Nearly everything we do in business produces a record – whether it is a document, email, or transaction. These records help us make decisions in our organizations. Records are important for establishing what is known and when a person or the organization knew of an issue.
It is important to make sure that the control, storage, and use of records occur in the “normal course of business” and to demonstrate that the records accurately reflect a particular state in time.
Records can also be a liability!
Third party audits of records management policies, procedures, and technologies are important to demonstrate that the organization complies with the regulations, standards and best practices of the industry. How often you audit is based on risk, changes in laws and regulations, and changes in business processes or staffing.
Here are 10 steps to consider:
1—Develop an Electronically Stored Information (ESI) Data Map
Your ESI data map should:
- identify custodians of records and affected electronic systems
- cover data sources across the organization
- be defensible and maintainable
Your ESI data map is not an IT Disaster Recovery Data Map; however, it may integrate with automated data feeds from existing applications such as the HR system or broad master data management (MDM) solutions.
2—Analyze Your Policies
Information governance or records policies, a records management plan, and a records management program are all necessary for records compliance.
Review your policy statements, as they are the foundation of any records management strategy. Review and revise your records management plan to ensure awareness of the details of the rules for creating and capturing records and metadata, to include:
- receipt of records from other organizational or outside entities;
- maintenance of records and associated metadata;
- disposition (destruction or archival) activities; and
- appropriate documentation of those activities.
You should also review your destruction policies to ensure that they are defensible.
Ensure your records management program includes guidance on the record status of working papers, files and drafts, guidance concerning personal papers, and the use and removal of records.
The program should also provide guidance and instructions for documenting policies and decisions.
Remember, a written policy for email and instant messages, as well as for social communications via Twitter, LinkedIn, etc., is needed. Make sure your policies address corporate email being forwarded to personal accounts. This is not a good idea!
Co-mingling corporate and personal email is not a good practice either.
3—Review Your Records Inventory
All organizational records need to be identified and quantified, regardless of whether they are in paper or electronic or digital format. This is accomplished by conducting a records inventory, which is the first step in establishing a records program.
As you are reviewing the records, analyze them to ensure they follow the records retention schedule and comply with regulatory guidance.
Now is also a good time to identify areas for improvement in the handling of records. If you have not conducted an inventory, you are not ready for a records audit.
You may want to use or modify an industry standard template for conducting your inventory.
Don’t forget to inventory your records wherever they reside, including but not limited to file shares, network drives, thumb drives, computer drives, CDs, DVDs, microforms, and the cloud.
4—Review the Vital Records Plan
Every organization has vital records, which are the records necessary for the continuation of operations under emergency conditions.
Examine your organization’s vital records policies and procedures.
Do they identify which records are considered vital records and how they should be handled?
Review the backup and disaster recovery procedures for these documents. Examine the policies and procedures related to confidential information as well.
Be sure the policies and procedures for these special records are documented and address off-site storage, as well as backup and disaster recovery, for paper, electronic and digital vital and confidential records.
5—Develop a File or Filing Plan
In your file plan, document the indexing and classification schemes for arranging, storing and retrieving records.
Identify the regulatory laws, legal compliance, best practices and tests/metrics you are using with your records system.
It is best to organize your file plan via records series or categories.
Each records series or category should include a description of the category or series and/or document types/form numbers, the record keeping requirements, roles and responsibilities of those involved in the process, disposition requirements and associated non-records collections.
6—Review Retention Schedules
Review your retention schedules to make sure they include current references to statutes and other regulations for the records series. Make sure the retention schedules apply to paper, electronic and digital records.
Evaluate your records for:
- Administrative purposes: include control and review (i.e., external audit), fiscal and tax purposes
- Regulatory, Tax and Legal purposes: compliance-based including statutes of limitation considerations and the rights and obligations of the respective counterparties
- Informational purposes: research value typically determined by business units themselves
While you are reviewing your retention schedules, take this opportunity to review your backup/disaster recovery plans, as well, to make sure:
- Records are protected and backed up (Remember – not only the record needs to be protected but the metadata as well)
- The frequency of the backups is adequate; determine if your organization needs to have a backup site
Also, I cannot emphasize enough the intersection with the regulatory requirements that govern your industry.
7—Safeguard Your Information
It is important to safeguard your information. You must ensure the protection of all confidential information, including information that is proprietary to the organization.
Check your records systems and communications to ensure proper:
- Treatment of security designations
- Internal and external access privileges
- Labeling of documents and communications
- Tracking of record creation, access, modifications, deletion, and transfers
- Identification and protection of records under hold orders
8—Review Your Disposition Procedures
It is equally important to discard information when it no longer has business, legal, fiscal, historical or regulatory value as it is to protect and store it while it retains that value.
Destruction of information must be carried out in accordance with the established records procedures and policies. Those procedures and policies should document the method of destruction in accordance with the confidentiality of the records.
Whether the organization is destroying or archiving records, it must determine the extent to which it is necessary to retain record metadata.
The steps for destroying information must also be documented and maintained as a record.
Plan for checkpoints in the destruction process that evaluate the record against the disposition information in the records retention schedule.
Decide whether information will be destroyed on the exact date it reaches the end of its retention period or whether destruction can be postponed to a defined date and time, such as quarterly.
You should have a defensible destruction policy.
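The disposition checkpoint described above (evaluate each record against the retention schedule, never touch a record under a hold order as called for in step 7, batch destruction to a defined date such as quarter end, and keep the destruction log as a record of its own) can be expressed as a small script. The following is an added example, not code from the original article or from 10XTS; the retention schedule, the records, the hold identifiers and the citation strings are constructed placeholders, and the function names are the example's own.

```python
"""Disposition checkpoint: evaluate records against a retention schedule,
respect legal holds, batch destruction to quarter end, and emit a
destruction log that is itself kept as a record. Schedule, holds and
records below are constructed sample data, not from any real program."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed retention schedule: records series -> retention years and the
# authority the rule cites. The citations are placeholders, not real references.
RETENTION_SCHEDULE: Dict[str, dict] = {
    "HR-PERSONNEL": {"years": 7, "authority": "PLACEHOLDER statute ref"},
    "FIN-INVOICE": {"years": 5, "authority": "PLACEHOLDER tax rule ref"},
    "CORR-EMAIL": {"years": 3, "authority": "PLACEHOLDER internal policy"},
}

@dataclass
class Record:
    record_id: str
    series: str
    closed_on: date          # trigger date that starts the retention clock
    custodian: str

@dataclass
class Decision:
    record_id: str
    action: str              # "retain", "hold", or "destroy"
    eligible_on: Optional[date]
    scheduled_on: Optional[date]
    reason: str

def add_years(d: date, years: int) -> date:
    """Add whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def quarter_end(d: date) -> date:
    """Last day of the calendar quarter containing d (the batch date)."""
    q_end_month = ((d.month - 1) // 3 + 1) * 3
    if q_end_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, q_end_month + 1, 1) - timedelta(days=1)

def evaluate(record: Record, as_of: date, holds: Dict[str, str],
             schedule: Dict[str, dict] = RETENTION_SCHEDULE,
             batch_quarterly: bool = True) -> Decision:
    """Checkpoint for one record. A series with no schedule entry is retained:
    an unmapped series is a gap in the schedule, never a reason to destroy."""
    rule = schedule.get(record.series)
    if rule is None:
        return Decision(record.record_id, "retain", None, None,
                        f"series {record.series} has no retention rule")
    eligible = add_years(record.closed_on, rule["years"])
    if record.record_id in holds:
        # Hold is checked before eligibility: held records are never scheduled.
        return Decision(record.record_id, "hold", eligible, None,
                        f"under legal hold {holds[record.record_id]}")
    if eligible > as_of:
        return Decision(record.record_id, "retain", eligible, None,
                        f"retention runs until {eligible.isoformat()}")
    scheduled = quarter_end(as_of) if batch_quarterly else as_of
    return Decision(record.record_id, "destroy", eligible, scheduled,
                    f"past {rule['years']}y retention ({rule['authority']})")

def run_checkpoint(records: List[Record], as_of: date, holds: Dict[str, str],
                   batch_quarterly: bool = True) -> Tuple[List[Decision], List[dict]]:
    """Evaluate every record and build destruction-log entries. The log keeps
    identifying metadata (id, series, rule, dates, custodian) but no record
    content, so it can be retained as the record of the disposition itself."""
    decisions = [evaluate(r, as_of, holds, batch_quarterly=batch_quarterly)
                 for r in records]
    by_id = {r.record_id: r for r in records}
    log = []
    for d in decisions:
        if d.action == "destroy":
            r = by_id[d.record_id]
            log.append({
                "record_id": r.record_id,
                "series": r.series,
                "custodian": r.custodian,
                "closed_on": r.closed_on.isoformat(),
                "eligible_on": d.eligible_on.isoformat(),
                "scheduled_on": d.scheduled_on.isoformat(),
                "authority": RETENTION_SCHEDULE[r.series]["authority"],
                "method": "PLACEHOLDER method per confidentiality class",
                "approved_by": "PLACEHOLDER records manager",
            })
    return decisions, log

# Constructed sample input: four records, one hold, evaluated as of 2023-08-15.
SAMPLE_RECORDS = [
    Record("R-1001", "HR-PERSONNEL", date(2015, 3, 31), "hr-admin"),
    Record("R-1002", "FIN-INVOICE", date(2019, 2, 10), "ap-clerk"),
    Record("R-1003", "CORR-EMAIL", date(2020, 6, 1), "j.doe"),
    Record("R-1004", "MKT-DRAFT", date(2010, 1, 1), "marketing"),
]
SAMPLE_HOLDS = {"R-1003": "HOLD-PLACEHOLDER-01"}
AS_OF = date(2023, 8, 15)

if __name__ == "__main__":
    decisions, log = run_checkpoint(SAMPLE_RECORDS, AS_OF, SAMPLE_HOLDS)
    for d in decisions:
        print(f"{d.record_id}: {d.action:7} {d.reason}")
    print("destruction log entries:", len(log))
```

Two design points carry the weight here: the hold lookup runs before the eligibility test, so a held record can never reach the "destroy" branch no matter how far past its retention date it is, and a record whose series is missing from the schedule is retained rather than silently destroyed. The log entry records the rule and authority that justified the destruction, which is what makes the policy defensible after the content is gone.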
9—Establish an eDiscovery Response Plan
Steep penalties are levied for not providing information as requested in litigation. To ensure you will not have to pay fines, it is best to set up a Discovery Response Team that includes key members from Legal, IT, Records Management, and Compliance.
The team is engaged to ensure reasonable and proportional responses to legal holds, collections and production that minimize costs while complying with legal responsibilities.
The Discovery Response Team should develop resources such as guidelines, workflows, and templates that cover:
- legal hold distribution
- release of holds
- collection of information
- collection and processing forms, including Chain of Custody and Release of Holds
Additionally, the team should develop a process that provides a defensible and consistent process with metrics, auditing, and routine data reduction that can be used any time an eDiscovery effort is required.
Your Discovery Response Team ensures that you can respond should you receive a legal hold request. The team remains inactive until you are notified of an eDiscovery action, but it must be activated at the first hint of pending litigation.
10—Train, Monitor, & Audit
Establishing your records program is only one part of ensuring your records will be maintained correctly. The records program must be documented and have training materials.
Records training should be a part of the onboarding training that all new employees receive. Provide refresher training sessions for those who have been with the organization for a while. It is often a good idea to refresh everyone’s understanding of records management on a regular basis.
Do not wait until an audit from a third party is knocking at your organization’s door. Perform a self-audit at regular intervals to recommend opportunities for improving the processes or procedures you have in place.
Dust off the training materials and run a refresher training session.
If you have followed all the steps I’ve listed here, you should be ready for an audit, whether it’s a self-audit or an audit conducted by a third party organization.
Let 10XTS Help!
Let us help you organize your information chaos and simplify your transition into a digital-first organization with a comprehensive digital asset governance, risk and compliance solution.