This document provides guidance on developing and implementing an effective records and information management (RIM) policy. It discusses key elements such as understanding what constitutes a policy versus a procedure, basic policy characteristics like being simple, concise and enforceable, fundamental components to include like purpose, scope and retention schedule, obtaining necessary approvals, distributing the policy through an intranet for easy updating, and auditing for compliance by developing an audit plan and documenting findings. The overall document serves as a helpful guide for organizations looking to establish and enforce a strong RIM policy.

1. PUTTING POLICY
INTO PRACTICE
How to develop and implement an
effective RIM policy

2. AGENDA
 Understanding what a policy is (and isn’t)
 Basic policy characteristics
 Fundamental policy components
 Obtaining policy approval
 Distributing the policy
 Auditing for compliance

3. WHAT A POLICY IS (AND ISN’T)
 Instructs employees what to do (Policy)
 Not how to do it (Procedure)
 When drafting a policy it is recommended to make notes of
subject matter that will require and associated procedure

4. BASIC POLICY CHARACTERISTICS
 Simple
 Concise
 Relevant/specific
 Enforceable

5. BASIC POLICY CHARACTERISTICS
 Simple
 Employees need to be able to
understand what you are trying
to communicate. Avoid using
overly formal wording,
acronyms and long sentences.
 The policy should be
constructed and worded so
that it can be understood by all
employee levels.
 Remember – you know the
subject matter – don’t assume
the policy reader does.

6. BASIC POLICY CHARACTERISTICS
 Concise
 A policy does not have to be
long to be effective.
 The shorter – the better; a
concise policy will increase
readership.
 Long email syndrome

7. BASIC POLICY CHARACTERISTICS
 Relevant/specific
 The policy should address
relevant issues and provide
specific direction that will guide
the employee’s decision-making.
 Policies that aren’t specific
inevitably lead to inconsistent
employee behavior.
 Inconsistency leads to reduced
policy compliance and an
increase in organizational risks.

8. BASIC POLICY CHARACTERISTICS
 Enforceable
 It’s assumed (by outside entities,
e.g. courts, commissions,
regulatory bodies) that what’s
contained in a policy can and
will be followed.
 The policy shouldn’t include any
elements or directions that
employees are incapable of
following – this may include lack
of technology, resources or
training.

9. FUNDAMENTAL POLICY COMPONENTS
 Purpose
 Scope
 Glossary
 Audits
 Vital records
 Retention schedule
 Information hold orders
 Record storage
 Network and hard drives
 Email
 Information destruction

10. FUNDAMENTAL POLICY COMPONENTS
 Purpose
 The purpose states the reason
for (or objective of) the policy.
 Example:
 The purpose of this policy is to
ensure the complete lifecycle
management of organizational
information.

11. FUNDAMENTAL POLICY COMPONENTS
 Scope
 The scope communicates what
and who the policy applies to.
 Example:
 This policy applies to all company
employees and governs the
management of physical and
electronic information.

12. FUNDAMENTAL POLICY COMPONENTS
 Glossary
 A policy often includes
terminology that’s unfamiliar to
employees. It’s recommended
that the policy contain an
appendix of terms with
definitions.
 If the policy is electronically
posted (Intranet), hyperlinks
can be established to provide a
definition for each term.

13. FUNDAMENTAL POLICY COMPONENTS
 Audits
 The policy should inform
employees that all topics and
matters contained within the
policy should be complied with
and are subject to internal and
external audits.

14. FUNDAMENTAL POLICY COMPONENTS
 Vital records
 The policy should contain a
section on the identification
and protection of the
organization’s vital records.
 Example:
 It’s the responsibility of each
department head to identify their
operation’s vital records
 It’s important to clearly define
the term vital records –The
term is often misinterpreted by
business owners.

15. FUNDAMENTAL POLICY COMPONENTS
 Retention schedule
 Specifically address the purpose
of the retention schedule and
the requirement that it be
followed.
 Additional information can be
added to this section of the
policy, which addresses requests
for modifications to the
schedule.

16. FUNDAMENTAL POLICY COMPONENTS
 Information hold orders
 All employees should fully
understand their responsibility
regarding information hold
orders.
 The policy should clearly state
that any information on hold
regardless of the reason or
matter should be retained, even
if the retention period of the
information has expired.

17. FUNDAMENTAL POLICY COMPONENTS
 Record storage
 The policy should address that
organizational records should
only be stored with approved
vendors.
 In this section of the policy you
can also address environmental
and security requirements for
long-term onsite records
storage.

18. FUNDAMENTAL POLICY COMPONENTS
 Network and hard drives
 The policy should provide
guidance on the use and
maintenance of network and
hard drives.
 Example:
 Hard drives (C: drives) are not to
be used for the storage of
company records or information of
business value. This type of
information must be stored in a
repository accessible by employees
with appropriate authorization.

19. FUNDAMENTAL POLICY COMPONENTS
 Email
 Policy should take into
consideration what technology
it has implemented related to
email management.
 Some organizations have a
separate an email “usage” policy,
that typically does not address
information management.

20. FUNDAMENTAL POLICY COMPONENTS
 Information destruction
 The policy should address
proper methods for the
destruction/deletion of physical
and electronic information.
 This section of the policy would
also include that only approved
destruction vendors are to be
used.
 Certificates of destruction are
to be received and
appropriately retained.

21. OBTAINING POLICY APPROVAL
 Group effort
 Before distributing the policy
throughout the organization, it
may require review and
approval by other departments:
 Internal Audit
 Legal
 IT
 Compliance
 Example:
 If the policy states that compliance
is subject to audit – then you want
to ensure that the Internal Audit
Department can support the
statement.

22. DISTRIBUTING THE POLICY
 Hardcopy
 Softcopy/email with attachment
 Intranet

23. DISTRIBUTING THE POLICY
 Hardcopy
 Least recommended option
 Periodic updates
 In smaller organizations this
approach may be appropriate.

24. DISTRIBUTING THE POLICY
 Softcopy/email with
attachment
 Not recommended – for similar
reasons (periodic updates).
 Allows for easier distribution v.
hardcopy.
 Distributing the policy via email
(attachment) allows you to
provide additional commentary
regarding the policy to the
recipient such as, the policy
needs to be reviewed by a
certain date and that the
recipient must respond that
they have reviewed the policy.

25. DISTRIBUTING THE POLICY
 Intranet
 Recommended approach
 Have the employee come to
the policy – rather than sending
the policy to the employee.
 Email with link.
 The link can be part of a RIM
Intranet page.
 Reality check – employees can
still print the policy from the
Intranet creating stale
information.

26. AUDITING THE POLICY
 Developing an audit plan
 Communicating the audit
 Documenting audit findings

27. AUDITING THE POLICY
 Developing an audit plan
 Audit areas
 Testing
 Communication
 Audit findings report

28. AUDITING THE POLICY
 Audit areas
 The primary objective of an
audit is to identify areas of risk.
Therefore, a RIM audit will
typically include policy areas,
that if not complied with, create
the greatest potential for risks.
 Fundamental policy
components

29. AUDITING THE POLICY
 Policy components to
audit
 Policy acknowledgement
 Vital records
 Retention schedule
 Information hold orders
 Record storage
 Network/hard drive
maintenance
 Destruction

30. AUDITING THE POLICY
 Communicating the audit
 Before conducting an audit, it’s
recommended that you notify
the management team of each
department.
 Proposed dates
 What will be audited
 How to prepare for the audit

31. AUDITING THE POLICY
 Documenting the audit
findings
 Provides information on the
results of the audit
 Areas of compliance and
noncompliance
 Classifying the severity and
causes of the risk posed by
noncompliance
 Recommendations for
resolution
 Action plans
 Resolution dates
 Re-audits

32. THANKYOU!
Q & A TIME