The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands—and the number of documents produced daily—continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.
Get the Policy Right
The first step is making sure that the right items are covered in your document management policies. For this, CIOs can rely on business peers, outside counsel and special regulatory tool kits.
Tips for Crafting A Policy That Works
Offered by Ron Bonig of George Washington University, and Rajiv Jain of American Greetings Interactive
"Initiating a high-level review of our document retention policies had to be a joint effort between myself and the general counsel. If we weren't both involved, I don't know how the effort could succeed," says George Washington University CIO Ron Bonig. For instance, GWU receives subpoenas and e-discovery requests around contracting and personnel questions. To ensure colleagues' participation and buy-in, Bonig stresses the fiscal importance of good policies and compliance. "The cost to the university in a federal lawsuit could be huge if we don't properly address retention," he says. "I put it in dollars, which really woke people up."
Strict HIPAA regulations govern patient medical information security in healthcare organizations. To create policies consistent with those rules, Michael Gaskin, director of information services at Sequoia Community Health Centers, purchased a HIPAA security toolkit. "The toolkit made it easy for me to review documents and know what I must include in my plan, " says Gaskin. The kit's workflow examples continue to inform Gaskin about compliance needs and how to refine his document retention policies.
Balance Stakeholder Interests
For ArcelorMittal Americas CIO Leon Schumacher, the challenge is making sure the interests of different stakeholders—users, legal, IT—are considered when developing a retention policy. "Each has specific issues that they want to address. Good communication before and during such definition phases is critical for success," he says.
The delicate balance between users' storage needs and retention guidelines is hard to strike. For example, Schumacher's team created management policies for personal storage limits, including how much e-mail people can maintain. But the team heard complaints that users weren't getting enough space. Schumacher responded by introducing policies at two levels: one for management, which gets 500MB of storage, and one for general users, which get 250MB. The team is working on newer archiving solutions to further ease these constraints.
Plan for the Long Term
Policies must cover document retention over a long period. For a university, this is a huge issue given the length of time it must keep student loan data, transcripts and other federally mandated data. "One of the issues is to make sure that the documents in their electronic form can be upgraded and transitioned from one technology to the next over decades," says GWU's Bonig. So his team watches the storage landscape to stay abreast of any technology that would necessitate a business decision about whether to transfer retained documents.
Make It Pay
A good document retention policy can do more than avoid legal fines. At American Greetings Interactive, Senior VP and CTO Rajiv Jain has policies to archive everything on the desktop and retain all executive e-mails indefinitely. "Our e-mail retention policy has definitely come in handy. There was a disagreement over the fees associated with vendor negotiation. We were able to find the original archived e-mail from the vendor, which proved that we were right and did not owe the amount of money they claimed," says Jain.
The effort to build and enforce good document polices can provide a strategic advantage.
Most of GWU's back-office staff work at its Virginia campus 30 miles away. Only representatives for financial aid, undergrad admissions and other student offices sit in the D.C.-based Student Union. If a student has a difficult question, the rep may consult a staff expert in Virginia. Now they can look at the same document simultaneously, since Bonig and his team are digitizing documents for retention. "We improved our business process dramatically and can confidently say that we offer student services from anywhere," says Bonig.