Just about every firm I work with needs help with the policies and procedures (P&P) associated with records management (RM), all varieties of compliance, discovery and litigation, and so on. P&Ps are always worth looking at, because on the one hand if they aren’t in good shape, you’re not going to have an effective ECM, RM, or litigation readiness program. And on the other hand, even if you don’t have the budget or ability to implement technology for your program, you can get surprisingly far with just good P&Ps. This post summarizes some of the P&P best practices I’ve gleaned from the last several years.
What’s the Problem?
It would definitely be a problem if employees were indifferent or hostile to your firm’s P&Ps, but this is usually not the case, particularly in the financial services and insurance sector. Most employees are willing and eager to follow P&Ps in their daily work, but they face a number of challenges that make adherence more difficult:
- Lack of P&Ps in some areas – and often in all areas where electronic records are concerned
- Lack of systems and processes in place to communicate P&Ps – necessary if you are going to spread the word to employees
- Employees unaware of or unclear about P&Ps – because of the first two failures, causing the improper use of your document systems, the squirreling away of documents and other breakdowns in your program
- P&Ps not operationally feasible – violating the first axiom of ethics, that “ought implies can”, and also ensuring that you have explicit policies that you aren’t following in practice
- No enterprise process in place for creating, managing, and maintaining P&Ps across the organization – to ensure that the P&Ps are relevant the day after they are created
What’s the Solution?
Here are a few best practices for developing and implementing P&Ps that will get you on the right track. I describe three areas where firms have the most problems. The first two are really prerequisites to developing your P&Ps. The third addresses how you should design your P&Ps.
1. Clarify your hierarchy of objectives for justifying and prioritizing your P&Ps. Most firms get rolling with RM P&Ps without understanding what business objectives the Records Program or the P&Ps are supposed to fulfill. They therefore have no clear idea regarding how the objectives should be prioritized and how the inevitable conflicts between them should be adjudicated. Taking action to reduce risk is good, but it costs money and often impacts productivity. So it would be good to have an ordered set of RM objectives against which any RM P&Ps should be evaluated. The idea behind an ordered list of objectives is that since it is in descending order of priority, you have to satisfy the first objective before you can satisfy the second, and so on. Here’s my list, and it’s worked in almost all cases (sometimes with tweaking):
- Ensure compliance with regulatory and legal requirements
- Reduce the cost of compliance
- Reduce the impact of compliance on the organization
- Don’t be invasive; don’t hinder the organization’s performance or user productivity
- Ensure that RM policies, procedures, and the actual practices that implement them are all consistent with the organization’s mission
- Enable (or at least don’t hinder) later “offensive” enterprise initiatives (e.g. line-of-business initiatives using ECM)
- Provide some “offensive” business benefits now (primarily to encourage compliance participation and secondarily to improve productivity or decrease operational costs now)
2. Clearly define your territory. I have discussed this at length elsewhere. The simplest way to explain it is that there are three fundamental subsets of information in your firm: all the information in your firm, the likely discoverable information (a smaller subset than all your information), and the declared records (which may be a smaller subset of the likely discoverable information). One of the most important achievements of any RM program is to clearly define these categories for the organization. You can’t develop clear policies without taking this step, and you certainly can’t communicate your policies to your employees and hope to have them follow them without it. Very few firms do this, however.Another way to put the problem is that your firm’s information ranges in terms of risk, value, and manageability. Some of your information scores high on all three dimensions – these are typically the most important documents in your firm, and they are almost certainly managed very well by your records program. Some of your information scores low on all three dimensions – these are the trivial and harmless items littering your shared drives, hard drives, and email boxes. Most of your firm’s information is somewhere in the middle, being of indeterminate value, risk, and manageability. Some of this stuff is records-worthy. More of it is relevant to discovery.Your territory (the information in your firm) therefore has gradations of risk and relevance, and you must address it with gradations of focus and different approaches.
- You can’t take a simplistic narrow view and focus exclusively on the declared records (a much smaller subset of what’s relevant to discovery) or your firm will be hopelessly exposed.
- And on the other hand, you can’t take a simplistic broad view by “declaring every document a record” and treat them all equally or you will dissipate your focus and resources and fail to manage even your most vital declared records.
The good news is that you’ll be fine if you take either a narrow or broad view, with gradations that effectively address the likely discoverable information in the middle. It doesn’t matter so much which one you take; what does matter is that you follow through on its implications. In other words, a best practice is to clearly:
- Define declared records narrowly (but then also address the gradations of non-records, from high-value and high-risk non-records all the way down to the trivial and harmless non-records), or
- Define declared records broadly (but then address the required differential treatment of higher- versus moderate- versus lower-priority records)
You will end up with tiers or categories of information. Most organizations end up with three basic categories (high, middle, and low priority). They then handle the different types in something like the following ways:
- The currently declared records they keep as records, and put them in a rigorous enterprise standard ECM system with an RM module, managing them as declared records.
- They find that some document types were not classified as declared records, but are very high value and risk. So they redefine them as declared records, and treat them just like the declared records in #1 above (managing them as records in an ECM system).
- Some document types they keep as non-records, but move to the rigorous enterprise standard ECM/RM system. They manage these documents in the ECM system without declaring them as records and managing them with the RM module.
- Some document types they keep as non-records, but manage in specialist systems or legacy system. These might be email or legacy document archives, digital asset management systems, CAD systems, etc.
- Some document types they keep as non-records, but manage effectively in SharePoint sites as non-records.
- Some document types they keep on (better managed) shared drives. There’s not much left here, since the bulk of it has been moved or disposed of according to general rules regarding low priority transitory documents.
3. Design your RM P&Ps with a clear, logically tight, and hierarchical structure. I mean several things by this. Your policies face up and down. They should logically connect to your firm’s business and RM goals (up) and be actionable (down). The sole justification for any policy is that it should ensure the fulfillment of the RM objectives it serves (e.g. to ensure compliance). Policies connect to the procedures below them, and procedures in turn face up and down: up to the policies they must fulfill and down to fulfillment by actual human actions. If you perform a procedure, you should by definition have fulfilled its associated policy… which in turn should have furthered your explicit RM objectives.