There are four fundamental questions senior executives must ask about records and information management (RIM) to fully understand the essential components of a RIM program. The answers discovered in the process will provide the foundation for building the RIM program at your organization.
1. Why Do You Need to Keep Records and Information?Records and information leave a footprint of the business activities and transactions of the organization, which can be an asset and liability. There are three compelling reasons for retaining them. Foremost, all organizations must comply with relevant laws, regulations, industry standards, and policies. If consistently out of compliance, it can spell trouble for the organization with regulators and customers, potentially damaging the business.
Secondly, balancing the risk of an organization's ability to defend itself against adversarial actions—such as litigations, claims, investigations, and audits—or to assert itself, such as with intellectual property or contractual rights, are critical drivers for many programs. Lastly, an organization must appropriately retain records and information to operate efficiently and productively and to make informed decisions to drive the business.
Often, these reasons alone justify the need to properly retain records and avoid potential consequences, such as fines, sanctions, unfavorable judgments, or loss of reputation.
2. What Records and Information Should You Keep?To sustain business effectively, an organization must know what to retain or discard. In weeding through the morass of records and information, you should focus on three primary buckets of information. Otherwise, there is no reason to keep them.
- Official Records: These are official copies of records listed in the organization's records retention schedule, which need to be retained for the stated retention period in the normal course of business. They should be discarded at the end of the period.
- Legal Holds: In case of adversarial actions, records and information must be suspended from disposal in the normal course of business and retained until the hold is released. Subsequently, it can resume normal retention and disposition.
- Work Files: Messages, drafts, redundant copies, workpapers, ad hoc reports, and other reference materials should only be retained if they have business value for the purpose they serve. Otherwise, they should be discarded as soon as possible.
3. How Should Records and Information Be Governed and Managed?A legally defensible RIM program must be governed and managed systematically and consistently. It must contain three foundational program elements.
The most important program element is the RIM policy, including the records retention schedule, without which a program cannot exist. The policy sets forth mandates for managing, protecting, retaining, and disposing of records and information in a systematic, consistent, and legally defensible manner. The rules must be easily understood, repeatable, and enforceable.
In addition, there must be defined processes and written procedures. Processes provide guidelines for implementing the policy, and procedures offer step-by-step instructions for tasks that must be executed in a specific order or manner. The RIM process begins with knowing what records the organization has, where they reside, and what to keep.
To implement the RIM program successfully, there must be appropriate communications and training for those expected to execute on the program. This is essential for successful implementation. Employees must know what to do and how to do it. Having a policy and the records retention schedule alone is not sufficient.
4. What Resources Are Needed to Support the RIM Program?Once the foundation is laid, it will take additional resources to implement, support, and sustain the program over time. First, an adequate and consistent budget is vital to support the program and includes funds to run the RIM office, maintain routine RIM activities, and undertake special projects.
Secondly, people are an integral part of the RIM process—it does not happen magically. Engage employees who create and use records and information. Develop a network of RIM liaisons in the business within their area of responsibility. If possible, form an information governance committee or task force with representatives from RIM, legal, information technology services, information security, risk, data privacy, and business unit leaders to coordinate information governance initiatives.
Lastly, tools and technologies are often overlooked to facilitate the RIM process. They can help classify and manage content; search, index, and analyze data; protect sensitive information; provide content storage; implement retention and disposition; migrate or move content; aid in e-discovery; and perform other tasks that would otherwise be manual and time-consuming.
Senior management must understand these essential components to provide executive support for the RIM program. Any mandates, initiatives, projects, program activities, and resources should satisfactorily justify these four questions to provide value on investment. In the coming year, we will review all the necessary components of a RIM program in more depth.