The best laid plans…implementing document retention policies


This is the third in a three part series about how to minimize the risks of being caught unprepared if you’re sued.

  • Part One, Millions At Stake, documented why it could cost your company literally millions if you weren’t complying with your document retention policy.
  • Part Two, Best Practices for Litigation Readiness, described best practices to create your policy.

But the best laid plans of mice and men come to nothing without strong implementation.

The key to implementing an effective records retention policy is support from senior management to provide the necessary resources and the authority to prioritize employee compliance with the policies even in the face of existing business priorities.  Implementation requires a dedicated effort by a multi-disciplinary team.  In larger organizations, it may be most cost effective to engage experienced consultants to assist.  In others, an internal team could be the most efficient approach.  Careful planning and flexibility on the team will help the transition into compliance.

To promote a successful implementation and identify the challenges that will impact your transition, here are some lessons we’ve learned.

To smooth the implementation, make sure to do these things during your planning.

  • Secure management’s commitment. The best way to do this is to include them on your records retention task force.
  • Identify a framework you can follow, for example, ISO 15489, and include the records manager in the process.
  • Align the implementation with the organization’s business priorities and eagerness to accept the change.  Be flexible. No one likes change!
  • Identify funding and staff requirements. Some aspects may need to be outsourced, such as systems evaluation with respect to enterprise architecture, policies and procedures gap assessment, policies and program drafting, legal research, and training.
  •  Develop a strategic relationship with IT and leverage your effort with their resources.
  • Develop realistic timelines for the different phases.

Then, as you implement, make sure to:

  • Work with in-house or outside counsel to ensure that policies and procedures are in compliance with the law.
  • Simplify your naming conventions and file structure.
  • Make sure records at the PC, desktop and PDA levels—which are under the control of their creators—will be protected, retained and disposed in accordance with the policy.
  • Roll-out the policy in phases and train all staff.
  • Ensure that a reliable reporting system is in place to identify records that need to be disposed.

Formalizing a document retention policy can be challenging, particularly if you have ad hoc information management practices and records scattered all across the company.  But it is not a lost cause. Remember that in order for a records retention policy to be effective and defensible, it must be well-designed and consistently followed.  That means strong implementation is essential.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Leave a Reply

Your email address will not be published. Required fields are marked *

We respect your personal information. Please review our Privacy Policy for more details.