Bobadilla v. The Paper Trail
On risk assessments nobody acted on, emails nobody deleted, and the documents that are quietly working against you.
Picture this. Management decides to hold an employee accountable for something. Maybe it's a performance issue. Maybe it's a policy violation. Maybe it's something they were told repeatedly not to do. Management is confident. They have emails. They have a history. They're ready.
The employee pulls out the handbook.
Follows it to the letter. Every step. Every requirement. Every standard. Exactly as written.
The handbook that was last updated three years ago. The one that's been sitting in the policy library ever since. The one that nobody owns, nobody reviews, and nobody thought to update when the actual practice changed.
Management looks unprepared. The employee loses confidence in leadership. HR loses credibility. And the original problem, the one that prompted the whole conversation, persists. Because now nobody wants to touch it.
Nobody planned for that document to become the most powerful thing in the room. It got there by accident. Which is exactly how most documentation problems work.
More Is Not Safer
There's a widespread assumption in business that documentation is inherently protective. Write it down. Keep it. The more you have the safer you are. If something goes wrong you'll have a record.
This is partially true and dangerously incomplete.
Documentation without intention isn't protection. It's a warehouse of potential evidence that nobody has reviewed, nobody has organized, and nobody knows the full contents of. It's liability you haven't tripped over yet.
The paper trail works for you when you built it on purpose. When you know what's in it, why it's there, and when it goes away. When it reflects your current practices, your current policies, and your current understanding of your own risk.
When it doesn't reflect those things, when it's just an accumulation of everything you ever wrote down without any structure or intention, it can work against you in ways that are genuinely expensive and deeply inconvenient. And the moment you find out is almost never a good one.
The Risk Assessment Problem
You hired someone to assess your risk. Or you did it yourself. You identified the gaps, documented the findings, and produced a thorough accounting of exactly where your business is exposed.
And then the capacity wasn't there to act on it. Or the knowledge wasn't there. Or the priority shifted because something more urgent came up, which it always does. The findings sat in a folder. The folder sat in a drive. The drive sat there.
Now you have a document that proves you knew.
This matters in two specific scenarios more than any others. The first is regulatory enforcement. A regulator examining your business doesn't just want to know what you're doing now. They want to know what you knew and when you knew it. A gap analysis that identified a compliance problem two years ago, followed by no documented remediation, is not a neutral document. It's evidence of awareness without action. That's a different conversation than simply not knowing.
The second is employee and employer disputes. The handbook story at the beginning of this piece is one version. Another is the harassment complaint that surfaces a prior investigation nobody fully resolved. Or the termination that gets challenged and the HR file reveals a pattern of undocumented warnings that were never formally issued. The documentation that exists tells a story. So does the documentation that should exist and doesn't.
In both cases the problem isn't that you did a risk assessment. The problem is that you did one, found things, and have no record of what you did about it. Identifying risk and sitting on it is worse than not identifying it in some contexts. Not by much. But enough to matter when it matters.
The Email Problem
You've kept everything.
Every email since the beginning. Every text thread. Every draft. Every version of every document. Because deleting things felt risky. Because you might need it someday. Because it was easier to keep than to sort.
Then litigation hits. Or a regulatory request comes in. And you have to produce records.
The cost of reviewing years of unstructured, unorganized email is staggering. Not just in attorney fees, though those are real. In time, in distraction, in the operational disruption of having to reconstruct a history that was never designed to be reconstructed. And somewhere in that pile, in an email you wrote at 11pm after a hard day or a text you sent without thinking, is something that says exactly the wrong thing at exactly the wrong time.
You kept it because keeping everything felt safe. It felt safe right up until the moment someone else got to decide what it meant.
The records you retain without a policy aren't neutral. They're unreviewed evidence. And unreviewed evidence belongs to whoever finds it first.
The Reassuring Part
Here's what's true on the other side of all of this. It's simpler to fix than it sounds.
A records retention policy doesn't have to be a multi-page corporate document with legal review and a steering committee. For a small founder-led business it can be a personal habit with a few clear rules.
December 1st every year, go through your email and delete anything older than a certain number of years. Double delete, meaning empty the trash too. Physical records get kept for seven years as a general rule, though specific document types have specific requirements worth knowing. Digital records outside of email, contracts, HR files, financial documents, get organized by type and reviewed annually.
That's a policy. It's not glamorous. It doesn't require software or a consultant. It requires a calendar reminder and about two hours once a year.
The other piece is the risk assessment problem. If you're sitting on findings you haven't acted on, the answer isn't to destroy the assessment. It's to create a remediation log. A simple document that says here's what we found, here's what we decided to do about it, here's the timeline, here's who owns it. Even partial remediation with documentation is meaningfully better than findings with no response. It shows awareness and effort. Which is a different story than awareness and nothing.
Where To Start
If you read this and felt a low-grade anxiety about what's sitting in your drives and inboxes right now, here's the first move. Just the first one.
Write a list of the systems where your records live. Email, text, shared drives, project management tools, accounting software, HR platform, physical files. All of them.
Then write a list of the record types in each one. Contracts, invoices, employee files, client communications, internal memos, whatever you actually have.
That's your inventory. Everything else, the retention periods, the destruction schedule, the policy document, builds from there. You can't manage what you haven't mapped.
The paper trail is only working for you if you built it on purpose. The good news is that it's not too late to start building it that way.
- m
Morgan Bobadilla, Esq. is the founder of Understory Advising PLLC. She spent over a decade as an in-house General Counsel and Director across aerospace, defense, manufacturing, banking, and staffing, building deep expertise in commercial contracts, regulatory compliance, export controls, employment law, and enterprise risk. She now brings that experience directly to founder-led businesses through retainer and flat-fee engageme
