1. Consistent Record Classification System
The foundation of any good record management program is developing a consistent records classification system across the organization.
While there are many record classification systems, one recommended best practice is a three-tier classification based on business function, record class, and record type.
The first step toward developing such a records classification system is taking an inventory or a comprehensive and accurate listing of locations and contents of all records within the organization.
The second step is grouping the records in the inventory according to business functions, record class, and record type:
- Common business functions include operations, finance, legal, marketing, human resources, and others.
- The top-level business functions are broken down into record classes. For instance, two record classes of record-function accounting are accounts payable and accounts receivable.
- Record types are a further subdivision of record classes. For instance, the accounts payable record class can be further broken down into accounts payable aging reports, accounts payable distribution reports, cash disbursement reports, and other categories.
No matter which classification system is adopted, the selected system should address all records regardless of the media type.
Image Credit: Wikimedia Commons/Tom Ventura
2. Indexing and Access Policy
The success of a records management program depends on the ease and efficiency of retrieval of the required data. The inability to retrieve the required data on a timely basis causes costly hold ups, decreases organizational efficiency, degrades organizational quality, and even leads to litigations and fines.
The best practice in this regard is indexing all records, regardless of the media, in a systematic matter with multiple indexing heads. Possible indexing heads include subject matter based on content, subject matter based on context, record creator, intended recipient, date of creation, and others.
The indexing policy needs reinforcement through an access control policy and safeguards. The access policy should define:
- Extent of access to records for each employee.
- An authorization process that includes checks against the laid-down access policy before retrieval of records
- A means to record and track retrieval of records
A well laid-out authorization and access policy helps maintain confidentiality and prevents unauthorized disclosure or data theft.
3. Retention Policy
A records retention schedule ensures retention of records only while legally and operationally required and ensures disposal of obsolete records in a systematic and controlled manner. Organizations would do well to create the records retention schedule at the record class level rather than at the departmental or functional level.
Factors that determine the retention time for each record class include:
- Federal, state, local, or international laws and regulations. Agencies that usually mandate retention of records for a specified period include agencies such as the Securities Exchange Commission (SEC), Federal Trade Commission (FTC), Federal Communications Commission (FCC), Environmental Protection Agency (EPA), National Labor Relations Board (NLRB), Internal Revenue Service (IRS), Equal Employment Opportunity Commission (EEOC), Occupational Safety and Health Administration (OSHA), and others.
- Statutes of limitation and limitation of actions that dictate the time period to file a lawsuit or levy a fine
- Operational requirements such as process life cycles, time taken to sell a product, inventory shelf life, after sales guarantee, and similar considerations.
Some tips for combining best practices and record management in a records retention program include:
- Categorizing records into “official" records and “convenience copy" records, and destroying “convenience copy" records that have no business value or legal validity after the intended use, usually after 30 days.
- Establishing a system that requires employees to classify and retain e-mails that are official records. An automated warning on pressing the delete key to force employees to review and make a decision about the nature of the e-mail helps in this direction.
- Identifying vital or “mission critical" records essential to protect the financial, legal, and operational interests of the organization and the stakeholders, and preserving such documents of permanently in media-appropriate archival conditions
- Defining a triggering event for each record class to become inactive. Conducting corporate-wide annual reviews of onsite records to pack inactive records to less expensive off-site storage or purge them altogether as the policy demands.
- Establishing a system of “hold" or not destroying records even when allowed to do so by the records retention schedule to cater to eventualities such as prolonged litigation, audit, or governmental investigation.
- Re-examining the records retention schedule for possible updates and revisions at least once every two years
- Taking periodic backups for disaster recovery
Image Credit: Wikimedia Commons/Aaron Logan
Systematic, consistent, and controlled regulations to destroy records that have outlived their utility not only save valuable space and efforts to maintain such records, but also reduce risk and serve as evidence of an organization’s good faith in attempting to conform to the law. Haphazard patterns of records disposal may cause accidental destruction of vital records, leakage of confidential information, and cause doubts of intentional destruction of embarrassing records.
Best practices in record disposal include:
- Establishing standard disposal policies at the corporate level and periodic review of such standards by legal and compliance professionals.
- Instituting a system of final check by the relevant personnel to determine whether the record is required for legal or business purpose after the record retention policy clears the document for disposal.
- Instituting annual organized purges of off-site records to destroy obsolete records.
- Determining an appropriate method of disposal by records class or media type. For instance, non-confidential documents are best recycled whereas confidential records require secure shredding to prevent slippage of confidential information or personal data.
The implementation of a records management system remains incomplete without establishing mechanisms to ensure compliance with the policy. The responsibility of implementation of the records management system usually rests with a steering committee composed of a designated records manager to administer the program, working with representatives from legal, IT, finance, tax, human resources, and risk management teams.
Best practices to ensure compliance of record management policies include:
- Instituting a records management training programs and acknowledgement program requiring employees to acknowledge receipt of training and understanding of records management policies and procedures.
- Periodic communication of records management information to employees via company newsletters and the intranet including implications of non-compliance with the policy, unauthorized access, or premature destruction of records.
- Including records management in the company’s internal audit process.
- Enforcing accountability by including compliance of the records management program in performance appraisals.