In-house counsel are often tasked with ensuring company compliance with record retention regulations. Sometimes the actions of the corporate legal department not only do not help their companies achieve this compliance, but actually hurt it. Seemingly doing good can sometimes make things worse.
Given this paradox, here are five ways in-house counsel can hinder record compliance:
1. Focus on the language of the policy. One large, Northeastern technology company spent many months updating and tweaking its record retention schedule. Again and again it updated the schedule to include the latest citations, case law, etc., striving for the “perfect” schedule and believing the more perfect the schedule, the greater the degree of compliance. However, given the schedule was constantly “under review,” it was never published or executed. While updating a record retention schedule is often a good thing, excessively focusing on the schedule detail to the detriment of execution puts the organization at risk.
2. Create policies in the vacuum of the legal department. A Midwest retailer created and published its record retention policy and schedule without consulting with IT or any of the business units. While the legal department did have the corporate mandate to create the schedule, it never got “buy in” from the rest of the business. The new schedule then sat and collected dust on a shelf, ignored by nearly all the rest of the business. Mandate does not make right. Good policies require building a consensus.
3. Throw policies over the transom. The IT team of a large transportation company sat in a conference room, staring at the detailed, 90-page record retention schedule sitting on the middle of the conference room table. The legal department had created the schedule and delivered it to the IT organization, instructing them that it was now the IT department’s job to execute this schedule for all the electronic records in the organization. (Note: electronic records typically comprise more than 90 percent of an organization’s records.) The schedule had not been created with an eye toward execution, especially for electronic records. Therefore, the IT team strategized the most politically astute path to not execute the schedule. Compliance is achieved through policy adoption.
4. Dictate processes employees are not likely to follow. The legal department for a Northwest manufacturing company decided it did not like e-mail, and purposely created a manual process for employees to save e-mails: All e-mails needed to be printed as a PDF and manually saved and categorized in the company’s enterprise content management system. The process took about two minutes for each e-mail. Around the same time this archiving policy was announced, many employees started carrying USB drives. These drives could be used to save electronic information, including copies of e-mails. If the company’s policy says one thing, and employees are doing something else, compliance trouble is not far away.
5. Omit employee training programs. After a series of regulatory problems, an auditor reviewed a pharmaceutical company’s record retention practices, including interviewing employees for the program compliance. The most common feedback from employee: “What record retention program?”
In-house counsel need to ask themselves whether, in trying to increase companywide compliance, are we helping or are we hurting? First do no harm.