At a recent Compliance and Ethics conference, I asked another attendee what they hoped to gain from being there. Keep in mind that the audience consists of hundreds of experts in their own right, who come both to share their own experiences and to learn from others.
As I listened to the reply, I was quickly reminded that records retention programs and schedules need constant vigilance. Why, you wonder?
The response to my question brought back one of the key concerns I encountered nearly 10 years ago as a new CCO. The company was beginning to establish risk management practices and was in the midst of performing enterprise-wide risk assessments.
This attendee was in the early stages of developing an ERM program and, while discussing the status of the effort with the General Counsel, she was told that all the responses to the risk assessment questionnaires should be destroyed, out of fear of the double-edged sword.
On one hand, you are doing the right thing by finding your problem areas so that they can be addressed in a timely manner. On the other hand, you are documenting issues that may be held against you.
In my mind, it is a matter of ethics and doing the right thing. If the tone of the company is one of the highest ethical standards, the decision is not quite so difficult. Search for risks, prioritize them, address them – you should be rewarded for your efforts.
A similar situation arises when drafting company policies. Working versions may contain all sorts of statements that are changed or omitted from the final version. However, companies often worry that if they get into trouble, these working versions will be discovered and held against them: someone obviously knew about the issue, yet the company decided to do something else, when the original language could have prevented a problem.
Both are valid concerns that must be researched and decided upon.
In both scenarios, weigh the risk of having the information against the risk of not having it.
1) No company can go error-free
2) People (even judges and prosecutors) recognize real effort
3) You must be able to demonstrate reasonable due diligence
4) Doing the right thing will pay long-term dividends
5) Regulations wouldn’t require risk assessments if companies didn’t have risk that needed to be identified and addressed.
The other thing I remembered was to make sure that these record types are included in your records retention schedules. Superseded policies, prior versions of risk assessments, supporting documentation, etc. should all be accounted for in your records retention program.
So ask yourself: how can you show evidence of good risk and compliance practices if you throw away all your report cards that don't have gold stars? You should be proud of your efforts if you are truly doing the right things, and hope that you get the chance to let them protect you when something goes wrong.
I'd be interested to hear how your company is managing these types of records, so please send me your comments.