Technology is changing rapidly as industries experience the accelerated adoption of cloud-based platforms. Organizations squeezed by a tight economy see opportunities for increased business productivity and huge potential cost savings by moving to virtually hosted platforms including Google Apps. Meanwhile, the pace of technological change dictates a need for new strategies to handle the influx of data. Careful planning is the first and most essential step in meeting enterprise risk management (ERM) needs and avoiding serious compliance issues when transitioning to cloud applications, however improbable they may seem.

The recent flurry of activity surrounding WikiLeaks data breaches and other hacking incidents signifies the importance of addressing ERM as it relates to new technology. Organizations left in the wake of such incidents include McDonald's, Walgreens, Gawker Report Systems and Honda. All were targets for customer database hacking late last year. Taking an immediate and strong stance is a priority for government agencies and other corporations trying to rebound from these attacks. The reality is that the pace of technological change will continue to pose difficulties for data management. In order to understand how to manage risk, it is important to first know where the weaknesses lie.

Many organizations are concerned over managing increased volumes of data and the growing cost of retention. Organizations must consider that data transfers and stores in the cloud can be more difficult to track if the proper systems are not in place. In short, ERM is becoming more complicated. As a result, it is more important than ever that organizations plan to avoid exposure by anticipating new approaches to ERM.

These considerations are particularly applicable to agencies and brokerages inundated with records that must be carefully maintained to manage risk and comply with government mandates. A well-planned ERM process should account for the likelihood of compliance missteps in several ways. Planning will not only help avoid compliance violations with Sarbanes-Oxley, ISO 15489, DoD 5015.2 or MoReq2; it can save a company a great deal of risk and expense in the long run. It is essential for organizations migrating to the use of a cloud-based platform to have a reliable, well-organized records management program. This starts with a thorough evaluation of existing procedures; analyzed side by side with proposed enterprise technology, procedures will need to incorporate new risk management processes and controls.

Litigation and e-discovery

Litigation is one of the riskiest and costliest events a business can encounter. Although insurance agencies might like to think it improbable, the truth is that agencies encounter suits commonly enough to allocate a considerable portion of annual budgets to the effect. In the recently released “7th Annual Litigation Trends & Report” by Fulbright and Jaworski (www.fulbright.com), nearly 40 percent of industry sector respondents were insurance agencies that reported having more than 20 suits commenced against them. The study accounts for 403 participants interviewed across multiple industries.

When such suits are filed, e-discovery quickly follows. E-mail, corporate records, internal memos and even social media activity become evidence of an organization's activities and are discoverable. The intrusiveness and breadth of e-discovery can impose both direct costs on the organization and collateral costs in loss of time and efficiency.

The same report cited above found that 50 percent of U.S. companies surveyed spent $1 million or more on annual litigation expenditures this past year. Wouldn't it make sense to budget for an ERM process with front-end protection that mitigates costly back-end expense? Risking penalties, claims of spoliation and possible contempt citations during litigation as a result of not having or following compliance and records management standards is not a risk worth taking.

Records management and automated ERM

Policies and systems are what protect an organization from e-discovery risks. Especially important is having a reliable records management system in place. There are several options for how they may be applied. Manual application can be risky because it is inconsistent. We no longer live in a world where carbon copies and a few filing cabinets are all an organization needs. Automating records management processes is the key to simplifying records management, guarding against litigation and minimizing hassle surrounding otherwise expensive and time-consuming e-discovery. Ultimately this means less risk.

For one thing, there is an inherent element of human error. There is simply too much data to be managed and too many communication avenues to expect that mistakes will not be made. An even greater risk is misuse. Technology makes it easier than ever to exchange data faster and between more parties. This means advertent and inadvertent exposure to leaks of confidential information. The KPMG 2010 Data Loss Barometer Report cites that one in five data leaks in early 2010 came from malicious attacks inside the organization.

A final concern is lack of awareness. Insurance professionals would be appalled to know how many people are unaware of the document management policies in place. Without the proper implementation of records management policies, any organization faces greater risk of violation. The Assn. for Information and Image Management addresses this issue in a document, “Principles of Real World Records Management”:

In the past companies have put the onus and the burden (not to mention risk) of making key decisions about records management on employees—a major deterrent to RIM policy enforcement. The majority of employees are ill equipped to make these decisions, because they are unaware of records management policies and/or the impact of their actions (or inaction).

Many organizations will instead use software to automate records management processes. Fewer organizations, although the number is increasing, will embrace the change wholeheartedly and turn to the cloud. If choosing a cloud-based SaaS (software-as-a-service) application, consider how well it addresses the following three considerations:

  1. An automated records management application should provide complete compliance and records management with features designed to meet standards for regulatory compliance.
  2. The application must be easy to deploy and simple to integrate with existing document management processes.
  3. The application should be intuitive and easy to use, as well as transparent to the user if possible.

Records management is a back-office function that need not consume countless work hours, space and mental capacity. The goal of automated systems is to achieve a level of confidence in the systems that are in place, minimize the risk of violation from mismanagement, and free up staff to handle more critical issues at hand.

Requirements for regulatory compliance

Five requirements for regulatory compliance must be met in order to avoid unnecessary e-discovery risks.

  1. Centrally controlled document access management is one of the most essential elements of compliance; it is the ability to centrally control which users have access to the shared documents.
  2. Document classification policy management allows you to control the classification of records for better logical grouping and security. The ability to locate data efficiently is half the battle of e-discovery.
  3. Retention policy management is the application of specified retention schedules to records of any type from a central application. This helps you keep the records for the required amount of time, and delete them when the retention policy requires it.
  4. Destruction and disposition policy management is important because you should be able to track all stages of destruction to show a history of approvals (if required) and adherence to policies. This ensures you meet compliance regulations requiring the destruction or archiving of records after a certain period of time.
  5. Legal hold management is a function that prevents destruction of documents if they are under litigation hold. Legal holds ensure that an organization will not fall out of compliance with court orders and risk fines, claims of spoliation or contempt citations.
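
How requirements 2 through 5 interact can be shown in a short sketch. The Python below is an added illustration, not code from the article or from any product it names; the classifications, retention periods, record fields and approver name are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed retention schedule in days per classification (illustrative values).
RETENTION_DAYS = {"claim_file": 7 * 365, "marketing": 365}

@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    legal_hold: bool = False
    approved_by: Optional[str] = None  # who signed off on destruction, if anyone

@dataclass
class DispositionEngine:
    audit_log: list = field(default_factory=list)

    def evaluate(self, rec: Record, today: date) -> str:
        """Return HOLD, RETAIN, PENDING_APPROVAL or DESTROY and log the decision."""
        days = RETENTION_DAYS.get(rec.classification)
        if rec.legal_hold:
            # A litigation hold overrides the schedule and any approval.
            decision, reason = "HOLD", "legal hold active"
        elif days is None:
            # Unclassified records are never destroyed by default.
            decision, reason = "RETAIN", "no retention schedule for classification"
        elif today < rec.created + timedelta(days=days):
            decision, reason = "RETAIN", "retention period not elapsed"
        elif rec.approved_by is None:
            decision, reason = "PENDING_APPROVAL", "expired, awaiting sign-off"
        else:
            decision, reason = "DESTROY", f"expired, approved by {rec.approved_by}"
        # Every evaluation is recorded so the disposition history can be shown later.
        self.audit_log.append((today.isoformat(), rec.record_id, decision, reason))
        return decision

def demo():
    """Run the engine over constructed sample records."""
    today = date(2024, 6, 1)
    engine = DispositionEngine()
    records = [
        Record("R1", "marketing", date(2022, 1, 1), approved_by="records.mgr"),
        Record("R2", "marketing", date(2022, 1, 1), legal_hold=True,
               approved_by="records.mgr"),
        Record("R3", "marketing", date(2022, 1, 1)),
        Record("R4", "claim_file", date(2022, 1, 1), approved_by="records.mgr"),
        Record("R5", "memo", date(2010, 1, 1), approved_by="records.mgr"),
    ]
    return {r.record_id: engine.evaluate(r, today) for r in records}, engine.audit_log

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Record R2 is expired and approved for destruction yet is still held, which is the behavior requirement 5 describes.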

All five requirements support the principles outlined in the Generally Accepted Recordkeeping Principles, created by the Assn. of Records Managers and Administrators. These principles are standard for IT and records management departments across all industries. They certainly apply to agencies and brokerages responsible for managing extremely sensitive information, while adhering to strict government mandates.

Backlash from WikiLeaks and growing information management issues, including incidents of fraud, are inspiring new regulations and mandates that pertain to the insurance industry, among others. Agencies and individual brokers are particularly vulnerable to risks associated with E&O exposure. Currently, “negligent actions” can be described as an agency's lack of adequate control over client documents and files. Failing to secure sensitive client records can be the fast track to costly arbitration.

With identity theft and mismanagement of classified information on the rise, the Federal Trade Commission “red flags” ruling sets measures to help organizations identify early signs of potentially damaging activity. The rule is just one example of a new ERM approach mandated by the government to help organizations protect their customers and avoid compromising reactive situations.

SaaS and ERM: Need to know

The transformative growth of SaaS applications also affects ERM. SaaS is the only technology gaining considerable traction in the current market. It offers businesses cost savings and real-time support to help them be productive in a host of scenarios. For these and other reasons, vendors like Microsoft, SAP and Oracle are moving to the cloud to capitalize on the growth. A forecast analysis released in July 2010 by Gartner reported worldwide growth of SaaS will have a 15.3 percent compound growth rate for the enterprise application markets through 2014.

One of the most popular SaaS applications to date is Google Apps. More than 30 million users in three million businesses, government agencies, schools and other organizations worldwide have switched to Google Apps. Among those considering the switch are agencies and individual brokers seeking cost savings and the increased flexibility to access documents from any location.

However, Google Apps does not have any built-in document compliance or records management features to meet organizational standards and legal regulations. Simply put, this means that Google Apps users can use some but not all of the available features without risking serious issues with compliance violation. Millions of users might already be in compliance violation if they are using Google Docs without another records management system in place. This is a considerable concern for businesses looking to mitigate risk.

Fortunately, vendors recognize the hole and are developing SaaS compliance applications for Google Apps. RecMan for Google Apps is the only application currently available, but we can expect applications from other vendors in the future as Google Apps continues to grow.

Before adopting a cloud-based platform, IT departments and compliance officers should be involved in cross-departmental conversations. These are the very people who have the expertise to protect your organization from potential litigation and e-discovery issues. With carefully planned compliance measures that account for the integration of new technology, ERM processes remain intact. In fact, SaaS makes it easier and more affordable than ever for businesses to stay on the cutting edge with software that might otherwise be too costly or too disruptive to integrate with existing systems.

Planning

A great debate over the move to the cloud brings forth questions of enterprise security and proper records management. The fundamentals of records management don't change. However, new technology presents enterprise risks, which must be considered. In short, an overabundance of information makes it exceedingly difficult to keep track of sensitive records that have the potential to expose companies to areas of weakness, should a suit be filed.

Using hosted business solutions in the cloud only has to be a scary prospect for organizations that have not first anticipated how their ERM process will translate. Planning is essential to avoid e-discovery issues; otherwise, plan to spend a lot of money. The good news is that SaaS applications are making it more affordable than ever to integrate targeted solutions into the IT platform, increasing productivity, efficiency, and expanding your options for doing business in a virtual world. In addition, many organizations consider cloud-based applications to keep their work force on the cutting edge.

Although there are sure to be some sticky issues with any ERM plan involving enterprise-wide records management, the most difficult step is making sure that the company IT department and records management individuals or department are on the same page. Departments should work together to establish a plan for the application of retention policies. In the long run, this should also save on legal expenditures.

Organizations considering the move to a cloud-based platform should consider several factors:

  1. What processes are already in place and how might they be adapted for monitoring digital info and materials shared via the web?
  2. What procedures are missing to mitigate e-discovery risk if litigation occurs?
  3. The company should establish a unique plan for the internal controls over your organization's processes.
  4. The best ERM program an organization can have is a clear definition of purpose and the processes and tools in place to make sure these are met without fail every time.

By applying your agency's retention policies consistently and systematically, the cost of e-discovery is reduced. Think of it this way: records, which are merely evidence of an organization's activities, are a trail of breadcrumbs that lead back to any infraction. The fewer stale breadcrumbs that are forgotten, the better the chance of avoiding costly legal repercussions.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.