Information management is crucial, but how long should you keep documents for - and how? Simon Stammers writes

When computing arrived at the desktop, there was a sea change in how organisations worked. Documents were created digitally, stored locally and duplicated at almost zero cost. As the cost of hardware ownership plummeted, there was a huge wave of expectation that the paperless business would drive down document creation and distribution costs, and that the print production industry was doomed. Everything was to be digital - and it was assumed that digital documents would be easier to manage than paper.

The reality has proved very different. Firstly, analogue document formats still play an important role in today's organisation - and investment in print is larger than ever and growing. Secondly, the digital world has created new challenges and is by no means easier to manage. It has brought with it an explosion in information volumes, and the cost and risk exposure of controlling the new state of affairs is substantial.

Information contained within business documents has gained recognition as one of the most valuable business assets. In any governmental or commercial operation, managers manage assets on behalf of their stakeholders - and information therefore needs to be classified, structured, validated, valued, secured, monitored, measured and managed - just like any other asset.

Initially, strategy concentrated on managing and protecting information repositories such as databases. But it is now widely recognised that over 70% of corporate knowledge resides in unstructured data, and companies' attention is on finding an appropriate document storage strategy to mitigate risk.

Risk exposure

Let us review some of the document risks facing the average company.

Firstly, managing documents effectively is an integral part of maintaining operational efficiency. The last few years have seen information volumes proliferate at staggering rates, and aggregated sources point to further annual increases in volumes of between 35% to 50%. Companies that fail to put systems and procedures in place to cope will undoubtedly damage their competitive position. For instance, there has been much press attention recently reporting that data storage is taking up huge proportions of the IT department's time, blaming the confusion surrounding appropriate storage policies

But information management has become increasingly central to managing external risks, such as reputation management. For example, it is very easy for large brands to be subjected to damaging press stories. Losses measured in customer defection and decreased share value can be substantial.

These losses can be caused by small document related incidents - such as the utility that loses a customer's letter and takes unnecessary and unpopular action; or the building firm that cannot adequately prove that the design of its bridge followed good practice established 40 years ago, because it cannot locate the document.

Safeguarding information is also at the core of disaster recovery and business continuity plans that have been put in place as security fears heighten across the globe. But what has really brought document control into sharp focus in management minds is the recent flood of information-related legislation, such as the Freedom of Information Act and the US Sarbanes Oxley Act (SOX). No longer simply an internal operational matter, it has become a legal responsibility in most European companies to ensure that important data and documents can be easily accessed, down to a very granular level and over protracted periods of time. For instance, if a business manager has to go to court to protect the assets of the organisation, how can he or she demonstrate that old digital documents, such as e-mails, are authentic? How can a defence operate if relevant e-documents cannot be found?

Finding a balance

These various areas of business risk require documents to be kept for differing lengths of time and in different ways. For instance, to mitigate legal risk, the audit obligations of much legislation tend to focus on the integrity of long-term stored information. But information availability and retrieval are also important. In some cases it may be necessary to be able to demonstrate that all information on a specific topic is available for review at any time. Within any one enterprise, there is a need for both long and short-term document storage provision.

The first step is for companies to conduct an audit of document control capabilities and identify their exact storage and retrieval needs. Many companies choose to work with an objective third party who can periodically review, validate and ensure that policies are being followed. The audit should be an in-depth process, interviewing key personnel and performing comprehensive reviews of sample data using forensic tools.The results fundamentally affect underlying technology choices, especially document capture (scanning) business rules and frequencies, categorisation and indexing, and the requirements for microfilm-digital (conversion) capabilities.

The wrong technology decisions could actually expose the company to further business risk. Such audits frequently highlight that an effective storage strategy requires organisations to bridge the much-maligned gap between the IT, finance and business management teams - to prevent situations where the compliance manager is not in touch with IT and to ensure that all technology decisions accurately reflect business needs.

A balanced document archive strategy for an organisation of any size or complexity will include frequent back-ups to remote locations, periodic transfer of documents to archive servers, and an analogue component comprising paper and film. The precise balance between long and short-term archiving can only be defined once the company has identified exactly what needs to be kept, and for how long. It should be emphasised that a company does not need to store everything, nor is rapid access and retrieval always the norm. The important point is that organisations assess the differing retention requirements for their information assets, and define IT strategy accordingly.

In fact, most documents have a value for a short period of time. A good example might be an e-mail confirming an appointment next week. Some documents have value in the medium term, for a year or so; and these documents can be managed in filing cabinets or on secure IT systems that are regularly backed-up. Documents that have a permanent significance are increasing in number, can represent the company's most valuable information assets and should be the focus of long-term storage. An example might be a special offer announcement on a financial services company's website that could have legal significance for decades.

The importance of analogue

A technological obstacle is that modern computing life-cycles tend to be much shorter than document retention requirements; for instance it is unlikely that an e-document created in the 1980s could be read, without modification that affected its authenticity, in a contemporary software product. Yet many digital documents created in the '80s are still valid now and could be for another decade. For certain industries, such as insurance, retention requirements span many decades and technology obsolescence poses a serious threat. Furthermore, modern fiduciary controls mean that individuals, teams and companies are now commonly measured on a quarter-by-quarter basis. For this reason, it has been difficult for managers to invest in a long term document archive. Managers feel that if there is a document-related problem six years from now, they will be long gone and the problem will rest with their successor's successor. This has resulted in a serious under-provision of archives in many organisations.

It is therefore recommended that long-term storage should depend upon at least two technologies, and the greater their diversity the better the spread of risk. On the basis that one format will be digital, the other should be analogue. Despite huge advances in the price performance of magnetic storage, microfilm remains a cost effective long term storage medium that has recently been re-discovered as a reliable method to spread document risks. Some states in the US now demand that all e-documents that have a significant life cycle should be stored in analogue format in addition to digital. The Government of Singapore has also made this a requirement for firms operating in their country.

The demise of the floppy disk drive provides proof that although mid-term electronic storage media are vital, the march of technology often makes electronic media and formats obsolete. SOX requirements are not a US-only concern, with around 200 US-listed European companies having to comply, and an EU auditing directive on the way which is predicted to be in some ways more stringent than SOX. Fines amounting to millions of dollars cannot be expected to remain an isolated American phenomenon.

And some European organisations have already discovered their inability to retrieve certain documentary evidence.

For over a century microfilm has enjoyed a reputation of being an excellent long-term, analogue storage medium. Recent claims by media manufacturers have extrapolated a usable life expectancy for microfilm from accelerated aging tests. The results showed that microfilms produced today will store images in human-readable format for up to a hundred years or more. Consequently, Gartner also recommends that any record stored longer than 10 years should be stored in an 'analogue, human-readable form' such as paper or microfilm.

Analogue formats are inexpensive; the media are relatively stable; the storage method is bi-directional, and, most importantly, it spreads the risks involved with long-term storage.

Role of outsourcing

We have already established that storage is no longer simply about long-term archiving. Before the 1970s, documents tended to be printed and filed in cabinets and periodically archived. Duplicates and worthless items would be destroyed, and only a small number of documents packed and sent to the archive many miles away. Thus the archive was towards the end of the document lifecycle.

Now, archiving begins as the documents are created. They are placed digitally straight into a repository from which copies can be distributed. Most users are happy with a representation of the original, and document proliferation is avoided. The integrity of the original can be protected.

On this basis, there has been a huge growth in web services where trusted third parties hold the original, and all authorised users can access the information on demand via a web application. The dusty, remote and expensive archive has been transformed into a valuable front line resource. Some organisations, particularly in government, are outsourcing the storage of documents that are still involved in current transactions. They benefit from known costs and service levels, plus the advantage of having their documents stored securely.

The current focus of the business community on compliance and legalities, in combination with the flood of digital information, has made document control a board-level issue. It is vital that every company assesses their exposure to document risk - encompassing reputational, legal and operational concerns - and defines a document storage strategy accordingly.

- Simon Stammers is UK sales director, Anacomp Limited, Tel: 0118 9361600, www.anacomp.co.uk KEY ISSUES

- Organisations must strive to maintain integrity for the whole life cycle of a document The longer the life cycle the more difficult is this task.
- Regulators are now showing greater interest in document risk, and managers should review their long term document storage policy annually as part of their audit process.
- Long term storage is fraught with risk, and organisations should mitigate it as they do all other risks by spreading and sharing it.
- Despite the current industry fashion to focus on digital documents, a balanced strategy that includes paper and microfilm is justified as a reasonable risk mitigation investment.
- There is currently a significant disparity between the IT development cycle and long term document retention periods. This, together with the separation of the stakeholder's desire for profit and the need for adequate investment in long term document storage, are contributing to the under-provision of archives in many organisations. This is building up unquantified and unmanaged risks.
- Government, regulators, and boards of management should create an environment where medium and long term document risk is measured more precisely, and better managed. Recent legislation in the wake of the failure of Enron, heightened by controls on operational risk recommended by the Basel Committee on Banking Supervision, have enhanced awareness of document risk. Stakeholders in document assets should now ensure that their investment enjoys the appropriate risk/reward ratio.


WHEN TO USE MICROFILM

Many factors should be used to determine which records to microfilm.

These include the need:

- to retain records for a long period of time
- to secure records with a duplicate file in an alternative technology to mitigate risk
- for low cost search and retrieval of records
- for demonstrable record integrity
- for sharing information with other departments, auditors or regulators
- to control access to records and to maintain strict confidentiality of records
- to preserve historical records from aging and abusive wear and tear.

Topics