'Compliance' is a commonplace term in the records management world. This isn't the first blog post to reiterate how critical it is to have a compliant RM program. But we'd like to make something very clear: proper records management is not about 'reaching compliance.' It's about ensuring compliance by implementing and then sticking to the process.
This article breaks this process down into a list to make it easy for your team. We also offer a free, full-length RM health checklist below for download.
Repeat after me: Reliability ensures compliance.
Reliability stems from a well-documented program and simple-to-follow processes. Building a compliant RM process is great and all, but sticking to it is what actually keeps your organization's records management compliant. You may have already seen our RM Health checklist; now we've created a compliance checklist. It includes simple questions to guide you through two important portions: creating a well-documented, compliant process and taking the necessary steps to make sure the program is followed.
Part 1: Create and document a compliant process
For a compliant RM process, it's critical to have developed policies and procedures with both your business values and legal requirements in mind. These should cover records storage, timetables, and roles clearly defining who does what. The most important part of creating this process? Making sure that it is well documented and easy-to-follow so there is no confusion after implementation.
We've marked major steps and encourage you to ask the following questions along the way:
a) Perform a Records Inventory
Before any policies or procedures get drafted up, you need to know what you're working with. Conducting a thorough records inventory to identify organizational records will help you get there. During inventory, it is useful to ask:
What are your organizational records and where are they stored?
Does your organization have both paper and electronic records? If so, have both types been quantified?
Have you identified the business-critical information?
Is this business-critical information easily accessible to your organization?
Has there been any thought towards identifying non-official records (i.e. convenience files)?
b) Build a Classification Scheme and Retention Schedule
Knowing what information you have and where it is stored, you need to set up a classification scheme and retention schedule appropriate for your organization. Ask yourself the following questions:
Have you written a classification scheme for your records?
Do you have too many classifications? Could they be cut down and simplified?
Can you align security, including Office of Primary Responsibility/Retention Approvers, with your classifications?
Have you developed a timetable determining scheduling around the lifecycle of your records?
When developing this retention schedule, did you consider best organizational practices?
Are these schedules fitting for appropriate business units?
Does the records retention schedule allow for easy records management and evaluation (e.g., external audits)?
Are there opportunities for fusing classifications based on shared retention schedules?
c) Consider Legal and Regulatory Requirements
When creating these retention schedules, it is pertinent to be aware of applicable legal standards and industry standards to make sure that your process not only adds business value, but also follows regulation.
Have you considered relevant laws on federal, state/province, and local municipality levels that could affect your records management program and retention schedules?
Have you identified relevant standards, regulations, certifications and best practices around records management that apply to your specific industry?
d) Ensure Security
How do you ensure the security of your records? By having clarity on where your information is stored, how it is safeguarded, and who has access. Some questions to ask when building a secure process:
Where is your information stored? Is your data, in all formats, accounted for?
How have access controls been set? Who is responsible for what in the records management process, and have they been given appropriate permissions?
Is your data backed up? Are you able to restore your information in case of a mishap, and if so, how long would restoration take?
Have you identified which records are vital for your organization and developed a Disaster Recovery Plan to ensure they are safe if there are any changes? Do you perform regular Vital Records Reviews?
Have policies and procedures been developed ensuring that information at all levels of confidentiality is properly safeguarded and marked immutable if necessary?
e) Know and Document Who Does What
For compliance, it's key to set clear definitions around the roles and responsibilities within your organization's records management so the process is carried out smoothly.
Have responsibilities and roles been established around all aspects of the records management process (content reviews, audits, etc.)?
Have records managers and any other relevant users been given appropriate access and permissions for the content?
Have these roles and responsibilities been clearly communicated and documented so everyone is informed and can refer back to documentation if there is any confusion?
Part 2: Follow Through
After a simple, well-documented process has been created, you must stick with it to truly ensure compliance. This requires maintenance, monitoring, and adjusting the process if necessary. Consider the following questions in the steps that lie beyond implementation:
f) Provide Good End User Training
With a well-documented process in place, establish a training program to get the appropriate departments aligned on all aspects of this process so it is understood and followed through as efficiently as possible.
With all aspects of the process implemented, has a training program been established?
Is this program well documented? Does it cover all aspects of records management and what is expected of appropriate employees and management?
Does this training program take into consideration new employees and other changes in the organization?
Does this training program get reviewed and updated regularly to stay current? Are the training sessions provided periodically to keep all employees up-to-date?
g) Audit Regularly
Both regular internal monitoring and external auditing are important to keep tabs on whether the process is being followed and where improvements can be made for increased efficiency and added business value.
Have both internal monitoring practices and external audits been implemented with appropriate employees and agencies?
Have these audits been scheduled and implemented to occur on a periodic basis appropriate for your organization?
Do implemented audits consider not only how records are being managed but also look at the overall process to consider what can be improved?
h) Expand and Upgrade with Compliance in Mind
Even beyond implementation, the process is not stagnant. As your organization grows, shifts and changes, the process should be able to grow, shift and change to remain fitting and compliant.
As you build and implement your compliant policies and procedures, are you documenting everything and considering how the program can be further expanded?
Can these policies handle minor and major organizational changes: anything from employee changes to mergers and acquisitions?
Are you using the most current version of your selected RM solution to hold and manage your records? Is this solution meeting your needs? If not, how can you identify a more fitting alternative?
Have you considered how to expand your RM program into the broader information governance space? For example, improved information architecture, data management, business analysis and procedures.
i) Regular Disposition
With everything implemented and regularly monitored, the final step of the records management life cycle is records disposition. We'll say it plainly: not following through with a scheduled disposition will compromise compliance. Stay reliable, ask the following questions, and execute on your scheduled disposition dates.
Have you created a disposition policy considering relevant organizational practices and regulations?
Are there set responsibilities around who is authorized to perform disposition approval reviews?
Are the disposition procedures scheduled and properly executed?
Does your organization have the appropriate people and technology to execute the necessary record destruction?
Breaking down the project and asking the right questions is critical to ensure that you have built out and implemented a compliant process that meets legal requirements, regulatory standards, and of course brings optimal business value to your organization. At the end of it all, we can't say it enough (so we'll reiterate once more): compliance stems from reliability. So after all of your hard work building this process out, ensure that it is well documented and simple enough to follow, and that you have the appropriate tools and support in place for this process to grow and adapt with your organization.
We'd like to support you with this. Download our full PDF of our RM health checklist to ensure your program is compliant: