"It might be useful to consider reminding the [Enron] engagement team of our documentation and retention policy. It will be helpful to make sure that we have complied with the policy. Let me know if you have any questions."

Email from Nancy Temple, Arthur Andersen in-house attorney, October 12, 2001

Under normal circumstances, an email message like this might be considered innocuous, or even commendable. All companies should regularly remind employees of their records retention policies (which typically include records disposal guidelines). However, in Arthur Andersen's obstruction of justice trial, the public learned that Andersen had destroyed numerous documents and email messages related to the SEC's ongoing investigation of Enron. In this context, a seemingly innocuous email "reminder" about the company's retention policy was perceived to be a smoking gun.

By the time a jury found Andersen guilty on one count of obstruction of justice in June 2002, the firm had shrunk by 17,000 employees in the U.S. and had lost 30% of its public company clients.² After its conviction in June 2002, Andersen is no longer in the auditing business; it was fined $500,000 and put on five years of probation, the maximum penalty under the law. (See Chapter 4 for an in-depth discussion of the Andersen case.)

The case of Andersen raises many interesting questions. Could the document destruction have been prevented? Were there flaws in its Information Management program that helped precipitate the company's downfall? What could its leaders and its lawyers have done differently? And, perhaps most importantly, why did the entire company go down, and not just a small group of accused wrongdoers?

The U.S. Congress, for its part, responded to Andersen's conviction and the seemingly endless parade of corporate scandals of the same era by passing new laws and regulations that have sent ripples (or perhaps tidal waves) through corporate America.
One of these new laws was the Sarbanes-Oxley Act of 2002, a complex law that addresses many issues that have an impact on Information Management.

"Many companies, of course are retooling to meet the demands of the federal Sarbanes-Oxley Act. As the string of corporate scandals unfolded at companies including Enron Corp. and WorldCom, Inc., Congress moved last year to revamp the way boards and company officials run their business and disclose information."

"How One Firm Uses Strict Governance To Fix Its Troubles," Wall Street Journal, August 21, 2003

So began the new era of Information Management. An era where properly managing records and other information has become inextricably linked with corporate accountability and transparency, which in turn has become connected to fiscal health and stock market valuation. An era of new expectations, new regulations, new laws, new technologies, and new challenges.

However, this is not a book about Andersen, Enron, WorldCom, Tyco, ImClone, or any of the other high-profile cases where there have been accusations, charges, and/or convictions for improper use and management of company information (although we will examine some of these and other cases in detail). This is a book about changes in the Information Management landscape, resulting largely from cases like these and dozens of lower-profile cases. Most importantly, it is about how we can learn to avoid similar problems in our own organizations by developing and implementing Information Management Compliance programs that anticipate problems and take advantage of opportunities.

This is a book about approaching all types of Information Management activities with a new methodology, one that adopts the principles, controls, and discipline upon which many corporate compliance programs are built.
While the world of records destruction is the starting point for our exploration, the book examines a broad range of Information Management activities that serve both legal and business needs, and are central to your organization's ongoing success.

This is a book about Information Management Compliance (IMC), which involves:

1) Developing Information Management criteria based on legal, regulatory, and business needs; and,
2) Developing and implementing controls designed to ensure compliance with those policies and procedures.

The first six chapters of this book define and explore the concepts of Information Management, Records Management, IMC, and the business and regulatory environments that we operate in today. In the second part of the book we present the Seven Keys to Information Management Compliance. This is the practical, action-oriented part of the book. These Seven Keys are:

1) Good policies and procedures
2) Executive-level program responsibility
3) Proper delegation of program roles and components
4) Program communication and training
5) Auditing and monitoring to measure program compliance
6) Effective and consistent program enforcement
7) Continuous program improvement

As a model for these Seven Keys, we used a section of the Federal Sentencing Guidelines ("Guidelines").³ The Guidelines are used by the federal courts to determine the appropriate punishment for individuals and organizations that violate federal law. For many years, numerous companies have used the Guidelines to build general corporate compliance programs. However, until now, the Guidelines have generally been overlooked as a source of guidance for Information Management. The time has come to apply the compliance methodology outlined by the Guidelines to Information Management.
In this new era, Information Management requires a proactive approach which recognizes that legal protection and business value will result from taking a formal, disciplined, visible, funded, and sustained approach: an approach that begins with an understanding of how an organization's Information Management activities are likely to be judged by the courts, regulators, auditors, and its own executives and shareholders.

IMC is about more than making sure information is not destroyed due to the malicious or inadvertent acts of a few employees. Rather, it is a holistic approach that covers many areas of concern, including:

- Storage management
- Privacy
- Business continuity and disaster recovery planning
- Records management
- Information security
- Transaction management
- Application development and integration
- Technology purchasing and acquisition
- System configuration and management, and many other areas

We wrote this book for a broad range of readers who have an interest in Information Management issues, with a specific focus on readers who have direct or indirect responsibility for making sure that information is properly used and managed in their organizations. The sphere of people who have some responsibility in this area seems to grow every day, now encompassing everyone from the CEO who needs to sign off on financial reports in accordance with Sarbanes-Oxley; to the IT professional wondering how back-up tapes should be managed; to the compliance officer trying to ensure compliance with emerging privacy laws; to the administrative assistant just trying to decide what to do with all the email messages that his boss has asked him to print out and file; to the lawyer guiding the company through troubled legal waters.

Information Management encompasses management, administrative, operational, technological, human resources, Records Management, legal, and many other areas of an organization. The Seven Keys to IMC that we advance are designed to help professionals in each of those areas understand their responsibilities and what they must contribute to their organization's Information Management efforts.

¹ Exhibit B, as provided in a letter from the U.S. House Committee on Energy and Commerce's Subcommittee on Oversight and Investigations to the U.S. Attorney General, December 17, 2002.

² Eichenwald, Kurt, "Arthur Andersen Convicted of Obstruction of Justice," The New York Times, June 15, 2002.

³ United States Sentencing Commission, Guidelines Manual, §3E1.1, Nov. 2002.