GRC: An Introduction To Records Management

Recent events — particularly in the financial services sector — have increased the pressure on enterprise records management practitioners, as more and more companies face regulatory audits or litigation-related discovery requests. The idea of document management is easy for most people to understand. Records management, on the other hand, presents some conceptual challenges. Here's a primer.

Only recently, the U.S. Library of Congress added to the records management confusion by announcing that that they will be archiving all the tweets tweeted since Twitter’s 2006 creation. So, one might ask does this imply that tweets are business records?

Federal Records And ISO

Apparently not. In the US, the Federal Records Act provides the basis for all records-related decisions. It defines a record as,

 …recorded information, regardless of medium or characteristics, made or received by an organization that is evidence of its operations and has value requiring its retention for a specific period of time.”

Internationally, the International Standardization Organization (ISO) defines records as:

… information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.”

From these two definitions we can draw three important things. A record :

1. Provides evidence of an organization’s activities
2. Can be in any medium
3. Is information created in respect of legal obligations

Records Management And DoD 5015.2

Amongst vendors, the de facto standard used by both the public and private sectors for the provision of an adequate records management systems (RMS) is the Department of Defence’s 5015.2 standard.

It outlines the minimum requirements of RMSs  before they can be used by the DoD and other federal agencies and outlines what functions they must have. Included among desired features are:

• Capture and scanning management
• File plan management
• Retention and disposition management
• Access and library management
• Storage management
• Email management

Combined, these applications manage different aspects of electronic and physical records and come with search capabilities to locate records stored across enterprises.

The DoD 5051.2 standard acts as the starting point for the European standards (MoReq) in records management which, like the DoD standards, outline requirements of a RMS.

Record Management Considerations

So if a record is an evidential record of an enterprise's activities what do you need to take into account before deploying a RMS?

While the role of records as an evidential resource outlining enterprise activities rarely changes, the way in which different enterprises choose to deal with them is different from company to company.

This is why it is necessary to be clear as to what needs to be achieved. Areas that need to be identified include:

• Record management roles:
  Records managers, compliance officers and IT personnel to deploy and monitor systems, content managers to identify where records will be kept.
• Enterprise content:
  Assessment of all existing and future content and determining what content is likely to become records.
• Outline file plan:
  Clear list of content that can be considered records and identify where they will be stored, retention periods, person responsible for them.
• Retention schedules:
  Whether the record is still in use, when its lifecycle has come to an end and how to dispose of them
• Records management design:
  Based on your file plan, design libraries, content types, policies, and storage locations
• Compliance:
  As records are a key component of compliance, it is important to ensure that the records can be found and accessed easily.

Electronic Records and Physical Records

The increasing number of regulatory demands from different federal and international organizations means that enterprises now have to consider the relationship between physical records and electronic records and how best to manage both.

Retention policies under regulatory regimes like those related to the Sarbanes-Oxley Act, HIPAA, ISO Document Control and Certification, SEC and DoD 5015.2, means that some of your physical records must be retained.

However, many vendors will have taken that into account when designing their RMS. As a result they come with a number of features that will be common to both. These include:

• Metadata: All information contained in a RMS must have metadata that describes what is contained in a particular file.
• Retention policies: All records must be accompanied by a retention policy that outlines when a record can be destroyed.
• Query Interface: All records must be retrievable with accuracy and speed. Instead of dual searches across indexes of physical records and electronic records, a single query interface that search both should be used.

Physical Records

While electronic records are generally stored within a central repository once relevant metadata has been applied, physical records are still kept in physical filing systems or folders.

The result is that there are individual features that are unique to physical and electronic record keeping. For enterprises that need to plan for physical records there are a number of unique features that will be needed. Amongst them are:

• Ability to locate non-electronic information
• User-definable physical record locator
• User-defined record attributes including location information, contents information
• Bar code application and reader
• Printing abilities for container labels (labels can also be stored physically)
• Bar code labels and bar code reader integration

Worth remembering is that when a physical record is added to the system it is generally only the information about the record that is added (the metadata). In this way users can manage the information about physical records in the same way they would information about electronic records.

Electronic Records

Because electronic records never really leave the RMS there are a number of features that can be deployed that would not be practical when trying to manage physical records. These include:

• Automatic classification of records based on metadata
• Automatic placement of records in context
• Automatic application of retention rules
• Creation of data standards for access with future technologies
• Application of disposal policies

Records Management A Priority

Recent AIIM (news, site) research shows 37% of organizations in total are not confident their electronic records would stand up in court. It also showed that nearly 50% of companies say electronic documents and emails remain unmanaged.

However, over the course of the next year that looks like it is changing. The recent State of the ECM Indsutry report from AIIM shows that implementing electronic records management will be the top priority for enterprises looking at ECM over the course of the year.

Given the current regulatory environment and the cost of non-compliance, the pressure for companies to implement an effective records management policy is growing weekly.

But before rushing out and investing in the first system that looks like it can do the job, enterprises need to make sure they know exactly what it is they are looking for. Compliance starts with a good records management policy. Your first step is to design the policy and get it reviewed. Then start thinking about the enabling technologies which can make it a reality.

Bookmarks