Records management is an important part of your overall information governance strategy. Ensuring the authenticity and availability of records over time can help your organization achieve its mission. It also helps you ensure compliance with government laws and industry regulations.
At the center of your records management program are your records management policies. These policies define what information your organization must keep as a record, the procedures for managing those records, their retention periods, and procedures for ensuring their secure destruction. They also serve as the organization’s institutional memory regarding the establishment of the policies.
At Netwrix, we recognize the importance of records management policy for organizations’ data security and management practices, and we understand that creating new records management policies can be challenging. While it is easy to define basic retention rules, it is equally important to document the context for their maintenance and execution. That is why we have created a sample records management policy that your organization can use to get started — it lays out what you need to include in your policies, using financial records as an example.
This article explains some of the finer points of records management.
People Have to Take Responsibility
The most important component of records management is assigning responsibilities to specific individuals. Tracking who officially approved a particular policy is straightforward, but it’s also critical to specify who has long-term responsibility for the various aspects of the policy. Since the people in an organization change over time, your policy should not specify names but roles. If your organization renames or eliminates a role named in a policy, you will need to update that policy.
One role that many people overlook is the Executive Owner. A person with a seat at the executive decision level needs to understand the records management requirements and be involved in ensuring the policies are implemented. When this doesn’t happen, organizations tend to deprioritize their records programs during budget and planning cycles and pay proper attention to information governance only when something goes wrong. Mitigating the damage often requires far more resources than you would have spent to prevent the problem.
Remember the most important rule when assigning roles and responsibilities: Naming more than one person for a specific role will guarantee that nobody takes responsibility.
Explain the Why
It is critical to explain the business and regulatory drivers for your records management policies. The explanations need to be specific, include links to sources and list all the factors involved. This is especially important if the drivers appear to be in conflict. Providing these details does two things:
- It makes your records retention and records storage decisions more defensible. If an auditor or investigator looks at the policy, they will see the rationale behind the requirements.
- It provides the institutional memory of the regulatory and business environment that led to the policies, along with the recordkeeping Knowing how that environment influenced your organization’s information governance will enable the people who inherit the policies to make more informed decisions about what to modify or remove, so they can avoid changes that could land the organization in trouble.
Implementing Your Records Management Policies
We haven’t talked about implementation of the policy yet. You will notice that the sample records management policy doesn’t go into details either. That is because how your organization implements a policy will change over time, since both technology and business needs are constantly evolving, but the policy itself is comparatively stable.
Accordingly, the policy specifies who is responsible for executing the policy but not how. The Policy Owner should have a strong voice in how your organization implements the policy even though they may not be directly implementing the solution for managing electronic records. The task of deploying and maintaining any technical tools needed to implement the policy typically falls to the head of the technology support division, who is often the CIO.
Regardless of how your organization implements your records management policies, it is up to the business and technical leadership to work together to make it happen. The technical organization needs to understand why records management is important for the business. The business needs to understand the technical challenges posed by what they are asking. Together they can chart a path forward to meet the organization’s needs and prioritize the work to be done.
If you start with well-thought-out records management policies, you can explain to the entire organization what you are trying to achieve. You can then identify which of your records are at greatest risk for information loss or unauthorized access and apply your efforts there. Afterwards, you can slowly expand your organization’s capabilities until all records are properly managed.
While the sample records management policy focuses on financial records, it should help you understand the key concepts required in any records management policy. There may be additional considerations for your organization, but our template should provide you enough to start asking the right questions and begin moving forward.