Enterprise Content Management Compliance a Struggle

5 minute read
Brice Dunwoodie avatar
Recent joint study by AIIM and Kahn Consulting indicates Enterprise Content Management (ECM) compliance is underway, but heavily burdened by new requirements and a lack of executive-level involvement. Sarbanes-Oxley and HIPPA are the driving forces with 37% of those surveyed focused on the former and 26% on the latter.The Current State of Information Management Compliance: An Industry Study" is based on the seven "keys" of information management compliance that were advanced in "Information Nation: Seven Keys to Information Management Compliance," a book written by Randolph A. Kahn and Barclay T. Blair of Kahn Consulting, Inc. and published earlier this year by AIIM. The seven keys are based on guidelines used by the federal court system when sentencing organizations for wrongdoing. "Information management compliance has significant financial urgency," stresses John Mancini, president of AIIM. "Regulatory deadlines are everywhere. For example, compliance is getting down to the wire in the healthcare industry. On July 1st the government began delaying payment to healthcare providers who treat Medicare patients and fail to submit electronic claims using a standard HIPAA reporting format. Many publicly traded companies are struggling to meet the November 15th deadline to comply with Sarbanes-Oxley." "It's tempting to think of this as just a Sarbanes-Oxley or HIPAA problem, but it really is part of a long-term trend toward defining what transparency and accountability means in an electronic era," explains Randolph Kahn, ESQ., founder and principal of Kahn Consulting. "Organizations need to look beyond their current practices and adopt a broader framework for managing their information assets -- namely, a framework of information management compliance." Key Survey Findings 1. Good policies and procedures: Internal and external pressures are causing organizations to address compliance concerns. Fully 80% have made or are planning to make changes to the way they manage information -- with 82% creating or updating information management policies. Regulatory compliance is a major force behind these changes, with 37% making changes because of Sarbanes-Oxley and 26% because of HIPAA.2. Executive-level program responsibility: While senior executives and managers are getting more involved in the information management program (78% of business unit and IT executives participate in its development and administration), at many firms executives clearly need to take a more visible role. More than a third of responding organizations haven't received any guidance on information management issues from an executive in the last 18 months, and nearly half do not provide an executive statement of support for the information management program. 3. Proper delegation of program roles and components: In some cases organizations are failing to bring the right people to the table to develop and administer the information management program. Only 35% involve lawyers when developing program elements. Organizations have done much more in the areas of information security and paper-based records management than they have in the area of electronic records management -- a huge inconsistency given that most of the documentation of business and organizational processes is now conducted electronically. 4. Program dissemination, communication, and training: Gaps in communication and training threaten to undermine the effectiveness of many information management programs. Over 60% fail to provide regular employee training, and the training that is conducted often focuses on records and information managers rather than executives and IT staff. Over 52% of records and information managers report receiving training, but only 31% of general business executives and 30% of IT staff. 5. Auditing and monitoring to measure program compliance: While only a minority of organizations involve auditors in the development and administration of the information management program (34%), internal auditing and monitoring programs seem to be somewhat successful, with 41% of organizations making changes as a result of problems found through such programs. 6. Effective and consistent program enforcement: Even though employees acknowledge good intentions by their firms, they recognize that good intentions alone are not sufficient. Only 34% of those surveyed agreed with the statement, "my organization's records and information management directives are consistently enforced." IT executives (29% in agreement) are more skeptical about performance than either records managers or general business executives. 7. Continuous program improvement: Less than one in six survey respondents are firmly convinced their firms would uncover records management failures, indicating that there is much room for improvement in records management procedures and programs. About the StudyOver 400 end users completed the online survey for the research study. Respondents represent an appropriate mix of public-sector large, medium, and small companies; as well as industry sectors such as financial services (16%); government -- local, state, federal (23%); professional practices (12%); manufacturing (10%); utilities, oil, and gas (8%); and others. Of the respondents, 23% were senior-level management (CXO, vice president, director), 35% were in information/records management, and 17% were from IT/IS departments and other functions. The industry watch study is available as a complimentary download at http://www.aiim.org/documents/currentstateofimc.pdf. The book "Information Nation: Seven Keys to Information Management Compliance" is available for purchase at http://www.aiim.org/product.asp?ID=667.