- Agility. Good records management mitigates risk and increases productivity.
- Key components. A records retention policy must have a schedule policy to maximize efficiency.
- Recommended schedule. Legal and regulatory updates should happen every 12-24 months.
- Work together. It takes a corporate village to manage a records management system, but it’s possible with transparent collaboration.
This article is written with in-house counsel or other team members tasked with starting, updating, modernizing, or improving their company’s records management program in mind. It details the components of an effective program and suggests how cooperating with, and leveraging the efforts of, your IT, information security, and other business units can make records retention not just a “legal program” but a company-wide initiative owned by multiple stakeholders.
Records management 101
Effective modern records management programs can be a tremendous boon to companies. Done well, these programs ensure compliance, reduce risks, lower costs, and increase employee productivity.
During the past five years, many companies have either created new programs or revamped older, tired, paper-based programs to better drive retention and disposition in today’s digitally driven work environments. This trend has accelerated in the past couple of years as companies are developing strategies to meet hybrid work-from-home (WFH) and emerging privacy requirements.
Good records programs not only drive compliance but also enable information agility to meet the demands of a changing world.
While they bring clear value, for the uninitiated or uninformed, these modern records programs are a type of corporate quicksand. A walk down what seems like a straightforward path can quickly get bogged down in policy, process, implementation, and often strong emotions.
Simple tasks such as determining what and how many emails to save or delete can turn into long debates. Worse, while the legal group may be given the task of updating the program, these activities involve technology, training, and organizational issues seemingly out of their area of expertise as well. The key is to take a smart and modern approach, which we will outline herein, ensuring key components meet the needs of today’s quickly changing information and work environments.
Key components of a records program
Development of traditional, old-fashioned records programs involved creating or updating a records schedule (based exclusively on legal and regulatory requirements) and then perhaps publishing a training guide. Developing modern records programs, which address not only a wider variety of compliance requirements but also ever-growing quantities of digital information, requires more steps. While more work is required, the good news is that these modern programs will have a much bigger positive impact on the organization.
Records retention policy
There are two main components to a records policy: the actual records retention policy itself, and a records schedule, which is typically an addendum to the policy. A records policy is the “what” of the program, whereas the schedule is the “which.” Typically less than 10 pages, a policy should cover records management objectives, scope, definitions, and guidelines, including legal hold obligations and the consolidation of existing policies enterprise-wide.
It should also make clear why the organization needs a records management policy and the types of records to be covered. It should also indicate whether electronic data (such as email, instant messages, and content generated from social media and collaboration tools), as well as drafts and convenience copies, are to be considered business records.
It also needs to include the specific roles and responsibilities of the records management staff, legal department, other employees, and outside personnel who handle organizational records. The policy must also document provisions for violations of the policy.
Records retention schedule
A records retention schedule defines record categories, the records within each category, and the minimum retention period. Schedules may also contain samples of record types and list the legal citations supporting the retention period. While it is typically an appendix to the policy, it is the heart of the program. The schedule can be organized by business function, with a number of record categories specified for each. For maximum buy-in and impact, representatives of the functions whose records will be controlled by the schedule should be involved in the conversation that sets these periods; inclusion early eases adoption later.
Using the legal department as an example, the schedule would typically include line items for business organization, board and shareholder meetings, company ownership and stock transactions, compliance, contracts and agreements, intellectual property, litigation agreements, pleadings, correspondence, and legal opinions.
In some cases, organizations may want to treat many records the same way for purposes of retention and destruction. These can be grouped together to reduce the number of items in the schedule.
Understanding and applying business value to a retention period
Looking to combat ongoing accumulation of older files, emails, and paper records, many organizations look towards their records policies and schedules as a mechanism to defensibly delete unneeded documents and data. Some employees have a bad habit of wanting to save everything forever (legal and IT included). This creates a temptation to create the schedule without input from the business, but that is a mistake.
Experience over the years has demonstrated that the most successful disposition efforts — getting rid of 70 percent or 80 percent of unneeded files, for example — are more likely to occur when business units and departments are included in policy discussions and a consensus is reached. Effective schedules seek to build a consensus on what to save and what not to save. Stakeholders, business units, and employees must agree that the schedule represents the appropriate retention and destruction of company information and that it reflects business value.
In enforcing a retention policy, legal sometimes gets set up as the “bad gal/guy.” Business units claim that “legal is poking its nose in our business” or “encroaching on our territory” and therefore is unwelcome. The result is rogue business units that either refuse to follow the policy or push back on its requirements. This pushback is most effectively headed off early, during the schedule development process.
Engaging multiple groups and stakeholders, doing good data collection, and making a reasonable effort to incorporate business value greatly reduces the risk of this policy pushback.
Employees may want to save more “little r” business value records than legal and IT are initially comfortable with. This does not mean that all the documents of an employee who hoards everything (and claims that he needs it all forever) can or should be classified as “little r” records.
Rather, “little r” records tease out the limited amount of information that does have real business value. Surprisingly, these business value records often do not increase overall retention significantly. Employees and departments may initially believe that all their older documents contain some level of retention-worthy business value, but upon examination and discussion, business value increases retention only modestly, much less than initially suspected.
|Traditional Paper-centric Approach||Electronic Media-capable Approach|
|Media-specific Approach That Addresses Mainly Paper||Content-specific Approach Capable of Addressing Paper and Especially Electronic Content|
|Focused Almost Exclusively on Legal and Regulatory “Big R” Records||Includes Both Legal and Regulatory Requirements Plus “Little r” Business Value|
|Detailed Records Retention Schedules with Hundreds of Categories||Compliant Yet “Bigger Bucket” Retention Categories for Easier Classification|
|Manually Oriented Record Classification Strategies||Easier, Faster, Intuitive and Sometimes Automated Classification Procedures|
|Documents Classified for Retention Periods||Documents Classified for a Broader Information Governance Framework Including Retention, Data Security, Access Controls and Collaboration|
|Many Records Printed Out on Paper as the Official Copy||Most Documents Managed in Electronic Format|
|Information Stored in Difficult to Access Locations, such as Offsite Storage||Employees and Departments Have Easy Access to Their Documents and Data|
|Employees Self-verify Compliance||Regular System Audits Ensure Policy Defensibility|
How often should a records retention schedule be updated?
Barring any new and significant regulation in its industry, a legal and regulatory review should typically occur every 12 to 24 months. Some are led to believe more frequent updates of a schedule are required, but this effort is often better spent on implementation, training, monitoring, and audit activities. Some vendors offer perpetually updated, online schedules promising compliance. This approach creates more risk. While the online schedule will be updated weekly, the corresponding training materials, system configurations, and day-to-day practices will quickly fall out of sync with the schedule.
This gap between what the schedule prescribes and your actual practices can be, and has been, exploited by litigators and regulators, who may claim you purposely were not following your policy. Finally, most legal and regulatory updates provide a significant grace period, falling within the 12- or 24-month update period.
Risks of “out-of-the-box” schedules
|70% Common or Typical Records||30% Company-specific Records|
|Accessed less often. Easy to include in schedule.||More frequently accessed by employees, expansion during litigation (both as plaintiff and defendant). Requires more work to include in schedule, but also more important.|
It may be tempting to purchase an “out-of-the-box” records retention schedule that contains common record types and adopt this as the schedule. About 70 percent of a company’s records, from payroll, finance, and administration, do tend to be similar not only across companies but also across industries.
“Out-of-the-box” schedules cover this 70 percent of records well. However, this approach is risky, as the remaining 30 percent tend to be very company or even business-unit specific and vary widely even across companies in the same industry.
Furthermore, these company-specific records are much more likely to address intellectual property, trade secrets, critical operational information, etc. They are much more in play during litigation, regulatory inquiry, maintaining institutional knowledge, etc. In other words, identifying the first 70 percent of records is easy. Identifying the remaining 30 percent requires more work, but is much more important to get right.
Data placement strategy
Once you have a policy and schedule, how do you execute it?
A data placement strategy combines policy with technology to make records and document classification both faster and easier. Many companies are enacting smart, compliant, and automated deletion strategies. This approach removes the employee from the disposition process and instead relies on technology to dispose of records when the retention period expires.
This automation is accomplished by configuring IT systems with the rules of the policies. Modern content management systems, such as Microsoft 365, provide the ability to automatically apply metadata tagging (also referred to as labeling) based on where a record is stored. In other words, these systems allow a type of “drag and drop” tagging: Under this method, when employees drag and drop a file or email into a folder or specific location, the system automatically tags it.
The system can automatically tag and track the document for multiple types of governance controls, including records retention requirements, data security classification, access controls, and even legal hold capabilities. These retention periods, security levels, and other policy attributes are pre-configured into a given managed folder. When the user places a document into the folder, the content management system automatically tags the file and applies these controls to it. No action is required on the part of the user other than storing the document in the right folder; the system does the rest. When a document reaches the end of its retention period, employees don’t need to do anything. Office 365 and other repositories will automatically dispose of documents once the expiration date has been reached, based on when they were entered into the system. The old information simply fades away.
This “drag and drop” classification strategy requires more upfront work. The records management and IT teams need to configure the managed folders or other repositories with the records retention, data security, and access rules. Ideally, a complete Information Governance framework (retention, security, and access) should be configured. Translating the records retention schedule, data security classification, and access control policies into specific system configurations can be tricky, and requires collaboration between the records, security, and IT groups.
That said, this upfront investment is worth it. Those companies that do take the time and effort to configure their systems for proper Information Governance may suddenly find classifying records, personal information, and other governed content much easier. Employees find the “drag and drop” approach easier. More information gets classified, and the less your team has to think about the retention schedules to “do the right thing” automatically, the more it will happen.
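The following sketch models the folder-driven tagging and automated disposition described in this section. It is an added illustration, not Microsoft 365 configuration and not code from this article; the folder paths, labels, retention periods, security levels, and hold identifier are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed managed-folder configuration (placeholders, not a real schedule):
# each folder carries its retention, security and label attributes.
FOLDER_POLICY = {
    "/legal/contracts": {"label": "LEG-CONTRACTS", "retain_years": 7, "security": "confidential"},
    "/finance/payroll": {"label": "FIN-PAYROLL", "retain_years": 4, "security": "restricted"},
    "/shared/working": {"label": "GEN-TRANSIENT", "retain_years": 1, "security": "internal"},
}

@dataclass
class Item:
    path: str
    entered: date                      # retention clock starts at entry into the system
    legal_holds: set = field(default_factory=set)
    label: Optional[str] = None
    security: Optional[str] = None
    expires: Optional[date] = None

def add_years(d, years):
    """Add whole years; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def folder_of(path):
    """Return the longest managed folder containing path, or None if unmanaged."""
    matches = [f for f in FOLDER_POLICY if path.startswith(f + "/")]
    return max(matches, key=len) if matches else None

def tag(item):
    """Apply the folder's pre-configured attributes; the user only chose the location."""
    folder = folder_of(item.path)
    if folder is not None:
        policy = FOLDER_POLICY[folder]
        item.label, item.security = policy["label"], policy["security"]
        item.expires = add_years(item.entered, policy["retain_years"])
    return item

def disposition_run(items, today):
    """Return an audit trail of (path, label, decision) for every item."""
    audit = []
    for item in map(tag, items):
        if item.label is None:
            decision = "UNCLASSIFIED"  # outside any managed folder: needs review
        elif item.legal_holds:
            decision = "HELD"          # a legal hold overrides an expired period
        elif item.expires <= today:
            decision = "DISPOSE"
        else:
            decision = "RETAIN"
        audit.append((item.path, item.label, decision))
    return audit

# Constructed sample data.
TODAY = date(2024, 6, 1)
SAMPLE_ITEMS = [
    Item("/legal/contracts/msa-acme.pdf", date(2016, 2, 29)),
    Item("/legal/contracts/nda-beta.pdf", date(2015, 1, 10), {"MATTER-001"}),
    Item("/finance/payroll/2022-q1.xlsx", date(2022, 4, 1)),
    Item("/home/jdoe/desktop/notes.docx", date(2019, 5, 5)),
]

if __name__ == "__main__":
    for row in disposition_run(SAMPLE_ITEMS, TODAY):
        print(row)
```

The audit list is the part to keep: it records why each item was disposed of, held, or left unclassified, which is the evidence a system audit of the policy relies on.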
Employee behavior change management and training
Once you have policies and processes, roadmaps, tools, and technology in place, it’s easy to think you are done. Sorry, but no. The organization now needs to get the employees on board and properly using the new tools that have been put in place.
Employee behavior change management, including communications and training related to this initiative, is a critical element to drive user compliance. These efforts help to ensure effective implementation of the new structures and processes by affected employees and to demonstrate compliance with legal and regulatory requirements.
Designed to drive users toward a target behavior set and to measure progress in achieving compliance, these activities are also beneficial for providing formal, consistent communications to employees and executive sponsors during implementation.
The goals of behavior change management include:
- Drives user adoption. Drives program adoption by business units and employees.
- Communicates resonant messages. Identifies key messages likely to resonate with employees.
- Sells program as a win. Messages program as a win for all employees, not a compliance burden.
- Tests consistency. Ensures messages and trainings are effective for all groups across the organization.
- Demonstrates compliance. Demonstrates compliance with requirements and company intent to follow policies.
|VEHICLE OPTIONS|| |
|Senior Leadership Playbook||John Smith provides regular information to Executive Committee and Senior Leadership, to build awareness and get feedback||John Smith||X|
|Town Hall Play Books||High-level overview of Records Program rollout key messages relating to: Awareness, Timelines, and Training to pass on to XYZ employees during regular Town Hall meetings||BU Leaders / Managers||X||X|
|Departmental Meetings||5–10-minute presentations at scheduled departmental meetings||BU Managers||X||X|
|Computer-Based Training||30-minute module on records principles, new Policy and Schedule||iLearn||X||X||X|
|Online Messaging||Deliver different types of messaging (awareness building, how-to’s, reminders, etc.)||Intranet||X||X||X|
Records processes and procedures
Although most records should be classified and managed through a routine automated process, companies will still need to set up a series of additional processes and procedures to capture, classify, manage, and dispose of records and information that may be created or received outside of these everyday processes. Table 6 lists typical records processes and procedures.
Typically, the biggest risk with these types of processes is not a lack of development, but that they are not applied consistently across the enterprise. This is particularly true for foreign subsidiaries, acquired entities, or applying governance to document and data sets preserved under legal holds for matters that have been adjudicated.
|Departing Employee Records Management Procedures||Provides guidance for dealing with the work-related records of departing or transferred employees, to ensure that the department/function does not lose any knowledge of the departing individual, or that potentially important documents are not abandoned, deleted, or otherwise lost as a result of the departure.|
|Email/Voicemail Management Guidelines||Recognizing that both email and voicemail can be discoverable documents in litigation or regulatory matters, these guidelines inform users on best practices for drafting, securing, and disposing of these messages.|
|Procedures for Managing Records during Merger, Acquisition or Divestiture||When a company merges with or acquires another company, or divests itself of a business unit, there are always records of that organization that must be considered and organized. These procedures provide guidance on how to manage company records that are either acquired with a new company or divested with a departing business.|
|Paper Records Management Procedures||Procedures on proper onsite management and storage of paper records, as well as procedures on how to organize, box, and send paper records to offsite storage, as well as retrieve those records when they are needed onsite.|
|Records & Information Management Program Change Request||Procedures for requesting revisions to, and then revising the Records Retention Policy, Records Retention Schedule, or other records processes and procedures.|
|Records Program Compliance Audit||Procedures and audit checklists that enable a records organization to perform an audit each year of a business unit/department/function’s compliance with company records policies and the Retention Schedule. Includes an audit plan, audit checklists, and remediation plan. These audits are important to demonstrate diligence to courts and regulators.|
|Records Clean Up Day||Procedures and communication plans for conducting periodic “Records Clean Up Days” within the company or individual departments/business units.|
|Annual Records Self-Assessment||An assessment process administered each year to departments/business units/functions, to determine the current state of their records maturity.|
Records management organization development
Records management is a bigger job than can be handled by a single department. No one person or group has the expertise to address all the functional aspects of a records program, and collectively, a well-established team will be better positioned to get the job done. It is important when launching a records initiative to create a cross-functional committee composed of multiple stakeholders.
Typical committee members include legal, IT, compliance, privacy, audit, risk, and sometimes HR and business units. Each stakeholder is still responsible for their area of expertise (legal still creates policies, for example) but these activities are done through an integrated and coordinated plan.
Creating (or updating an existing) matrix structure for the strategic governing body (steering committee) will drive ongoing Information Governance or records management activities and organizational compliance. The governance organization needs to bring together diverse professional viewpoints from various key business functions across the organization. It is fine to have legal or IT “own” this process, as streamlined ownership can help accountability, but for your program to be truly effective you need all key functions to embrace the schedules and see them as helping them do their jobs.
You also need to ensure good communication of requisite concepts, promote best practices for the management and control of the organization’s information, establish cross-functional ownership, articulate goals and business benefits, and define ongoing roles and responsibilities. As noted at the head of this article, this approach is not the “light-touch” one, but the more work you take on to make your program effective, the less work it will require for your organization to live by it, making you much more effective.