Information Governance Policies, Procedures, and Guidelines

Just about every client organization I work with needs help with its policies and procedures for information governance, records management (RM), compliance, litigation readiness, and so on. This post addresses the structure and differences between the policies, procedures, and guidelines you need for an effective information governance program.

“The rules” for managing records include policies, procedures, and guidelines. The most obvious difficulty companies have with their RM rules is that they are a logical mess – they mix general mandates to ensure retention of business records with tips on how to save attachments in Exchange and Gmail. But you should structure your rules like good computer code: They should be logically tight and modular.

Policies should face up and down. They should fulfill your company’s business goals (up) and be actionable (down). Likewise, procedures face up and down. They should fulfill your company’s policies (up) and be actionable (down). Procedures and “guidelines” are all necessary. But their adequacy should be measured against how they help achieve your company’s goals.

Clarify Your Rules along Three Dimensions

When you’re trying to think clearly about such rules, it’s useful to clarify them along three dimensions: statement type, level of generality, and level of obligation.

  1. Statement Type: Rules can be declarative (what your company wants), imperative (what employees must do), or pragmatic (how employees should do it).
  2. Level of Generality: Rules range from general to specific.
  3. Level of Obligation: Rules range from mandatory to optional but recommended.

The Five Rule Types

Here are the five common types of rules. Most organizations don’t explicitly lay out their principles and standards, but I include them here because some organizations do.

  1. Principles are declarative, general, and mandatory. They are sometimes called Business Objectives.
  2. Policies are imperative, general, and mandatory.
  3. Standards are imperative, more specific than policies, and typically mandatory.
  4. Procedures are pragmatic, specific, and mandatory. Examples include Standard Operating Procedures (SOPs) and Desk Procedures.
  5. Guidelines are pragmatic, specific, and recommended. Examples include Work Instructions, Frequently Asked Questions (FAQs), clarifications, and Job Aids.

Here are the typical distinctions between rule types along the three dimensions (statement type, level of generality, and level of obligation).

Rich Medina
I’m a Principal Consultant and co-founder of Doculabs, and the resident expert in using ECM for information lifecycle management.