Figure 13-1: E-mail with a link to the policy.
Chapter 13
Codifying the Policies
In This Chapter
Developing a policy
Distributing the policy
Auditing for compliance
An effective Records and Information Management policy is essential to the success of your program. Policies provide the operational framework that employees need to make proper decisions. Therefore, it’s important to develop a Records and Information Management policy that not only encompasses key aspects of the program but also provides employees with the guidance they need to manage the life cycle of organizational content. In this chapter, you find out what a policy can do for you, what makes it effective, and how to increase policy compliance.
Developing a Records and Information Management Policy
If you’ve been tasked to help develop your company’s policy — congratulations, you have a great opportunity to shape how your organization will manage its records and information. As you prepare for the process, it’s a good idea to understand what makes a policy effective; the better the policy, the better the compliance. The following sections guide you through the objective of a policy, the basics needed for a good policy, and what not to include in your policy.
Understanding what a policy is (and isn’t)
A good starting point in developing a Records and Information Management policy is to understand what a policy is — and isn’t. A policy isn’t a procedure. A policy instructs employees what to do; a procedure provides steps on how to do it. It’s important as you draft a policy to provide direction, but not the steps to get there. However, as you draft your policy, it’s recommended that you make notes of subject matter included in the policy that will require an associated procedure.
Some organizations refer to their retention schedule as their Retention policy or Records Management policy. It’s important to understand that a retention schedule isn’t a Records and Information Management policy; it’s a tool, like your policy, that supports your overall Record and Information Management program.
The basic characteristics of a good policy
Policies are meant to be communicated and followed. A concise, clear policy has a better chance of being accurately followed than one that’s open to employee interpretation. To create an effective policy, some basic guidelines should be followed:
Simple: Employees need to be able to understand what you’re trying to communicate. Avoid using overly formal wording, acronyms, and long sentences.
Concise: A policy doesn’t have to be long to be effective. Employees have core functions that they’re responsible for performing each day. Many employees will not take the time to review a policy unless it’s mandatory and the company has the ability to monitor participation. To improve your chances that employees will actually review the policy, keep it as brief as possible.
Relevant/specific: The policy should address relevant issues and provide specific direction that will guide the employee’s decision-making. Policies that aren’t specific inevitably lead to inconsistent employee behavior. Inconsistency leads to reduced policy compliance and an increase in organizational risks.
Enforceable: It’s assumed that what’s contained in a policy can and will be followed. Therefore, the policy shouldn’t include any elements or directions that are impossible for employees to follow due to issues such as lack of technology, resources, or training.
Talking records and information
After you have an understanding of basic policy characteristics, it’s time to determine what Records and Information Management topics to include in the policy. You should cover several important areas. The following is a list of specific areas that should be included in your Records and Information Management policy:
Purpose: The purpose states the reason for (or the objective of) the policy. For example, “The purpose of this policy is to ensure the complete life cycle management of organizational information.”
Scope: The scope communicates what and who the policy applies to. For example, “This policy applies to all company employees and governs the management of physical and electronic information.”
Glossary: A policy often includes terminology that’s unfamiliar to employees. It’s recommended that the policy contain an appendix with definitions, or if you plan to post the policy on the company’s intranet, you can create hyperlinks between the terms and their definitions. This eliminates the need for the employee to scroll to the glossary page to look for a definition.
Audits: The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.
Vital records: It’s recommended that the policy contain a section on the identification and protection of the organization’s vital records. The policy may indicate that it’s the responsibility of each department head to identify his or her vital records and work with the appropriate parties to ensure that the information is appropriately protected.
Retention schedule: The policy should contain a section that specifically addresses the purpose of the retention schedule and the requirement that the schedule be followed. Additional information can be provided that informs employees that all modifications to the existing retention schedule must be authorized and specifies who to contact if they need to request a modification.
Information hold orders: All employees should fully understand their responsibility regarding information hold orders. The policy should clearly state that any information on hold as part of an active or anticipated lawsuit, audit, or regulatory investigation should be retained, even if its retention period — according to the organization’s records and information retention schedules — has expired.
Record storage: The policy needs to state that organizational records should be stored with approved vendors only. In addition, the policy should inform employees that requirements exist for the onsite storage of records, and that said requirements can be accessed via a link or as a policy appendix.
Hard/shared network drives: The policy should provide guidance on the use and maintenance of hard drives and shared network drives. One such rule could be as follows: “Hard drives (C: drives) are not to be used for the storage of company records or information of business value. These content types must be stored in a repository accessible by employees with appropriate authorization.” The policy should instruct employees to regularly maintain files located on hard drives as well as on shared network drives.
E-mail: How an organization manages e-mail is largely dependent upon available technology. When developing this section of the policy, you should determine what technological resources are available to employees. Some items often addressed in this section include prohibiting employees from forwarding company e-mail to their personal e-mail accounts and/or minimizing the distribution of attachments and retention of e-mails. Often the management of e-mail is addressed in two separate policies. The Records and Information Management policy addresses e-mail from a content management perspective, while Human Resources may issue an e-mail usage policy that instructs employees on the proper use of e-mail — the injunction not to send offensive or harassing messages, for example.
Information destruction: The policy should include a section on information destruction. Topics here could include proper methods for the destruction of physical and electronic information, a stipulation that only those vendors preapproved by the organization be used, or an insistence that certificates of destruction be both received and maintained.
The items listed here are general Records Management topics that should be addressed in your policy. However, depending on your organization and the industry in which it operates, you may need to add additional items.
To develop an accurate and comprehensive policy, it’s recommended that you consult with key departments that have a stake in the policy outcome such as the IT, Legal, Tax, and Compliance departments. Discussing the proposed subject matter with these areas can provide you with additional perspectives and ideas on how to make the policy more effective and ensure that you don’t include items that are unenforceable. After creating your initial policy draft, you should distribute the policy to the stakeholder departments for their review, feedback, and approval.
Making the Policy Available
After your Records and Information Management policy has been documented and approved, it’s time to put it into action. Depending on the size of your organization, it may be a challenge to ensure that employees are aware of its existence. However, creating awareness of the policy is only part of the equation; employees also need to read, understand, and follow it.
The following sections examine options for distributing the policy throughout your organization. Some options may be a better fit for your company than others, but one of them will likely meet your needs.
Distributing the hard copy
Distributing a paper copy of the Records and Information Management policy to each employee is the least recommended option. Like most organizational documents such as procedures and organizational charts, policies are periodically modified. When you distribute a hard copy of the policy, employees may place it in a file or a binder and refer to it as needed. When a modification is made and distributed to employees, they may not update their file or binder, which results in employees following an outdated policy.
However, this approach may be the only option for small businesses. Due to having fewer employees, smaller organizations are normally more effective at controlling the distribution of hard-copy documentation. If you must distribute the Records and Information Management policy in hard-copy format, you should attempt to collect the old policy from employees as you are handing out the updated version.
Attaching a soft copy
A soft copy is an electronic version of a document. So, if distributing a hard copy of the policy is not recommended, distributing a soft copy should be okay, right? Unfortunately, this approach is also not recommended. When you distribute the policy as a soft copy, such as an e-mail attachment, you face the same issues related to hard-copy distribution. Employees may save the policy and periodically refer to it. When changes are made to the policy, employees may still continue to use the old version. Compared to hard copies, it can be more difficult to ensure that previous soft-copy versions of the policy are not used due to the various repositories in which they can be stored.
Although distributing the policy as a soft copy or hard copy has drawbacks, soft-copy distribution offers some advantages over hard-copy distribution. The policy can be distributed efficiently as an e-mail attachment. This approach can help ensure that all employees receive a copy of the policy while reducing paper and printing costs. In addition, distributing the policy via e-mail allows you to provide additional comments regarding the policy and the need to review it. You can also require employees to respond to you via e-mail by a certain date, acknowledging their review of the policy. This allows you to save the responses as evidence of policy distribution and review.
The missing link
The best approach for distributing the Records and Information Management policy is to have employees come to the policy instead of sending the policy to employees. You can accomplish this by using the company intranet. For example, you can send an e-mail to all employees notifying them that the policy has been posted to the intranet. The e-mail should contain a hyperlink that, when clicked, takes the employee to the policy posted on the intranet. An example is shown in Figure 13-1.
Additionally, you can create a Records and Information Management Department page on the intranet that allows you to post other related documents, such as the retention schedule, storage requirements, and request forms. This approach allows you to maintain the most current version of documents on the intranet, eliminating the need to manually distribute updates.
It’s important to remember that employees may still be able to print documents such as the policy from the intranet. To help reduce printing of forms that are periodically updated, you can insert verbiage on the form instructing employees not to print them. In addition, you can include a sentence at the end of the policy that states, “Only current as of date printed.”
Auditing the Policy
Unaudited policies lack credibility. Organizational policies are frequently called into question by the courts and regulatory entities. Companies should be able to provide evidence of establishing relevant policies, training employees to follow them, and auditing their policies for compliance.
Audits are conducted to measure levels of organizational risk. Risks are categorized as compliance, financial, operational, and external. The categories associated with records and information typically involve compliance and operational risks.
Traditionally, audits are intended to determine whether employees are following the organization’s policies and procedures. However, audits can also provide insight into whether a policy or procedure is effective or whether such policies and procedures need to be modified. Organizations should take steps to periodically audit their Records and Information Management program to ensure that the company is in compliance with laws, regulations, and operational mandates — and to determine whether the policy needs to be revised. The policy is the foundation for determining what should be audited, as well as for developing an audit plan.
Developing an audit plan
An audit plan involves developing a strategy or course of action for conducting an audit. Prior to conducting an audit, the auditor will develop an audit plan consisting of the following elements:
Audit areas: A key process in developing an audit plan is determining what needs to be audited. The primary objective of an audit is to identify areas of risk. Therefore, a Records and Information Management audit will typically include policy areas that, if not complied with, create the greatest potential for risks.
Testing: After the elements of the policy that need to be audited have been identified, a process must be established that allows the auditor to accurately test for compliance.
Communication: A communication plan should be created and distributed to company departments and operations that are subject to the audit. The communication provides management with insight into when the audit will occur, what will be audited, and how to prepare for the audit.
Audit findings report: After the audit is completed, the auditors will consolidate their findings into a report that will be distributed to management for review.
In medium to large organizations, an employee from the Internal Audit department normally develops the audit plan in conjunction with the Records manager or company employee assigned responsibility for overseeing the management of records. Companies that don’t have an Internal Audit department may use an external audit firm to conduct the audit or assign the audit task to the Records manager.
Determining what to audit
An effective and comprehensive Records and Information Management policy provides a road map for determining what key areas to audit (audit points). The Records and Information Policy areas that should be regularly audited are listed as follows, along with testing recommendations for each item:
Policy acknowledgment: Policy acknowledgment refers to a process for verifying and documenting employee review of the policy. Proof of acknowledgment can exist in the form of e-mails from employees, communicating that they’ve reviewed the policy and when the review took place. In addition, some organizations require employees to review the policy via the company intranet and use the employee’s network ID to track whether the employee reviewed the policy.
Vital records: During the audit, the auditor may ask the department head to identify which record types have been classified as vital and request information on how the records are being appropriately protected. This may include the creation of digital copies, nightly disaster recovery backups, and hard copies sent to off-site storage.
Retention schedule: To test retention schedule compliance, the auditor can review records in storage and compare them to the schedule to determine whether any content is being retained longer than prescribed by the schedule. A list of information hold orders should be provided to the auditor. This allows the auditor to determine whether records being held beyond their retention period are part of a hold. In addition, the auditor should examine the destruction log to determine whether any information was destroyed or deleted prior to the expiration of its retention period.
Inactive records: An audit of inactive records may include determining whether departments are routinely transitioning inactive records from active storage such as file cabinets to inactive or archive storage to reduce the number of file cabinets that need to be purchased.
Information hold orders: The auditor should review all information hold order notifications and ensure that the appropriate records and information have been placed on hold. Depending on the size of an organization, the auditor may perform a sampling. A sampling is a test population that represents a percentage of the total applicable volume. The auditor should also review the destruction log to determine whether any records associated with a current hold have been destroyed.
Record storage: This portion of the audit involves inspecting all onsite areas used for the long-term storage of company records. The auditor should reference the organization’s on-site storage requirements checklist to ensure that the area meets the necessary standards. The auditor should determine whether any operations are sending their records to an offsite storage vendor. If they are, the auditor should verify that the vendor has been approved by the organization. In addition, the auditor can review invoices to see whether any payments are being made to unauthorized storage vendors.
Hard/shared network drives: The objective of this portion of the audit is to determine whether employees are saving company records and business-value information on their hard drives and whether employees are regularly maintaining information saved to shared network drives. To test compliance, the auditor should visibly inspect all pertinent drives.
E-mail: Typically an e-mail audit doesn’t involve Records Management–related issues, but is focused on areas such as security and proper use. However, for Records and Information Management purposes, an auditor can test to determine whether employees are forwarding work messages to personal e-mail accounts, sending attachments rather than links, and retaining messages for the appropriate time frame. The auditor may have to work in conjunction with IT to view employee e-mail activity. If the organization is using an ECM or e-mail archiving system, the auditor may be able to view audit trail and history reports to collect the needed information.
Destruction: When auditing an organization’s compliance with destruction policies, the auditor should determine whether employees are using approved destruction methods such as shredding for records and content of business value. The auditor can test for compliance by inspecting recycle bins and waste receptacles to determine whether they contain items of a personal, confidential, or competitive nature. The auditor should also inspect shred bins to ensure that they are locked. The company’s destruction log should be reviewed for accuracy and completeness, including the appropriate destruction approvals. If the organization uses a Records Management software application, the log should be compared to the system to determine whether items reflected as destroyed or deleted in the system match the log. Certificates of destruction should be maintained for each vendor that provides destruction services and retained in accordance with the records and information retention schedule.
Communicating the audit
Before conducting an audit, it’s recommended that you notify the management of each department or operation that is subject to the audit. A communication plan should be developed that informs the management team that an audit will be conducted, the proposed dates of the audit, what will be audited, and how to prepare for the event. The communication should also provide auditor contact information in case management has any questions prior to the audit.
Prior notification allows management to ensure that information needed for the audit is collected and made available to the auditor upon his or her arrival. It also allows management to plan for any operational or personnel changes that may be needed to accommodate the auditor during the process.
Documenting the audit findings
The Audit Findings report is a comprehensive document that provides information on the results of the audit. This includes areas of compliance and noncompliance. The auditor will classify the severity and causes of the risks posed by noncompliance and provide recommendations to resolve the issues. When management is notified of noncompliance areas, an action plan should be put into place that provides resolution of the issue by a certain date, at which time the issue may be reaudited for compliance.