Since achieving legal compliance is a primary goal for most records management policies, the first important step in creating a policy, is to know what regulations you’re trying to comply with. Knowing the legal, compliance and auditing frameworks that affect your industry and organization is therefore key. Depending on the scope of your organization, you may be doing business in several jurisdictions, states, or countries, and thus work is governed by different regulatory bodies.  You should establish a matrix that outlines what types of regulations apply to your company and outlines the retention requirements . The first, most important part of your policy should be to meet the requirements for items you must retain. 

In addition to finding out what records you need to keep for legal purposes, you will also find volumes of requirements ranging from audit accessibility, accuracy and authenticity, to privacy, confidentiality, and security. Many of these requirements are not black and white, but rather gray, requiring evaluation and assessment of their applicability to your business. By involving your legal department (or outside counsel) in this policy development effort from the start and having your attorneys help evaluate the legal needs for your company, as well as the policy language at its various stages of development, you’ll be able to make sure you’re addressing the requirements adequately.

Besides having your legal team involved, you’ll want to get representation from several other departments within your organization. Developing an effective policy that meets legal requirements is only valuable if it can be applied to your business. Involving your stakeholders in retention decisions will help you gain insight into the business processes and business usage needs of documents in individual departments (Finance may differ from IT for example).  Getting stakeholder buy-in from internal groups is paramount to easing policy implementation.

Knowing your organization also means knowing what retention policies will suit your business cycles, and what records types are important to your organization. Simply defining a record or deciding on the value of a document is an important decision that can be very specific to an organization. Does an instant message constitute a record in your organization? The answer is that it depends on the type of business you are in – if you are dealing with stock trades, the answer will likely be yes.  In other industries, the answer will come from your attorneys.  How about an e-mail that modifies a contract? In some organizations it will be, and in others it will not. The most important thing is not to assume, but to research carefully. Who helps create these documents and should be responsible for keeping them?  Who is accountable for compliance?  What defaults apply when no guidance is specified?  And don’t forget your employees:  you’ll want their input if you are going to make them follow the policy. Is this policy something that people can reasonably follow? Asking these questions and having representatives at the table who can answer them is therefore crucial. 

While the stakeholders will be essential to bringing different perspectives to the table, it is still important to have a single sponsor for your records management project. Often this will be someone from your legal department or the records manager whose specialized knowledge will be essential for guiding both policy and implementation.

Tina Torres, Corporate Records Manager