Document Management: For the Record
No software exists that will make your firm (presto!) Sarbanes-compliant.
Bob Tillman is worried. At a recent tech conference in New York, Tillman, director of public affairs for the Association of Records Managers and Administrators (ARMA), found himself surrounded by vendors hawking hardware and software that promised to help companies get smarter about managing their documents. Spanning scanners, smart pens, workflow and routing software and full-range governance application suites, the array of technology could overwhelm even the most informed CIO. The most common pitch? Regulatory compliance.
"It gives me a little angst that all these companies are running around and saying their software is Sarbanes-Oxley compliant," Tillman says. "There is no such thing as 'Sarbanes-Oxley compliant.' It's not like HIPAA, which has this litany of rules. The SEC has not laid down a regimen of things that you as a company have to do for Sarbanes-Oxley, other than the certification and the 404 section of the act."
With analysts calling document management one of the cornerstones of Sarbanes-Oxley compliance (the other is business process management), vendors are looking to cash in on what has become the big tech issue of the moment. But, as Tillman points out, there's no off-the-shelf program that qualifies as the proverbial "turnkey solution," because the scope of Sarbanes is too broad.
Under the act, public companies are required to archive any and all financial data, and also to keep a record of a document's lifecycle: who within the company had access to, viewed or amended a given document. What's more, all this information has to be retrievable upon request by the Securities and Exchange Commission, and in just two business days. Sure, the SEC may grant individual firms extra time to gather the data on a case-by-case basis, but it's not backing down on enforcing the policy. Several major banks and investment firms have already been fined, most notably Bank of America Corp., which in early March was fined $10 million (the largest fine ever levied by the SEC for failure to produce documents) for refusing to produce e-mails and compliance forms concerning trading activities. According to SEC reports, Bank of America refused to provide documents and "engaged in dilatory tactics that delayed the investigation." Moreover, some requested documents had been destroyed after regulators requested them, a move that Bank of America claims was inadvertent. And $10 million proved just the beginning: After agreeing to create a special department to handle data retention, B of A consented the same month (March 2004) to pony up $375 million ($125 million in fines and $250 million to investors) to settle SEC claims that it traded mutual funds improperly. The bank also agreed to exit the securities clearing business by 2005.
Still, if Bank of America may be one of the latest to feel the SEC's sting on document retrieval, it's not the first. Another notable precedent for such fines came back in December 2002, when the commission, in a joint action with the New York Stock Exchange and NASD, fined several Wall Street firms (Goldman Sachs, Salomon Smith Barney, Deutsche Bank Securities and U.S. Bancorp Piper Jaffray among them) $1.65 million each for failing to produce requested e-mail records fast enough.
"That's the one place where the SEC has an amazingly short tolerance," says ARMA's Tillman. "When the SEC says they want information, you better be able to bring it up."
The two-day turnaround presents a significant challenge. "It really raises the bar in terms of what management needs to do," Bruce Winters, a senior manager at PricewaterhouseCoopers, says. "Most of the world is not ready for that."
Ask your records manager:
Ask your business managers:
Tell your compliance department:
Use DM to achieve compliance, but with an eye toward what else you can accomplish.
There's at least one way Sarbanes is extremely helpful: It got everyone's attention. Take advantage of this focus and use the following steps to develop an effective document management strategy. First, figure out which documents at your company need to be tracked under federal regulations. Next, talk to your business unit managers to find out what software is already in place (some departments may be using some form of document management under the CIO's radar), and how departments without a document management system could make use of one. Finally, sit down with a team that includes your internal auditor, general counsel, records managers, business unit managers and your company's compliance officer to set a detailed policy about how records will be routed, archived and eventually deleted.
What documents need to be tracked under Sarbanes-Oxley? The SEC mandates that companies archive and maintain records for everything relating to their finances. This includes not just annual reports and quarterly filings, but also sales receipts, inventory lists, and communications such as e-mails, instant messages and faxes; in short, any and all documents containing or relating to financial or customer-specific data. Audit-related data must be stored for seven years; communications such as instant messages and e-mails must be kept for three.
As far as the SEC is concerned, there are no set rules as to how you should store data. "Sarbanes-Oxley covers a whole raft of issues," says John Heine, spokesperson for the SEC. "There has been a fair amount of writing in the technical press about whether the records retention requirements apply to electronic records of all sorts. I don't know that there's anything in particular in [Sarbanes-Oxley] that speaks to electronic archiving." In other words, it doesn't matter if your files are stored in boxes, burned on CDs or chiseled in stone, as long as you've got them and can produce them quickly.
The amount of data you will need to digitize depends on how frequently you refer back to it. But keep in mind, there's no law that says you have to digitize every document your company has ever created. Many companies opt to create digital search engines that simply tell them where hard copies of documents have been stored; they create digital records only for new data.
To get a green light, chances are you'll have to demonstrate the value of the document management system to upper management. You can. Take the experience of Tim Fives, manager of global content solutions for $4 billion York International Corp., a Pennsylvania manufacturing company. Fives was hired in October 2001 to create a Web-based content-management system, but "after a month or so," he says, "I realized we had no handle on content processes in general."
Fives took a step back, regrouped and embarked on a companywide document/content management project with Documentum Inc. His first goal was to prove the value of the project by digitizing all of the company's authorization-for-expenditure forms, which must be filed whenever a department requests funds for a project. These documents filled about 20 filing cabinets. "The goal was to create a repository that was searchable so we could save time when auditors ask us for information," he says. Before the document management system was in place, Fives says, the company often had to bring in part-time employees to help comb through the hundreds of files requested by federal authorities, a process that could take days. "Now, instead of someone having to hunt for all of them, the system returns them in a matter of seconds," he says. This expenditure-forms project alone has saved York about $100,000 to date.
When you've identified which records you want to automate, sit down with your legal, human resources and finance departments, as well as your internal auditors and business unit heads, and develop a plan that details not only how each department can best leverage the system, but also how records should be managed, stored and eventually deleted.
"You've got to have a retention policy and a destruction schedule," says Tillman. "Because you don't want records laying around forever. What a good way to get sued!"
Ask your CFO:
Ask your legal department:
Explain to your executive team:
Yes, Virginia, there is an upside to compliance.
David Dietz, CIO of Stillwater National Bank in Stillwater, Okla., well remembers the days before his company installed a document routing system. "We had between 300 and 400 forms that needed to be changed every day," Dietz says, "and it seemed like something was always getting lost." The company, which has seven branches and 340 employees, also wanted to reduce its error rates on all its interoffice, paper-based forms, so, nearly two years ago (before Sarbanes passed), Dietz bought a suite of products from Movaris Inc. and Foxtrot, a back-office system from EnableSoft Inc.
While this system now helps Stillwater comply with Sarbanes, and with other new regulations, the routing system has also helped the bank reduce its error rates by 50 percent, and it makes sure that only the right people can access certain forms. In addition, Dietz says, Foxtrot has improved customer service because stop payments can now happen almost automatically. "Many times a stop payment would be filled out at a branch, and it would take about a day to get here by mail, so it wouldn't post until the next business day, which causes problems sometimes," he says. "Now, it happens in about 30 minutes."
Over at Albuquerque, N.M.-based PNM Resources Inc., the state's largest electric and natural gas provider, with more than 1.3 million customers and $1.5 billion in revenue, documents used to be stored on an old mainframe indexing system. But as a utility company regulated by more than a dozen state and federal agencies, PNM realized that it needed greater routing and archiving capabilities than the indexing system could provide, says Carl Seider, PNM's senior analyst and head of the company's document management compliance efforts. To ensure the investment would be worthwhile, Seider sat down with each of his company's business units (including procurement, legal, accounting and human resources) to figure out how to integrate a document management system from Hummingbird Ltd. into each unit's work processes. "We asked, 'If you could be rid of these file cabinets and have it the way you wanted it, how would you do this?'" he says.
Seider found plenty of ways to leverage document management inside the company. For one thing, the company has saved $36,000 on off-site storage fees by digitizing 10,000 boxes' worth of physical documents. The document management program also allowed Seider to retire their microfiche system, saving the company $12,000. In addition, the company's cash-remittance department, which processes customer checks and archives check stubs, needed to upgrade its equipment. They installed imaging hardware that enables check stubs to be digitally photographed and entered into the document management system within 24 hours of processing.
"Previously if you called and said there was a problem with a check, we would have to get your phone number and call you back after we did our research," Seider says. "[The DM program] was a big cost savings because now if a customer calls and says their check didn't post correctly, our call-center folks can pull that up and see the image. It saves us about 40 minutes of labor time on every request." The company also takes PDF images of all printed bills "so our call-center people can see exactly what the customer received in their mailbox," he says. "Those files are accessed about 5,000 times a month." Today, the company has more than 20 document libraries and is adding roughly 1.2 million new documents each month. And the company is saving nearly $1 million annually in reduced labor time and storage costs.
Tell your CEO:
Tell your executive team:
Tell your line of business managers:
One word: Flexible.
As companies endeavor to comply with Sarbanes-Oxley, vendors are scrambling to bundle governance, content management and business process tools together in one package. Best-of-breed document management vendors are either buying or creating strong ties with companies offering storage and imaging services. And the market is huge: more than 33,000 people attended this year's Association for Information and Image Management (AIIM) conference, a record-breaking figure according to the association. Gartner Inc. estimates that 50 percent of all global 1,000 enterprises will have document management systems in place by 2005, and that those companies will budget, on average, roughly $2 million for Sarbanes-Oxley compliance through 2005.
But think twice before you select a vendor offering Sarbanes-Oxley-specific applications. Though those systems may include a document management capability, they are often difficult to extend beyond the accounting department. What's more, they don't necessarily address the other laws with which you may need to comply, such as HIPAA and Basel II. According to Gartner, which fields hundreds of calls a month regarding Sarbanes, companies that invest this year in a specific Sarbanes solution will likely retire or replace those systems by the end of 2005. "If you buy a SOX-specific solution," says Toby Bell, a Gartner research director, "the likelihood of it being replaced is fairly high."
When evaluating tech options, Bell and other analysts say, look for specific functions. Version control (the ability to track who has seen and made changes to any particular document) is one, says Jim Murphy, a senior analyst at AMR Research Inc. "That's a baseline requirement. The other thing is the ability to take documents at a certain point in time and make them static records so they can't change anymore."
PwC's Winters adds that workflow and routing capabilities are also important, "but most companies are not ready for that. They just want the stamp of approval that their controls are adequate." Strong keywording and search capabilities are also must-haves, analysts say.
As always, beware of how volatile start-up software firms can be. As York International's Tim Fives says, "Don't forget to consider the viability of the vendor company itself."
Ask your general counsel:
Tell your executive team:
Ask potential vendors:
Go to www.cioinsight.com/extras for a Q&A with Bob Tillman, head of public affairs for the Association of Records Managers and Administrators.