Despite these requirements, your organization may not have a defined systematic process for effectively managing client records because existing systems were not initially configured to track lifecycle, retention, and security.
To be compliant (and to report compliance), your organization must have a comprehensive, enterprise-wide records and information management (RIM) program in place that supports client services, governance, and audit response, as well as litigation preparedness for the organization itself.
Improve Your Organization with RIM
A RIM program provides structure to address business concerns, helps avoid the risk of non-responsiveness during legal discovery, and demonstrates the practice’s lawfulness.
Litigation readiness – Organizations must maintain records that support business decisions, operations, and services for the length of time required by the regulating agencies, and as dictated by the statutes of limitations to bring a claim. A RIM program communicates these requirements clearly and concisely.
Awareness of communication and education – RIM will help your organization:
- Write “for the record, consistently classify and label documents:” no jargon, abbreviations, or slang.
- Write a business email: to the point, one subject per email.
- Dispose of drafts properly. When the final document is approved, delete drafts.
- Dispose of records and non-records: shred paper, delete and empty the recycle bin
Built-in cost control:
- Keeping records beyond the required time leaves your business open to discovery and high legal costs.
- Paying for storage of (electronic or hardcopy) client records beyond the obligation affects the bottom line.
- Disposing of duplicates and convenience copies eliminates confusion about which is the “real” record (a favorite question of an auditor).
- Being able to retrieve the right record quickly reduces the time the auditor will be on site.
Improved customer service – When you keep only the most current records, retrieval time to look up a reference takes seconds or minutes, instead of hours or days. This improves productivity.
Legal case law requires it – Safe Harbor is not available if you do not have a RIM program in place. Per a U.S. District Court ruling in Starbucks Corporation v. ADT Security Services, Inc., 2009, “Failure to adopt a compliant records retention and destruction protocol that permits cost effective access to relevant records and creates an audit trail subjects the non-compliant litigant to sanctions and constitutes spoliation.” This pertains to any business that creates, maintains, and manages records either for internal use or as a custodian of someone else’s records.
Organizations are responsible for instructing their employees, contractors, and third-party vendors on how to manage their records. This, too, is part of a RIM program. Information governance, content management, disaster recovery plans, and knowledge management are related and fall under the “Say it. Do it. Prove it!” approach to reducing risk.
Build a RIM Program
If your organization has not implemented an enterprise-wide records management system, the task of identifying employee-created records, and finding how and where they are stored will be a challenge. To be ready for an audit or litigation it must be done. If you waiting until your organization is audited or subpoenaed, you’ll suffer far worse. Courts have stated that if competitors in your industry have been sued, expect litigation in your company’s future. The same holds true for audits.
Creating a RIM program starts with a records and information policy statement that clearly explains how records are to be managed.
Next, take RIM inventory: It’s important to know what you have and how the records are used. During the inventory, gather information on why the record is created in the first place, so similar business functions can be subsequently grouped together. ARMA International® provides more detailed information about this process, including inventory forms.
After you get the RIM inventory results you can start grouping similar records. For instance, you might group together “correspondence,” “letters,” and “email.” Email is problematic because it is often used for topics unrelated to business. A clear statement about emails — how to write them, what is or is not a business-related record, etc. — should be part of your policy statement. Again, ARMA International® has good resources.
A retention schedule follows the RIM inventory. A good retention schedule will meet legal requirements, operational requirements, and historical value when determining how long a record should be kept. The minimum time a record needs to be kept is the legal requirement. It’s OK to keep records longer if that is the policy stated in the retention schedule. Outside of the retention schedule, or “Just in case” is not a valid operational reason to keep something longer than the legal requirement. It’s also better to use “life of the legal entity (LOE)” instead of “permanent,” for records that need to be kept for longer periods. “Permanent” causes issues when businesses are dissolved or go bankrupt; avoid them by using “LOE” in your schedule.
The retention schedule can also explain how to dispose of records that have met their retention period. Any record with personal information should be either shredded or permanently deleted.
Note: Many software programs offer a recovery period after you delete a digital record from your system allowing the record to be discoverable in an audit or litigation. Leave deletion of digital records to the information technology department. These folks know how to permanently delete electronic files. Consider an electronic records management (ERM) or enterprise content management (ECM) to maintain metadata about the record or information with a status of destroyed per schedule. (Important for audits and litigation!)
What Is an ERM or ECM?
An application with the ability to track through time and location is required to manage both hardcopy and electronic. An electronic records management (ERM) or enterprise content management (ECM) system with a records retention module will track who touched which record, what was done to it, and when. FileBound Enterprise with Records Management is one to take a look at.
Factor at Least Six Months to Implement
A policy statement with related procedures may take as long as six months by the time everyone agrees on them. Allot seven to eight hours per employee to inventory the records each creates, three to six months to research retention periods (operational being the longest) to create the schedule, and three months to source and implement an ERM/ECM application. Review and update the inventory and schedule every 12 to 18 months, and refresh training on the RIM program every 12 to 18 months.
ARMA International®: www.arma.org/
Cheryl Ahrens Young, IGP, CSM, CSPO, CIP, CTT+, ecmP ermM, has been employed over the last 35 years as trainer, records manager, image capture analyst, contracts manager, and project manager with specific expertise in RIM projects. She earned a Bachelor of Arts in Psychology from the University of California, Riverside, and has taken graduate level courses in Business Administration, Information Systems at California Polytechnic State University, Pomona. Young is the senior project manager at Western Integrated Systems for RIM projects. She is past chair for the ARMA International 2004 Conference and past Pacific Region Manager. Ms. Young is secretary of ARMA’s Orange County, Calif., chapter and on the program committee for the Golden State chapter of ARMA International, and is a member of the Project Management Institute, AIIM and IOFM.
“….…nor more doubtful in its success, than to setup as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order of things and only lukewarm supporters in those who might be better off under the new.”
–Machiavelli – 1469-1527 The Prince
Ready to Implement a RIM Program?
Contact Western Integrated Systems by phone (866) 736-2191, via email at firstname.lastname@example.org, or visit our website where you can fill out an eForm for more information. Learn how we can help you create a RIM roadmap and work with you through each step of implementing the program in your organization.
Final Thought: Organizations are responsible for instructing their employees, contractors, and third-party vendors on how to manage the organization’ records. Need a hand? Western can help.