You’ve Just Been Handed Your Company’s Records Program — Now What?

Banner artwork by Envato ImageGen

Being handed the responsibility to create or mature your company’s records management program can be daunting. It often comes with a myriad of questions: Where do I begin? What steps should I take, and in what order? How do I staff and budget for this? What needs updating from the old program? How do I get others to care?

These are all valid concerns. Records management, a core component of a broader information governance program, is a discipline designed to ensure that an organization retains the information it needs for legal, regulatory, and business purposes and disposes of it when it’s no longer needed. Taking over a records program is an opportunity to modernize and realign it with the organization’s current needs and best practices.

While the task can feel overwhelming or too big and too long to handle effectively, breaking the activity into understandable steps helps to give a sense of scope and the confidence to move forward.

This effort can be organized into four key steps:

Step 1: Assess, plan, and collaborate

The first step upon inheriting a records program is to understand where things stand and chart a course for improvement. Assess the current state by reviewing the existing records retention schedule, policies, procedures, and tools or systems currently in use and identifying gaps or pain points.

Are retention rules out of date or overly complex? Are employees actually following the policies? Noting these at the outset (e.g., “our schedule is outdated and hard to use”) will set the stage for the next step, where you address those foundational elements. A brief maturity assessment or comparison against industry best practices can help pinpoint what needs the most urgent attention.

Taking over a records program is an opportunity to modernize and realign it with the organization’s current needs and best practices.

Next, develop a plan or roadmap for updating and improving the program. Outline the key initiatives, including revising the retention schedule, implementing new tools, and conducting training along with a rough timeline. This roadmap will guide your efforts and set expectations with management.

Recognize that building a modern records program is typically a multi-phase effort. You might aim for some quick wins in the first few months (such as establishing governance roles or updating high-priority policies) and then tackle longer-term projects (like technology deployment and company-wide training) over the next year or more. Having a clear plan will prevent wasted effort and keep the program on track.

Crucially, engage key stakeholders from the start. While in-house counsel is an excellent advocate for and initial leader of the program, records management is cross-functional and you will need buy-in and input from multiple departments. Identify stakeholders in Legal, Compliance, Privacy, IT, and major business units — including Finance and HR — and emphasize the “wins” of this program for each group. Bringing these groups into the planning process (for instance, via a steering committee or working group) helps ensure the program addresses all needs and has broad support. It also clarifies the program’s scope.

In some organizations, “records management” might be part of a larger information governance initiative; in others, it stands alone. By collaborating with others, define what falls under your program’s responsibility and what will be handled by related efforts (such as data governance or privacy programs), so nothing important is overlooked and efforts are coordinated.

As you plan, build the business case to secure resources and budget. A strong records management program can yield significant benefits and returns on investment, including:

• storage reclamation and decreased storage costs by disposing of unnecessary old data,
• significant reductions in potential eDiscovery and legal expenses with a smaller volume of data to handle in litigation,
• productivity gains when employees spend less time searching for information, and
• lower overall legal and privacy risk of regulatory penalties or data breaches involving old sensitive files.

Emphasizing these benefits can help build support for the program across the organization. However, don’t be surprised if you are interrupted when you start advocating for record management maturation. You will face little resistance as to the need and benefit. It is the implementation and resource gathering that can be the primary challenge.

Step 2: Develop and update the program foundation

Step 2 is about establishing a solid foundation of policies, retention schedules, and guidelines for your records program. This is the part of the process where an in-house counsel can lead and start to move the activity forward. The records retention policy and schedule are core components of this foundation. If you inherited an old retention schedule, it likely requires revision to be more modern, compliant, and user-friendly.

Traditional schedules tend to be:

• paper-centric, neglecting to account for the diversity of electronic records,
• “big R”-focused, based almost exclusively on legal and regulatory requirements to the detriment of operational data with business value,
• too granular or lengthy, containing hundreds of obscure categories, and
• created without sufficient business input.

Now is the time to transition to a streamlined and comprehensive approach.

A modern records retention schedule should cover all major record types in your organization across all media, regardless of format, and capture both typical and company-specific records. Work with stakeholders to clearly define record categories in plain language that employees can follow in practice.

In addition to identifying records based on legal and regulatory requirements (the “big R”), take business value (the “little r”) into account. In other words, your schedule should reflect not just laws and regulations, but also how long the business finds the information useful.

Finally, rather than maintaining two policies, a records retention schedule can incorporate a privacy data retention policy, identifying which records contain personal information and defining a legitimate business need for how long these should be saved.

You will face little resistance as to the need and benefit. It is the implementation and resource gathering that can be the primary challenge.

Another decision to make is whether to use a standard template or build a custom schedule. Some organizations “rent” a reputable off-the-shelf retention schedule to save time and ensure coverage of common record types, then customize it. Others “own” their schedule, developing it from scratch and tailoring it precisely to their operations.

Using a template can jump-start the process and provide a baseline of legal citations but ultimately may be more expensive, can be difficult to automate or customize, and still requires tailoring. Building your own schedule takes more upfront work, but in the long run it can be more cost-effective and align exactly with your company’s needs and terminology. Either way, involve your legal counsel (for compliance verification) and business units (for practicality) when crafting the final schedule.

Along with the retention schedule, you will want to update or create supporting procedures and guidelines to operationalize it. These might include data clean-up procedures (how and when to dispose of certain records), guidelines for managing email and other electronic communications, processes for implementing legal holds (to suspend deletion of records under litigation), and periodic compliance review or audit procedures. Defining these methods ensures there is a clear plan for carrying out the policy on a day-to-day basis.

By the end of Step 2, you will have updated the core “rulebook” of your records program, a retention schedule and associated policies and procedures that define how information should be managed. The next step is to put these rules into practice.

Step 3: Execute, automate, and train

With policies and schedules defined, Step 3 is all about execution: putting the program into action through technology, process changes, and training. This is when the focus of effort begins to shift from the Legal Department to those responsible for managing data: IT, Operations, etc. The primary objective is to make compliance with the records program as easy and automated as possible for employees.

Our “five-second rule” says that if you ask busy employees to spend more than a few seconds classifying or managing a record, they will likely circumvent the process. The solution is to incorporate records management into their workflow with minimal friction through a data placement and automation strategy.

The more you can rely on system-driven policies rather than manual clean-up, the more consistent and defensible your program will be.

This tactic uses automation and simple user experiences for managing records. For example, a limited number of designated repositories or folders for records (in a document management system, SharePoint site, or network drive) are configured so that anything placed there is automatically classified and handled according to the appropriate retention rule.

In practice, a user might drag an email or document into a particular folder, and the system will tag it as a certain record category and start the retention clock behind the scenes. To the user, it’s just a matter of putting the file in the right spot, a quick action that doesn’t require manually entering metadata or dates. This approach leverages technology to enforce rules while keeping the user effort low.

This system enables fully compliant and automatic retention and disposition. Work with IT to implement the rules in your systems so that as records reach their expiration, they are automatically deleted or archived (with processes to pause deletion for legal holds). The more you can rely on system-driven policies rather than manual clean-up, the more consistent and defensible your program will be. Still, maintain oversight. For instance, review deletion logs or audit reports to ensure holds were respected and no issues occurred.

In parallel, train employees and roll out awareness of the new procedures. Rather than emphasizing deletion, sell employees on how the new program will benefit them, such as easier retrieval of information, reduced clutter, and prevention of bigger problems like not being able to find key documents during an audit or legal case.

When people understand the “why” and find the process easy to follow, they are far more likely to comply. Clearly explain what people need to do differently (for example, “Going forward, save final project documents to the Project Archive library, not on your personal drive”). Provide practical training sessions or quick reference guides.  It can also help to enlist department managers or designate “records champions” in each team to encourage compliance and serve as local points of contact.

Throughout the execution phase, keep communication open and celebrate progress. Share success stories or metrics (for example, “We have already cleaned up X gigabytes of old files” or “The Finance team has successfully moved all their records into the new system”). This positive reinforcement helps maintain momentum and shows the organization that the program is delivering results.

Step 4: Staff, manage, and update the program

The final step is the ongoing management and continuous improvement of the records program over time. Begin by ensuring the right staffing and governance are in place. Ideally, someone (or a team) is explicitly responsible for the records program going forward. Skills in records management, technology, eDiscovery/Legal, and Privacy are ideal for this role, as well as a broad awareness of the organization’s work and the ability to act as a program ambassador.

It’s important to note that you don’t always need to hire a certified records manager. If there is someone (perhaps within the organization) who possesses some of these skills and is willing and excited to learn, they can be trained in the areas where they have gaps. Don’t hold up your search looking for someone who checks all the boxes.

It’s also wise to have a cross-functional steering committee or working group that meets periodically to review the program’s status, address new issues, and guide updates. This group should include representatives from Legal, IT, Compliance/Privacy, and business units, mirroring the collaborative approach you started with.

The success of the records management effort also relies on behavior change management processes. It takes time and reinforcement to move employees away from a “save everything everywhere” or “my data” mindset to one built around having the right data in the right place with the right access controls.

Rather than simply putting policies in place, convince employees of how this approach will make them more productive and make their lives easier. Create a communication strategy with consistent messaging and audit its success. Keep leadership engaged so that managers understand they need to support the records policy. Provide periodic reminders or tips to all employees to keep awareness high.

For example, you might send periodic reminders about key policy requirements or share tips to reinforce good practices. Over time, the goal is to embed good information habits into the company culture, so that following the records program becomes second nature for employees.

It’s important to note that you don’t always need to hire a certified records manager.

Plan for an audit process and regular reviews and updates of your retention schedule and policies. Laws change and your business will evolve; the records program must keep pace. Set a schedule (such as an annual or biennial review) to determine if new regulations, business lines, or systems require modifications to retention rules.

Also gather feedback: perhaps users find a certain category confusing, or a new privacy law necessitates shorter retention for certain data. Update your documentation and processes accordingly. This continuous improvement ensures the program stays relevant and effective.

Conclusion

Being handed the records management program may initially feel overwhelming, but it is also an opportunity to improve your organization’s information governance and save costs in a meaningful way. By following these steps of carefully assessing and planning, updating the foundational policies, executing with user-friendly tools and training, and actively managing the program going forward, you can build a records program that delivers ongoing value and protects the organization.

What starts as a daunting assignment can turn into a success story, ensuring compliance, reducing risk and costs, improving collaboration, and increasing productivity. With a solid roadmap and sustained effort, you’re well on your way to a modern and effective records management program.