The Devil’s in the Emails: Where Records Management Meets Risk Management

February 18, 2020by Matt Kelly

Subscribe to the Smarsh Blog Digest

Subscribe to receive a weekly digest of articles exploring regulatory updates, news, trends and best practices in electronic recordkeeping.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

People often say the devil is in the details. The more you look at corporate compliance or governance failures, however, the more you realize that’s not quite right.

The devil is actually in the emails.

Seriously — when was the last time we saw a corporate misconduct scandal without damning evidence emerging from some obscure corporate record? Whether the scandal is workplace bullying, sexual harassment, misleading regulators about product safety, peddling bad investments, overseas bribery or whatever else comes along, a record pointing toward the bad behavior is always in there somewhere.

That idea has been on my mind lately because it’s yet another example of how regulatory compliance and risk management are blurring into one messy challenge.

That is, businesses have long labored under various regulatory requirements to preserve records. When a company receives a lawsuit or notice of regulatory investigation, it needs the ability to put a litigation hold on all relevant communications. Broker-dealers and other financial firms face a host of record-keeping rules enforced by FINRA, the Securities and Exchange Commission, and other industry regulators. Ditto for pharmaceutical firms and the Food & Drug Administration, or any business and its tax returns.

All of those examples, however, spring from compliance obligations. Companies have built enormous and sophisticated records-management systems — complete with classification systems, storage, text analysis, audit trails — because a law required them to do so.

That’s changing. The drivers for good records management are becoming more urgent, which means developing strong records management capability is becoming more important.

Technology, Transparency, and Stakeholders

The root of this change is (as always), new technology. In the last decade we’ve seen breathtaking leaps in social, mobile and collaborative communication, and the digital transformation of historically manual business processes.

Taken together, those two forces allow a corporation’s stakeholders — employees, business partners, customers, the public, regulators and investors — to exert much more power against a company.

We’ve all seen this in practice: selective leaks of damaging information, hashtag campaigns on social media, demands for more data from regulators evaluating a compliance program or corporate leadership’s potential liability in misconduct. As different as all those actions are, they all spring from an ability to discover information about a company and then to hold the company accountable in new, more forceful ways.

Boards and the C-suite want to avoid that. They want to get ahead of it. They want better ability to identify potential regulatory, legal, or reputation risks before they strike, so the company can respond accordingly.

Which brings us back to those corporate records, and the warnings they contain if a company can find and understand that information in a timely manner. That’s how record-keeping and data management have gone from a compliance obligation to a risk management necessity.

Better Risk Identification in Practice

This need goes beyond storing all data into one repository and hitting “Control F.” The ability to classify and retrieve information is important, sure, but the most insidious risks don’t declare themselves plainly. Companies need to get better at understanding the significance of information — an offhand remark in an email, a strange emoji tacked onto a text message, a sudden change in tone or flow of an email chain.

That requires strong capability in data analytics as much as it does in recordkeeping and data management. Businesses will need technology that can analyze large swaths of records (perhaps from multiple sources, in multiple formats) and then help managers draw conclusions about what risks are suggested by the information, and how severe the risk is.

Call that sentiment analysis, artificial intelligence, record-keeping on steroids — whatever the solution itself is, that’s only a smaller detail in the bigger picture that compliance and risk professionals need to paint for senior management.

The bigger picture is that the calculus of holding companies accountable is changing. More groups can press their complaints about corporate conduct more assertively, and they will. To prevent that, companies need a better ability to extract understanding about risk from the information they have.

And really, the information you need is out there on a record somewhere. It’s just about understanding the significance of that information before others do.

Share this post!

Matt Kelly
Archiving and Compliance Blog

Our Blog explores the news, trends and best practices in electronic recordkeeping. It’s about managing and getting value from your electronic communications data. It’s about satisfying legal and regulatory obligations. It’s all about turning compliance liability into business insight.

Recent Posts

regulations compliance search review laws featured img
How to Supervise Your Suddenly Remote Broker-Dealers and Investment Advisers
Read more
mobile text communication sms channel featured img
Lessons From the EPA's Lack of Text Message Preservation
Read more
government columns federal building featured img
How CCPA May Impact the Future of Public Records Management
Read more

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.