Most large organizations have a global records and information management (RIM) program, even as simple as just a basic policy, a retention schedule, a computer use policy, limited in-house counsel time, and outside counsel or consultants responsible for updating the policy at set intervals or in the wake of new laws and regulations.
Now, more than ever, RIM needs to work hand-in-hand with Compliance, IT, InfoSec, HR and the DPO. To do that, RIM needs to be a part of a comprehensive Information Governance (IG) program. Often RIM programs focus solely on mission-critical records maintenance, especially in companies and industries subject to a direct reporting requirement to a government or other external agencies and regulators.
Policies and Procedures
How does a company understand how to create, maintain, and dispose of records in a defensible manner? Solid policies are needed to establish the necessary guidance, such as a RIM policy and the associated retention schedules. These include definitions of record types, how those records should be maintained, and procedures end-users need to abide by to comply. These guidelines may be influenced by user input, government regulations, business requirements or other various mandates – including legal hold.
Program Governance and Reporting
A successful RIM program is usually an enterprise function. For the program to be able to gather information and report on how the program is functioning, it needs to partner with many other parts of the organization, such as lines of business (LOBs), HR, IT, compliance, executive leadership and other functions. As records become more important and regulated, even some corporate boards are starting to take notice. Whether for an audit, litigation, investigation or business support, employees should be able to locate and access the information they need, when and where they need it. They also need to be able to share that information easily when requested by external auditors.
Stakeholder Engagement
Anyone with a stake in the company’s records are to be involved at some level. It also can be a diverse grouping. The RIM program needs to manage across that broad population of constituents.
Too Much Data and Too Many Records
Often, more data is retained than necessary because records managers may not be enforcing records maintenance principles with the business and stakeholders. Sometimes, they fear being blamed if something deleted is “needed” at a future date. Not only can this create unnecessary day-to-day storage costs, but in the case of litigation or regulatory investigations, too much data can cause delays in responding to discovery requirements, create a nightmare scenario for legal personnel tasked with discovery, and result in significant costs, not the least of which are processing, review and production of the in-scope documents.
Retrieval Challenges
Without a consistently defined RIM process, standard retrieval tools may not be used, making it difficult to find and retrieve relevant records in a cost-effective manner. Even if a company has a robust Document Management System (DMS) in place, they still need to pay attention as circumstances change, companies evolve, and regulations change. Not to mention the information and records that end up outside the DMS. And how many companies still have boxes and boxes of physical records in storage facilities, warehouses and offices around the world?
Non-compliant Data and Records Disposition
Data and other records are frequently disposed of without consideration of potential consequences, sometimes to avoid maintenance or real estate costs. This can create legal or regulatory exposure and the potential for significant fines and other penalties. Documents and records may be needed for litigation, to comply with environment laws, for patent protection, etc. This doesn’t mean that records should not be disposed, only that a solid RIM program will help differentiate between what can be destroyed and when it can be destroyed.
Privacy Concerns
If you don’t know what data you have or where it is, how can you comply with the various privacy regulations such as GDPR, CCPA, NYDFS 500 and others? How can you know what you need to do as new regulations are passed and take effect? How can you handle data-subject access requests (DSARs)? The inability to answer these questions can create legal or regulatory exposure and the potential for significant fines and other penalties.
In the absence of a broad-based RIM program, these risks can materialize very quickly. A pressing question for leadership of multinational businesses is what level of investment might produce an effective RIM program that aligns with corporate objectives and risk appetite? Whether a centralized, decentralized, or hybrid federated model, an effective program can support compliance, transparency and visibility that is vital in a world that increasingly values data protection, privacy and cyber security.
Talk to a Kroll expert today.
Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.
M&A advisory, restructuring and insolvency, debt advisory, strategic alternatives, transaction diligence and independent financial opinions.
World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation, disputes and testimony.
Enriching our professional services, our integrated software platform helps clients discover, quantify and manage risk in the corporate and private capital market ecosystem.
Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.
Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.