How to Put Compliance into Your Compliant Records Management Program

The benefits of a major investment in an enterprise records management program will be short-lived if employees are not in compliance with the program and its policies. What are the most critical components for compliance? Organization-wide accountability and regular auditing.

Organization-wide Accountability

Accountability should exist at the policy, program management and local implementation levels. Without senior-level sponsorship and commitment, the program is bound to fail. An executive owner with a cross-functional team must periodically set policy, review audits and ensure proper resources. There must be a corporate records manager to administer the program at a corporate level, plus a designee in each business unit accountable for implementation in their divisions. Finally, each employee should be required to acknowledge that they have read and understood the records management policies and procedures.

Regular Auditing

To ensure compliance, the records management program should be integrated into the organization's internal audit process. Key program components that should be audited periodically include:

  • Destruction timeliness - measure the time lag between when records are eligible for destruction and actual destruction.
  • Retention schedule accuracy - confirm that the retention schedule reflects the latest laws and regulations.
  • Classification accuracy and completeness - auditing the classification is the best way to inspect whether records are being destroyed in accordance with your policy.
  • Business unit compliance - the audit should confirm that all business units are equally participating in the program, following the policy and destroying records on schedule.
  • Destruction hold administration - pay special attention to auditing whether records temporarily suspended for destruction due to litigation have indeed been retained, and then later released for destruction on schedule.
  • Program training and communications delivery - audits should validate that appropriate employee groups have attended training and individual employees have acknowledged the company's records management policies.

The Guiding Principles of Accountability and Auditing

Based on Iron Mountain's years of experience helping the world's leading companies design, implement and maintain compliant records management programs, we recommend the following guiding principles for accountability and auditing:

  • Establish a corporate records management program Steering Committee composed of a designated records manager and representatives from legal, IT, finance, tax, human resources, and risk management. The Steering Committee should assume responsibility for overseeing the records management program, providing high-level management and strategic insight.
  • Schedule Steering Committee meetings at appropriate intervals to assess the current state of the records management program. Specific responsibilities include providing high-level management and oversight of the program; assuring that the records management program is properly maintained and updated; and recommending staff and system resources.
  • Designate a Corporate Records Manager to administer the program at the business unit or department level to facilitate accountability throughout the entire organization. The charter of this role should be broad, and cover all information assets and storage systems.
  • Support the records management function with the appropriate resources and experts internally and externally.
  • Create a records management acknowledgement program that requires employees to sign a document confirming their receipt of training and understanding of records management policies and procedures.
  • Regularly communicate records management program information to employees via a company newsletter, the use of an Intranet site and ongoing training.
  • Introduce measures of performance related to consistent retention and destruction of records, for both paper and electronic records.
  • Include records management as part of the company's internal audit process to ensure that consistency, compliance, and legal requirements are met.
  • Involve the IT department in auditing adherence to corporate electronic records, email retention and deletion policies.

If your company has made a substantial investment in an enterprise records management program, it is critical that you follow through with accountability and auditing. An accountability infrastructure will help convey your good faith efforts to comply. Auditing will give you the metrics to see how you are doing and how to improve.