Say Goodbye to DIY Records Management

Topics: Store and Protect Information

It’s the nightmare you don’t even know you’re having: A rogue department’s self-styled record-keeping is creating serious legal and financial risks for your firm. Thankfully, you can return those MacGyvers to the records management fold.

FAST FACT: The 2002 Sarbanes–Oxley Act is still the gold standard by which managers measure the compliance of financial information. Since its enactment, the revisions to the Act have increased penalties for fraud, strengthened the role of outside auditors, and called for greater oversight by boards of directors.

DID YOU KNOW? It’s not enough to dispose of out-of-date records properly; you must be able to prove you did it. That means showing a consistent, auditable chain of custody, from pickup to destruction.

Your business has grown quickly, but now you’re struggling with the very success you’ve created. Departments that didn’t exist last year are now rock stars in the company. Employees have overcome budget and resource deficits by bending the rules and doing their own “problem-solving.” Your records management probably resembles the Wild West, and those DIY initiatives have left you vulnerable to data breaches, financial loss and government fines for not complying with regulatory requirements.

It’s time to rein in the cowboys and make sure they understand that maintaining best practices for records management is a company-wide priority.

Records and information management (RIM) still gets short shrift at some companies. Fully 36 percent of the organizations responding to A View Into Unified Records Management: The Iron Mountain 2012 Compliance Benchmark Report say they lack formal records management training. More troubling, 74 percent monitor compliance on an ad hoc basis or not at all—an 11 percent decline from the 2010 report.

Your Data at the Turning Point

You never want to find evidence of poor record-keeping the hard way—like when your legal counsel requests a contract from your data archives only to receive the wrong one. But the longer you let renegade initiatives flourish, the more likely it is that counsel may soon be huddling with your CFO and COO to address the consequences. These include legal fees and fines for not meeting discovery and regulatory requirements.

Rope in the Outliers, Eliminate Risk

Companies are taking more notice of electronic files and email, and requiring formal retention of that material, according to the Iron Mountain benchmark report. Such challenges have led to a growing consensus that records management is really risk management. Sixty percent of respondents in 2012—versus 25 percent in 2010—place responsibility for implementing, enforcing and auditing records policies with legal/compliance or audit/risk departments.

You’ll stand a better chance of reducing that risk if those superstar departments learn—and let employees know—that innovation and proper record-keeping are essential.

To establish and maintain a unified and compliant records management system, take these steps.

Step 1: Make it scalable. To achieve effective record-keeping, be sure that the system you implement can always scale to the size of your business. The information management system must also meet your particular industry’s data and compliance demands.

Step 2: Root out the do-it-yourselfers. Undoing those outside-the-box records management practices is like getting toothpaste back in the tube—it’s far harder than adhering to proper record-keeping best practices in the first place. But if DIY and ad hoc records managers have already wreaked havoc, shut them down. Then address the damage.

Step 3: Make policies happen. Key policymaking aspects include governance, communication, education/training and implementation. You’ll need input and guidance from IT, legal, compliance, human resources and other relevant departments. Such participation fosters a high-functioning compliance program—and overall RIM strategy success.

Step 4: Blast your RIM playbook across the organization. There’s no such thing as being “too clear” about your records and information management policies and procedures. Once you’ve defined and validated them, publish them throughout the organization, in as many formats as you need to be effective.

Step 5: Run audit drills to ensure accountability. Enterprise-wide unified records management calls for a culture of accountability. Maintain regular audits based on defined metrics. Make employees accountable for consistent adherence to policies, and provide visible support from the highest levels of the organization.

Step 6: Index data for faster, more accurate retrieval. Classify information by location, subject, author, date, method of origination, system of creation and intended recipient. Identify who’s authorized to see each record and/or record type to speed the retrieval process.

Step 7: Pay serious attention to records retention. Retention refers to the preservation of business records and includes their eventual destruction. Effective retention schedules account for all business records, including regular updates to maintain compliance with changing regulations.

Step 8: Dispose of records properly. Consistent procedures for safeguarding and disposing of information reduce risk and limit storage costs. Provide your colleagues with detailed instructions on how your firm identifies and approves records for secure media destruction.

Step 9: Enforce the rules. You have to show employees that there’s a new sheriff in town who means business; otherwise the cowboys will likely continue to ride the range. Make sure you outline the consequences for flaunting the rules, and then put action to words.

Step 10: Make training and auditing part of the ongoing program. These processes should ensure that your colleagues learn to keep proper records, follow procedures and know how to address mistakes as they occur.

Unless your firm is prosperous (or well-funded) enough to build and maintain an industry-leading records management program on its own, consider collaborating with a trusted partner. An experienced records management firm can help you corral your renegades and patch up any rough spots on your RIM’s “back forty.” Then you can both work on a plan to establish and implement a winning RIM program.

Can You Defend Your Records Management Procedures?

Running a flawless, company-wide unified records management system is great—as long as you can prove it. In the book Records & Information Management 2.0 for Dummies, author Blake Richardson warns that lawyers have gotten aggressive about undermining companies’ claims regarding records handling.

Richardson says: “During a lawsuit, an attorney may attempt to prove that a policy was in place, but employees didn’t receive proper training on how to follow it and that no enforcement of the policy was in place.”

Be warned: You must have the policies and be able to prove they were followed properly should your company be involved in a legal action. Your firm could face a legal challenge if a court decides that one or more of your policies could not be followed. For example, if one policy calls for email to be indexed and archived within 30 days of receipt but you lack the records management software to do that, your organization may be held accountable for that gap.

With these possible challenges in mind, you’ll want to handle lapses in records handling consistently throughout the company. Such threats are also why many companies are now placing records management under their legal department’s control.

Given the risks, that may be a good thing.

Do you have questions about information management? Read additional Knowledge Center Small Business resources, or contact Iron Mountain’s Small Business team. You’ll be connected with a knowledgeable product and services Small Business specialist who can address your specific challenges.

Related News:

Selling Records Management Reform Upstairs

Five Steps to Gaining—and Maintaining—Big Data Sanity

Take Five: IT Initiatives Worth Putting Into Action