1. Context

Regulations ask organizations to manage records a certain way.

If records are not kept, fines and other problems may result. If an organization cannot explain how it deals with its records, they may be deemed unreliable. This could cause penalties too.

to top | to bottom

2. Needs and Opportunities

The direct need is to comply with regulations. You must collect and produce complete and accurate records.

An opportunity arises if you see the regulations as more than overhead. They may originate for the benefit of the regulatory authority and the constituencies it represents. But you can usually find a useful purpose in them, to your business's advantage.

to top | to bottom

3. Benefits and Costs

The direct benefits of good record keeping are: fewer disruptions when the time comes to satisfy regulatory requests, avoidance of fines, no bad publicity. Some counter-examples (from CIO Magazine Online Edition, Apr. 15, 2003):

• Bell South needs a large staff to process close to 100 requests by law enforcement, daily.
• Western Union was fined $8M for a delay in producing records under the PATRIOT act.

Indirect benefits ensue when you harness good record keeping to further strategic or operational goals. You can:

• Reduce the problems targeted by the regulations (fraud, incompetence, ignorance, ...) and cut their intrinsic costs (those that you incur whether a regulator becomes involved or not).
• Generate trust with outside observers other than the regulators. For example, strong internal controls can decrease risk in the eyes of insurers (and hence lower premiums).
• Port good practices from a regulated area to the rest of the organization. You can prevent getting embarrassed in front of customers if your controls quickly detect and repair mistakes, for example.
• Exploit internally the information originally kept for regulators. You can make strategic planning, for instance, faster and more objective.
• Consolidate information (e.g., remove duplicated effort).

The costs come from two sources:

• Project Costs.

  The research, analysis, design, implementation, and activation of a new approach to record keeping compliance consumes time and other resources.

• New Ongoing Costs.

  The new approach requires new personnel or technology costs that will offset its benefits.

to top | to bottom

4. Approach

The first goal is to collect complete records accurately and in timely fashion. To this end, you must understand the information to be recorded and how it "lives" from creation to archiving. You can then implement consistent means for manipulating and accessing records.

The second goal is to guarantee control over the records. Particularly avoid single points of weakness. Help honest people avoid mistakes or fix them quickly. Dishonest people must be deterred or tracked down.

To reduce the complexity of the project, a staged approach is valuable. Here is a suggestion with four milestones:

• Stage 1: Basic Compliance with One Regulation

  This stage assumes that the record keeping initiative operates under the deadline pressure of a new regulation's effective date.

  Exploit existing solutions to meet the immediate need. Expect the result to be a mixed bag of of solutions (automated or not), in which gaps have been plugged by quick fixes.

  At the same time, prepare the next stages by fully understanding the regulation, inventorying data sources, documenting processes that cover the life cycle of the records, highlighting the most glaring weaknesses, and bringing all concerned organizational entities to each other's attention.

• Stage 2: Improvement and Expansion in One Area

  This stage assumes that complying with the main provisions of a regulation is no longer an issue.

  Address weaknesses in compliance by strengthening controls. Take a first step beyond compliance by using the data for other purposes. This time, aim for a sophisticated solution with streamlined procedures and higher automation.

  While tackling these intermediate goals, identify fundamental issues standing in the way of full integration across areas. Find out the needs of stakeholders other than the regulators. Teach professionals from different backgrounds (e.g., Information Technology and Operations) to work together on a limited problem.

• Stage 3: Fully Integrated Record Keeping

  This stage assumes that one area of compliance is working well.

  Copy the successful model to other regulatory areas. Design a central information asset for compliance and internal performance management. Shared data and process definitions are in place, supported by a standardized infrastructure towards which all solutions migrate in well-defined increments.

• Stage 4: Optimized Record Keeping

  This stage assumes that the enterprise has mastered its record keeping. It can take advantage of ubiquitous computing technology.

  Record keeping becomes fully automated, seamless, and real-time. Replace manual input and output by electronic systems on a large scale. This helps integrate record keeping into normal work routines (thus eliminating all overhead). Processing and transmission delays disappear.

to top | to bottom

5. Team Composition

The Legal and Information Technology Departments are the natural lead agencies. The attorneys understand the regulations. The technologists know the management of records in electronic form, their regular responsibility. Additional reasons to give the IT Department a major say are:

• The streamlining, acceleration, and protection of the entire record keeping operation.

  Technology can help eliminate time-consuming manual steps, speed up the process, and prevent tampering.

• The application of good IT practices to all record keeping.

  Many IT development practices aim at confirming understanding, reducing human error, and improving processes. Ideas from data modeling, requirements tracing, testing, and process maturity can be ported to the whole organization to increase control over information quality.

• Its experience with documenting solutions from requirements elicitation to deployment.

  This can assist in creating good documentation of all projects under the record keeping umbrella. Regulators need this information to follow and validate your approach.