Companies Struggling to Adapt to New Compliance Environment

Legal, regulatory and business requirements driving most enterprises to make major changes in how they manage information

Legal, regulatory and business requirements driving most enterprises to make major changes in how they manage information

Silver Spring, MD — July 16, 2004 — Compliance concerns are driving the vast majority of organizations to make major changes in the way they manage information, but most companies are in the early stages of adapting to new compliance concerns and many are struggling to address the new legal, regulatory and business requirements, according to a new survey.

The survey, conducted by AIIM, the enterprise content management (ECM) industry association, and Kahn Consulting, indicates that many organizations face clear internal and external barriers in carrying out information management compliance programs.

"The Current State of Information Management Compliance: An Industry Study" is based on the seven "keys" of information management compliance that were advanced in "Information Nation: Seven Keys to Information Management Compliance," a book written by Randolph A. Kahn and Barclay T. Blair of Kahn Consulting and published earlier this year by AIIM. The seven keys are based on guidelines used by the federal court system when sentencing organizations for wrongdoing.

"Information management compliance has significant financial urgency," said John Mancini, president of AIIM. "Regulatory deadlines are everywhere. For example, compliance is getting down to the wire in the healthcare industry. On July 1 the government began delaying payment to healthcare providers who treat Medicare patients and fail to submit electronic claims using a standard HIPAA reporting format. Many publicly traded companies are struggling to meet the November 15 deadline to comply with Sarbanes-Oxley."

"It's tempting to think of this as just a Sarbanes-Oxley or HIPAA problem, but it really is part of a long-term trend toward defining what transparency and accountability means in an electronic era," said Kahn, founder and principal of Kahn Consulting. "Organizations need to look beyond their current practices and adopt a broader framework for managing their information assets, namely, a framework of information management compliance."

Key survey findings included:

  1. Good policies and procedures: Internal and external pressures are causing organizations to address compliance concerns. Fully 80 percent have made, or are planning to make, changes to the way they manage information, with 82 percent creating or updating information management policies. Regulatory compliance is a major force behind these changes, with 37 percent making changes because of Sarbanes-Oxley and 26 percent because of HIPAA.

  2. Executive-level program responsibility: While senior executives and managers are getting more involved in the information management program (78 percent of business unit and IT executives participate in its development and administration), at many firms executives clearly need to take a more visible role. More than a third of responding organizations haven't received any guidance on information management issues from an executive in the last 18 months, and nearly half do not provide an executive statement of support for the information management program.

  3. Proper delegation of program roles and components: In some cases organizations are failing to bring the right people to the table to develop and administer the information management program. Only 35 percent involve lawyers when developing program elements. Organizations have done much more in the areas of information security and paper-based records management than they have in the area of electronic records management, a huge inconsistency given that most of the documentation of business and organizational processes is now conducted electronically.

  4. Program dissemination, communication and training: Gaps in communication and training threaten to undermine the effectiveness of many information management programs. Over 60 percent fail to provide regular employee training, and the training that is conducted often focuses on records and information managers rather than executives and IT staff. Over 52 percent of records and information managers report receiving training, but only 31 percent of general business executives and 30 percent of IT staff.

  5. Auditing and monitoring to measure program compliance: While only a minority of organizations involve auditors in the development and administration of the information management program (34 percent), internal auditing and monitoring programs seem to be somewhat successful, with 41 percent of organizations making changes as a result of problems found through such programs.

  6. Effective and consistent program enforcement: Even though employees acknowledge good intentions by their firms, they recognize that good intentions alone are not sufficient. Only 34 percent of those surveyed agreed with the statement, "my organization's records and information management directives are consistently enforced." IT executives (29 percent in agreement) are more skeptical about performance than either records managers or general business executives.

  7. Continuous program improvement: Less than one in six survey respondents are firmly convinced their firms would uncover records management failures, indicating that there is much room for improvement in records management procedures and programs.

More than 400 end users completed the online survey for the research study. Respondents represented a mix of public sector, large, medium and small companies, as well as industry sectors such as financial services (16 percent), local, state and federal government (23 percent), professional practices (12 percent), manufacturing (10 percent), utilities, oil and gas (8 percent), and others. Of the respondents, 23 percent were senior-level management (CXO, vice president, director), 35 percent were in information/records management, and 17 percent were from IT/IS departments and other functions.