Logo Rob Buckley – Freelance Journalist and Editor

Golden retrieval

Golden retrieval

Developing a dependable document retention, retrieval and destruction strategy demands a measured, step-by-step approach

Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages

As compliance legislation starts to bear down on organisations in almost all sectors, record retention is becoming a task even the most paperless of offices can not avoid.

Emails, customer correspondence, employee records, spreadsheets and countless other documents are potentially under the control of regulations such as the Freedom of Information Act, the Data Protection Act and innumerable more mundane legislation, such as the VAT Act and the Finance Act.

Many organisations are, therefore, now having to overhaul - or establish - a business-wide records retention, retrieval and destruction policy. Ensuring that is done successfully, say specialists, depends on taking a measured, step-by step approach.

Step one
The first step is to appoint someone to head the project. That person needs a firm understanding of the business and how it operates; the ability to digest the legal, corporate and regulatory requirements that will be encapsulated within the records management policy; and the ability to get management backing for the project.

Liz Maloney, managing director of enterprise content management specialist Hummingbird, says that in her experience, projects tend to be more successful if the project leader comes from a business, rather than a technical, background, and if they already hold a senior position.

“It's a lot easier to teach someone about records management than it is to teach them business skills. Business skills generally come from experience rather than training,” she says. It is also easier for someone with strong business connections to get the support required to implement and enforce the policy.

However, if a business leader is chosen, it is vital that someone else with records management skills forms part of the team devising the policy.

Step two
With the right person in charge of the project and the backing of senior management, an assessment of assets can begin. These assets include both the documents that the organisation has and any records management policies that might already be in existence, whether informal, departmental or otherwise.

“Even in quite small firms, there's someone responsible for records management, even if they're not called a records manager,” says Maloney of Hummingbird. “They might be a senior personal assistant, they may report to the facilities department, but there's usually someone.”

This 'records manager' - or 'records managers' - may not have a written policy, but he or she can describe existing processes, such as how things are filed, how long they are filed for, how people can retrieve documents, when they are archived and even when they are destroyed. This policy can then form the basis of the new organisational policy.

If, as generally happens, there are different policies for different units, they need to be combined as much as possible, not only to prevent inconsistencies, but also to get as much benefit as possible from an organisation-wide policy.

While old policies are usually geared only towards paper records, may lack many qualities of a robust records management policy and will not necessarily exemplify best practice, they will describe existing business processes, which can be built upon.

This often prevents a massive exercise in change management from having to take place and fills in the blanks left by regulations and guidelines, which rarely specify actual processes, merely steps or outcomes that have to occur.

It will also ensure that paper and electronic documents do not have significantly different policies, which could cause the two to fall out of sync.

Step three
The next step is to conduct a review of the records created by each business unit. As well as ensuring that the records policy matches existing business processes, consulting with the business units will improve the chances of getting buy-in from them.

Andy Maurice, head of consultancy at Iron Mountain, recommends looking both at what each unit uses in day-to-day business and what is generated less frequently. “You can then identify different types of record classes: you may, for example, be able to treat invoices and purchase orders in the same way; but tax records would have to be treated differently.” Depending on the organisation, says Maurice, there could be hundreds or even thousands of different record classes that need studying.

With those classifications developed, the project team can look at the requirements for each class of record. Regulatory bodies for various vertical markets can often provide details of the regulations that apply to particular record types and the organisation in general. The government can provide details of legal requirements that are specific to the industry and also on more horizontal requirements, such as health and safety records, pensions and so on.

Adam Lee, European marketing manager of Objective Corporation, warns not to rely on either the government or regulatory bodies to provide best practice. “The FSA, for instance, provides a lot of guidance, but no mandatory way of doing things. It likes words like 'robust and demonstrable', which means whatever it wants them to on the day.”

Best practice information, he adds, is more likely to be found from consultancies or other organisations. These need not be in the same market: public sector organisations are generally ahead of the private sector in records management strategies; and legal, pharmaceutical and financial services companies have had to cope with retention and retrieval policies for many years.

Step four
Following the business asset survey and regulation review, the policy team can then start to draw up general guidelines on retrieval practices and decide who should be able to access which documents, although often the exact details will need to be tweaked during the initial stages of implementation.

One important task is to draw up schedules for the retention of documents, including the minimum amount of time documents need to be kept for. “The policy does not need to be too detailed at first, but you need the retention schedules from day one. They are what will kill you if you don't get them right, since that's what the regulators will clamp down on,” says Maloney.

Having the right schedules at the beginning also means policies do not have to be improvised or retrofitted if unplanned events such as mergers and acquisitions cause units to close.

Not all retention policies will be simple. While most regulations only stipulate a minimum retention period, there are some, such as the Data Protection Act, that specify maximum amounts of time.

There are other regulations, particularly related to pensions, that are not periods such as “five years”, but may be more algorithmic: “period of relationship between customer and organisation”, “lifetime of customer” and potentially even “lifetime of customer and his or her next of kin”. So organisations need to be aware that their records policy may not be totally automatable.

Organisations also need to consider maximum storage terms, because apart from the overheads of long-term storage of paper documents, keeping documents longer than necessary can lead to problems during legal disputes and make it harder to find relevant documents during retrievals.

“You should not underestimate the costs associated with keeping documents for unreasonable periods of time,” says Ashley Bailey, managing director of Pitney Bowes Management Services.

“As long as you're complying, you should encourage an active document destruction policy. We've helped clients take out huge amounts of cost through document management policies: untrained staff will often create an archive file with literally everything in it, whether appropriate or not. Typically, 50% of an archive should not ever have gone in there, let alone be stored.”

Firms concerned about deleting potentially useful records can instead have a document review policy that flags up records due for deletion so they can be checked before destruction.

“Some people call it a destruction date. Some call it a review date. Our systems produce monthly report documents for customers. If they want to go ahead and delete documents, we get them to sign off and then provide them with a certificate to say their document has been destroyed,” says Maurice.

Destruction policies need to be clear on when the retention date begins: it might be from the date the organisation creates or receives the document, or it might be at some later date. The records policy can then codify that date for each record type.

Although the temptation is to put as much as possible into the document at this stage, this can prevent the policy being adopted, since it will make it unwieldy and unusable for most employees. The policy should at least stipulate, beyond regulatory and business requirements, where the records are kept, and in what media, particularly if the company is looking to employ an information lifecycle management strategy. Each record class can then have details of when it will be archived to nearline or offline storage.

If the organisation also has paper documents, the policy can stipulate which documents can be converted into electronic format and how to reference the paper documents within a physical records management system.

Any electronic records management system must usually, therefore, be able to manage both kinds of documents in order to provide a single view on both kinds of information - something essential to efficient retrieval.

Step five
With the initial policy drawn up, the team needs to implement it throughout the organisation, making clear the penalties for failing to stick with the processes. But the policy will need to remain fluid.

Bob Pitman, European business development manager at Hyland Software, says that there must be regular reviews of the processes as they are implemented as well as the policy itself. “You should review in anticipation of key events, such as when new standards come out of the FSA, or every time you create a new process or launch a new product,” he says. With many new regulations impending, such as the UK's forthcoming Companies Bill, no policy can remain static for very long either at the moment.

By ensuring both the policy and the systems have flexibility, the organisation can ensure it remains agile and responsive to changes.

The arrival of the Sarbanes-Oxley Act in the US has brought about the advent of software tools for documenting processes, so the possible overheads of adapting policies to new processes can be avoided to some extent through the adoption of these tools.

While developing a records retention, retrieval and destruction policy might seem a daunting task, by using existing processes and expertise, the scope of the problem can be reduced.

If implemented properly, such policies can save organisations money by cutting storage requirements and making processes more efficient. But most important of all, they can also save organisations from legal actions and the wrath of regulators.

Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages

Interested in commissioning a similar article? Please contact me to discuss details. Alternatively, return to the main gallery or search for another article: