The Devil's in the Emails: Where Records Management Meets Risk Management
People often say the devil is in the details. The more you look at corporate compliance or governance failures, however, the more you realize that’s not quite right.
The devil is actually in the emails.
Seriously — when was the last time we saw a corporate misconduct scandal without damning evidence emerging from some obscure corporate record? Whether the scandal is workplace bullying, sexual harassment, misleading regulators about product safety, peddling bad investments, overseas bribery or whatever else comes along, a record pointing toward the bad behavior is always in there somewhere.
That idea has been on my mind lately because it’s yet another example of how regulatory compliance and risk management are blurring into one messy challenge.
That is, businesses have long labored under various regulatory requirements to preserve records. When a company receives a lawsuit or notice of regulatory investigation, it needs the ability to put a litigation hold on all relevant communications. Broker-dealers and other financial firms face a host of record-keeping rules enforced by FINRA, the Securities and Exchange Commission, and other industry regulators. Ditto for pharmaceutical firms and the Food & Drug Administration, or any business and its tax returns.
All of those examples, however, spring from compliance obligations. Companies have built enormous and sophisticated records-management systems — complete with classification systems, storage, text analysis, audit trails — because a law required them to do so.
That’s changing. The drivers for good records management are becoming more urgent, which means developing strong records management capability is becoming more important.
Technology, Transparency, and Stakeholders
The root of this change is, as always, new technology. In the last decade we’ve seen breathtaking leaps in social, mobile and collaborative communication, and the digital transformation of historically manual business processes.
Taken together, those two forces allow a corporation’s stakeholders — employees, business partners, customers, the public, regulators and investors — to exert much more power against a company.
We’ve all seen this in practice: selective leaks of damaging information, hashtag campaigns on social media, demands for more data from regulators evaluating a compliance program or corporate leadership’s potential liability in misconduct. As different as all those actions are, they all spring from an ability to discover information about a company and then to hold the company accountable in new, more forceful ways.
Boards and the C-suite want to avoid that. They want to get ahead of it. They want a better ability to identify potential regulatory, legal, or reputation risks before they strike, so the company can respond accordingly.
Which brings us back to those corporate records, and the warnings they contain if a company can find and understand that information in a timely manner. That’s how record-keeping and data management have gone from a compliance obligation to a risk management necessity.
Better Risk Identification in Practice
This need goes beyond storing all data in one repository and hitting “Control F.” The ability to classify and retrieve information is important, sure, but the most insidious risks don’t declare themselves plainly. Companies need to get better at understanding the significance of information — an offhand remark in an email, a strange emoji tacked onto a text message, a sudden change in tone or flow of an email chain.
That requires strong capability in data analytics as much as it does in recordkeeping and data management. Businesses will need technology that can analyze large swaths of records (perhaps from multiple sources, in multiple formats) and then help managers draw conclusions about what risks are suggested by the information, and how severe the risk is.
Call that sentiment analysis, artificial intelligence, or record-keeping on steroids; whatever the solution itself is, it is only a small detail in the bigger picture that compliance and risk professionals need to paint for senior management.
The bigger picture is that the calculus of holding companies accountable is changing. More groups can press their complaints about corporate conduct more assertively, and they will. To prevent that, companies need a better ability to extract understanding about risk from the information they have.
And really, the information you need is out there on a record somewhere. It’s just about understanding the significance of that information before others do.