LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Condense Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Mime-Version:	1.0
Sender:	Records Management Program <[log in to unmask]>
Subject:	Re: EMail Retention-Financial Institutions
From:	Larry Medina <[log in to unmask]>
Date:	Fri, 25 Jul 2008 07:47:53 -0700
In-Reply-To:	<[log in to unmask] iz>
Content-Type:	text/plain; charset="us-ascii"; format=flowed
Reply-To:	Records Management Program <[log in to unmask]>
Parts/Attachments:	text/plain (82 lines)

>I recently posted a question regarding e-mail retention practices and I
>appreciate the feedback.  However, I would like to expand my question a bit.
>I understand that the practice of grouping emails as a whole and having them
>set up on a "mass" retention basis is not the preferred way to manage e-mail,
>however, I have to believe that many financial institutions are doing just
>that.  In the absence of evaluating content and declaring e-mails as records,
>how are other financial institutions handling their e-mail retention?  Any
>other records managers from financial institutions out there who will provide
>feedback?  Thank you!

Sure, you're right that the proper way of applying retention to 
records isn't always done with e-mails because it isn't easy to do 
and it takes both time and effort to properly accomplish,. and worst 
yet, it takes involvement of the individuals both sending and 
receiving the messages to work.

So, what's the "next best thing"?   Well, a lot of the answer here 
depends on how heavily regulated your organization is, and the 
financial services industry is EXTREMELY heavily regulated... and the 
rest of it depends on how risk tolerant versus risk averse your 
organization is.

There are risks related to retaining information too long, and there 
are risks related to not retaining it long enough.   If you discard 
it before you're allowed to (by regulation, law or statute), then you 
can get in trouble with the regulators- how much trouble and the 
impact it has on your ability to operate (or your executives wearing 
orange jump suits) depends on why they're looking for the information 
and if it can be proven that it was purposefully discarded.  Worse 
yet, is if you have a documented policy or procedure requiring people 
to discard information in time frames shorter than the required 
retention, or if (a'la Arthur Andersen) there is a smoking gun 
directive from someone telling people to destroy information.

The opposite is if you retain it longer than required.  The worst 
thing that happens here is your organizations spends a little extra 
money for storage and management of unnecessary information, and in 
the event o fa legal action, if you have information you could have 
legitimately destroyed in compliance with your retention schedule- 
you will have to produce it.  There could be information here that 
would be damaging to your case, or a client of yours, and the fact 
that it wasn't discarded in the course of normal business and in 
keeping with the retention schedule could be costly.  Also, retaining 
it longer than required increases the scope of the effort to produce 
information because you have a larger than necessary universe of 
information to search through.

Again, a'la Arthur Andersen... they had an approved retention 
schedule allowing them to discard work papers 5 years after an audit, 
but got lazy and just "kept them hanging around".  When they found 
out there was a pending lawsuit and this information could be 
potentially damaging to their client, an attorney of the firm 
notified managers to "ensure they were complying with the retention 
schedule and only retaining information as long as required".  This 
resulted in large volumes of information that was pertinent to a 
lawsuit being purposefully and intentionally destroyed, and we all 
know the outcome of this.

So, someone has to determine the potential negative impacts of 
keeping information longer than required, and then make a decision if 
ALL E-MAIL should be retained for the LONGEST REQUIRED retention 
period... or conversely, the negative impacts of not retaining it 
long enough, and make a decision to discard ALL E-MAIL after some 
arbitrary time period.   The most important thing is whatever 
decision is made, ensure EVERYONE FOLLOWS IT TO THE LETTER, because 
if some e-mail is being destroyed too early or other e-mail is being 
held too long, the whole thing ends up casting a bas light on the 
organization's ability to comply with even their own stated policies 
and practices, and regulators REALLY don't like that.  Selective 
application of policy reeks of wrongdoing.

Larry
---
Larry Medina
A RIM Professional since 1972


List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2

LISTSERV.IGGURU.US