Reduce Risk with a RIM Program Using AI and RPA

Reduce  Risk with a RIM Program using AI and RPA

Organizations are ethically obligated to manage their information responsibly, and, are bound to do so by federal, state, local, and international laws. Organizations are also obligated to manage their own business information such as client related data in accordance with state and federal regulations. Despite these requirements, your organization may not have a defined, systematic process for effectively managing  information because existing systems were not initially configured to track lifecycle, retention, and security. The maturation of RPA and the explosive growth of Artificial Intelligence means these previously manual and repetitive and sometimes tedious tasks can be automated in compliance with policy in an auditable manner that will satisfy auditors and (should your organization find itself in a lawsuit) frustrate opposing legal counsel!

To be compliant (and to report compliance), your organization must have a comprehensive, enterprise-wide information governance management (IG) or a Records and Information Management (RIM) program in place that supports client services, governance, audit response, and litigation support for individuals as well as litigation preparedness for the organization itself. The maturation of robotic process automation tools and artificial intelligence’s exponential growth has given organizations the tools to search for and find all digital copies of responsive information in a timely, consistent, auditable process. These tools also delete redundant content in an auditable manner.

Improve Your Operations with RIM

A RIM program provides structure to address business concerns, helps to avoid the risk of non-responsiveness during legal discovery or in a right to be forgotten request, and demonstrates the organization’s good citizenship. If your organization has not implemented an enterprise-wide information management system, the tasks of identifying employee-created information and finding how and where it is stored will be challenging. If you are waiting until your organization is audited or subpoenaed, you’ll suffer far worse challenges, to the extent that you may have to shut down the business entirely. Note that courts have ruled that if a records retention schedule does not exist, a portion of the remaining funds must be allocated to permanent storage of the records.

Litigation readiness

Organizations must maintain information that supports business decisions, operations, and services for the length of time required by the regulating agencies, and as dictated by the statutes of limitations to bring a claim. A RIM program communicates these requirements clearly and concisely.

Awareness of communication and education – RIM will help your organization:

• Write “for the record:” no jargon, abbreviations, or slang.
• Write a business email: to the point, one subject per email.
• Dispose of drafts properly: when the final document is approved, delete the drafts.
• Consistently classify and label documents: no jargon, abbreviations, or slang.
• Dispose of information and non-information: shred paper, delete and empty the recycle bin or trash bin in your systems of record, leaving a stub to show that the record was deleted per the retention schedule.

Built-in cost control:

• Better management decision making because the integrity of the record is ensured.
• Paying for storage of (electronic or hardcopy) information beyond the obligation affects the bottom line.
• Disposing of duplicates and convenience copies eliminates confusion about which is the “real” record (a favorite question of both lawyers and auditors).
• Retrieving the right record quickly reduces the time an auditor will be on site.
• Finding and removing specific individual’s information in the time allotted when a right to be forgotten request is received.

Legal case law requires it

Safe Harbor is not available if you do not have a program in place. Per a U.S. District Court ruling in Starbucks Corporation v. ADT Security Services, Inc., 2009 (!), “Failure to adopt a compliant information retention and destruction protocol that permits cost effective access to relevant information and creates an audit trail subjects the non-compliant litigant to sanctions and constitutes spoliation.” It pertains to any business that creates, maintains, and manages information either for internal use or as a custodian of someone else’s information.

Organizations are responsible for instructing their employees, contractors, and third-party vendors on how to manage their information. This, too, is part of the RIM program. Information governance, content management, disaster recovery plans, and knowledge management are related and fall under the “Say it. Do it. Prove it!” approach to reducing risk. Courts have stated that if competitors in your industry have been sued, expect litigation in your company’s future. The same holds true for audits.

Build a RIM Program

Creating a RIM program starts with an information and information policy statement that clearly explains how information is to be managed. Stating that employees should use common sense is not sufficient!

Next, take records inventory: It’s important to know what you have and who uses the information. During the inventory, gather information on why the record is created in the first place, so similar business functions can be subsequently grouped together. ARMA International provides more detailed information about this process, including inventory forms.

After you inventory, you can start grouping similar information. For instance, you might group together “correspondence,” “letters,” and “email.” Email is problematic because it is often used for topics unrelated to business. A clear statement about emails — how to write them, what is or is not a business-related record should be in your email policy.

A records retention schedule is built on your RIM inventory. A good retention schedule will meet legal requirements, legal recommendations, operational requirements, and, include historical value when determining how long a record should be kept. The minimum time a record needs to be kept is the legal requirement. In most cases, it is okay to keep information longer than a legal requirement as long as the need is stated in the retention schedule. However, there are “no longer than” requirements for some records, such as I-9’s. “Just in case” is not a valid operational reason to keep something longer than the legal requirement. It’s also better to use “life of the legal entity (LOE)” instead of “permanent,” for information. “Permanent” causes issues when businesses are dissolved or go bankrupt; avoid them by using “LOE” in your schedule.

The retention schedule can also explain how to dispose of information that has met its retention period. Any record with personal information should be either macerated and/or permanently deleted. These types of records also fall under “right to be forgotten” laws in many states and the EU. You need to be able to find them, where again, RPA and AI can be invaluable tools.

Note: Many software programs offer a recovery period of up to 48 hours after you delete a digital record, allowing the record to be discoverable in an audit or litigation. Other systems move the content you deleted to a trashcan that needs to be emptied by an IT admin, who has that as a monthly task, but, who doesn’t get to it because of other, more urgent issues. Consider automating the task rather than risking reliance on human intervention!

What Is an ERM or ECM?

An application with the ability to track through time and location is required to manage both hardcopy and electronic business information. An electronic record management (ERM) or enterprise content management (ECM) system with an information retention module will track who touched which record, what was done to it, and when. Incorporate robotic process automation and artificial intelligence to ensure that the tedious tasks of finding all records and information copies are actually done. This ensures both the protection of vital and sensitive information, and, the disposition of it when required.

Planning

Executing a Program with related policies, procedures, processes and compliance audits may take as long as eighteen months by the time everyone submits their records inventories, the procedures for preservation and disposition are deployed and everyone is trained on your ECM, RPA and AI. Allot seven to eight hours per employee to inventory the information each creates, three to six months to research retention periods (operational being the longest), to create the schedule, and three months to source and create an ERM/ECM application. Review and update the inventory and schedule every 12 to 18 months, and refresh training on the RIM program every 12 to 18 months.

Remember: Organizations are responsible for instructing their employees, contractors, and third-party vendors on how to manage the organization’s  information.