Jacki Cheslow (j.cheslow@ieee.org) is Global Compliance Program Leader for New York City-based The Institute of Electrical and Electronics Engineers.
As discussed in my last article,[1] records information management (RIM) and compliance go hand in hand. As compliance professionals, our job is to reduce an organization’s risk. The risk of not having and enforcing a strong record management program is great and could potentially affect not just the organization but others. In this follow-up article, we’ll focus on the basics of building a defensible compliance program. As with compliance, there is no out-of-the-box or one-size-fits-all program. Your record management program will need to be customized to your needs, but I hope the tips provided here will help you achieve a truly defensible record management program.
Designing the program
If you don’t already have a RIM policy, create one that includes spelling out the roles and specific responsibilities. Consider including the program manager, department and functional managers, record coordinators, the archivist (if appropriate), and anyone with access to your records and information. Include references to information technology (IT) or other related policies and, if necessary, include them as appendices to your policy.
Next create an inventory, identifying what records you have, who has them, where they are kept, why they are kept, and how they are being used. If you have an existing retention plan, use it as your baseline. If you don’t, start with what you know. Human resources, finance, legal, and internal audit are all standard functions and generally have similar record types from organization to organization. Document these record types from those functions, and then start gathering information:
- Identify different business lines or functions, and document the records you’re aware of for each.
- Identify major enterprise applications. Start with what you or your department uses every day and then other applications you may be aware of. Have IT validate your list and identify backup procedures and any other IT policies that might relate to what’s being kept, where, and for how long.
- Identify regulatory requirements, industry standards, tax requirements, etc. Work with privacy, information security, and finance to identify these. Being aware of both your legal obligations and the sensitivity of your records will help ensure that the retention periods that are established meet legal requirements, support operational needs, and are as short as possible.
- Identify which, if any, records are shared or stored outside of IT’s controlled environment. Consider software-as-a-service applications, third-party processors, etc. Then work with the contracts team to ensure those third parties adhere to your retention requirements.
Before long you will have collected a tremendous amount of information and be ready to draft a plan to present for review and input. As you draft, try to make it concise and easy to follow. If your existing plan isn’t what it needs to be, redesign it. In the sample retention plan (Figure 1), records are sorted into functional areas, and descriptions, examples, and defined starting points for retention are given. Most retention is event-based and only begins when something occurs—for example, an employee leaves a company, a contract expires, or an investigation is resolved. If you need help defining retention periods, look to others in your industry for best practices and adopt what suits the organization. You’ll be able to validate these during your review process.
The review process
You’re almost there, but before you invite input from the business, consider how you will publish the plan. Will you have one global plan? Or does it make sense to publish functional or business unit plans? Knowing this in advance will assist you in defining your review process. Identify how you will publish the plan. There are multiple vendors that offer RIM policy tools, and they’re great if you can afford them. Otherwise, consider your intranet and use bookmarks and hyperlinks to allow users to navigate easily. The more work you are able to accomplish up front, the better. Providing a cohesive draft to the reviewers will lessen the impact on their time, speed up the process, and ultimately make it easier on you.
In defining your review process, include a set of prepared questions for reviewers to address. Include these questions in your request to senior leadership for a representative on the review team. This helps the manager understand what you need and ensures you get the right individuals assigned. Typical questions might include:
- Did we get it right?
- Did we capture all of the potential business record types in your organization?
- Are there other record types that need to be considered?
- Are the proposed retention periods sufficient to meet the operational need? If not, why not?
Build out your review team starting with the A team: technical accounting, compliance, human resources, information security, internal audit, legal, privacy, and tax. Then consider who else is needed: What are your major lines of business? Activities? What other touch points do you need?
Once you have identified the reviewers, schedule a kick-off meeting to set expectations. Introduce the project, describe what it is you’re hoping to achieve, and explain what research or background work you’ve done to date. Describe any significant changes/updates that may be in store. Then use the questions you’ve developed to explain what you need from the reviewers. It is important at this point to make it clear that you’re not looking for RIM expertise. Instead, you need them to take the draft plan back to their area, socialize it, and see what others think. Specifically designate the reviewers during the meeting as the central contacts for their areas to make it clear that all feedback should be funneled through them and consolidated before it comes back to you. This will prevent you from being overwhelmed or receiving conflicting information from the same business unit. Let your reviewer ensure their business area or department is aligned.
If you hope to get this review done on a timely basis, you need to not only set deadlines but enforce them, and to do that, you’re going to need support from an executive champion. At my kick-off meetings, and with support from the general counsel, we discuss the timeline. There will be requests to change it, so be flexible, but once the schedule is set, make it clear that everyone will be held to deadlines. We advise reviewers that late submissions will not be accepted; while we need and want everyone’s feedback, in the interest of fairness to the larger group and to ensure the project is completed on a timely basis, deadlines will be firm. It’s a tough stance to take but a necessary one. On my last project, we had 100% participation, with 95% submitted on time and the remainder within a day or two.
Treat your reviewers as team members to keep them engaged. Explain how you’ll handle feedback and how it will be retained, who will mediate differences in opinions, and who will have the final say on what goes into the plan. Make the team aware of any potential outside reviews that may be required. Keep the team updated as the project develops.
Every project is different; you may want to use outside counsel or just do it in-house, perhaps with a RIM consultant. Regardless of how you choose to do it, in-house or outside, get the legal team involved. Most statutes are silent when it comes to record retention, and when they are not, they only discuss minimums. Legal review goes beyond the regulations and operational need by looking at tort law, considering statutes of limitations, and potentially identifying conflicting regulations.
Throughout this process and any future reviews, the most important thing I can say to you is document, document, document. Document who asked for what, who agreed to the changes, why they are being made, and when. If you’re relying on law, include the regulation name/number/effective date. If you’re basing the decision on business or operational needs, make note of how that need has been evaluated, who participated in the discussion, and what the outcome was. Document all approvals. If you have a privacy investigation/audit, you may be asked to produce documentation that supports your retention schedule both from a regulatory and operational perspective. You need to be prepared to address challenges to your retention plan.