Most organizations we see as consulting clients have in place many of the pieces necessary for effective IG and RM policies and procedures—or are in the process of developing them. But in all too many cases, there’s still a lot of work to be done: The policies and procedures themselves present significant challenges, if not outright shortcomings. These challenges are in structure, logical consistency and coherence, readability, easy review and updating, comprehensiveness with respect to key issues and obligations, and capability of being fulfilled in practice.
This post outlines each of these challenges and how to address them.
- Clear, modular structure: Good policies and procedure design requires a modular, clear structure, as well as a clear outline format (the format of a literal multi-level list: 1, 1.1, 1.1.1, etc., or I, A, 1, a, etc.).
- Logical consistency and coherence: Most policies and procedures don’t use consistent, clear definitions of records versus non-records, the criteria for each, and examples for each. The scope of the Records Management Program and its obligations are almost never clearly staked out. The concepts and requirements in the IG or RM policy are not well organized into a hierarchy that includes general requirements (which apply broadly) and specific requirements (which apply to more particular cases, such as electronic versus physical documents, or email versus images).
- Clarity and readability: The policies are typically difficult for the average employee to understand and difficult to operationalize with procedures, to update, and to use as a tool to monitor and enforce compliance. These shortcomings are usually the result of a number of factors, including unclear structure, inconsistency, unclear examples, and “legalese” language that introduces unnecessary complexity in places within the policies and procedures.
- Easy reviewing and updating: As your company develops its RM, IG, and other relevant initiatives, you should be reviewing and updating your relevant policies and procedures. But most RM and IG policies are not designed to facilitate such updating—for instance, to include additional information formats (e.g. instant messaging) and roles, or to provide clear divisions of labor and cross-referencing between it and other relevant policies and documents.
- Comprehensiveness with respect to issues and obligations: Even in 2016, most RM policies are still too paper-centric and don’t adequately address electronic recordkeeping and governance requirements. They don’t address those aspects of the entire records and information lifecycle relevant to RM and compliance, such as records creation, maintenance, and access. They aren’t designed with the relevant information management requirements necessary for specific industry regulations and standards such as North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), the Financial Industry Regulatory Authority (FINRA), the Federal Rules of Civil Procedure (FRCP), state Department of Insurance (DOI) regulations, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH); nor do they adequately address non-records, which require significantly more attention from an RM and compliance perspective (see below).
- Capability of being fulfilled in practice: Most RM and IG policies don’t include many requirements not obviously necessary for successful fulfilment, but which are necessary for an organization’s RM/IG Program to succeed. These include, for example, additional or expanded roles, such as Accountable Executives in the relevant business units. Accountable Executives are often necessary in business units because the traditional Records Coordinator role doesn’t have enough “juice” in the organization to ensure that RM and IG are effectively planned and implemented.
So there you have it—the common challenges we’ve been seeing from the perspective of RM and IG policies and procedures. For still more recommendations concerning your IG and RM policies and procedures, take a look at my recent post, IG and RM Policies and Procedures: Best Practices.