Email is one of the fastest growing issues and risk factors in business today. In fact, email has become the number one form of communication between employees as a collaboration tool and with clients as a communications tool. While this is not a terrible thing, it is forcing organizations to reconsider how and when email should be used and captured as a matter of business record. This leads to the discussion of the development and refinement of an email policy to address governance and appropriate use.
One of the first things I like to do when approaching a project like this is to create a Concept of Operations (ConOps), a tool that provides insight and guidance on how to proceed for you and management. The basic ConOps consists of the following elements and serves as a communication tool to gain support and approval to move the project forward.
- Referenced documents
- Current system or situation
- Justification for and nature of changes
- Concepts for the proposed system and methods
- Operational scenarios
- Summary of impacts
- Analysis of the proposed system/methods
Once there is a good understanding of the current and future vision regarding email, the next phase is to develop the policy based on these findings. In the context of email management, your policy should describe how email will and will not be used and managed. You should include statements that reflect the organization's goals and culture, providing high-level guidance on what is expected and required of employees.
Many organizations that have developed email policies include positioning and definition on unacceptable usage, such as sending racist, sexist or otherwise objectionable messages. These often come about in response to specific incidents and are typically driven by HR or management. In addition, your email policy might include guidance on the use of signature blocks, personal use, external account access and privacy.
Your email policy should not be developed in isolation; instead, it should be included as part of a broader communications or information management policy. It should be a collaborative effort between corporate counsel and the IT staff, with each seeking to understand the needs and constraints the other faces. The policy needs to be approved by senior management and integrated as part of normal operations. Once approved and established, it needs to become part of the corporate culture through training, oversight and meaningful enforcement. Many employers and organizations do not train or instruct their employees on proper identification and handling of electronic records, information of business value and email usage, resulting in improperly managed corporate information, increased costs of maintenance and higher levels of risk.
Once your policy is in place and your employees have been trained, there is a need to monitor and ensure compliance on the part of the employee base. The only way to ensure that the organization is in compliance with applicable requirements and that it follows its own governance framework is to audit the entire organization. This does not have to happen all at one time, but be aware that exceptions to the audit tend to undermine the purpose and effectiveness of such a review significantly, increasing the potential liability of the organization.
Finally, any discrepancies found as a result of the audit should be documented and prioritized according to the potential impact to the organization. Based on these findings, identify the resources required to effectively address them and develop and implement a plan to correct the discrepancies identified in the audit. In some cases, corrective actions, such as retraining, suspension or even termination, may be the appropriate course of action based on the severity of the infractions.
In my view, governance over email is an essential part of any information management program. Having a solid, enforceable policy in place will aid in the proper management and defensibility of email use in your organization. A policy of no policy is no longer acceptable.
BOB LARRIVEE is director and industry advisor with AIIM International where he lectures and teaches about best practices in information and process management. Follow Mr. Larrivee on Twitter @BobLarrivee.