E-Discovery And Records Management: A Risk-Based Approach

Sunday, July 1, 2007 - 01:00
Gordon E. J. Hoke
Howard Loos

It's no longer optional: timely production of electronic records. As the demand for records production increases, so rise corporate concerns for legal, business and operational risks. Managing these risks requires records management programs that produce legal records on demand, confirm regulatory compliance, and lubricate operations. The rapid growth of technology, and especially the rise of electronically stored information like email, challenge many corporations' records management systems to keep pace. Firms find themselves at serious risk.

Recent court decisions, amendments to the U.S. Federal Rules of Civil Procedure regarding electronic discovery, and the skyrocketing costs of responding to discovery requests increase the importance and urgency surrounding records management. This comes on top of widespread concerns about an avalanche of government regulations.

Historically, most records were paper, generated locally, and controlled by just a few workers. Now, workers at all levels of an organization - both within the office and offsite - create records anywhere in the world at any time of the day. The digital world brought new complexities and a broader definition of "record." It also brought a dizzying array of media including e-mails, optical storage, voice recordings, mobile storage (laptop computers, thumb drives, smartphones, for example) and others.

Security related to electronic records complicated the situation, as is version control, tracking and maintenance of electronic copies.

What has not changed is the goal: knowing that any record, at any point in its life cycle, is managed to achieve an acceptable risk level.

A Risk-Based Approach

This turbulent records environment requires managing major categories of risk - financial, operational, reputational and regulatory. Unfortunately, many corporations lack a united, focused approach to records management. All too often, no one coordinates these areas or takes responsibility, enterprise wide. This is unfortunate because records management is the one discipline where all of those risks converge. It is the logical place to assess those risks that can most seriously damage an enterprise.

Similarly, many corporations treat all risks as equal and don't know where to start addressing them. In truth, not all records carry equal risks. The principles of risk management rank them.

A risk-based approach to records management identifies and gives priority to risky records, ensuring that those records are protected, managed through their life cycle, available as needed, and appropriately destroyed at the end of their life cycle.

We call this approach Records Risk Management because it addresses the records that carry the greatest organizational risk first. It sets priorities - considering risk and cost - to alleviate the most intense organizational pain and worry, to say nothing of fines and court-ordered awards.

Records Risk Management connects record risk events to business risk events. For example, not being able to produce a record is a record risk event. A business risk event would be a compliance audit. After connecting the two, an organization understands its records by the risk they present. This helps focus records management efforts and sets priorities for records management initiatives.

The Strategy

Records Risk Management requires knowledge of law, business, records management, record production, organizational issues, change management and content management. Applying this knowledge transforms a legacy records program on four levels: People, Process, Controls, and Technology. Records Risk Management asks the key questions:

People: What are the roles and responsibilities necessary to support records management objectives? Is an effective governance structure in place? What training, education, and competencies are necessary to succeed? Does records management have executive support? Is the records management program supported by the right mix of stakeholders with representation from legal, finance, operations, technology, and others?

Process: Is the record lifecycle process well defined and understood? Are the record production and hold processes effective and efficient? Does the enterprise-wide process support specific departmental needs? How is the retention schedule maintained? How are risky records identified? Are business processes evolving to meet new and developing needs? Is the record life cycle process comprehensive, covering digital and physical records wherever they exist?

Controls: Does the organization know if it is in regulatory compliance, especially as regulations evolve? How does it measure its ability to address a record risk event? Which records best test compliance? Is the records risk measurable? Are policies and procedures comprehensive, taking into account content, form, ownership, location, risk, and other data? Does the workforce understand the vital importance of records management? Do workers consistently participate in the program? Are incentives and consequences in place to encourage universal participation?

Technology: How are record and content management technologies most beneficial to achieving risk and cost objectives? Will these technologies integrate into existing information technology? Are the applications enterprise-wide or departmental? How can records management technology help generate a return-on-investment? Are both unstructured and structured digital records addressed? Are e-mails, Web blogs, wikis, voicemails, Instant Messages, text messages and other formats well managed? Are there clear distinctions between IT's long term storage efforts and e-Discovery's need for rapid record production?

Notably, Records Risk Management usually improves business processes. The same capabilities that enable records production for litigation also produce records for internal operations and customer service. The programmatic destruction of obsolete records shrinks search times for useful records and lowers storage costs.

The Challenges In Records Risk Management

Every record has content, form, and is subject to regulatory guidelines or requirements for access or retention. The challenge for organizations is to create reasonable policies, procedures, technology and controls to minimize the risk associated with their records landscape.

Thus, the first challenge of Records Risk Management is to understand the risk of each record or record category and manage that risk over the life cycle of the record. The record's content or information determines usage needs and issue sensitivity. Regulatory requirements surrounding the record coordinate with access, retention, and usage needs. Document form can limit or enhance records management and control.

The second challenge is to know where all the records reside. Rules 16 and 26(f) of the amended FRCP state, "A party must have a comprehensive understanding of the locations of potentially relevant Electronically Stored Information." This suggests that defense attorneys carry into a meet-and-confer a "data map," a comprehensive catalog of records showing locations, storage media, and retrieval times.

The third challenge is to create the policies and procedures - supported by firm execution and controls - that deliver the achievement of the risk goals.

Fourth, Records Risk Management is challenged to educate all groups in an organization about 1) the increasing importance of records management and 2) how each person and business area contributes to the organization's risk as well as its success.

The Operations Department needs to understand how to use the efficiency of a Records Risk Management program to enhance its business processes.

Information Technology needs to understand that its hardware and software systems and applications provide more than processing speed and system storage. IT needs to facilitate legal holds, offer search capabilities for discovery, and provide all employees with functional information. IT also needs to consider the impact of new technologies on the corporate records management process.

General Counsel needs to understand that complying with regulations and responding to discovery requests takes place within the context of a never-ending search for corporate profits.

Records Risk Management is the logical point of convergence. The corporate sponsors of records management, its champions, need to convince and encourage Operations, Information Technology, Legal, Finance, and other departments to work together to develop better records management practices that meet overall business strategies and objectives while reducing risk.

Records Risk Management is an ongoing process, not a goal to be reached. As long as technology advances and regulations change, the need for Records Risk Management will continue. It will be a dynamic discipline addressing people, processes, technology, and controls. Further, it will enhance operations, protect against risks, and enhance corporate value.

James R. Arnold , Esq. a Director of KPMG LLP's Forensic practice, has over 20 years' experience in business and law, including general corporate and commercial work. His emphasis is on records management and records retention. Gordon E. J. Hoke ,CRM, a Senior Associate in KPMG LLP's Forensic practice, has 18 years' experience in records and content management, analyzing and reporting on hundreds of successful and unsuccessful installations. Howard Loos , CRM, CDIA, ECM2 , a Manager in KPMG LLP's Forensic practice, with degrees in both business and technology, has 12 years' experience in the design, development, implementation, and training of records and document risk management solutions. All three authors deliver Records Risk Management through KPMG's ForensicSM Services. The views and opinions are those of the authors and do not necessarily represent the views and opinions of KPMG LLP. KPMG LLP, the audit, tax and advisory firm (www.us.kpmg.com), is the U.S. member firm of KPMG International. KPMG International's member firms have 113,000 professionals, including more than 6,800 partners, in 148 countries.

Please email the authors at jrarnold@kpmg.com or ghoke@kpmg.com or hloos@kpmg.com with questions about this article.