Best Practices for Strategic Records Management
- Published on October 22, 2012
- Written by JAMAL POWELL
One of the keys to successful and rapid disaster recovery is effective records management. In the past, the records management role was simple and non-strategic. However, today’s records managers are tasked with reducing risk in many areas, including data breaches, improper storage, destruction of information, and lack of employee compliance. Any type of risk has the potential for financial, reputational, and even criminal consequences if not managed effectively.
Now, records managers are integrated into the functionality of the businesses. They are responsible for identifying the need to embrace new technologies, adhering to specific records, laws, and policies, and driving greater efficiency and cost reduction. Having a keen awareness of the records management environment and adjusting their approach and management techniques to their particular program is critical to success.
With an increased level of records and data, and additional records legislation, records management risks are compounded. At times, records managers may feel as if they are playing a game of whack-a-mole instead of strategically managing one of the organization’s greatest risks. Security breaches are expensive. A single breach could impact thousands of records. In fact, according to The Ponemon Institute’s annual “U.S. Cost of a Data Breach,” the average cost of a data breach is $5.5 million. There’s also risk of fines for not storing, securing, or destroying documents properly or in the right time frame.
For example, a health clinic in the United States was fined $4.3 million for violating HIPAA privacy laws, and an insurance firm was fined $1.2 million by an independent regulatory committee for failing to comply with policies for archiving company email records. With significant changes in today’s policies and procedures for both physical and electronic records management, there’s an even greater need to establish an effective strategy to prevent errors and data breaches.
In another example, a government agency’s employees were found improperly shredding critical documents and personal records. As the investigation continued, authorities discovered there were more than 500 misplaced records, highlighting a much larger problem with how the agency handled records and how employees failed to follow existing policies and procedures. In fact, some employees were accused of mishandling records as a way of meeting performance goals and receiving bonuses. It represented a major risk for both the agency and its employees, as improperly destroying government documents is a felony, punishable by up to three years in prison and a fine.
Disasters like these can be avoided by following best practices. Begin your approach to records management with these strategies:
- Understand and quantify your risk. At the core, strategy is about understanding your environment and responding appropriately. One of the most important items for a records manager to get his or her head around is where risk exists and to what magnitude. This requires not only understanding the internal environment, but also the external environment, including laws that can ultimately determine the impact of a policy breach. The Ponemon Institute Study is a great way to quantify the risk. In addition, news articles and reports that contain costs of data breaches or costs associated with litigation from poor records management also contain great information for quantifying risks. The greater the risk, the more an organization is likely to spend on prevention, which is one of the best strategies a records manager can utilize.
- Put focus on the greatest risk. Strategy is also about priorities. A good strategist focuses on getting a few things done right versus trying to do a multitude of tasks with average results. Rather than equally dividing your funding across the company, find the greatest exposure and enhance efforts in that specific area. Many companies recognize the significant risks with electronic media, including hard drives, PCs, and laptops. However, some organizations lack a truly secure destruction program for electronic media. Even when it comes to physical documents, most organizations will find themselves spending as much time managing customer documents with sensitive information as they do storing marketing materials that may be out of date.
- Stay current on the industry’s best practices. Don’t become complacent with current policies and procedures. Risks are always evolving and changing. Be more strategic and effective by researching best practices for policies, procedures, compliance oversight, and new technologies. Investigate industry trends and read information from peers and thought leaders. Then take the extra step to think through the potential implications of the best practices on your business.
- Think like the business. Do you know how much you are spending on records management? Can you demonstrate ways to drive increased efficiency in the organization? Earn records management investment dollars by presenting business leaders with a clear and concise business case. You can highlight benefits (tangible and intangible), expected savings, or payback and risks associated with action or inaction. Use industry research to quantify the value of the benefit and the potential cost of the risk to the business. As with many successful business cases, don’t give up if the first try isn’t persuasive. Invest time in modifying the business case and getting key stakeholders aligned, but be sure to stay consistent in your rationale for the investment.
Develop a Plan
While it’s impossible to eliminate all risks, steps can be taken to significantly reduce those facing your organization. Start with a solid plan. It’s important to think strategically about records management and how to make your business case for prioritization and funding for records management. Given such a complex environment, it is important to lay out a strategic plan that ensures you are covering all areas of risk, recognizing that it will take some time – likely years – to get the program in a position where management is comfortable with the level of risk.
First, establish a baseline. It is always important to understand where you are starting from in order to measure the benefit of your strategic plan. In addition, with regular monitoring of this data, you can determine if you are on track to meet your goals and adjust your strategies accordingly. Some potential records management metrics may include:
- annual number of breaches or potential for breach
- percentage of inventory properly indexed (could be done based on sampling)
- number or percent of records past retention period
- percentage of employees completing annual compliance training
- total number of records in the organization, separating physical and digital (this can help keep track of the growth of information)
- percentage of information requests properly filled by records management department (accurate and timely)
Next, begin outlining your strategic records management plan. Consider investing time in developing the following components:
Define success. As time management expert Stephen Covey would advise, begin with the end in mind. What are you trying to achieve as a records manager? How will you measure the success of your plan? Save money. Avoid policy fines. Create a more efficient organization. Serve and protect your customers. The list can be as unique as your organization. You can also establish metrics with each goal. Where would you like to be in one year, three years, and five years? Use the baseline assessment of your metrics to establish realistic targets.
Establish program elements. What will you include in your strategic records management program? Use industry research and data to help define what this should look like. For example, will your program include secure destruction? Will it cover both internal and external records? Will it be specific to a location, country, or region? While an effective program will typically cover all of these elements, it is important that your strategic plan focuses on those areas where the organization believes it has the greatest amount of risk.
Get tactical. Based on your assessment of the various metrics and a clear understanding of your greatest risks, outline specific items you would like to see in your records management program over the next three to five years. It is important to pick a time period over which you will have influence but that also recognizes that it cannot all be accomplished in one year. Specific tactics can include items such as employee compliance training, record retention management, securing electronic data, and enhancing security of data with vendors. Use a traditional SWOT (strengths, weaknesses, opportunities, threats) analysis to address any major gaps and also include opportunities for implementing best practices.
Be detailed. Looking ahead to five years, get detailed about what steps to take over the next year to make progress against the tactical plan. Too often, individuals set a target three to five years out in the future. They believe they are making progress against the target, but when year three approaches, nothing has changed. The key is to break the target down into achievable one-year or even half-year milestones. For example, if your goal is to enhance security of data with outside vendors, the first-year milestone might be to take an inventory of the policies for vendors handling 75 percent of your information. Based on that, identify any major areas of risk. Also be sure to include necessary resources when building out the detailed one-year plan.
Track your progress. A perfect plan is no help when you don’t use it. Establish a specific cadence for tracking your progress against the detailed one-year plan (quarterly at a minimum). Make this progress transparent to key stakeholders across the organization, and use it as a tool to ensure key decisions are made and important deadlines are met.
Finally, measure the success of your strategic planning by the impact it has on your metrics, not necessarily the ability to hit all of your milestones exactly when you were supposed to. For strategy to be effective, it has to be flexible. Always assess your progress on an annual basis, and should the environment change, be willing to change your tactics.
Businesses in all industries are recognizing the dynamic environment today in records management and realizing the need for reliable solutions. Ineffective records management and data breaches can be disastrous to customer retention and reputation. Follow best practices and develop a strategic plan to both manage and reduce risk.
Jamal Powell is global director of strategy of Recall Corporation. He is responsible for helping to shape and implement the future strategic direction of Recall.