Prudent attorneys typically avoid absolutes (e.g. we don't like to say "all" or "every" because we worry about what's on the margin). Despite that, I believe it is true that "every" company in the world has what I think of as aspirational records management policies. The lawyers and compliance people define record types and categories, and they map those record types to the legally required retention periods, based on perhaps thousands of statutory requirements from around the world. The problem, however, is that those written policies never fully map to the way the IT department is actually managing the information; the policies are aspirational.
Records Management today is like Prohibition. There's a set of rules on the books that we pay lip service to, but everyone knows that those rules are not going to be fully followed. There are two key problems with this. First, it is risky. Companies that publish their aspirational records management policies face the prospect of having those policies shoved down their throats by regulators, as well as attorneys in the context of eDiscovery matters. The current statutory landscape, and the new Federal Rules of Civil Procedure make the treatment of information much more transparent, thus the gaps are easily exposed. Second, aspirational records management policies in fact lead to cost increases from over-preservation of content. When an unrealisticly short retention policy is established, the reality is that most companies either completely fail to enforce it (they never "push the delete button") or they delete some of the content, but allow duplication in individual and unmanaged repositories (including desktops, files shares and tapes), which in fact leads to over-preservation.
The right approach, in my view, is a risk adjusted approach the relies on what I think of as "frameworks for simplification". There is a critical need for the discipline of records management, but before an enterprise gets to that granular discipline, there's a need for a strategy to policy manage information. If, for example, your enterprise's email and file environments contain 100s of different record types, but you have no way of achieving that classification, then it makes little sense to establish a policy that aspires to be perfect, but in fact results in non-compliance. Rather, why not drive to a policy management classification scheme that only has three categories, instead of hundreds, but that allows the enterprise to take a first cut at classification. There are several key benefits to this "big bucket" approach -- it can be operationalized by the IT department, it allows for systematic deletion of content that has no legal, business or referential value and it allows the identification of priority content, on which records managers and compliance people can focus, apply more granular policies and apply more robust content and information services.
By way of example, I had a discussion yesterday with a very thoughtful group of RM and IT professionals from a large automative company. One example that came up was the treatment of leasing files, and the issue of "event based retention". Essentially, the goal was to keep the files for the life of the lease, plus some fixed number of years, and then delete the files. In fact, the complexity of aligning the "trigger" (in other words, knowing when the lease was up so the retention period clock begins ticking) acorss millions of such files was too complex and the result was that no files were deleted - for fear of deleting the wrong ones too soon. The approach they were considering was in my view spot on - taking the longest lease period, together with the retention period (which was collectively 16 years) and applying it to all of the (millions of) files uniformly. This policy is less than perfect, and it will result in some files being kept "too long", but as compared to not deleting any files, this strikes me as a very smart and very reasonable approach.
It is better to set realistic imperfect policies that can actually be operationalized by IT and enforced, than it is to set aspirational ones.
Comments