The Devil’s in the Emails: Where Records Management Meets Risk Management
People often say the devil is in the details. The more you look at corporate compliance or governance failures, however, the more you realize that’s not quite right.
The devil is actually in the emails.
Seriously — when was the last time we saw a corporate misconduct scandal without damning evidence emerging from some obscure corporate record? Whether the scandal is workplace bullying, sexual harassment, misleading regulators about product safety, peddling bad investments, overseas bribery or whatever else comes along, a record pointing toward the bad behavior is always in there somewhere.
That idea has been on my mind lately because it’s yet another example of how regulatory compliance and risk management are blurring into one messy challenge.
That is, businesses have long labored under various regulatory requirements to preserve records. When a company receives a lawsuit or notice of regulatory investigation, it needs the ability to put a litigation hold on all relevant communications. Broker-dealers and other financial firms face a host of record-keeping rules enforced by FINRA, the Securities and Exchange Commission, and other industry regulators. Ditto for pharmaceutical firms and the Food & Drug Administration, or any business and its tax returns.
All of those examples, however, spring from compliance obligations. Companies have built enormous and sophisticated records-management systems — complete with classification systems, storage, text analysis, audit trails — because a law required them to do so.
That’s changing. The drivers for good records management are becoming more urgent, which means developing strong records management capability is becoming more important.
Technology, Transparency, and Stakeholders
The root of this change is (as always) new technology. In the last decade we’ve seen breathtaking leaps in social, mobile and collaborative communication, and the digital transformation of historically manual business processes.
Taken together, those two forces allow a corporation’s stakeholders — employees, business partners, customers, the public, regulators and investors — to exert much more power against a company.
We’ve all seen this in practice: selective leaks of damaging information, hashtag campaigns on social media, demands for more data from regulators evaluating a compliance program or corporate leadership’s potential liability in misconduct. As different as all those actions are, they all spring from an ability to discover information about a company and then to hold the company accountable in new, more forceful ways.
Boards and the C-suite want to avoid that. They want to get ahead of it. They want a better ability to identify potential regulatory, legal, or reputation risks before they strike, so the company can respond accordingly.
Which brings us back to those corporate records, and the warnings they contain if a company can find and understand that information in a timely manner. That’s how record-keeping and data management have gone from a compliance obligation to a risk management necessity.
Better Risk Identification in Practice
This need goes beyond storing all data in one repository and hitting “Control F.” The ability to classify and retrieve information is important, sure, but the most insidious risks don’t declare themselves plainly. Companies need to get better at understanding the significance of information — an offhand remark in an email, a strange emoji tacked onto a text message, a sudden change in tone or flow of an email chain.
That requires strong capability in data analytics as much as it does in recordkeeping and data management. Businesses will need technology that can analyze large swaths of records (perhaps from multiple sources, in multiple formats) and then help managers draw conclusions about what risks are suggested by the information, and how severe the risk is.
Call that sentiment analysis, artificial intelligence, record-keeping on steroids — whatever the solution itself is, that’s only a smaller detail in the bigger picture that compliance and risk professionals need to paint for senior management.
The bigger picture is that the calculus of holding companies accountable is changing. More groups can press their complaints about corporate conduct more assertively, and they will. To prevent that, companies need a better ability to extract understanding about risk from the information they have.
And really, the information you need is out there on a record somewhere. It’s just about understanding the significance of that information before others do.