Records and Information Management Best Practices
Why Do You Need Best Practices for RIM?
As the number of laws and severity of punishment related to governing records continue to increase, it is becoming paramount that organisations implement and execute the best practices for proper records and information management.
While we live in the Information Age, not all information created or received by an organisation rises to the level of being an official business record – this important subset requires deliberate management because these records provide evidence of business transactions, decisions and satisfaction of legal obligations. Management of records has become increasingly complicated due to the wide array of formats we work with: paper, electronic files, email, instant messages, social media, big data and more. It is further challenged by where those records can be found: in numerous applications, file shares, mobile devices, the cloud, tape and the list goes on. In addition, industry and segment-specific regulations around records management continue to expand. A compliant Records and Information Management (RIM) programme is necessary for organisations to proactively and progressively manage all business record content, regardless of its format or location. Organisations need to demonstrate “good faith” intentions to follow these best practices consistently and accurately, with audits playing a vital role for defensibility.
The Iron Mountain best practices initiative is a direct response to requests from our customers for guidance on:
- Best-in-class compliant RIM practices
- Continual programme improvement ideas
- Government regulations that impact RIM.
Now, more than ever, it is critical that organisations have solid records management practices in place for all record types, across all business units and in all countries. These practices should feed into a comprehensive and consistently applied RIM master plan. Organisations that meet and demonstrate regulatory compliance will successfully mitigate litigation risk, while others scramble to protect their corporate reputation and shareholder value.
This RIM Best Practices guide represents the collective experiences of hundreds of thousands of Iron Mountain customers — and more than 60 years of records management history. From those years of experience, records management fundamentals have been tried and proven true, processes and workflows have been crystallised for greater efficiencies and less exposure, and best practices have evolved to cover the many integral aspects of proper records management, including the explosion of electronic records. These best practices are provided here as a practical approach to a comprehensive and compliant records and information management programme.
Key Components of Information Governance
Information Governance is the multi-disciplinary enterprise accountability framework that ensures the appropriate behavior in the valuation of information and the definition of the roles, policies, processes, and metrics required to manage the information lifecycle, including defensible disposition. An organisation with a solid foundation of proven successful RIM practices will foster collaboration among key stakeholders in an environment of comprehensive information governance: legal, IT, business units, records management, compliance etc. It will also:
- Establish ownership and accountability of the RIM programme.
- Retain the right information for the correct length of time, and securely dispose of it when it is no longer required.
- Meet legal discovery requirements faster and more cost effectively.
- Use technology to manage records and improve your programme.
- Archive vital information for business continuity and disaster recovery and long term retention.
- Control and manage records storage and destruction fees.
- Integrate policies and procedures throughout your organisation.
- Arrange for continuous training and communication throughout the organisation.
- Review and audit to improve programme continuously.
These components are integral to a compliant RIM programme. Independently, each represents a good practice. As a unit, they serve as a solid foundation of best practices for RIM.
Why is Consistency so Important?
There is one phrase that resonates as a theme for simple and complex aspects of compliant records and information management programmes: CONSISTENCY IS KEY.
RIM Best Practices
- Policy and Procedures
Records Managers are being advised by judges involved in discovery cases to destroy records that have met their retention requirement, provided they are not on a legal hold and that there is an approved Records Retention Schedule in place.
Steps for consistency begin with developing an enterprise-wide Records Retention schedule for your organisation and implementing it across all business units and countries. Writing, publicising and training employees about your RIM Policy and Procedures will assist with making it a standard in your organisation. Instituting a records coordinator network in the business units or departments will enable compliance. Formalising records destruction practices for both paper and electronic records, and destroying records consistently and systematically with the help of technology are important as well. Regularly auditing your programme and remediating for inconsistent practice is vital to keeping your system working to its most efficient degree.
These and many other aspects of Compliant Records Management are listed after each of the seven Best Practices areas. Keep your programme elements simple: perfection is the enemy of “good” and remember that your programme can evolve over time. Your RIM programme will be judged by the consistency of its implementation and execution, not the details of the programme’s design. For each of these Best Practices areas we have included an overview and tips for compliance.
Where Do We Start
Awareness of RIM is required at every level of the organisation to achieve compliance. Without senior-level sponsorship and commitment, the programme is far less likely to thrive. There should be a corporate records manager to administer the programme for the enterprise, as well as a designee in each business unit accountable for implementation in their area. Finally, each employee should be required to acknowledge that they have read and understood the RIM policies and procedures.
Ideally, a Senior Executive should be named as the owner or advocate of the programme. This person typically sits in the Legal, IT, Compliance or Risk functional areas. He or she should be able to help influence practices, personnel and funding necessary to ensure compliance.
The early creation of a steering or governance committee composed of senior management across key departments is instrumental to the success and implementation of a compliant RIM programme. By creating an active steering committee, your organisation will be positioned to proactively address the changing business climate and the ever-increasing regulatory controls for RIM. And, we have learned that successful and sustained programmes require top-down leadership.
Once your steering committee members have been identified, we suggest they each read and make sure they fully understand the best practices in this guide.
An enterprise-wide RIM programme Steering Committee consisting of eight to ten people, composed of a designated Records Manager and representation from Legal, IT, Compliance, Tax, HR, Risk Management and key business units to be responsible for oversight of the RIM programme, high-level management and strategic insight.
Steering Committee meetings at appropriate intervals to assess the current state of the RIM programme. Specific responsibilities include providing high-level management and oversight of the programme, and ensuring that the RIM programme is properly maintained and adhered to, and updated by recommending/approving staff and system resources.
A Corporate Records Manager to administer the programme and facilitate accountability throughout the entire organisation.
The records management function with the appropriate resources and experts, both internal and external, by providing online RIM training for all employees, testing for certification and engaging the business units in the process early and often, as they are ultimately responsible for making compliance happen.
RIM programme information regularly to employees through engagement with internal marketing and communications resources.