascaleable, incremental approach to RMA ispreferable in nearly all instances because itanticipates the “organic” adjustments firmsmust routinely make as needs fluctuate.Firms and compliance regulations are sodynamic that change must be accommodated,so the structure of a selected RMA solutionmust take this reality into account. To helpfirms address variable RMA need levels, ven-dors such as ZyLAB offer a variety of modu-lar, intuitive, and integrateable tools thatenhance search and retrieval efficiency (fuzzysearch, text mining, and so on) along withspecialized tools for dedicated functions likeredaction. All or some of these components

can be bundled into whatever configurationmatches a firm’s needs.

Defining an RMA solution through thislevel of modularity means that users can con-trol and operate RMA functions in the appro-priate context, at the right scale. EmpoweringRMA in-house professionals is especiallyimportant now that firms are relying more ontheir own people to handle RMA tasks thanon external personnel. Users can be trained tomake proper decisions on what to keep andwhat to destroy, which optimizes the reten-tion of records deemed relevant by internal,compliant processes. Simply put, a modularapproach enables workers to benefit fromscalability, integrateability and “learnability.”

These basic levels of control and flexi-bility are not always available in high-end,super-storage solutions that many firmspurchase due to their “overcompensation”mindset. Firms can effectively perform all

of their content management tasks withoutpurchasing monolithic, feature-heavy solu-tions that can adversely affect overallaffordability and usability. Scaleable, flexibleand open solutions offered by vendors suchas ZyLAB enable firms to handle theirrecords at whatever level of complexity isactually needed, whether those records aredigitized paper, e-mail or other types ofelectronic documents. ❚

ZyLAB is an innovative developer of affordable content management andcompliance solutions for paper-intensive organizations.ZyIMAGE, ZyLAB’sflagship solution, helps small and medium-sized businesses (SMBs) andgovernment organizations digitally file and manage millions of pages ofpaper, electronic documents and e-mail.High-quality search and retrievalfeatures (which support over 200 languages) give users the ability to easily organize,investigate and distribute information.

With more than 7,000 installations worldwide and more than300,000 users,ZyLAB has a wide breadth of experience and knowledgeacross a variety of different industries and business applications.For more information visit:www.zylab.com.


For over 20 years, ZyLAB has worked alongside organizations with immensedata repositories to develop the best information management solutions. Thisexperience has shown that, although some RMA-related issues may ebb andflow, core concerns remain constant and need to be addressed:

◆ Just because e-mail is, according to a recent IDC report, the “elephant in thecorner,” doesn’t mean managing it should be intimidating or viewed as exceptional within a larger RMA context. In fact, efficient and measured e-mailsolutions that are consistent with internal processes and allow for automatedfiling and selective disposal of e-mails help optimize available storage, makebusiness processes run smoother, and lessen overall organizational liability.

◆ The paperless office does not exist and won’t anytime soon. Paper still existsin mass quantities, which demonstrates that organizations still realize the multiple benefits offered by paper documents. ZyLAB has long specialized inretaining the benefits of paper while relieving the burden of paper (storage,transportation, accessibility and so on), as well as also allowing digitized paper to be searched in tandem with other archived data types, like e-mail.

◆ Open technology and open formats, like XML and TIFF, enable better data security and availability throughout document lifecycles, regardless of original file types. Organizations need assurance that their information is always accessible without having to worry about upgrading or continually revamping their systems.

◆ Expectations for efficiency and cost-effectiveness are as high as they are forsystem performance. Efficiency-focused organizations demand software thatis easy to use, install, deploy, support and maintain. Solution deploymentshould take days, not weeks or months.

◆ Meeting compliance requirements is a cost factor, so RMA solutions must beflexible and integrateable, supported by fast and usable searching, retrievingand organizing capabilities. Being able to optimize records information makesorganizations more competitive and cost effective, particularly in terms of secondary costs like legal fees and staffing.

◆ A key to effective and affordable solutions is being able to buy only what isneeded. Vendors must respect an organization’s understanding of its RMA requirements and how to address them, particularly in terms of scale (i.e. lowerupfront costs, quicker deployment and ROI and better positioning for incremental future growth).

◆ Integration with existing systems is preferable to comprehensive overhauls.Replacing significant parts of existing systems is costly and time-consuming.New RMA components should also seamlessly integrate into specialized tooling (such as case management tools for legal professionals).

Key Considerations for Evaluating Modular RMA Systems

Lawsuits involving business informa-tion are increasingly dominated by “digitalfights” as opposed to paper fights, aslawyers find more and more of their usefulevidence in digital form.1 Organizationshave frequently opted for purchasing inex-pensive storage facilities for their digitaloutput. This choice has encouraged aregime of “no policy” and the retention ofpotentially incriminating information. It ismore and more apparent that all documentsand records, both paper and digital, pro-duced within an organization in the courseof business must be managed within aframework that recognizes, amongst otherthings, the relevant legal requirements.

Some lawyers suggest as a solution morediscrimination in the information committedto electronic memory. This may alleviate theproblem, but it will not take care of the massof possible digital evidence that organizationscreate. A philosophy of selective capturerelies too heavily on individual judgment. Anenterprise-wide policy for defining exactlywhich documents and records are to be kept,and for how long, is essential. And to enactthe policy, an organization requires arecords management system that facilitateseffective application of these policies tobusiness records.

What are Document Retention Policies? From a legal perspective a document

retention policy is “a set of guidelines that

a company follows to determine how longit should keep certain records, including e-mail and Web pages. This is importantfor many reasons, including legal require-ments that apply to some documents.”2

Retention policies may be designed in-house to meet business needs, laws and regu-lations or, in the case of government agencies,they may be defined by an archival institutionor a Public Records Office.

Applying the decisions concerning whichrecords to keep, why and for how long hastraditionally been the work of archivists andrecords managers and is referred to as“appraisal.” Appraisal focuses on maintainingrecords to meet business needs, accountabili-ty requirements and community expectations.The appraisal process examines the interestsof all stakeholders. With the advent of digitalinformation, there are more players involvedand the traditional structures for ensuringthat appraisal takes place and that retentionrequirements are correctly defined andapplied has been neglected. The retentionpolicies of an organization must be system-atically applied in the creation, maintenanceand storage of records, in other words, aspart of the recordkeeping system.

Items to consider when researching a document and records management system:

1. The ability to import, define andapply retention schedules. Every organi-zation has different records with differingretention requirements, depending on theircontent. Records management systemsshould provide for these different require-ments. You will want to be able to specifythe schedule according to administrativeand regulatory (internal or external) condi-tions. The schedule can be defined toinclude the details of how long the recordor file shall be retained, the source of therequirement, the unique number of theschedule and the retention or destructiontrigger dates that control the operation ofthe schedule. The schedule may be auto-matically attached at the time of creation or

Supplement to

Retention, RecordsManagement and LegalCompliance

Quality records management that includesdocument retention policies is essential inensuring legal compliance and business effi-ciency. Having a system in place to executeand monitor compliance to those policies isvital to the long-term credibility of your organization.

A quality document and records man-agement system that facilitates effectiverecord keeping in an organization must havethe capacity to design, apply and enact doc-ument retention policies. The best solutionwill enable an organization to seamlesslycarry out retention and disposal activitiesfor both paper and electronic documents inany format, in a planned and predictableway, and in accordance with legal require-ments. It will provide the functionality andin-built business rules that make first-classrecords management easy.

Compliance with the legal and regula-tory framework in which an organizationoperates is a vital part of doing business.This is not a new concept. What is new isthe present level of non-compliance, ofteninadvertent, due to the current lack of con-trol in the digital environment where mostbusiness documentation is being generat-ed. There are numerous examples of mis-managed information in today’s businessworld and it is not difficult for organiza-tions to fall foul of the law, resulting in heavy fines and damaging publicity.Recent legislation mandates greater care ofall business critical information.


Jan Rosi has more than25 years of global IT,strategic sales andbusiness leadershipexperience. Rosi led thedevelopment of theReuters MonitorNetwork, at one timethe world’s largestprivate datacommunicationsnetwork. Rosi served asthe national sales and

marketing manager for TOWER Software in Australia.She moved on six years ago to lead the Australianfederal government business unit for Compaq andHewlett-Packard and returned to TOWER in August2004 to become president of its North Americanregional office.

Jan Rosi

By Jan Rosi, President, TOWER Software North America

“Compliance with the legal and

regulatory framework is a vital part of doing

business. This is not a new concept.”

September 2005 S13

later, when the decision about retention hasbeen made.

2. Manage the legal requirements asso-ciated with court actions and can prevent“spoliation of evidence” charges. The poli-cies and procedures which ensure that docu-ments and records are managed according toorganizational requirements prevents inad-vertent destruction. The current widespreadpractice of managing e-mails in organizationsby purging individual holdings on a routinebasis takes little or no account of the actualrequirements for evidence that may bestored in these holdings. This kind of actioncan have damaging legal repercussions.Appraisal of e-mail and the use of retentionpolicies will prevent this. Documents can beinadvertently destroyed after the request fromthe court as been made. And this can result inprosecution. However, if documents can beseen to have been destroyed in accordancewith a well-documented policy, the suspicionis removed that deliberate destruction hastaken place in order to avoid possible legalconsequences.

An essential feature of a retention policyis the ability to respond quickly and easily toan ad hoc request for preservation of docu-ments. A feature called “litigation hold” isavailable in TOWER Software’s product,TRIM Context, which enables an immediateresponse to a court request by suspending thedocument retention policy for the duration ofthe hold. In this way documents cannot beinadvertently destroyed.

3. Retaining documents that are nolonger needed may expose a company tounnecessary risk. Sometimes referred to as“removing smoking guns,”3 retention policescan control the existence of e-mails whichturn out to be incriminating sources of evi-dence. Many of the cases that have come tocourt and caused embarrassment have beenbuilt on damaging e-mails.4 E-mail can easilyescape the attention of record keepers andretention requirements. As a frequent andeveryday occurrence (and one which containsevidence of business decision-making) it isvital that policies for e-mail are applied. Yoursystem should provide a user-friendly in-builtintegration of e-mail with the records man-agement system. Storing e-mail and applyingdocument retention may be completely auto-mated if required and important business e-mails can be immediately transferred to therecords management system. At the sametime appropriate document retention and dis-posal policies are applied.

4. The integration of classification andretention policies meets business needs andsaves money. The application of document-retention policies can lower the costs of anylitigation involvement. Policies are part of anenterprise-wide information and records man-agement policy to ensure the proper adminis-tration of records. Only those documents thatneed to be kept are retained. Although the

implementation of enterprise-wide documen-tand records policies may initially increasecosts, in the longer term there will be signifi-cant cost savings.

For fewer integration and license manage-ment issues plus faster user acceptance, use asystem that provides document and recordsmanagement in one system and through oneinterface. Classification tools such as the fileplan and thesaurus and the facility to applydocument retention schedules to the planstructure enable seamless application ofretention controls. Using a classification planmeans that documents are much easier to findand retrieve.

The application of retention policies todocumentary evidence ensures that they arekept for the necessary period and not beyondtheir “use-by date.” This reduces the need forthe costly “discovery” process. Discoveryrequires an organization to search all its files toprovide necessary evidence in the event of liti-gation. This job frequently falls to the ITdepartment to carry out and staff may notknow what is required. “It is unrealistic toassume that IT professionals can pay attentionto all the nuances of litigation, manage the lifecycle responsibilities associated with e-mail,and enforce an overall e-mail archive policy.Companies will be caught off guard by assum-ing that IT can shoulder this burden alone”says Kevin Craine in his white paper Herecome the Lawyers. Is your IT DepartmentReady? The discovery process itself can be avery costly exercise for a company. Trying todiscover the evidence “can become an eco-nomic and operational nightmare,” accordingto Mr. Craine.

Conclusion Software to manage records and infor-

mation must provide in-built business

processes and tools to manage records in afully accountable way. It must enable theroutine application of document retentionpolicies to records. While a lot of attentionhas been focused on the negative impact ofnot having a document and records man-agement system in place, much more canbe said about the benefits of having yourorganization’s information available at theclick of a mouse. Decisions can be madefaster and with more confidence becausethe information is available in your proven,well-tried and tested, fully integrated solutionthat also meets your organization’s legalcompliance requirements. ❚

TOWER Software, the leading enterprise content management (ECM)provider to the public sector, delivers electronic document and recordsmanagement (EDRM) solutions. TOWER Software’s award-winningsolutions empower organizations to manage and secure their vitalinformation assets. By relying on its proven domain expertise, strongstrategic partnerships and powerful solutions, TOWER Softwareenables organizations to improve the accuracy of information onwhich business decisions are made; maximize efficiency by findingbusiness critical information more quickly and easily; and achieve andmaintain standards compliance across industries, resulting in sustained competitive advantage.TOWER Software is a privately heldcompany with operations in North America, Europe and Asia-Pacific.

1 Jacobs,Jerald A.(May,1999),“Legal:Reducing Risks Posed by ElectronicRecords.” Available online at http://beta.asaenet.org/newsletters/display/0,1901,229,00.html

2 Weil Gall, Barbara (September, 2000), “Document Retention Policies:Legal Reasons to Keep E-mail, Web Pages and Other Records.”Accessed online March 31, 2003 at http://www.gigalaw.com/articles/2000-all/gall-2000-09-all.html

3 Bartlett,David F.(June,2002),“Document Retention Policies in the Wakeof Enron,” Illinois Bar Journal accessed online, http://www.gouldratner.com/resources/articles/bartlettarticle.pdf

4 Olsen, S. (May, 2002), “Email: When E stands for embarrassing.”Available online http://news.com.com/2100-1023-916257.html?legacy=cnet


TRIM Context is an integrated electronic document and records management (EDRM) solution capable of managing and securing the fullrange of corporate information assets TRIM Context provides the total solutionfor any enterprise content management project. Integration to common desk-top authoring applications is provided out-of-the-box, as is integration to common e-mail applications. Finally, the powerful SDK enables integration toother line of business and specialist applications, while the solid foundation ofrecords management means you can be sure your project is built on a platformthat is stable and solid enough to grow with you. TRIM Context is a proven solution used by hundreds of organizations, and thousands of people, aroundthe world to manage and secure their vital information assets.

Quality records management has been the consistent aim of TOWERSoftware for the 20 years of its history and its product TRIM Context continues to evolve to meet the International Standards in the field. Withmore than 1,200 sites worldwide, TRIM Context is a dominant player in thegovernment sectors of Australia, the US, the UK and Canada and is the preferred choice in a range of leading organizations in government, utilities,resource and pharmaceuticals sectors.

TOWER’s TRIM

The ABCs of Records Management:With the daily pressures to comply with

regulations, changes to legislation and thepace of today’s global market, managing thelogical lifecycle of content has become acrucial component to ECM. When organiza-tions utilize records management function-ality to better manage and track the lifecycleof both their electronic and physical content,it can not only help achieve compliance,but boost productivity and create return oninvestment (ROI) as well.

Achieve Compliance and ReduceBusiness Risk

Compliance is an issue that spansacross all industries and many countries,therefore organizations are increasinglychallenged with finding solutions that cancarefully track, manage and ensure thatcontent complies with the growing numberof regulations.

Records management enables organi-zations to manage content from initialcreation through final archival anddestruction stages. It also enables users towork collaboratively across the globe, toquickly find vital information, as well asaudit and report on regulated activities.Without an effective records managementsolution, many organizations would simplycollapse under the weight of their existinginformation and the risk associated withuncontrolled content.

B oost Productivity and ImproveOperational Efficiency

Organizations that cannot efficientlymanage their information not only risk los-ing new business, they may also fail toadequately support existing business oper-ations. Effectively managing contentempowers organizations to succeed byboosting productivity, improving opera-tional efficiencies and reducing expenses.

Using a records management solutionto manage a corporation’s content alsoallows for better automation of businessprocesses, providing greater efficiency andcontrol over processes such as the electronicdistribution of content. Through integration

with other systems, content can be includ-ed for review when collaborating on otherdocuments. Information must be accessibleenterprise-wide through secure desktopand Web-based interfaces by all businessusers, but the control of the informationlifecycle is maintained by the records man-agement system.

In order to succeed, companies need toknow how to use the information and con-tent that exists within and around theirorganizations to deliver better productivityand achieve competitive advantage. Simplycreating a global network and gatheringmountains of information is not enough. Tomake effective decisions, data must be putinto context and turned into information.The contextual information is addedthrough the regime of a fileplan, whichensures that the users of company recordscan appropriately make use of its state,context and lifecycle stage.

C reate ROI and Optimize ExistingInvestments

Implementing a records managementsolution can deliver ROI by reducing the timeit takes to locate vital information for corpo-rate decision-making. A records managementsolution enforces the structuring of informa-tion and also provides the users of thoserecords with important meta informationaround the content. This ensures that corpo-rations base decisions on the right piece ofinformation as opposed to a disorganized mixof shared files without structure sent over fordecision-making via e-mail. With a compre-hensive ECM platform that incorporatesrecords management functionality, organiza-tions can expand their opportunities and pro-ductivity, optimizing their existing investmentsand generating greater ROI.

The increase in ROI highlights the needfor companies to invest in ECM solutionsthat deliver a variety of technologies to theorganization through a standard platform.ROI, as opposed to simply perceived need,drives the spread of ECM solutionsthroughout the company. Senior manage-ment is able to deliver value to shareholdersmaking each employee’s day-to-day taskssimpler and more effective.

Supplement to

The ABCs of RecordsManagement

Maintaining impeccable records throughouttheir lifecycles can be a difficult task,especially in globally dispersed organizationsthat require files to be stored for decades. Or-ganizations are increasingly challenged withfinding new ways to effectively preserve valu-able data and ensuring the destruction of ob-solete records. Minimizing exposure to therisks associated with audit, regulatory com-pliance and litigation issues and enhancingcorporate accountability are just a few of themany reasons to put an effective records management solution in place.

The integrity and security of informationis open to considerable risk when files anddocuments that represent corporate recordsreside on local drives across heterogeneouscomputing environments and retention anddeletion decisions are left to individuals. Lossof valuable information—which is potentiallycritical to an organization’s defense—and theloss of vital corporate knowledge when peo-ple leave an organization can also significantlyimpact the bottom line.

In order to meet stringent regulatorystandards, the tracking of content through-out its logical lifecycle is becoming anincreasingly complex activity that requiresthe integration of records managementpractices and procedures with collabora-tion and content management. Informationis a vital corporate resource, and, as such,organizations are demanding the ability togather, view and analyze informationthrough a common, user-friendly interface.

To act as the foundation for other docu-ment systems, records management solu-tions must be enterprise-worthy; that is,capable of running on a number of operatingsystems, open to integration, and allowingusers access from desktop and Web-basedenvironments.

Investing in an enterprise content manage-ment (ECM) solution that incorporatesrecords management functionality will alloworganizations to integrate sophisticated recordclassification and lifecycle management intotheir collaborative processes. Audits canbe performed in an efficient and cost-effectivemanner, and information is destroyed on aconsistent basis.


Jens Rabe joined OpenText in October 2004when the companyacquired IXOS. In hisrole as segmentmanager for OpenText’s recordsmanagement and e-mail archivingsolutions, Rabe is alsoresponsible for OpenText’s lifecycle

management solutions strategy and execution.

Jens RabeBy Jens Rabe, Director of Compliance Solutions, Open Text

September 2005 S15

What is Records Management?A record is any and all recorded infor-

mation contained in any medium thatbelongs to an organization and may be usedto arrive at a business decision. In the cor-porate environment, records are used tosupport the decision-making process, com-municate information, ensure accountability,and document organizational memory.

Records management is the disciplineof managing records to meet operationalneeds, accountability requirements andcommunity expectations. Records man-agement solutions work by allowing youto attach logical rules to information.These rules tell the system when it is OKto delete documents or move them to adata archive, either physically in boxes orelectronically on storage devices such asCD-ROMs.

The difference between a piece of con-tent or information and a record is that thefirst is rather unspecified in its meaning,form and relevance whereas the latter is animportant piece of information which iskept within an associated taxonomy (thefileplan) and lives along a specified lifecycle.In essence, all records are content or infor-mation, but not all information or contentare records. A records management systemas part of an ECM system therefore helpsto gain control over the content created aspart of daily business.

Records Management and ECMWhen integrated as a core component to

a comprehensive ECM solution, recordsmanagement enables organizations to man-age the complete logical lifecycle of alltypes of corporate records and informationholdings, regardless of their media, physi-cal or electronic.

ECM helps to take away the complexi-ties of records management, as it integratesthe classification process into the contentcreation process. An ECM system inte-grates search, e-mail and document man-agement and presents users with a commoninterface to access all forms of information.This makes the records management

processes transparent and accessible to theend user and not just the records manager.Since electronic documents are created andused by a number of different applications,the records management platform mustcommunicate with these applications inone form or another and become the foun-dation or common point of lifecycle controlfor all applicants.

ECM extends records management toother information management applica-tions by offering solutions that are tightlyintegrated with groupware or other docu-ment management systems. This ensurescontent integrity, minimizes risk and helpsto ensure compliance with varying regula-tions. Beyond regulatory issues, recordsmanagement allows for the migration ofcontent from high-cost disk storage to

low-cost storage devices when it reaches acertain point in its lifecycle, reducing oper-ational costs. Because it can be extended tosupport full document lifecycle manage-ment, ECM improves total cost of owner-ship, eliminating the need to invest in newhardware to address content growth andlifecycle issues. ❚

Open Text™ is a market leader providing enterprise content management (ECM) solutions that bring together people, processesand information in global organizations.Throughout its history, OpenText has matched its tradition of innovation with a track record offinancial strength and growth.Today,the company supports more than20 million seats across 13,000 deployments in 144 countries and 12 languages worldwide

To learn more about Records Management and ECM,request a copy of ourbook—Enterprise Content Management: Turning Content intoCompetitive Advantage at www.opentext.com/kmworld/ecm-book.


Open Text’s Livelink ECM—Records Management’s system is functional,intuitive and simple for all levels of organization to use.

Open Text delivers the business benefits associated with effective records management-complianceand risk reduction—through Livelink ECM—Records Management™. At the same time, it provides thebasis for a secure and scalable records management platform that is capable of integration into otherdocument-related technologies.

Open Text provides a comprehensive, policy-based solution that enables you to manage the complete lifecycle of all of your corporate records and information holdings, whether they are documents in paper or electronic format, or physical objects such as CD-ROMs or videocassettes.

Livelink ECM—Records Management is a Web-based optional module for Livelink EnterpriseServer that lets you to apply records management classifications to all objects in the LivelinkEnterprise Server repository, as well as to physical objects that are represented by records in therepository. Livelink ECM—Records Management enables you to create and maintain classifications/fileplans, records management database tables, retention and disposition schedules, as well as providing themwith the ability to conduct and audit the circulation (check-in/check-out) of all physical objects, managethe cycle of vital records, generate color labels and barcodes and to run predefined reports, such asclassification, recall listing and disposition reports. Livelink ECM—Records Management also enablesyou to perform disposition searches and to place “holds” on items. Livelink ECM-RecordsManagement integrates into the leading groupware platforms to also manage e-mails and provides forintuitive classification methodologies for the end users, guaranteeing user adoption throughout theentire enterprise. Livelink ECM-Records Management integrates with the Livelink Enterprise Archiveto map logical lifecycles onto connected storage platforms, which ties the concept of tiered storageto the importance and relevance of the underlying content.

A records management solution must provide organizations with the ability to:

◆ Define corporate retention policies and schedules and the underlying legal and/or corporate justification for these policies;

◆ Apply these retention schedules to all relevant physical and electronic objects within their organization,without impacting business users;

◆ Create “holds” in the case of an existing or impending legal action or audit;◆ Suspend the lifecycle of objects that are subject to a hold;◆ Prepare all relevant materials for delivery to the requesting party (for example, an auditor); ◆ Find all objects that should and may be destroyed, and facilitate their approval and destruction;◆ Keep an audit trail of all actions including destruction;◆ Support the tracking and transfer of physical objects as they move from location to location;◆ Support the management of physical storage space such as warehouses;◆ Support the capture of e-mail as records; and◆ Support the definition of different storage mediums based on an object’s use and retention.

Characteristics of Records Management

Open Text’s Livelink ECM—Records Management

inappropriate destruction of documentsand e-mails has dramatically increasedawareness about the risks resulting from theproliferation of poorly managed content.

Finally, a plethora of government andindustry regulations emerged—largely inresponse to these scandals—that dramaticallyincreased the costs of compliance as well asthe risks of non-compliance.

The net impact has been to transform con-tent management from a niche market, cater-ing to content specialists at the very top of the“user pyramid,” to a mainstream technologythat serves virtually every user in an enter-prise. The term “enterprise content manage-ment” (ECM) was, until now, a misnomersince it originally meant a solution specifical-ly for content-production specialists thatmanaged the different types of content in theenterprise—not one that met the needs of abroad range of users.

The capabilities required of a true enter-prise-wide content management solutioncan be summarized into four categories asfollows:

1. File and Document ManagementTo serve all knowledge workers in an

enterprise, the solution must provide sig-nificant file and document managementcapabilities with rich user interfaces, flexibleaccess control and user management andpolicy-based management behaviors.

The solution should deliver a rich andhighly interactive experience for both Web and Windows desktop users. The userinterface should appear instantly familiar,with a dynamic tree view, right-click andpull-down menus and other familiar desktoptools. Ideally, the solution should be integrat-ed with popular navigation tools such asWindows Explorer, and provide seamlessoffline content management capabilities sothat users can easily access and manage con-tent when disconnected from the network.

A flexible security model is essential,with the ability to specify fine-grained per-missions and access at the folder and doc-ument level. To support the needs of abroad range of participants and processes

in multiple lines of business, the solutionalso needs customizable, role-based accesscontrol that can be applied to individualsand groups of users.

Behaviors controlling management of theinformation lifecycle, such as versioning,attribution and records management, need tobe specified through policies that can beestablished on a folder-by-folder basis. Itshould be possible for versioning to be dis-abled, applied to content manually by users orautomatically applied based on the occur-rence of a specific event such as check-in.Category attributes must similarly be manuallyor automatically applicable, with default val-ues (set as user-editable or not) assignable toindividual categories. Records management(detailed below) is also managed throughpolicies on a folder-by-folder basis. Whilepolicies will normally be managed by a smallsubset of users with specific administrativepermissions, the tools for setting up policiesshould be straightforward and consistent,allowing delegation of policy managementappropriate to the needs of the business.

By utilizing automated policies instead ofrequiring users to remember to perform extrasteps, these important lifecycle managementcapabilities become truly useful and the riskof user rejection often associated with con-tent management deployments is minimized.

2. Web ServicesTo support cost-effective integration of

content management capabilities withinenterprise applications, the solution should bebased on a service-oriented architecture(SOA) to provide programmatic access toapplication functionality via J2EE- andMicrosoft.NET-compatible Web ServicesAPIs. This facilitates automation of businessprocesses (see below) and extension of appli-cation logic so that users can take advantageof content management functionality directlyfrom their application environment ratherthan switching context to specific contentmanagement applications.

3. Business Process AutomationTo provide maximum benefit in terms of

improved productivity and business agility, anenterprise content management solutionneeds to provide business process manage-ment (BPM) capabilities to automate businessprocesses through the use of workflows. Bothstandard workflow templates and customiz-able workflows are needed, so that organiza-tions can continue to optimize processes toadapt to changing business requirements.

Content management solutions shouldprovide the ability to use workflows to drivereview and approval cycles, notify users thata new document version has been checkedin, or prevent the deletion of a documentwithout a manager’s permission. In addition,workflows can invoke Web services to

Supplement to

The Next Wave

Content Managementfor the Rest of Us

In the past few years,major changes have beentaking place in the content management mar-ketplace. Organizations that previously con-sidered content management a niche applica-tion focused on workgroup or departmentaldeployments for meeting specialized publish-ing-oriented requirements are increasingly re-questing true enterprise deployments that de-liver content management capabilities to alltheir users. These changes have created a needfor a scaleable, affordable and highly usable so-lution that bridges the huge gap between lim-ited-capability file servers and specialized,expensive and complex content managementand records management applications. Oraclerefers to such a solution as content managementfor the rest of us. This article discusses the drivers of market evolution and identifies keysolution requirements for the changing market.

Evolution of the Content Management Market

The products that most people think ofwhen they hear the term “content manage-ment” began to emerge about 15 years ago tosupport the creation, management and publi-cation of unstructured data (or content) forusers who specialized in content productionin highly regulated industries. However, thevast majority of content is actually used bythose of us who are not content specialists(about 95% of all business users) and thatcontent mostly resides on desktops and fileservers—without any real management at all.

In the past few years, three conditionsbegan driving major changes in the marketand have given rise to a need for solutionsthat bridge the huge gap between limited-capability file servers and specialized, expen-sive and complex content management applications. First, the rapid and acceleratingexplosion of all types of content—docu-ments, e-mails, instant messages, images,etc.—has driven a need for putting bettercontent tools in front of all enterprise users tohelp them make sense of the flood of data...orat least keep them from drowning in it.

Second, a series of corporate scandalsfocusing on the discovery, alteration or


By Rich Buchheim, Senior Director,Enterprise Content Management Strategy, Oracle Corporation

September 2005 S17

perform management actions, thus enablingthe automation of business processes.

4. Records ManagementWith regulatory compliance issues

becoming increasingly important, recordsmanagement (RM) capabilities are essentialin a successful enterprise content manage-ment solution. Records management pro-vides the ability to specify that a documentor other content entity is to be retained for acertain period of time, prevents or controlschanges to the document during the reten-tion period and disposes of the document in

a prescribed way once the retention periodhas expired.

Records management capabilitiesrequired as part of a content managementsolution include file plan-based record organ-ization, record search and flexible classifica-tion and retention policy management. It mustbe possible for records to be declared manual-ly by users or automatically through policy-based record declaration.

Today’s technologies enable RM sys-tems to be based on a SOA that leveragesbusiness process management standardslike BPEL, incorporating RM into theinfrastructure as a Web service consumableby any user or application in the context of

the business process. This addresses threemajor challenges for next-generationrecords management deployment:

◆ Capturing business-critical records enter-prise-wide becomes possible when RM isincorporated as services in multiple envi-ronments and the records stored in ahighly scalable and available repository;

◆ RM becomes accessible to knowledgeworkers in the context of their normalwork without having to access specializedRM applications; and

◆ Records can be captured programmaticallyfrom business applications, portals, and ad-hoc data sources through RM Web services.

The market for content management andrecords management is evolving from spe-cialized vertical applications to true enter-prise deployments. These changes willexpand the market substantially and requiresolutions that can bridge the huge gapbetween ubiquitous file servers and tradition-al high-end ECM products. Such solutionsmust provide horizontal functionality acrossthe entire enterprise and complement existingdepartmental content management focusedon specific vertical applications.

The requirement for enterprise-widerecords management means organizationsshould view records management not as amonolithic stovepipe application, but as anextension of their information infrastructurebuilt on a SOA. This new way of thinkingabout records management opens the way toactually provide records management foreveryone and every process in an enterprise.

To meet the requirements for true enter-prise deployments, a solution must delivercontent management for all enterprise users,everywhere they want it, and for every busi-ness process that requires it. It must provideusers precisely the functionality needed with-out changing the way they work, and it mustscale to support the largest enterprise—atcosts that finally make enterprise deploymentaffordable. ❚

Rich Buchheim has more than 38 years of leadership experience incontent management and related areas. His current role at Oraclefocuses on leading product management and setting the overallstrategic direction in the areas of enterprise content, records,and compliance management. Prior to Oracle he was president of LaunchWay Consulting, a consulting firm focusing on content management and enterprise computing strategies. He has previously served as president and chief executive officer of iHarvestCorporation, a provider of Web content capture and annotation technology (acquired by Interwoven) and Integrated ComputingEngines, Inc. (ICE), which developed rich media production and management products.

For nearly three decades, Oracle, the world’s largest enterprise software company, has provided the software and services that letorganizations get the most up-to-date and accurate information fromtheir business systems. Oracle Collaboration Suite brings together theessential components of collaborative productivity:Web conferencing,content management, e-mail, voice mail and an integrated calendar.

For more information, please visit www.oracle.com


While this market evolution and expansion was unfolding, Oracle was steadilybecoming more interested in the opportunity. It was also steadily improving its ability to eliminate the arbitrary distinction between structured (transactional) data,and content. Unlike other content management products that use a complex conglomeration of database-managed metadata and a flat file-system for actual content storage, Oracle used the database to store all content-related information—metadata, relationships, indices, system state—and the content itself. As a result, thereliability, security and scalability of the Oracle database, together with its tools forbusiness continuity, access control, search and query, auditing and tracking, etc.could be applied to content as well as transactional data. A new paradigm emergedwhere all information could be managed using the same tools and made availableto all applications whenever and however needed.

Oracle’s Internet File System (iFS), its successor the Content ManagementSoftware Developers Kit (CM SDK), and the Oracle Files component of OracleCollaboration Suite were milestones during the paradigm shift.

By mid-2003, Oracle Files had become a robust and highly scalable solution forconsolidated file management and sharing and lightweight document management.Oracle’s own internal adoption of Files is a powerful example of the product’s capabilities. One Files application running on a single Oracle Database instancemeets virtually all the file management and sharing needs of Oracle’s 55,000+employees worldwide, managing over 22 million documents and 7 Tbytes of storageand growing at a rate of more than 30,000 new documents a day.

What the Market NeedsExperience with its successful internal implementation, coupled with reviews of

the requirements of over 200 customers, gave Oracle an excellent perspective ofwhat the market needs for a content management solution with true enterprise-wideadoption. This perspective has been valuable in building Oracle Content Services10g, the next generation of Oracle Files.

A fundamental requirement for any content management solution to be successfulis to provide a high level of functionality, usability and expandability. In order to be adopted by business users and knowledge workers throughout an enterprise, a content management solution must provide precisely the tools and facilities customers require, seamlessly surfaced in familiar environments when and where users need it and without negatively impacting the way they work. Such asolution must:

◆ Increase productivity by making information throughout the enterprise easier tofind, manage and share;

◆ Reduce risk through better control of information and establishment of consistentinformation policies and processes;

◆ Facilitate compliance with government and industry regulations through recordsmanagement; and

◆ Lower costs through consolidation of server hardware, software licenses andadministrative support.

Mass Adoption at Oracle

cover that. And then what about archivinginstant messaging generated by CustomerService? Yet another product to beinstalled. By acquiring these band-aids, thecompany is simply incurring a cost to com-ply rather than making an investment increating new efficiencies.

AMR Research recently predicted thatin 2005 alone $15.5 billion will be spent ona wide range of compliance programs and$80 billion over the next five years. Bearwith the auto industry analogy for a bitlonger: with that kind of money in the bal-ance, companies must start seeing the needto comply as an opportunity to fine-tuneand improve the entire engine under thehood. As AMR Research concludes in thesame report, “...leading companies are con-necting the dots between overall compli-ance requirements and their own enterprise performance management activities.”(John Hagerty, Fenella Scott, “RegulatoryCompliance: An $80B Opportunity,” AMRResearch, January 2005)

Driving a Lower Total Cost of GovernanceNotice that it is not called “total cost of

compliance.” Fine tuning the entire enginemeans we look at how compliance tech-nologies—from documents and records

management to e-mail and Web page cap-ture—can drive greater efficiencies andgreater ROI across all areas of a companywhere electronic information is created,stored or exchanged.

We’ll label this “universal governancemanagement.” It crosses typical departmentalboundaries, combining strong complianceinitiatives with overall strategic planning andgoal setting. It creates better visibility into thestate of the entire company, not just for riskmitigation, but to drive efficiency improve-ments department by department. It empow-ers not just the compliance team but everymanager, putting them in the driver’s seat tobe more successful.

A Turbocharged Return on InvestmentThere’s no doubt that your organization

will be contributing a portion of the $80billion companies will spend on compli-ance over the next five years. The return onthat investment when creating universalgovernance management can be augment-ed by considering several steps:

1. Look to the next generation of com-pliance solutions. Today’s compliance appli-cations tend to be implemented as standalonepoint solutions. This presents several limita-tions, such as the lack of robust integrationcapabilities, weak portal resources and theinability to manage data as an electronicrecord. A more forward-thinking approach isto look to a solution where all information,from a wide array of sources and in many formats, can be stored in a single securerepository, and then pulled together and personalized for the end user. Then the infor-mation can be tapped for far more than simply compliance needs.

2. Make it sustainable compliance.Compliance is an ongoing process, not a sin-gle event. To be more than just a quick fix,compliance solutions must also enhancebusiness processes and readily adapt tochange. This “sustainable compliance” solu-tion must use a single infrastructure to satis-fy multiple and converging compliancerequirements (SOX, SEC, Basel II, HIPAA,etc.) to bring efficiency to the compliance

Supplement to

From Compliance Chaosto Universal GovernanceManagement

In the 1990s, the standards set out by thefederal Clean Air Act were widely be-moaned by the auto industry; compliancywas sure to raise the retail cost of vehiclesto unacceptable levels and make cars lesssafe on the road. Customers would be lost.Manufacturers would go out of business.

As of this date, none has closed itsdoors. Car sales continue to grow, even inCalifornia, the state with arguably the moststringent vehicle emissions laws. And,now, many believe that the new technolo-gies the auto industry has been forced todevelop are actually improving overallcustomer satisfaction, bolstering their cor-porate image and giving them a kick startin creating the next generation of products.

There’s a lesson that can be learnedfrom this. Compliance doesn’t have to be atremendous burden. Compliance can evenbring about new and surprising profitabili-ty and customer satisfaction. And it can bea catalyst for positive changes across yourorganization.

Shifting How You Think AboutCompliance

In just the past five years, it is estimatedthat nearly 10,000 regulations have been cre-ated by federal and industry entities; allmandating the capture and control of elec-tronically stored documents (which nowmake up 80% of all business information).

To service this sudden and growingneed, a plethora of companies have sprungup offering products to solve every regulatorydirective imaginable.

But these point solutions are quicklybecoming a liability for companies withmany silos of information spread acrossmany departments. For example, the out-of-the-box document archiving systemused in Finance may be working for them,but what about e-mails created in Sales?Another product has to be purchased to


By Mark Gilbert, Scott Reed, Phil Ayres, Robert Hill, & Gay Thompson,Vignette Corp.

“Point solutions are quickly

becoming a liability for companies with many

silos of information.”

September 2005 S19

problem and provide a single source of thetruth for compliance information.

3. Consider the human side. One of thebest ways to ensure success of any compli-ance initiative is to see that it is as user-friendly as possible. Any solution chosenshould create a common user experiencearound risk and compliance, so that it can beextended quickly as the need arises. It shouldalso provide enterprise-wide interfaces/portalsfor management to easily access.

4. Consider the technology side. Firstand foremost, find a provider who sees thesame big picture potential. They should bepresenting a group of solutions and technolo-gy partnerships which put all the puzzlepieces together, yet are flexible enough tomeet your unique industry needs.

This provider should offer:

◆ An open compliance architecture. Com-pliance efforts will typically demand theintegration of information from multipleenterprise systems. To do this most costeffectively, it is best to use a common ar-chitecture designed with interoperabilityin mind. For example, the J2EE architec-ture has been adopted by many vendorsto achieve this goal. It eases integrationefforts and enables application interoper-ability via Web services, which is essentialto functioning within the service-orientedarchitecture (SOA) environments thatcustomers are rapidly adopting.

◆ A single source of the truth. Many effortsto provide accountability in compliancesuffer from a major flaw: the enterprisenever establishes a single source of truth.The most fundamental way of achievinga clean audit trail for compliance infor-mation is to implement a records anddocument management layer as the foun-dation of the architecture. The benefits in-clude detailed security at a document orobject level. Time stamping, versioningand other basic library services establishwho touched what document when, creat-ing an unalterable audit trail. DOD standard5015.2 sets a model that many enterpriseshave relied on in building their recordsmanagement strategy.

◆ Vast integration potential. Think lever-agability. Once the single records management system is implemented, theenterprise has a secure repository onwhich to build. Next, planners should ex-amine the core systems that contain datathat will need to be secured to provide acomplete compliance snapshot. For ex-ample, a manufacturing company mayfind that its work-in-progress inventorylevels will have a significant effect on thequarterly financials. They might integratetheir ERP system into their records man-agement repository so that relevant datais “locked down,” creating a single sourceof the truth for that point in time. As

companies look to make their records management system the hub of their com-pliance architecture, they may have to integrate with many key applications.

◆ Far-reaching visibility. Another essentialelement of an effective compliance archi-tecture is the insight and accessibility toinformation gained through portals anddashboards. A portal view into compli-ance information should be tailored to theneeds of the individual knowledge workerand should be limited to the informationthey are allowed access to by the securitydictates. A CFO dashboard might focuson high-level indicators of the status andrisks associated with the financial closeprocess. An internal auditor might haveviews into site-audit status. Finally, aworker might log in to see the list of tasksthat they must complete and attest to intheir daily work, plus e-learning modulesavailable or required for their professionaldevelopment.

5. Keep your eyes on the road ahead.Where do you want your company to be nextyear, in five years, 10 years? Make sure yourcompliance solution can handle whateverchange/growth comes your way. Rememberthat many of the regulations we must nowmeet are five years old or less. They are like-ly to evolve and grow, and the infrastructureyou put into place must be adaptable. Find asolutions provider that can help you extendyour investment beyond just compliance, toone that takes advantage of being able tolock down and manage data across disci-plines, and can deliver that data in the verybest way possible—from e-learning toemployee and customer portal, to collabora-tion capabilities and expanded customerrelationship management.

The Keys are in Your HandsFederal and industry regulations are here

to stay. How you approach complying withthese mandates can mean the differencebetween simply meeting the bare minimum

and taking your organization to new levelsof efficiency and productivity.

You must shift your compliance view-point to one of universal governance man-agement, where solutions reach acrossdepartmental boundaries, combining strongcompliance initiatives with overall strategicplanning and goal setting.

Your compliance partners should holdthe same vision. And they should havealready assembled best-of-breed solutionsand services from many sources to enablegreater automation and tracking of all com-munications as well as delivery of individ-ualized and prioritized information to theright people at the right time.

In other words, don’t depend on a quickfix at the end of the tailpipe. Work on theentire engine to increase the overall perform-ance, and while you’re at it, improve the dash-board to let you see how far you’ve come. ❚

Vignette’s Compliance and Governance Solutions Unit delivers focusedexpertise to help their clients solve regulatory compliance business issues.The unit is comprised of five individuals representing core areas of expertise. Vice President and General Manager Mark Gilbert, drives thegroup’s strategic vision and go-to-market leadership. Prior to joiningVignette,Gilbert spent 10 years as a highly respected analyst with Gartner.

Senior Account Executive Scott Reed is the primary conduit of information between clients and the team. His broad knowledge inenterprise solutions, business development, and global business strategies give him deep insight into how to best grow successful customer relationships.

Tapping years in the field as technical lead for a range of enterprisedocument management and workflow system implementations, PhilAyres serves as principle solutions architect.

Business Analyst Robert Hill is responsible for product development,sales, and partner relations. Prior to this, he oversaw the developmentand execution of Vignette’s Sarbanes-Oxley compliance initiative.

Senior Field Marketing Manager Gay Thompson provides worldwidemarketing support to the team. She brings experience in programmanagement, new product introduction, product marketing and customer support.

For more information about Vignette’s Compliance and GovernanceSolutions Unit, e-mail [email protected].


EDS chose not to simply install a records and documents control softwareapplication for compliance. Instead, they looked for a wider-reaching multi-productsolution that not only helped them meet regulations, but actually improved internalcommunications and operational efficiencies.

◆ Combined the power of more than 4,000 internal Web sites into one, easy-to-useemployee information portal;

◆ Empowered employees with critical operational and governance informationdelivered through personalized dashboards; and

◆ Launched a new reorganization-focused internal portal from concept to launchin less than 90 days.

Driving more efficiencies through compliance

more recent example, which involved verydifferent litigation, the fine reached $1.45billion.

It’s important to remember that in boththese cases, the companies caught in thecourt’s headlights were hardly novices;they had billions in reserve, sophisticatedexecutives in the boardroom, high-pricedcounsel on the payroll, stringent e-mail andcontent retention policies in place and anexpensive technology infrastructure. Itcould almost be argued that these compa-nies were doing everything right. Yet bothwere essentially caught flat-footed.

The judgments sent shock waves downWall Street, and perhaps throughout corpo-rate America, as many other enterprisescame to the sobering realization that they,too, might be helpless to comply with thesame directives.

So what’s going on here? How didthings go so wrong?

First, let’s accept that the content uni-verse looks very different than it did evenfive years ago. There’s a lot more of it, andnew mandates for having to keep and man-age it over a long period—and destroy it ata precise time—have changed everything.

Take e-mail: No one could have predictedhow this would become the cornerstone ofbusiness communication. IDC estimates theaverage number of e-mails sent each day willhit 36.2 billion next year. Then there’s instantmessaging. It’s now on just about every busi-ness desktop, yet many public corporationshave virtually no policies or means of IMretention. Overall, from an IT perspective,organizations don’t have true archiving poli-cies, while on the business side, companiescan’t figure out what they need to keep, forhow long and in what ways.

Second, it’s obvious that requirementssuch as Sarbanes-Oxley, the SEC, HIPAAand others are just the tip of the iceberg. Themost sensible mandates—for example, thate-mail shouldn’t be used for private commu-nications—are also the least practical. Whatcorporations need instead is a global hierar-chical data archival and retention manage-ment system that governs both the technolo-gies and the users involved. This should bedone strictly according to regulatory require-ments, risk measures and other corporatemandates that allow an organization to build

clear lines between risk, profit, systems andpeople. But in the real world it’s never soneat. Just as government regulations contin-ue to evolve and litigation tries to zero in onthe “smoking gun,” corporations work toimplement policies and technologies thatmake sense, protect the corporation whilemaintaining investor confidence and manageit all without overwhelming those responsi-ble for compliance, legal issues and informa-tion technology. That’s a hard balance to findeven at the best of times.

Third, it’s vital to remember that no twoindustries are exactly alike. What do the reg-ulations governing your particular businessrequire relative to your corporation’s infor-mation? That’s not an easy question toanswer, since many corporations have found acompetitive advantage in developing com-plexity across their diverse systems: moreintegration, more customized applications,etc. However, with respect to compliance, thiscomplexity creates challenges in audit abilityand controls. Bottom line: simpler is better.

Finally, since technology is the founda-tion of many of these processes, don’t forgetwhat these systems can and can’t do. Manyof the technologies that now make up the ITinfrastructure in corporate America weredeveloped when compliance issues were nota top priority, and when content didn’t comein as many types as it does now. This is a crit-ical weak spot.

At the most basic level, many companiescontinue to back up content when they shouldbe archiving, managing and destroying it.They surely learn the difference when there’sa court order mandating a huge search at shortnotice. On a broader scale, the archival sys-tems many companies have in place simplycan’t handle the kind of search and retrievefunctionality needed to quickly respond torequirements that a judge might deem routine.Going further, even fewer technologies candeliver a comprehensive platform for address-

Supplement to

Records Management & Regulatory Compliance

Finally on the Front Burner

At first glance, it’s difficult to see howmuch has changed in records managementand regulatory compliance in the past cou-ple of years. Naturally, some new laws andregulations have been introduced and olderones have continued to evolve, particularlyin the multinational context. More compa-nies are putting compliance-related policiesin place, and some are taking the trouble toenforce them. And while a few technologieshave improved significantly, many still can’tdo what’s needed. But without a close look,it might be hard to tell what’s truly differ-ent and what’s needed now.

In the real world, however, just abouteverything is different. There’s a newurgency in the air, and they can feel it allthe way to the boardroom.

Once confined to the back of the businesssection, issues related to records manage-ment and regulatory compliance now domi-nate the headlines. Either directly or indirect-ly, these issues have caused companies to belevied huge financial penalties, been the rea-son for executive turnover (even throughprosecution and conviction), led companiesto actively enforce policies that have longbeen in place, been the recipient of signifi-cant budgetary resources and, perhaps mostimportantly, become a companywide priorityrather than one essentially relegated to the ITdepartment.

Unfortunately, the stories are often nega-tive. Earlier this year, a financial servicesconglomerate was hit with a huge fine, inpart because it couldn’t guarantee that it hadturned over every relevant e-mail. In its owndefense, the company clearly tried hard totrack down all the relevant content. Yet back-up tapes kept turning up in closets, yieldingmore e-mails that had to be combed through.Eventually, the judge lost patience.

Only a few months earlier, in anothercase involving a major financial servicesfirm, it was found that despite counsel’sinstructions, employees had deleted somerelevant e-mails while the defendant hadwithheld others. The judge subsequentlyinstructed jurors to presume that the with-held information was prejudicial.

In that case, the jury awarded the plain-tiff a total of $29 million in damages—astaggering amount by any measure. In the


By Peter Mojica,Vice-President, Product Strategy and Management AXS-One Inc.

Peter Mojica is vicepresident of productstrategy andmanagement for NewJersey-based AXS-One,a leading provider ofrecords compliancemanagement software.Mojica is a thoughtleader in the fields ofrecords management,corporate complianceand risk mitigation, and

speaks at numerous industry events annually.

Mojica has more than 18 years of informationtechnology experience, primarily in the financialindustry. He brings a broad range of sales, technologymarketing, and information technology managementexpertise to AXS-One.

Peter Mojica

September 2005 S21

ing the global issues surrounding archival,compliance and legal discovery with the flex-ibility to address “what’s next.”

Best PracticesOf course, there are still plenty of things

organizations can do. Despite the very differ-ent terrain, many of these best practiceshaven’t changed much. Maybe it’s becausecompliance is like old-fashioned investing:It’s all about the fundamentals.

Exhibit real leadership: Failure toensure true and effective records manage-ment and regulatory compliance representsa failure of management. Even the bestpolicies and technologies won’t work with-out companywide adoption and buy-in, andit is management’s job to get it.

Make compliance and governance ano-brainer: Wise companies will build andsupport a high-visibility compliance compe-tency training program that has the authorityand resources needed to develop, implementand enforce participation across all levels.Roles, responsibilities and accountabilitymust be clearly defined.

Keep it transparent: Make it as easy aspossible for employees to retain, preserve andarchive all the necessary content, but alsoensure that your company has the ability todetect policy violations and do what is legal-ly required if and when that happens. Theproblem won’t go away if you don’t.

Prioritize the content, not the contenttype: The medium doesn’t matter; the factthat one relevant piece of content was in e-mail form while another was in an SAP reportmakes no difference in the final analysis.

Put the right tools in place: Conduct athorough needs analysis and ensure that thetechnology can do the job. The infrastructuremust be scalable; it must have the ability tohandle multiple content types; and it musthave the capacity to meet the records man-agement and regulatory compliance tasks thatcome down the pike today, such as global riskand e-mail search-and-retrieve.

Stay ahead of the curve: Accept that weare in the midst of ongoing paradigm shiftsin the way we perceive our technologicalinfrastructures, as well as the applicationsand data they are designed to deliver.Technology evaluation is routine in mostcorporations, but balancing it with compli-ance needs is a new twist. That’s why manycompanies often believe that their backupprocesses are sufficient; measured againstcompliance directives, they’re usually not.For example, a compliance and archivalstrategy with data expiration policies is ahuge waste of time if the expired data con-tinues to exist on multiple back-up tapes, aswell as at disaster recovery sites.

These processes have to be reviewed withan eye toward managing both the regulatoryrequirements and the risk associated with the

content. Similarly, the underlying operatingsystems might allow security breaches that, inaddition to other problems, violate compli-ance policies. Bottom line: The entire technol-ogy infrastructure, from the smallest applet tothe largest server, needs to be assessed alongstrict compliance metrics. At the same time,it’s vital that companies implement both con-tinual process improvement and reliable auditcapabilities. We’re long past the point wheresilos can continue to grow virtuallyunchecked, each with its own domain. Build asingle platform that can be expanded, thenevolve when necessary. This will allow tech-nologies, processes and business needs tokeep pace with incoming regulations andchanging market conditions.

No company will ever say it doesn’ttake records management and regulatory

compliance seriously. Now, most of themactually mean it. Still, there’s no absolutescale of corporate compliance, just as there’sno completely right or completely wrong wayto do things. Far from being just another chorefor the IT shop, compliance needs to beembedded in the corporate DNA. That’s whenthings happen the way they should. ❚

AXS-One Inc. (AMEX: AXO) is a leading provider of high-performancerecords compliance management solutions.The award-winning AXS-OneCompliance Platform enables organizations to implement secure,scalable and enforceable policies that address records managementfor corporate governance, legal discovery and industry regulationssuch as SEC17a-4, NASD 3010, Sarbanes-Oxley, HIPAA, USA PATRIOTAct and Gramm-Leach-Bliley. It delivers digital archiving, businessprocess management, electronic document delivery and integratedrecords disposition and discovery for e-mail, instant messaging,images, SAP and other corporate records. Visit AXS-One athttp://www.axsone.com.


Testing the LimitsMeasuring Your Company’s Compliance Readiness

Like most organizations, you take compliance seriously. The more complicatedreality is that even with general policies and some technologies in place, manyorganizations aren’t doing enough or enough of the right things to protectthemselves for the growing risks associated with managing electronic records.

Here’s a quick test to gauge your company’s compliance readiness. Noone’s looking over your shoulder, so be honest. Score it any way you like, butwe recommend a scale of 1 to 10 points on each answer, with a 25 for thebonus question.

1. Do you classify data contained within business systems in such a waythat it is easily accessible—for example, by retention periods per datatypes?

2. Do you have compliant non-destructive media in place?3. Does your electronic archiving policy include content generated via

e-mail, IM and MS Office? 4. Are the archival policies explicit per groups?5. Do you have a supervisory review process for e-mail/IM communications

for some/all users?6. Do you have checks and balances for all of the above?7. Are you able to suspend retention cycles/put records on legal/litigation

hold and electronically manage your legal case holds?8. Do you run tests for records recovery, including audit logs?9. Is all your data that needs to be compliant—for example, relating to financial

transactions—readily accessible online for back-office reconciliation andother front-office business functions?

10. Is senior management (CEO, CIO, CFO, CCO, corporate counsel)actively involved in your company’s compliance and IT alignment strategiesand operations?

And for the bonus question: Does your company have the capability to rapidly develop value-added front

office applications (for example, dynamic web publishing, portal integration,decision systems support) from its compliance data?

Compliance Readiness Scorecard: ◆ 80 Congratulations: Your company is a leader in the field◆ 70 Very good: Your company has an excellent state of readiness◆ 50 OK: Your company is toeing the line◆ 30 Not good: Your company is at high risk for non-compliance◆ 20 Bad: Your company needs to drastically overhaul its compliance practices

managers and C-level executives, as wellas the departments generating the contentcan stall or kill deployments.

◆ Time to deployment—Promises ofavailability of the RM solution can oftenbe wildly optimistic, resulting in disillu-sionment and loss of confidence.

◆ Unforeseen costs—Many activities, suchas setting up automated rules andprocesses for getting content into theERM system, can take a lot of time andrequire a lot of costly, outsourced serv-ices. This can put some initiatives on holduntil additional funding has been secured.

◆ Slow adoption—Staff may be reluctantto learn radically new processes and canslow or halt implementation before iteven gets started. In other instances, high-priority areas such as legal and financehave significantly influenced the overallrequirements, resulting in other depart-ments feeling like the company is coveredand is therefore less interested in sup-porting an ERM deployment.

◆ Balkanization—IT often feels they ownthe solution’s infrastructure and contentbut typically thinks of compliance as“someone else’s job.” RM teams mightunderstand managing paper records forcompliance, but may be uncomfortabletaking the lead in shaping ERM tech-nologies and processes.

◆ No champion—Upper-level managementcan buy into records management but notfully understand the complexity of an en-terprise-wide ERM solution and fail to sup-port and promote it when necessary.

Don’t give up: regulatory compliance isnot going away, and the pace at whichorganizations are generating documentsand content requiring corporate controlisn’t slowing down either. You can breakthrough the existing barriers that are under-mining your success and you can do it now.The key to success is in starting small andsystematically extending your deploymentacross your organization.

Six Steps to SuccessYou can avoid the difficulties of pleasing

too many stakeholders and getting approvalsfor big ERM budgets by kicking off yoursolution as a pilot program. Start by under-standing the capabilities and scope of today’sERM technologies, and specifically howERM and enterprise content management(ECM) systems interact. Learn how the vari-ous components can work together to addressdocument-centric business processes in yourenterprise and feed content into your organi-zation’s RM system. Leverage the need forbetter content management in these areas topilot your ERM solution without a largebudget or waiting for buy-in from the entirecompany. Apply these six smart steps topiloting a successful ERM solution andyou’ll be enterprise-wide in no time.

STEP 1: Select an organizational part-ner that has funding available and is strug-gling with document-intensive processes.Finance and accounting groups are a goodchoice, as they are under particular pres-sure to ensure their internal procedures arecompliant with various regulations. Byshowing them how they can automate oneof their processes from start to finish witha content management solution that alsoenables electronic declaration of records,you should find it much easier to get theadditional funding required to invest inyour ERM solution.

Legal is another department that isoften looking to control the cost and liabil-ity associated with documents. A contentmanagement solution that enables them toscan paper files and handle them electroni-cally is an ideal project on which to “pig-gyback” your ERM initiative. Identify akey legal proceeding underway or an areaof significant concern and offer to supportthe process. This will be much easierwith a document management system thatincludes scanning hardware, indexing capa-bilities, document routing, review, electronicstorage, retrieval and distribution—the under-pinnings of an ERM program.

STEP 2: Perform an audit of yourexisting hard-copy records. Research indi-cates most organizations are storing con-tent far longer than they need to, at signif-icant cost and legal risk. If you can identi-fy these kinds of inefficiencies, you maybe able to justify your ERM initiative bydemonstrating how electronic documentmanagement can lower the requirements(and the cost) for outsourced storage—and enable greater compliance withdestruction policies.

STEP 3: Find out if your IT group isalready looking at an ECM solution andhelp them understand how your pilot canbe integrated into their plans. Offer to workwith IT to identify costs for deploymentand configuration and offer to share the

Supplement to

Get Going with ElectronicRecords ManagementSix steps to success

Many regulations and guidelines are driv-ing compliance initiatives in the enterprise,from Sarbanes-Oxley, to the FDA’s 21 CFRPart 11, to the Freedom of Information Act(FOIA) and the Health Insurance Portabil-ity and Accountability Act (HIPAA). Seniormanagement in corporations and institu-tions has spent a staggering amount on high-profile initiatives such as risk assessment,continuity planning and information cata-loging via corporate taxonomies. By someestimates, the average corporation spent$4.5 million to meet just one part of Sar-banes-Oxley (Section 404) in 2004. Amidstall this spending, funding for electronicrecords management (ERM) initiatives haslagged. In an ARMA survey published in2004, 87% of respondents stated that Sarbanes-Oxley had NOT resulted in an increased budget for RM.

Even when funding is committed, thereare still significant hurdles to overcomebefore benefits can be realized—hurdlesthat can sometimes cause the entire projectto grind to a halt:◆ Too many stakeholders—Conflicts of

opinion and priority amongst IT, records


By Colman Murphy, DocuShare Product Manager, Xerox DocuShare Business Unit

1. Zero-in on document-intensiveprocesses in key departments;

2. Find cost-savings in replacinghard-copy storage with an ERMsystem;

3. Gain IT’s support by includingERM with ECM deployments;

4. Select a solution that is easy toacquire, easy to deploy andeasy to use;

5. Ensure pilot success before rollingout to a larger audience; and

6. Demo the pilot to other depart-ments and invite participation.

Six Steps to a Successful ERM Pilot

September 2005 S23

expense of the pilot. Point out that goodECM solutions offer powerful recordsmanagement modules, but great systemsemphasize usability, especially for non-records managers.

One cautionary note: never sell the needfor ERM by making claims to managementabout your projected compliance level oncethe software is in place. Records manage-ment is a corporate process, driven by regu-latory requirements—a process that impactsalmost every employee in the company. Thescope is too broad and the variables too greatfor any one department to accurately meas-ure compliance, let alone calculate projectedgains. Focus your ROI message on the tangi-bles instead: steps removed from a process,minutes removed from retrieving a docu-ment, or dollars saved by reducing the needfor hard-copy storage space.

STEP 4: Select an ERM solution that’seasy to use. Almost every knowledge work-er deals with corporate records on a dailybasis. Even with automation, employeeadoption will only be achieved if yourERM application is straightforward, easyto use, and ideally helps employees workfaster overall. If your pilot requires workersto adopt new processes it’s not likely togenerate a high adoption rate.

Don’t ask users to jump to a differentapplication or interface to classify ordeclare records or make any significantchanges to the way they are used to work-ing. With this in mind, select a Web-basedERM application that doesn’t require newsoftware on the user’s desktop. Keeptraining requirements to a minimum. Ifthese criteria are present, users can morerapidly see how ERM can speed and sim-plify processes, and interest in adopting itwill increase.

Also ensure your pilot solution can easilyscale up to handle ERM needs corporate-wide and that employees can be “RM-enabled” quickly. Ideally users need onlyopen a browser and log-in to benefit from afull range of capabilities: document man-agement, collaboration, workflow, imagingAND electronic records management.

STEP 5: Keep a low profile during ini-tial deployment. Focus the success of yourpilot at a tactical level, rather than spendingtime on broad plans for an enterprise-widerollout. Pilot expansion will depend onyour demonstrating a flexible, streamlinedsolution that can be easily adopted forenterprise-wide use. Don’t jump the gunand start showing the solution to otherstakeholders until you have moved wellpast your beta-phase and can demonstratereal process improvements and increasedproductivity.

STEP 6: When the time is right, inviteothers to take a look. Encourage, ratherthan mandate, adoption and offer access on a “trial” basis to the key stakeholders

you identified in Step 1. Showcase the pilotby holding internal demos, and developinternal success stories to drive interestbeyond the initial installation. In a modestamount of time, your pilot ERM projectwill help drive funding and deploymentbroadly in your organization—and yourcompliance system will have some realweight behind it.

Get GoingAbove all, ensure success by selecting a

vendor that provides the ease of acquisi-tion, deployment, use and scalabilityyou’re looking for from day one. XeroxDocuShare with DocuShare RecordsManager lets you deploy an ERM pilot thatprovides a full range of essential contentand document management capabilities atan affordable price and with minimal IT orprofessional services overhead. You can

also add scanning applications and Xeroxmultifunction devices to capture and man-age hard copy documents as part of yourrecords management program. ❚

Colman Murphy has more than 15 years of product management andmarketing experience in imaging,document and content management.Currently Colman is responsible for the DocuShare product line, theECM and compliance software offering from Xerox. Prior to joiningXerox, Colman worked at a number of Silicon Valley-based companiesincluding Visioneer (developer of PaperPort) and Caere Corporation(developer of OmniPage OCR software).

DocuShare® is an intuitive,Web-based enterprise content managementapplication designed for organizations, regardless of size, to collaborativelycapture, manage, store and deliver information contained in documents, from creation through final disposition.An industry leaderin ease-of-use, deployment and administration, DocuShare providesthe essential functionality required to accelerate document-intensivebusiness processes, meet regulatory compliance requirements andoptimize information flow and productivity. Coupled with Xerox scan-enabled devices, DocuShare delivers an end-to-end documentlifecycle solution from one trusted brand.


Renowned in the industry for its benchmark ease of acquisition,administration and use, DocuShare is a powerful Web-based enterprisecontent management (ECM) application that enables organizations ofevery size to rapidly deploy scalable ERM solutions. In fact, more than4,000 organizations worldwide have purchased over a million DocuSharelicenses to address their ECM challenges. DocuShare delivers value-richfunctionality for document management, records management, collaboration,Web distribution, workflow, search and imaging, allowing customers tosecurely capture, manage, share and deliver critical information easily.

DocuShare Records Manager allows users to easily declare all typesof electronic content as records, while still maintaining access for use inother business processes. Records are visible to permitted users withinpre-determined contexts and security is simple to set up and maintain.Worker adoption is encouraged by offering a familiar user interface thatmaps to everyday applications like Microsoft Outlook, offering “drag anddrop” functionality and intuitive file management. DocuShare is built onopen industry standards such as XML, WebDAV, JDBC and HTTPS, andsupports multiple platforms, making it ideal to deploy to a large numberof users regardless of their computing environment.

DocuShare is highly flexible and doesn’t require dedicated ITresources to manage and administer, so pilot deployments can be managed and controlled by key stakeholders for maximum success.Xerox provides a full range of easily integrated imaging and scanninghardware to bring hard copy documents into the repository, andadvanced routing and handling options to support a wide range of busi-ness processes. Xerox and DocuShare offer a scalable, comprehensive solution that enables you to capture, manage, control, share and delivercritical content and documents at all points in your organization.

Piloting ERM Solutions with Xerox DocuShare

“do we need to be compliant?” or “do weneed a records management program?” buta matter of “how do we do it?”

The fact is, today, a solution does notexist that takes out all human intervention,or automates completely, all aspects ofrecords management. Remember, as wesaid above, IT is being held responsible forimplementing records management solu-tions, and, traditionally, they are not versedin records management principles.Corporations are still responsible for hav-ing a reliable and compliant records man-agement program. That’s the dilemmamany organizations face today.

We have learned that it is difficult, atbest, to expect employees to consistentlyclassify records, if it is left as a manualprocess. The strength of records manage-ment comes when consistently applyingits principles to business documents with-in the organization. This is how the risk ismanaged. Because employees do not con-sistently classify records within therecords management system, automationmust be considered whenever possible tomaintain a trustworthy, reliable recordsmanagement program. Technology, at thecurrent time, does not ensure all recordtypes within the organization will beautomatically classified. Whenever possi-ble, organizations need to carefully auto-mate the records classification process.Manual classification should only be usedwhere automation cannot be achievedtoday. Manual classification is the step anemployee takes to formally declare busi-ness records into the organization. Whendocuments are created or received, theemployee must determine whether it is abusiness record, and then define its recordtype. In this case, when the employee isleft to his or her own discretion, inconsis-tency and lack of reliability come intoplay with a manual process.

Auto or Manual?

So you may ask, “How should we dealwith records management automationtoday?” Because full-scale automation(auto classification) is still a few yearsaway, it is important to be able to live witha mix of automated and manual processes.At this time, applications will not success-fully support automation for all recordtypes. However, auto classification of cer-tain types of records can be accomplishednow. You can start using existing technologytoday, for:

◆ Incorporating records management pro-cedures into existing business processesusing tools, such as workflow; and

◆ Auto classifying records using metadataor user roles to apply retention rules.

To achieve best practices, you mustcombine the use of automation for recordsclassification, with records managementbest practices:

1. Establish records management policiesand procedures;

2. Conduct a records inventory (list of allelectronic and paper records);

3. Determine a records retention schedule;4. Define security to control user access to

records;5. Ensure preservation hold order capability

to prevent the unauthorized or accidentaldestruction of records;

6. Train users on policies and procedures;and

7. Audit to ensure the organization is makinga good faith effort to consistency applyrecords management policies and proce-dures to the organization. ❚

Smead is uniquely positioned to apply over 98 years of records management experience into recordkeeping solutions. Committed toproviding innovative solutions for the management of information,Smead has developed a comprehensive line of recordkeeping software.

Supplement to

Automation + BestBusiness Practices =Minimized Risk

How many times have you heard “let thecomputer do the work?” When it comes torecords management practices, this state-ment can be the exact mentality that couldincrease risk for your company.

In reality, we currently do not have theluxury of fully automatic computer solu-tions that truly manage all of the basicrecords management processes. In today’sincreasing regulatory environment, theneed for companies to be able to demon-strate compliance is escalating. CIOs andCFOs are under increased scrutiny to man-age corporate risk. More often, IT depart-ments are being pulled into projects withthe objective of managing corporaterecords. The trouble lies with delegatingthe responsibility to a group that is nottrained in records management and lacksthe basic understanding of its philosophies.Is this truly the best solution to complianceand risk issues?

The Compliance ChallengeRegulatory compliance has joined the

forefront of issues facing CEOs today.According to a recent survey by AIIMInternational, 11% of the top executive’ssurveyed said managing information tomeet regulatory compliance was one of thethree biggest challenges businesses facetoday. We are seeing courts more seriousabout records management and compli-ance issues. Courts are demanding organi-zations to be in control of their records,and are showing signs of becoming intol-erant of those organizations that are notattempting to comply. An example of non-compliance, from the courts’ perspectives,is the inability to produce records afterbeing subpoenaed. Changes in legislationare underway to improve the way in whichrecords are requested by, produced for anddelivered to the court system. For manyorganizations, it’s no longer a question of


Sharon Hoffman Aventis the owner, presidentand CEO of SmeadManufacturingCompany, Hastings,MN. Avent joined thefamily-owned businessin 1965 as an hourlyemployee, and wasnamed president andCEO in 1998. SmeadManufacturingCompany has been

woman-run since 1955, and Avent, just as her motherbefore her, continues on with the company’s legacy ofproviding high-quality organizational products.Founded in 1906, Smead grosses over $500 millionannually and has 2,600 employees worldwide.

Sharon Hoffman Avent

By Sharon Hoffman Avent, President and CEO, Smead Manufacturing Company

Supplement to September 2005 S25

lunch,” which could potentially be evidencein a fraud or harassment case.

Legal discovery is expensive and timeconsuming. Years of e-mails and otherdocuments are difficult to restore, filterand produce according to case or investi-gation criteria. Many organizations havebeen fined or forced to settle because theywere not able to produce the recordsrequired for legal discovery, or becausethey could not find the key content thatmight have decided the case in their favor.The problem is compounded by the factthat the needed information is not just inthe records management system, but incontent management systems, databases,e-mail applications, file cabinets andscribbled notes.

Enterprise-wide Records ManagementIn a recent survey, 43% of companies

had more than five content repositoriesand 25% had more than 15. Should youconsolidate content in a single repository?Maybe. Robust, scalable repositories likeMobius’s ViewDirect TCM can managethousands of terabytes of diverse content.But there may be business advantages tokeeping content in its current repository orit may simply not be practical to move it.For example, country jurisdictions mayprohibit moving content across borders.Further, since there is no rule that man-dates that all records must be stored in asingle records management system, manyorganizations have multiple systems: acorporate system, usually controlled by acorporate records management group, andmultiple operational records managementsystems used and controlled by depart-ments or divisions.

With content and records dispersedthroughout the global enterprise, it becomesclear that a single record repository

isn’t always necessary or feasible. The idealsolution provides the best of both worlds:

1. A highly scalable repository that housesall records that can be moved; and

2. The ability to apply records managementfunctionality to records in their originalrepositories while maintaining the abilityto manage those records via a single sys-tem. This next-generation, enterprise-widerecords management solution offers com-pelling advantages:

◆ Lifecycle management for all content:Functionality for declaring, managing, re-taining and disposing of records can beapplied to a wide variety of content in-cluding application-generated content,desktop documents, e-mail and paper;

◆ “In-place” records management: Con-tent can remain in its original repositoryor it can be migrated to an inactive repos-itory at the end of the active phase of itslifecycle, while maintaining lifecyclemanagement and user access; and

◆ Content and records integration: Ad-vanced search and retrieval across all dis-parate repositories from a single point ofentry facilitates legal discovery as well asbusiness operations.

This vision for enterprise-wide recordsmanagement is being realized by vendorswho have a strong heritage in integratingand accessing diverse content and who have a clear understanding of thetechnology implications of legal and reg-ulatory requirements. For example,Mobius’s ViewDirect TCM offers maxi-mum flexibility in deploying an enter-prise-wide records management solution.ViewDirect TCM integrates all recordsand content across the enterprise in two ways: in the world’s most scalablerepository and/or by applying recordsmanagement functionality to records intheir original repositories and managingthose disparate repositories through asingle system. This solution breaks newground in addressing real-world recordsmanagement issues. ❚

Bassam Zarkout has 15 years of professional experience in enterprisecontent management, specializing in records management, e-mailarchiving, document imaging and document management. He hashelped companies around the globe define and implement corporatefile classifications and retention schedules. Bassam can be reached [email protected].

Mobius is the leading provider of software solutions for total contentmanagement. The ViewDirect® TCM suite includes integrated e-mailand records management as well as facilities for Web content management,business process management,and content integrationacross the enterprise. For more information, visit: www.mobius.com.

Bringing RecordsManagement to theEnterprise

A recent cartoon features an executive’s of-fice, in which the subordinate is saying,“Good news, chief, a computer virus has de-stroyed all our documents.” What’s not sofunny is the realization that many executiveswould indeed consider it a boon to be re-lieved of the anxiety of figuring out whichrecords to keep, for how long, where to keepthem and who should have access. And howmuch time and money will it take to find theneedle in the haystack when called upon todo so for legal discovery or to meet regula-tory requirements?

While there is no magic bullet that willguarantee a good night’s sleep, there arewell-established guidelines that will miti-gate risk and minimize costs. This articletalks about two real-world considerationsthat are often overlooked:

(1) Legal discovery may affect any contentwhether declared as a business record ornot; and

(2) While a scalable records managementsystem is a must, migrating all contentitems that become records from their mul-tiple, disparate repositories to a single,centralized repository isn’t always neces-sary and may not be feasible.

Coping with Legal Discovery

In addition to managing the normalrecord lifecycle, most organizations will berequired at some point to engage in discov-ery—the process of collecting, processingand reviewing information that might bepertinent to a regulatory request or litiga-tion. And it is virtually certain that there willbe a requirement during discovery for con-tent that was not declared as a record andnot housed in the records management sys-tem. The most famous example is theinnocuous e-mail that says, “Let’s have

KMWorld

By Bassam Zarkout, Director, Records Management Solutions, Mobius

and expensive—if not impossible—and theorganization may end up storing content thatshould be destroyed under legal or recordsmanagement principles.

A Smarter ApproachEffective content compliance first

involves bringing together only content ofbusiness value into an enterprise contentmanagement and records management sys-tem. This approach establishes a contentcompliance foundation from which organi-zations can build out compliance tool layersand enforce various policies for compliance.For example, e-mail archiving is a criticalcompliance initiative for most organizations.However, most automated e-mail solutionstend to catch everything, and store it in astandalone information silo, isolated fromother business content. A better approach isto automatically and selectively archive onlyrelevant business records, then link thearchive directly to a records managementsystem for both compliance and businesscontinuity requirements.

While the overall design or technologyfoundation is critical for content compliance,a culture of compliance also needs to be estab-lished, otherwise even the most sophisticatedcompliance strategy may fail, ultimately.Organizations must embed a philosophy ofcompliance into the fabric of their organiza-tions by creating, communicating and enforc-ing compliance policies. In fact, according tothe U.S. Sentencing Commission’s FederalSentencing Guidelines, stiff penalties mayresult if an organizational culture that conveysthe adoption of effective compliance andethics programs is not effectively promoted.

Technology Plus TrainingTo help promote and establish such

cultural changes (in addition to ongoing

employee education), organizations shoulduse a combination of technology andmethodology to implement and automateprocesses, enforce policies and manage content. For instance, organizations canimplement tools that automate the captureand declaration of corporate records, whethere-mail, documents or other content. Securitytools can prevent noncompliant content fromleaving the organization (or non-businesscontent from being captured) and integratedworkflow systems can simplify compliancemonitoring of e-mail and instant messages.These tools can also be expanded to preventthe accidental or deliberate disclosure of cor-porate intellectual property to unauthorizedexternal parties. By implementing such sup-portive compliance tools around a centralenterprise content and records managementsystem, organizations can ensure that bothcompliance and business requirements areeffectively met.

Remodeling—whether a house or anorganization—requires a balance betweenshort-term necessities and long-termrequirements. In terms of content compli-ance, organizations must strive for the rightbalance between meeting compliancerequirements and managing their contentin a business-effective manner. By keepingthe overall compliance design in mind, anorganization can achieve both complianceas well as operational improvements andcreate, ultimately, a more competitive busi-ness model, all under one “roof.” ❚

Yaletown Technology Group Inc. (YTG) provides content complianceinfrastructure to ensure that e-mail, instant messages, intellectualproperty and documents are managed using records managementbest practices and tools. With fifteen years experience, and the most innovative approach anywhere, YTG has solutions deployed incompanies worldwide.

Supplement to

Remodeling for Compliance

How to Address ContentCompliance

In today’s hot real estate markets, manyhomeowners are remodeling their existingproperties instead of moving. As a result, ar-chitects and builders are swamped in theirefforts to meet the needs of many home-owners for “new” redesigned homes. Simi-larly, many organizations are faced withhaving to remodel their existing technologyarchitecture to comply with the ever-in-creasing number of legal, privacy and reg-ulatory requirements relating to the man-agement of content. Because of pressingregulatory mandates such as Sarbanes-Ox-ley, HIPAA, The USA PATRIOT Act andthe Gramm-Leach-Bliley Act, content com-pliance, or the management of varioussources of unstructured content in a mannerthat meets both external and internal com-pliance requirements, is top of mind formany organizations.

In most organizations, information isstored on a variety of unconnected or onlyloosely connected systems such as account-ing, enterprise resource planning, customerrelationship management, supply chain man-agement, legal, human resources, e-mail andengineering files, among others. Ideally, thesystems should adhere to an overarching planor design, like the blueprint for a house. Theunfortunate reality is that such systems havebeen implemented over time to meet differentbusiness needs, so the challenge for organiza-tions is to bring together content from thesedisparate systems and archives, and manage itintelligently from a compliance perspective.

One approach to content compliance isfor an organization to use a “black box”approach and store everything, regardless ofcontext. In terms of remodeling, this is akinto an architect incorporating everything thata homeowner wants in the design withoutregard to basic design principles. For anorganization, such catch-all archives mayactually become a source of risk and liabil-ity. The search and retrieval of relevant con-tent for business purposes becomes difficult


Adam Wilkins is asenior partner withYaletown TechnologyGroup Inc., a provider ofcompliance solutionsfor content, policy andprocess management.Responsible foroverseeing thecompany’s product,sales and marketinginitiatives,Wilkinsprovides guidance on

aligning existing and anticipated market and customerneeds with strategic product direction anddevelopment.

With 25 years of experience in the IT industry,Wilkinsconsults, lectures and presents to organizations aroundthe world, and has written extensively on how to applytechnologies and best practices to comply withevolving regulatory and business challenges.

Adam Wilkins

By Adam Wilkins, Vice President, Business Development, Yaletown Technology Group

September 2005 S27

to save the process that went into the creationand handling of that document. Should yoube called up on a Sarbanes-Oxley issue, youcan say ‘these were the controls in place atthe time, this is the process we used, it wasreviewed by these accountants and financepeople at these different times, this is how itchanged over time and the rationale behindimproving the process...’ You can more accu-rately mitigate the risks that underlie theprocess surrounding each document. That’swhere the benefit really pays off.

“Sure, there are substantial costs inimplementing records and document man-agement software,” Gilbert continues.“But 10 years ago they were three timesthat. So the market is asking the vendors tobring down costs to the point where theyCAN have enterprise records management.Unlike 1995, when a records managementsystem had eight seats, today it could havea thousand seats, or more.”

ZyLAB’s Johannes Scholtes puts it intoanother perspective: “The cost of a lawyer isinfinite, so ROI calculation is really easy!”(Laughter ensues.) “As a manager under alegal discovery request, you cannot do any-thing else except focus on the lawsuit. Youdon’t stand for your business anymore...youspend more money and have less money com-ing in. I always say, if you find fraud before itfinds you, that’s a great benefit.”

But What Will it Cost?There are a number of ways to look at

cost avoidance and value, as we’ve learned,but there are a few more we haven’t tackledyet: “Most content sits on hundreds ofservers across enterprises,” reminds Collet.“That means records management allowsfor server consolidation, a benefit on thehardware side. You have the ability, withrecords management married with contentmanagement, to lower your storage costs.”

Galina Datskovsky from MDY agrees:“Absolutely—an optimized records programreduces storage costs, allows your users to getat records faster in a more efficient way,allows you to know that the record you haveretrieved is the correct one and eliminatesmistakes. Sarbanes, etc., may be making itmore visible, but I’m finding that companiesare embarking on records programs for thosereasons and beyond purposes of regulation.Very seldom is the records program Sarbanes-driven. The example of Morgan Stanley, andthe concern companies have around litigation,has done more for records management thanSarbanes-Oxley has,” she says.

Collet adds another aspect or two: “Thecost for a legal discovery effort is around$400,000 for each effort. But a harder numberto pin down is ability to craft an effectivelegal strategy, based on your knowledge of

the information you have. If you knowyou’ve got something responsive to discov-ery ahead of time, you can review it earlyon and create a legal strategy to address it.Perhaps you can get a settlement, ratherthan go to court, where something inappro-priate could be revealed.”

Hummingbird’s Pery adds “Section 404(of the Sarbanes-Oxley Act) doesn’t neces-sarily mandate that you have an automatedsolution...just that you comply. But if youdon’t have an effective system in place,estimates are that you’ll use 1,000 person-hours to create a 404-compliant environ-ment and a minimum of $100,000...proba-bly much more. The costs of implementingare quite high, but the risks of NOT doingit makes it imperative.”

Open Text’s Rabe adds, “A law firm wework with estimates it costs $2 to locate asingle e-mail message in a legal discovery.With all the news surrounding MorganStanley, Philip Morris and the rest, you canimagine the costs of a legal discovery.Then, without rigor in the organization ofinformation and records, your companymay STILL not be able to find pertinentinformation, and face huge fines on top ofthe costs of discovery! So it’s obvious thatputting rigor into your records plan willhave a huge cost avoidance.”

Mojica concurs: “Legal discovery isone expensive proposition. Once a cus-tomer realizes they can use the same sys-tem for regulatory compliance AND toaddress a legal discovery, that’s where a lotof the ROI comes from. We have customerswho have paid for their entire system byavoiding the costs from one legal discoveryrequest. I wish we’d have charged more!”

The Chilling EffectIt’s tempting to look at the recent regula-

tory flurry as merely another pain in the ...pocketbook. But there have been subtlereffects, not the least of which has been theshift in the relationship between corporatefinancial officers and their auditing firms.Formerly, a company and its auditors couldbe termed “partners” in the sense of an old-boy’s network of you scratch my back and I’llscratch yours. But not anymore. Auditors arenow as liable for financial misdoings as theCEOs who face the perp walk into a USDistrict Court. And that has created a chillingeffect between companies and auditors. “Yes,it’s become an arm’s-length relationship,”confirms MDY’s Datskovsky. “A lot of ourcustomers have changed auditors, becausethey either felt uncomfortable with the newrelationship forced onto them, or they feltthere were too many internal loyalties.However, with the reduction of the number ofauditing firms, it’s hard to change auditors...atleast in the larger arena. An interesting sideeffect of Sarbanes is that the largest auditing

firms (the “Big Five or So”) have been seek-ing larger clients and telling smaller clients togo elsewhere. The audit companies are alsohiring like crazy...it’s a great time to be anaccountant,” Datskovsky says.

Hummingbird’s Pery adds, “Organizationsare much more cautious recognizing revenue,and every time there’s even a small contentiousissue, they have to go to the auditors for com-ment. And they (the auditors) in turn may needexecutive approval within the auditing firm tomitigate their own risks. And that costsmoney.”

“Companies are spending twice as muchif not more to their audit firms post-Sarbanes,so that doesn’t sit well,” says Gilbert. “Theyused to send draft-work to their auditors, andask for their thoughts. Now they want it to belocked down first. If they send something indraft form, the scrutiny they’ll be under laterwill be immense.”

Harald Collet puts another spin on it:“There is a much more aggressive auditing ofIT controls, typically using CObIT (ControlObjectives for IT). We see records manage-ment right up there at the top as a red flag,because once you start going through the 250or so control objectives of CObIT, you oftenrun into areas where you have to retainimportant information as part of the change-management process, for example. Thechange in the relationship between auditorsand companies can be seen and is felt direct-ly in the IT department, and that translates inhow people look at these technologies. It’s allconnected.”

“Every company that has been fined orinvestigated under the SEC and other regu-lators has had heavy-duty compliance offi-cers and heavy-duty IT that were mindingthe store,” says Mojica. “They were tryingtheir best to mitigate the very risk they gotdinged for. And they don’t know what wentwrong! It’s all about the changing of thebusiness climate.”

It sure is. And that’s what the rest of thisWhite Paper is all about. The good news:we’re all trying to sort it out together. ❚

Andy Moore is a 25-year publishing professional,editor and writer whoconcentrates on business process improvement through document andcontent management.As a publication editor,Moore most recently waseditor-in-chief and co-publisher of KMWorld Magazine. He is nowpublisher of KMWorld Magazine and its related online publications.

Moore acts as chair for the “KMWorld Best Practices White Papers”,overseeing editorial content, conducting market research and writingthe opening essays for each of the white papers in the series.

He has been fortunate enough to cover emerging areas of appliedtechnology for much of his career, ranging from telecom and networking through to information management. In this role, he hasbeen pleased to witness first-hand the decade’s most significant businessand organizational revolution: the drive to leverage organizational knowledge assets (documents, records, information and objectrepositories) to improve performance and improve lives.

Moore is based in Camden, Maine, and can be reached [email protected].


THE CHILLING EFFECT continues from page 3

www.infotoday.com

Produced by:

KMWorld MagazineSpecialty Publishing Group

For information on participating in the next white paper in the “Best Practices” series. contact:[email protected] or [email protected] • 207.338.9870

Kathryn Rogals Paul Rosenlund Andy Moore207-338-9870 207-338-9870 [email protected] [email protected] [email protected]

For more information on the companies who contributed to this white paper, visit their Web sites or contact them directly:

www.kmworld.com

Hummingbird Ltd.1 Sparks AvenueToronto ON M2H 2W1

PH: 877.FLY.HUMM or 416.496.2200

FAX: 416.496.2207E-mail: [email protected]: www.hummingbird.com

AXS-One Inc.301 Route 17 NorthRutherford NJ 07070

PH: 800.828.7660 or 201.935.3400FAX: 201.935.1443E-mail: [email protected]: www.axsone.com

Mobius Management Systems, Inc.120 Old Post RoadRye NY 10580

PH : 800.235.4471 or 914.921.7200

FAX: 914.921.1360E-mail: [email protected]: www.mobius.com

Open Text Corporation185 Columbia St. WestWaterloo ON N2L 5Z5

PH: 800.499.6544 or 519.888.7111FAX: 519.888.0677E-mail: [email protected]: www.opentext.com

Oracle Corporation500 Oracle ParkwayRedwood Shores CA 94065

PH: 800.ORACLE1 or 650.506.7000FAX: 650.506.7200E-mail: [email protected]: www.oracle.com

Smead Software600 Smead BoulevardHastings MN 55033

PH : 800.216.3832 or 651.437.4111FAX: 800.216.3837E-mail: [email protected]: www.smeadsoftware.com

Stellent, Inc. 7500 Flying Cloud Drive, Suite 500Eden Prairie MN 55344

PH: 800.989.8774 or 952.903.2000Fax: 952.829.5424Web: www.stellent.com

TOWER Software12012 Sunset Hills RoadTwo Discovery Square, Suite 510Reston VA 20190

PH: 800. 255.9914 or 703.476.4203FAX: 703.437.9006E-mail: [email protected]: www.towersoft.com

Vignette Corporation1301 South MoPac Expressway, Suite 100Austin TX 78746-5776

PH: 888.608.9900 or 512.741.4300

FAX: 512.741.4500E-mail: [email protected]: www.vignette.com

Xerox DocuShare Business UnitM/S PAHV-1323400 Hillview Ave, Bldg 5Palo Alto CA 94304

PH: 800.735.7749FAX: 650.813.7406Web: http://docushare.xerox.com

Yaletown Technology Group Inc.1190 Homer Street, Suite 401Vancouver BC V6B 2X6

PH: 604.683.8781 or 888.683.8781

FAX: 604.683.3829E-mail: [email protected]: www.yaletech.com

ZyLAB North America LLC1577 Spring Hill Road, Suite 420Vienna, VA 22182

PH: 866.995.2262FAX: 703.991.2508E-mail: [email protected]: www.zylab.com

MDY, Inc.21-00 Route 208 South Fair Lawn NJ 07410

PH: 888.639.6200 or 201.797.6676

FAX: 201.797.6852E-mail: [email protected]: www.mdy.com