Knowledge Bank

The drivers of organizational email risk

The organization as an entity incurs risk because of the email activity of its employees. This risk is expressed as exposure to legal proceedings where the company is the defendant. The costs of hosting a system whose users produce or distribute inappropriate material (such as jokes or offensive language), or wrongly produce and share commercially sensitive information, are large and can run into hundreds of millions of dollars. This excludes any reputational damage.

There are two areas to this risk: compliance and litigation.

Compliance

According to AIIM (2007), the international authority on Enterprise Content Management (ECM), more than a third (38%) of large organizations (more than 1000 people) in the UK admit their email management system is in 'complete chaos'.

They found the same number of respondents (38%) had no company policy on email archiving (or had one that was not communicated). A quarter of companies have not begun to develop an email compliance strategy and more than 90% do not realize that email is an enterprise data compliance issue.

The AIIM survey highlights that employees do not understand (or know how to access) their organization's policies and procedures for email. Only 27% of organizations archive email outside Outlook in a searchable repository; disconcertingly, 7% delete all email after three months and rely on back-up to recover emails.

80% of organizations leave email management to the IT department. 66% of records managers and IT managers report a marked increase in the time spent on email compliance and, for 10%, most of their time is spent on email compliance. This is manifestly inappropriate in the face of such widespread ignorance and inaccessibility.

Litigation

Email can be documentary evidence and is discoverable in litigation. Seemingly innocuous comments can come back to haunt an organization, possibly many years later. Deleting an email is not equivalent to shredding: email is (semi) permanent. Deleting or tampering with email can come under "spoliation" and is also illegal.

Recent cases suggest the outcome of any litigation has depended on the extent of user compliance and the extent to which the employer is seen to have attempted to ensure the compliance is universal ...

Gottschalk neatly summarizes the risk of email in a legal context:

"The text of email has caused lawsuits, bolstered arguments, and even provided the quintessential smoking gun needed to prevail in court.  For example, Monica Lewinsky was forced to accept an immunity deal because of the infamous "talking points" that she thought she had deleted from her computer.  Moreover, at least one sexual harassment suit, and probably thousands more, has been settled because of an email from a company's president to the head of human resources directing her to "[g]et rid of that tight-assed bitch."  Most notably, the recent Microsoft antitrust trial illustrates how email correspondence between Bill Gates and Andy Grove, of Microsoft and Intel, respectively, provided the smoking gun that the government needed."

Managing organizational email risk

As with individual email stress, organizational email risk needs to be regulated rather than maximized.

Email risk can be reduced by imposing restrictive procedures, for example, management approval for all external emails. However, the cost of doing so would be reduced organizational email effectiveness.

Clearly some risk is taken and is necessary for an organization to function. Senior management needs to be aware of the risks that email exposes the organization to. They then need to decide on a level of risk that is acceptable (within the optimal region) by defining corporate email policies and then taking demonstrable steps to increase compliance and awareness of litigation.