The Enron scandal that involved shredding of documents in anticipation of a government investigation and the subsequent passage of the Sarbanes-Oxley Act of 2002 (SOX)--which makes corporate executives accountable for certifying the accuracy of their organization's records--have dramatically heightened organizational awareness of the need to manage information properly.
In this new era of corporate accountability, many organizations are establishing corporate governance programs for managing records and information as part of their risk management and compliance strategies. In fact, although the final numbers had not been reported when this magazine went to press, an AMR Research report earlier last year projected that the total governance, risk management, and compliance spending in 2007 would exceed $29.9 billion--with about 20 percent of that allocated to SOX compliance.
While SOX holds executives accountable, organizations have begun to recognize in this technology-enabled world that every employee has responsibilities surrounding records and information. With the exploding volume of electronic records they are generating, employees must adhere to the controls provided by an information management policy to ensure the integrity, accuracy, and reliability of their organizations' information assets, intellectual property, and capital. Developing such a program begins with creating a formal policy statement.
Creating a Policy Statement for Corporate Governance
As a first step, it is essential to get senior management support for the initiative. If senior management is vested in the effort, they will direct management to dedicate time, resources, and budgetary funding to it.
The next step is to write a policy statement. According to ISO/TR 15489-2:2001 Information and Documentation--Records Management--Part 2: Guidelines, "A records management policy statement is a statement of intentions. It sets out what the organization intends to do and, sometimes, includes an outline of the program and procedures that will achieve those intentions."
The policy statement defines the charter for the program and should include:
* Purpose, scope, and applicability
* Roles and responsibilities
* Ownership, legal status, access rights, and privacy
* Goals, objectives, and principles
* References to other and related program documentation
It is imperative that senior management clearly communicates the policy statement to all levels of the organization so all can see that the initiative is being taken seriously. The message can be further supported with recent news items about the consequences suffered by organizations because of their faulty recordkeeping. To find internal examples to support the need for the program, consult the legal department about discovery actions and the audit department to find out how the program initiatives can be integrated with the organization's compliance initiatives.
Defining Important Terms in the Policy
In today's electronic world, the concept of managing "records" (evidence of business transactions) is expanding to include managing "content," which can be anything from free-floating virtual text in cyberspace to official language contained in corporate acquisition due-diligence work papers.
How an organization defines "content" is key to managing it, so those definitions must be clearly articulated in the organization's corporate governance policy. For example, some organizations may consider works-in-progress (drafts) to be just "documents" and only final transactions to be "records" (evidence of business transactions). In other organizations, documents, records, information, and data may all be considered evidence of business transactions. How these terms are defined will affect how an organization's content is captured as final documentation for business transactions. …