Liability mitigation is an important motivator pushing organizations to destroy business records that they are not required to keep. Records that have been properly destroyed in compliance with a well-designed corporate records-management policy are not open to legal discovery. On the other hand, from a business operations and business management perspective, organizations are often motivated to retain any business records that will enable the organization to sell more goods or services, understand customers better, or enhance customer service. After all, most organizations exist to make money or to provide a service. Business owners have an inherent bias to retain information because it may be useful, and while the inherent bias among corporate attorneys, records managers, and corporate compliance officers is to destroy records as soon as allowable, because retained records increase risk.
In some organizations, the business owners are required to personally authorize the destruction of records in compliance with corporate standards. Because they never want to destroy information that might be useful, this often leads to a retention of records beyond the required retention period, or worse, a near standstill in the records destruction process.
In other organizations, where records management and corporate governance are given a stronger hand, policies and processes have been implemented to enable the automated destruction of records in compliance with corporate policy. This strong-arm implementation of corporate policy often leads to the unintended consequence of increasing the distribution and leakage of corporate data, as business-unit employees save unauthorized copies of paper records or electronic data because they might need it in the future.
Policies for records management must consider both legal and business operations concerns. Ultimately the organization must chose between automated policy administration for records management and records destruction and a more manual process, in which the business owner either authorizes destruction of records in accordance with corporate policy or authorizes the retention of records beyond the period defined in corporate policy.
Action Item: Records managers and compliance officers must collaborate with business owners to weigh the operational benefits of retaining records versus the legal and regulator risk of failing to destroy. Once established, they must also assign responsibility for authorizing exceptions to corporate policy for digital and hard-copy records destruction. One thing is certain, keeping all records is both costly and risky.