An information governance program enables an organization to mitigate risk, achieve business objectives, comply with regulatory requirements, and reduce costs associated with regulatory penalties, storage and lost productivity.
A key step to effectively governing your information assets such as contracts, investor contact information, customer credit card information, and employee benefit records is to establish policies and guidelines that clearly define for employees how to store and share records, how long to keep those records, how to keep them safe, and how to dispose of them properly.
Defining a clear framework for employees regarding information management is key. It is also essential to involve leadership and key stakeholders within your organization to create these policies and guidelines for how employees should handle your organization's information assets.
Creating organizational policies and guidelines such as a records retention schedule and policies regarding email management, document and information sharing, protection of private information, correct disposition methods, and device use gives employees clear guidance for handling your organization's information assets.
Here are a few examples of policies and guidelines we’ve found to be critical to employee success regarding information management.
Inventory Your Information Assets:
Knowing what records your organization has is the critical first step. This is done by creating an inventory of your information assets. The records and data your organization creates and manages help keep your business running and your doors open. But what are those records?
Which records at your organization are essential to meet business and regulatory needs, and how long must they be kept?
Which records hold private and sensitive information related to employees, customers, and contractors?
Where are those records, who manages them and what software applications are they stored in?
Where is your organization’s intellectual property stored?
Have you identified all the records your organization categorizes as confidential and classified, meaning those whose release or leak could damage your business and reputation or expose you to fines and other penalties?
Identifying your information assets and who manages them allows your organization to more effectively govern that information, leading to better compliance and increased resilience when it comes to employee turnover, mergers and acquisitions, and cyber attacks.
Create a Records Retention Schedule and Policy:
Once you have an inventory of your information assets, the next step is to create a schedule that will give clear guidance to employees for how long to keep those records based on the regulatory, legal and business needs of your organization.
A records retention schedule will empower your employees to defensibly dispose of records. It is the foundation of an information governance program - you need to know what information you have in order to manage it effectively.
Create a records retention schedule. The schedule should identify what is considered a record within the organization and establish how long each record must be kept. The retention period for each type of record is determined according to regulatory requirements as well as business need. The schedule will provide clear guidelines for when records can be defensibly disposed of.
Create records retention policies and guidelines that give employees direction for following the retention schedule and correctly disposing of records. These should include appropriate disposition instructions for hard copy, digital, and other media formats.
An information asset inventory and retention schedule also allow for delivery of “need to know” information to end users. Employees don’t have to manage or consume an entire retention schedule, but instead can have access to what they need to know to complete the job functions that they or their group/department is responsible for. In other words, Accounting shouldn't have to sort through Management's or Development's records but instead should have direct access to the information assets in the inventory and schedule that they are responsible for.
Create Email Retention Policies and Guidelines:
Create a policy and procedures that maintain clear guidelines regarding what to do with emails that qualify as records, with appropriate timelines and correct methods for deletion. You may want to consider using an email archiving software solution or service.
Create End-user Device Policies and Guidelines:
Information assets are routinely stored by employees on company-owned and personal devices other than office desktops. This makes control of that information tougher and more complex. Robust internal policies and guidelines around mobile devices, including laptops, mobile phones, tablets, and portable storage media such as flash drives, will give employees strong guidance and set out the consequences should those rules be broken.
Create Policies and Guidelines to Guide Software Application Acquisition:
Software applications are ubiquitous - some organizations use up to hundreds of applications in their daily business operations for tracking sales, managing benefits administration, running payroll, completing accounting functions, tracking customers, investors and employees, and much more. These applications may contain private and sensitive data such as employee, customer, donor, or third party social security numbers, personal addresses and phone numbers, and credit card numbers.
To effectively manage your information assets it is important to know what software applications are currently being used that contain private and sensitive information and other important records (intellectual property, etc.) and by whom, as well as what software applications are no longer in use that still contain private and sensitive information.
Your information governance policies and guidelines should delineate a clear set of steps, and potentially gatekeepers, for acquiring new applications. Then use your records retention schedule to map which applications contain records and private information, allowing your organization to confidently maintain knowledge of where that private and sensitive information is being stored. In addition, this will be important information in the future when those applications are retired.
Use ARMA's Generally Accepted Recordkeeping Principles as a Resource:
ARMA's Generally Accepted Recordkeeping Principles outline the eight core principles that are the global standard for good practices in information governance. These Principles provide a high level framework for how an organization's information governance program can maintain and protect its information assets. These guiding Principles refer to how an organization should have policies for compliance and disposition of information assets.
Information management and governance is complex and continuous. Your organization may want to consider hiring a consultant to assist with developing a record retention schedule, determining appropriate policies, and writing policies and guidelines. You may also choose to implement a software solution to manage your information assets and record retention schedule. There are various consultant and software solutions available in the field.
iGMapware's consulting and software services help organizations create and optimize their information governance, records management and compliance programs through identifying and managing their information assets. Our most popular professional services include:
Designing and building an information inventory and data map of your organization’s information assets, including a records retention schedule
Data analysis and metrics of your information assets to inform planning to reduce information risk
Records management and information compliance programs
Legal retention and privacy regulatory research
iGMapware software implementation consulting, including configuration, training and other support services
Using software like iGMapware will help your organization create an information asset inventory and records retention schedule to identify what your information assets are, their location, media type, which users have access, what private information they contain, their security level and what application(s) they are contained in. The software is highly configurable to meet the specific needs of your organization, as well as scalable - it's easy to start small and grow as needed.
Reach out to the iGMapware team to discuss whether we would be a good fit for your organization's information asset inventory and retention schedule needs.
Generally Accepted Recordkeeping Principles® ©2017 ARMA International, www.arma.org.
Rouse, M. (2016, December). Information Governance. Retrieved from: https://searchcompliance.techtarget.com/definition/information-governance