Paul Mullon, a SA consultant in records management, looks at what it is that makes business records important, and how to think about them to handle them better. How long must you keep a record if you’re a business? Give me a number. Three years? Five years? Seven years? Ten years? How about forever and ever?
The correct answer is all of the above. It’s obvious if you think about it. Title deeds on a fixed property? Company incorporation documents? Those are never things you would throw away. Other documents have various prescribed retention periods. Some are best to throw away ASAP.
Records management starts with being clear what a record is, and when it matters to have them.
In terms of the first part of this, a record is evidence of an activity. Any activity, from minutes of a meeting to a recorded phone call to an agreement of intent to purchase. For the second half, a primary reason you keep records is to use as evidence in court (or other hearing). This is important – it’s not a yes/no, do-I-have-it-or-not? thing. It’s evaluated in terms of “will the judge believe the evidence my lawyer provides, or the evidence the opponent’s lawyer provides?” Evidence has weight. The more weight, the more useful. So quite apart from statutory requirements to keep records (they’re in a folder in a box in a warehouse, or on a hard drive? Tick? Ok!), records must also be useful, with provable authenticity and integrity.
This means that a record must firstly reflect what happened in a communication, or decision, or action. It must have the necessary content, but it must also have the correct context, so that it makes sense when examined. A record must have a known structure, so that you can work out how it links to other records or record sources.
This is the challenge in records management, and especially regarding electronic records – you must not only show the record, but also what it means, where it came from, and what other records must be viewed in conjunction with it.
Once you have these foundations, a set of nice, neat, labelled, indexed records, you now have to worry about four other things.
Authenticity. Reliability. Integrity. Useability.
These are the pillars built on the basic foundation. If you can’t prove a record is authentic (such as with clear ‘chain of custody’ information), it’s not worth the magnetic particles it’s written on.
If a record was created (or filed) months after a meeting was held, a deal was concluded or an order placed, then it’s probably not reliable.
If a record’s integrity can be called into question, if it can be changed or annotated without leaving clear tracks, it could be useless if there is an investigation or legal case.
Lastly, it must be useable. A record is almost useless if someone has to fly across the country, descend 15 levels into a basement lit by a guttering candle, unlock a rusty gate and try to find a crumpled piece of paper at the bottom of an unsorted box.
The first question for the IT department is how to take all of this into consideration with the least effort and expense in resources. The biggest challenge is to make sure that what the IT group does helps solve the records management requirement, rather than just ticks the compliance boxes.
It is vital that the technology people talk to the office management people who are most often tasked with managing paper-based records.
Surprisingly (or unsurprisingly if you work in a corporate), the two groups often never talk, partly because people have a “compliance tick-box” rather than the “how will we actually use these records?” mindset.
Some records are best left to record-keeping experts – deeds, contracts, etc. Some record keeping is almost purely a technology function, such as backing up “born digital” records: spreadsheets, documents, databases, scans, recordings and emails, and making sure they are stored in properly protected and managed repositories.
Most of these kinds of documents are created by individual users every day, users who are seldom, if ever, trained in even basic records management. Arguably, they should not need to be. Apart from strictly applying ground rules, like that company email can’t be used for private messages (so you’re not backing up gigabytes of birthday and holiday pics), staff should be left to get on with their jobs. In the ‘born digital’ space, technology should take care of the record-keeping function automatically, in the background, to best-practice records management standards.
Of these, email is the most critical to archive correctly and be able to recover quickly, firstly because it’s usually the records set that is managed the worst (even though it’s technically easiest), and secondly because email generally contains the most “smoking guns” in litigation. This is because email is now by far the primary correspondence tool, people are inclined to just bash them off carelessly, and even try to delete them in an incriminating way when they think they’re in trouble.
To do records management on email is not terribly hard these days, using systems that are 100% compliant with evidentiary and compliance legislation. Mimecast, a hosted, cloud-based service, is one of these. It has been specifically designed for records retention, so it includes technology to prevent tampering with stored records, to prove chain of custody and where (or if) a record may have been changed, with Web-based search to make it easy for users to retrieve records.
By using suitable technology like Mimecast on suitable areas, by using well-understood data management technology for databases and documents, and by ensuring that the IT people and office management people are in sync, records management can go from being a costly exercise in compliance box-ticking to a genuinely useful asset to the business.
Paul Mullon is MD of COR Concepts, specialists in enterprise information management.
About COR Concepts:
COR Concepts, founded by Paul Mullon, offers a range of Records Management and Enterprise Content Management (ECM) consulting services. The company is built on the belief that any Information, Records or Document Management initiative should be designed to extract the maximum business benefit for the organization. COR Concepts brings together Compliance, Risk Management and Operational information requirements in a way that delivers benefits to each one of these diverse business units. It makes use of an array of industry standards and best practice methodologies to ensure that each implementation will stand the test of time.