Records Management – A Guide to Managing the Life Cycle of Information
by WIS | Sep 29, 2020
Information and Records Management best practice is to manage the content of the record, regardless of format. Preservation and disposition methods vary by format and the length of time a record needs to be maintained for retention purposes.
A best practice would be to declare in a policy what the expected format is for long term preservation, taking into account the resources available to ensure the readability of the record in the long-term. Limitations in the past regarding the viability of electronic storage media have led to policies declaring that the official record is paper-based without taking into account how natively electronic records and databases are preserved. Advances in technology in long-term archival storage have addressed this issue so that the official record can be maintained in electronic format.
Advances in technology allow for much more robust and secure records management.
A key issue in the field is communicating with employees and third parties as to their responsibilities in preserving the organization’s records appropriately, and, conversely, the appropriate disposition methods in order to:
- Protect personally identifiable information
- Ensure a single source of the record as evidence of business transactions and decisions
- Ensure that the information that is retained is authentic, reliable and has integrity
- Follow published procedures in managing records to provide a clean audit trail
Another key issue is the concept of data mining from enterprise databases and business analysis of the data. A use case for an organization, for instance, would be in analyzing data about benefits applicants. Unfortunately, in many companies and agencies, the quality of data in legacy systems has led to the postponement or freeze of projects because the data was so inconsistent or corrupted—rendering it useless.
Tools are available to assist in cleansing and standardizing the data, after a norm is agreed upon, established and implemented in systems of record so that the problem of inconsistent data is eliminated. Often, this is a separate change management project. Data can be standardized using conventions found at USPS for addresses and a phone book for names.
An excellent program is composed of:
- Policy: A concise statement of employee responsibility in regards to records and information management
- Procedures: Methods and tools used in meeting their responsibilities
- Desktop Instructions: How the tools work in simple language
- Technology: Enterprise tools that protect data, are auditable and provide meaningful reports
- People: Computer literate employees who believe that the record is a business asset, not their private information to be stored as they see fit
- Training: Answering the “How Do I” questions. If there is a breakdown in training, or the trainer can’t convey important policy to employees, this needs to be addressed
- Education: Answering the “Why Should I?” questions that addresses the risk of “just in case” preservation
- Compliance: Periodic internal audits to ensure that employees are doing what they are supposed to do in managing business information assets
- Scheduled analysis and review: Have changes in regulatory requirements or case law affected the protection or retention of record sets? Are there departments who never send records to archives or are always asking for more storage?
There are a few obstacles that prevent a Program from being implemented. The number one cause is generally a lack of executive support and stewardship. The second is an inventory of the records created and received by the entire business, which includes the business function of the record – why is it created or received? The third is understanding secondary and tertiary operational needs in order to determine the longest retention period necessary and comparing them to legal requirements. For instance, does the training department use IT Helpdesk tickets to determine training needs? Does Planning look at the number of speeding tickets in a given area to assist in the placement of speed bumps?
There are multiple ways to gather information—from objective views of the volume of electronic records, history of certified destruction, interviews with department employees, electronic surveys of records and information usage, software inventories to see what types of applications are in place that could create records, opening closets to see what is stored, and even opening up desk drawers. An analysis of the culture first leads to the best approach for that organization, and formulates a road map for future operations and best practices.
Identifying Organizational Needs
When conducting a needs analysis, a review of existing documentation covering procedures, file classifications, file plans, taxonomies, installed systems and the functionality that has been turned on, a review of any existing contracts in which a vendor has some responsibility for records keeping, tools in place, such as multi-function devices or barcode scanners, is done first, offsite.
Then, a questionnaire is created – it may be online, a digital form, a printed-out form – whatever works for the organization’s culture. The key is that it must address the employees’ understanding of the program as documented, and, actual practice within the organization.
Next, onsite interviews are scheduled with key stakeholder departments, including, but not limited to, Legal Counsel, HR, Engineering, IT, Records Management, Finance, Treasury, R&D, Marketing, Sales, Manufacturing and C-Suite. The interviews build on the information supplied in the questionnaires. Finally, shadowing of knowledge workers to the extent that privacy laws permit, to see how they find the information they need on a daily basis.
Internal audits can help identify which employees are adhering to best practices and which employees may need additional training and/or guidance before an external audit occurs.
Audit, Audit, Audit. Pay Now or Pay Later.
Auditing is critical. You need to know that your employees are doing what you’ve told them to do using the tools that you have provided. External audits are much less stressful when periodic internal audits are conducted and issues resolved without the threat of fines hanging overhead. Maybe there is a breakdown in training causing employees to not adhere to best practices? Or possibly an employee is simply disregarding those instructions for the sake of convenience? Regardless of the records management issue, an internal audit will illuminate any unknown compliance issues that were unseen, without the consequence of heavy fines.
There should be a records manager providing input into the plan to ensure that records are gathered, protected and managed for each of the elements in the plan. This ensures transparency of the plan and also ensures that successes in the plan are documented so they can be repeated. This also holds true for failures, so that they can be avoided in the future. Strategic plans with an element of change and growth will more than likely be under close scrutiny and more apt to undergo litigation; having a records manager providing input as to how to preserve the record will cost much less than catching up later on.
When the elements of a trusted system are looked at in detail, they are the elements of ARMA’s Generally Accepted Recordkeeping Principles, AIIM/ANSI 2012:25 standard, ISO 15489, all of which speak to the integrity, reliability and authenticity of a record. So, yes, they do affect a Program. If the trusted document requirements are not met, then it’s very difficult to say with confidence “yes, this is the evidence of our decision or action.”
Training: A Prerequisite to Compliance
A multi-prong approach for new technology and concepts that covers not only the “how to” but the “why” is the most successful and effective. Classroom training for new processes and software applications that are hands-on, not lecture based, are best for adult learners. Refresher courses on a regular basis (six to twelve months), online, on-demand for new hires or transferees, webinars on very specific topics, such as how to use a single feature in an application are all part of a good training program.
The key is making sure that attestation is included in any of the approaches. Questions that cover each section as it’s presented during the training session as well as a test on the entire topic are recommended. In addition, each student should sign an affidavit that they understood the course material and will follow the instructions while on the job. Learning management systems (LMS) that are interactive and provide attestation are cost-effective ways to report on training efforts.
Public records requests and disaster recovery are two areas for the public sector’s records management needs that more critical than in the private sector. Redaction requirements in Public Records requests are heavier than in most private sector confidentiality requirements. Disaster recovery requires that the most current records be made available to the workers fixing the problem. Most companies will switch to Plan B while waiting for the government to get things back up and running; those that don’t have a Plan B don’t stay in business very long after the disaster. The local government doesn’t have the option to go out of business and so the obsolete repair records or “as-built” records need to be updated and preserved on a regular basis.
Again, this is a combination approach of questionnaires, interviews and analysis of offsite records. If a records inventory has never been conducted, “feet on the street” may be necessary; in a records inventory conducted for a local government agency, boxes of infrastructure records were found in a women’s restroom. No women worked for that particular department, and had never worked for the department, but during the initial survey that was sent out electronically, those records had been overlooked. In another instance, half of a floor had not been built out during initial construction and boxes were just stored there. Finding them filled a missing gap of about five years in the agency’s offsite storage inventory.
Records Retention Programs
There are records retention research programs which are offered as subscriptions that provide updates every 3 – 4 months on legal requirements and legal considerations. Monitoring the legal requirements is only part of the equation when determining retention, however. Operational and historical requirements should also be taken into account. For instance, a particular federal grant may only require records to be kept for five years after the close of the grant but the grant writer may find that referring back through two grant cycles helps win more grants, so the retention could be 10 years. The reason for the longer retention period should be noted in the schedule.
A vendor will need the number of departments, any third party relationships that the Business may have that entail maintenance of records (ADP for payroll, for instance, partnerships with other Counties or Special Districts, or Federal agencies providing grants), a holiday schedule so that the project plan can accommodate the employees’ time off, an idea of existing volumes for both electronic and hard copy, in terms of tera or peta bytes, number of shared drives, number of boxes, number of filing cabinets and number of backup tapes in storage, date the last time the retention schedule(s) were updated, existing applications that create, store and manage documents and records, and, that manage litigation.
If a business does not currently have a records retention program, a project should be budgeted with the following components:
- Project Plan for the consulting engagement
- Gap Analysis
- Retention schedule
- Policy Statement Draft for Adoption
- Procedures Manual
- Desktop Instructions
- Training Curriculum
- Recommendations for the future
- Roadmap for the recommendations
At the most optimistic, 18 months. Realistic, three years to inventory, research, present for approval, create procedures, desktop instructions and perform the initial training with the development of on-demand, online training curriculum.
Creating a program has been defined in the sections above. Implementing and maintaining a program require ongoing attention and support to ensure that it is executed and overseen by management. Because records management touches all departments and a record can have a life cycle across departments, phasing a program in one department at a time doesn’t work well.
It is usually more effective to make sure that the tools to manage records are in place and tested, then roll it out in a focused effort, usually by record series that touch multiple departments–like HR records, AP/AR, Budgeting, records frequently seen as responsive in litigation, and also records found only in specific departments, such as marketing or sales collateral.
The Role of Consultants
After program implementation, a consultant can serve the business by also providing audit services to make sure that what was implemented is continuing to be executed. If the business chooses to not subscribe to a retention research program, an annual review of retention requirements is best handled by a consultant due to their expertise and focus. The consultant can also provide a resource for ongoing training if a training program does not exist within the business.
Consultants are often used to:
- Develop curriculum for learning management systems (LMS) for online, on-demand training.
- Technical and functional specification review of proposed software purchases to ensure that records management requirements are there.
- RFP development.
A records consultant can help your organization assure best practices are being followed even after an internal audit.
Often overlooked in developing a program are secondary and tertiary uses of records, audit requirements and ease of management. Retention schedules with thousands of records series are too cumbersome to manage well. Taking the time to determine the business reason for the record to exist and assigning retention periods based on function rather than title leads to more manageable programs. A helpdesk ticket, for instance, does not have a legal requirement but after IT has resolved the issue, HR can analyze trends to focus future training efforts and Procurement can refer to issues with an application to negotiate for more training to be included in an maintenance renewal.
There are many sources of information for records management best practices, including:
- ARMA International
- AIIM International
- Industry specific sources of best practices include:
- IOFM – Financial Management
- SHRM – Human Resources
- PMI – Project Management
- IAOP – Outsourcing
- ILTA – Legal Technology
- ALA – Legal Administration
If records management is something your organization is struggling with, contact Western Integrated Systems to evaluate your options today.