This document provides guidance on developing and implementing an effective records and information management (RIM) policy. It discusses key elements such as understanding what constitutes a policy versus a procedure, basic policy characteristics like being simple, concise and enforceable, fundamental components to include like purpose, scope and retention schedule, obtaining necessary approvals, distributing the policy through an intranet for easy updating, and auditing for compliance by developing an audit plan and documenting findings. The overall document serves as a helpful guide for organizations looking to establish and enforce a strong RIM policy.
2. AGENDA
Understanding what a policy is (and isn’t)
Basic policy characteristics
Fundamental policy components
Obtaining policy approval
Distributing the policy
Auditing for compliance
3. WHAT A POLICY IS (AND ISN’T)
Instructs employees what to do (Policy)
Not how to do it (Procedure)
When drafting a policy, it is recommended to make notes of subject matter that will require an associated procedure.
5. BASIC POLICY CHARACTERISTICS
Simple
Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.
The policy should be constructed and worded so that it can be understood by all employee levels.
Remember – you know the subject matter – don’t assume the policy reader does.
6. BASIC POLICY CHARACTERISTICS
Concise
A policy does not have to be long to be effective.
The shorter – the better; a concise policy will increase readership.
Long email syndrome
7. BASIC POLICY CHARACTERISTICS
Relevant/specific
The policy should address relevant issues and provide specific direction that will guide the employee’s decision-making.
Policies that aren’t specific inevitably lead to inconsistent employee behavior.
Inconsistency leads to reduced policy compliance and an increase in organizational risks.
8. BASIC POLICY CHARACTERISTICS
Enforceable
It’s assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what’s contained in a policy can and will be followed.
The policy shouldn’t include any elements or directions that employees are incapable of following – this may include lack of technology, resources or training.
9. FUNDAMENTAL POLICY COMPONENTS
Purpose
Scope
Glossary
Audits
Vital records
Retention schedule
Information hold orders
Record storage
Network and hard drives
Email
Information destruction
10. FUNDAMENTAL POLICY COMPONENTS
Purpose
The purpose states the reason for (or objective of) the policy.
Example:
The purpose of this policy is to ensure the complete lifecycle management of organizational information.
11. FUNDAMENTAL POLICY COMPONENTS
Scope
The scope communicates what and who the policy applies to.
Example:
This policy applies to all company employees and governs the management of physical and electronic information.
12. FUNDAMENTAL POLICY COMPONENTS
Glossary
A policy often includes terminology that’s unfamiliar to employees. It’s recommended that the policy contain an appendix of terms with definitions.
If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.
13. FUNDAMENTAL POLICY COMPONENTS
Audits
The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.
14. FUNDAMENTAL POLICY COMPONENTS
Vital records
The policy should contain a section on the identification and protection of the organization’s vital records.
Example:
It’s the responsibility of each department head to identify their operation’s vital records.
It’s important to clearly define the term vital records – the term is often misinterpreted by business owners.
15. FUNDAMENTAL POLICY COMPONENTS
Retention schedule
Specifically address the purpose of the retention schedule and the requirement that it be followed.
Additional information can be added to this section of the policy, which addresses requests for modifications to the schedule.
16. FUNDAMENTAL POLICY COMPONENTS
Information hold orders
All employees should fully understand their responsibility regarding information hold orders.
The policy should clearly state that any information on hold, regardless of the reason or matter, should be retained, even if the retention period of the information has expired.
17. FUNDAMENTAL POLICY COMPONENTS
Record storage
The policy should state that organizational records are only to be stored with approved vendors.
In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.
18. FUNDAMENTAL POLICY COMPONENTS
Network and hard drives
The policy should provide guidance on the use and maintenance of network and hard drives.
Example:
Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.
19. FUNDAMENTAL POLICY COMPONENTS
Email
The policy should take into consideration what technology the organization has implemented related to email management.
Some organizations have a separate email “usage” policy that typically does not address information management.
20. FUNDAMENTAL POLICY COMPONENTS
Information destruction
The policy should address proper methods for the destruction/deletion of physical and electronic information.
This section of the policy would also include that only approved destruction vendors are to be used.
Certificates of destruction are to be received and appropriately retained.
21. OBTAINING POLICY APPROVAL
Group effort
Before distributing the policy throughout the organization, it may require review and approval by other departments:
Internal Audit
Legal
IT
Compliance
Example:
If the policy states that compliance is subject to audit – then you want to ensure that the Internal Audit Department can support the statement.
23. DISTRIBUTING THE POLICY
Hardcopy
Least recommended option
Periodic updates
In smaller organizations this approach may be appropriate.
24. DISTRIBUTING THE POLICY
Softcopy/email with attachment
Not recommended – for similar reasons (periodic updates).
Allows for easier distribution vs. hardcopy.
Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed the policy.
25. DISTRIBUTING THE POLICY
Intranet
Recommended approach
Have the employee come to the policy – rather than sending the policy to the employee.
Email with link.
The link can be part of a RIM Intranet page.
Reality check – employees can still print the policy from the Intranet, creating stale information.
26. AUDITING THE POLICY
Developing an audit plan
Communicating the audit
Documenting audit findings
27. AUDITING THE POLICY
Developing an audit plan
Audit areas
Testing
Communication
Audit findings report
28. AUDITING THE POLICY
Audit areas
The primary objective of an audit is to identify areas of risk.
Therefore, a RIM audit will typically include the policy areas that, if not complied with, create the greatest potential for risk.
Fundamental policy components
29. AUDITING THE POLICY
Policy components to audit
Policy acknowledgement
Vital records
Retention schedule
Information hold orders
Record storage
Network/hard drive maintenance
Destruction
30. AUDITING THE POLICY
Communicating the audit
Before conducting an audit, it’s recommended that you notify the management team of each department.
Proposed dates
What will be audited
How to prepare for the audit
31. AUDITING THE POLICY
Documenting the audit findings
Provides information on the results of the audit
Areas of compliance and noncompliance
Classifying the severity and causes of the risk posed by noncompliance
Recommendations for resolution
Action plans
Resolution dates
Re-audits