Fri, May 23, 2008
—
CIO
—
The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands—and the number of documents produced daily—continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.
Get the Policy Right
The first step is making sure that the right items are covered in your document management policies. For this, CIOs can rely on business peers, outside counsel and special regulatory tool kits.
Tips for Crafting A Policy That Works
Offered by Ron Bonig of George Washington University, and Rajiv Jain of American Greetings Interactive
Properly define "document" to include information of all types—electronic or paper, historical or transient business record. Clearly state who and what function is the relevant retention authority for the most widely used categories of documents. Indicate the specific duration of retaining different types of documents. Identify specific staff or functions that have appropriate read, write and edit access. Clearly state the reasons that retention is necessary (e.g. Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made. State that if a file or folder contains multiple types of documents necessary for a coherent record, then the whole file or folder must be retained for the duration of the longest-held item. Except when absolutely necessary, do not allow (or at least strongly discourage) the mixing of digital documents in storage. If document A needs to be retained for five years and document B needs to be retained for 20 years, keep them separate. You will reduce the cost of long-term storage and will avoid legal risks inherent in a failure to follow retention policies. Give individual divisions or offices the authority to set retention policies for their own operational documents if approved by or coordinated with the General Counsel or Compliance Office. -C.M.
"Initiating a high-level review of our document retention policies had to be a joint effort between myself and the general counsel. If we weren't both involved, I don't know how the effort could succeed," says George Washington University CIO Ron Bonig. For instance, GWU receives subpoenas and e-discovery requests around contracting and personnel questions. To ensure colleagues' participation and buy-in, Bonig stresses the fiscal importance of good policies and compliance. "The cost to the university in a federal lawsuit could be huge if we don't properly address retention," he says. "I put it in dollars, which really woke people up."
