A decision maker's guide to organizational records management strategy

Records management strategy is the cornerstone of meeting IT compliance guidelines and regulations. Learn what resources and characteristics you need to stay up to speed.

In the past, unless you were being sued or were part of some niche industry, records management strategy was often left on the back burner. Of course, that was before federal regulations such as the Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability (HIPAA) acts started to mandate strict recordkeeping requirements.

It's not unreasonable to expect for some of even the midsized organizations to spend a million dollars when the dust settles.

Add to that the risks associated with the large amount of data the average organization handles, and you would think records management strategy is at the top of many companies' priority lists. That isn't always the case, however.

"A lot of organizations don't do a very good job of it, if they do anything at all," said Jim Just, a partner at Imerge Consulting Inc., about the lack of respect for records management. "They just sort of let it roll along at its own impetus. They need to get control of it, and they are starting to realize it."

So, how do you get started on a solid records management strategy? Like most business initiatives, it starts at the top with senior management buy-in and sponsorship. But which department actually takes the reins is open to interpretation.

Depending on the strategy, records management could be helmed by the CIO, corporate counsel or facilities management; the information management or even risk management departments are other possibilities. IT should definitely be involved, especially when handling records kept in structured applications or big databases.

Records in big applications should be dealt with by systems administrators who can accurately determine when they are no longer needed.

"I think some organizations will have chief compliance officers or a compliance organization to deal with compliance regulations, and will be a key player when developing a records management strategy," said Kenneth Chin, a research vice president at Gartner Inc. covering enterprise content management.

Research and develop your policy

With the leadership team in place, the next step is developing the company's record management policy. Start by asking questions about what records you have, who keeps them and how long they need to be kept. Using this information, the company can set a records retention schedule to determine what can be disposed of and when.

These retention schedules list every record the company has, and include an authorized retention period, a process to review those schedules on a regular basis and an authorization process so the schedules become part of the company policy.

"The very first thing you need is a retentions schedule -- before you put in any systems or procedures, before you put in any hardware or software," said Ellen Zimmerman, president of Naremco Services Inc., a New York-based consultancy specializing in records management.

For the majority of records at most companies, the retention schedule should be based on business needs. The company's records management team can interview departments beforehand to determine what their processes are, how long they need to keep records and for what purpose.

The company's legal history should be kept in mind as well, Zimmerman said. "If they've had a history of issues in a particular area, they might want to keep those records longer, or if they've had some sort of settlement that might require them to keep them for a particular time," she said. "They need to really have an understanding of their legal history when they set these retentions."

Automating as much of the record keeping as possible is very beneficial. Any business processes should have records declared automatically out of those processes, Chin said.

"If you have the ability to categorize and classify the records, you want to be able to do that," Chin said.

Most records management projects are part of broader certified content management platforms, or enterprise content management suites. Typically, the content management system can help classify the records. But this can be challenging when starting out, especially when it comes to shared drives, Just said.

Much of the content on shared drives is poorly classified or completely unclassified, creating what Just calls "feral content."

"Getting control of that can be a challenge," Just said. "You'll find a lot of stuff out there, like 'John's stuff' or 'Jim's stuff' -- that type of thing. That's always a nightmare -- it's pretty hard to classify."

Users have to be properly trained and kept informed throughout the process as well. Simple instructions and procedures, such as what are and aren't records and how to properly maintain them, are a huge help.

"There has to be training, and there has to be procedures for going about the process," Zimmerman said. "People have to know what it is they're supposed to be doing, when they're supposed to be doing it and how they are supposed to be doing it."

Evaluate the costs of records management

When implementing a records management program, the size of the corporation and the type of industry is going to make a difference. But don't expect to be done in six months.

Typically, an organization with about 2,000 to 3,000 users can count on a multiyear process by the time it is done setting the records management schedule and policy, selecting and implementing the technology and training users. This can lead to some significant costs.

"It's not unreasonable to expect for some of even the midsized organizations to spend a million dollars when the dust settles," Chin said.

A majority of the cost is due to the people factor, Just said. When setting up an information architecture, you need classification schemes and a taxonomy of information. These all need to tie into the retention schedule, which must be updated constantly with any new digital content.

"You need to update all of those components, then you need to have the people to support the program itself," Just said. "That's usually where the cost comes in."

Records management maintenance and compliance

Certainly, compliance regulations are a big driver of records management strategy. Adhering to SOX requirements, for example, requires a solid content management system and can have a huge impact on an organization's desire to improve recordkeeping processes, Just said.

"You effectively put in a content management system so you are compliant with Sarbanes-Oxley, not the other way around," Just said.

More on data management

As data proves invaluable, compliance department expands strategy role

The evolution of data protection strategy in the cloud and BYOD era

Adhering to SOX and other relevant compliance regulations should be part of the ongoing records management process, as doing so can help in policy development and maintenance.

"You need to understand [these compliance regulations] on the front end, and you need to look at them when you start developing the records retention and information management policy, because that will determine what you need to keep and what you can get rid of," Chin said.

Compliance programs can also be incorporated into the records management strategy. These programs include audits to keep up with how well people are adhering to the strategy and whether they are following retention schedules.

An internal audit department could complete these processes, or a records manager could examine each department periodically to make sure it's doing a good job.

"You might even have every department head sign off to say that they are aware that reports are following the records management procedure," Zimmerman said.

Let us know what you think about the story; email Ben Cole, Associate Editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Dig Deeper on Information management and governance

Business Analytics
Data Management