Most large organizations have a global records and information management (RIM) program, even if it is as barebones as a basic policy, a retention schedule, limited in-house counsel time, and outside counsel responsible for updating the policy at set intervals or in the wake of new laws and regulations. However, such programs often focus solely on mission-critical records maintenance, especially in companies and industries subject to direct regulatory reporting requirements, and may introduce a host of unnecessary security and compliance risks.
Companies With an Inadequate RIM Program May Face Several Risks
- Too Much Data
Often, more data is retained than necessary because records managers may not be enforcing records maintenance principles with the business and stakeholders. This not only creates unnecessary day-to-day storage costs; too much data can also delay responses to discovery requirements, create a nightmare scenario for legal personnel tasked with discovery, and result in significant costs during litigation or regulatory investigation.
- Retrieval Challenges
Without a consistently defined RIM process, standard retrieval tools may not be used, making it difficult to find and cost-effectively retrieve relevant records.
- Non-compliant Data Disposition
Often, data and other records are disposed of without consideration of potential consequences, sometimes to avoid maintenance costs. This can create legal or regulatory exposure and the potential for significant fines and other penalties.
- Privacy Concerns
If you don’t know what you have or where it is, how can you comply with the various privacy regulations such as GDPR, CCPA, NYDFS 500 and others? How can you handle data subject access requests (DSARs)?
In the absence of a broad-based RIM program, these risks can materialize quickly. A pressing question for leadership is: what level of investment might produce an effective RIM program that aligns with corporate objectives and risk appetite? Whether centralized, decentralized or a hybrid-federated model, an effective RIM program can support the transparency and visibility that are vital in a world that increasingly values data protection, privacy and security.
Defining a RIM Program
- Policies and Procedures
An organization needs guidance to understand how to create, maintain and dispose of records in a defensible manner. The tools generally used to establish this guidance are policies, such as a RIM policy and retention schedules (which define record types and associated required maintenance periods, sometimes including how records should be maintained), and procedures, which are the specifics of what end users should do to comply. These guidelines may be influenced by government regulations, business needs or various other requirements.
- Oversight and Reporting
Generally, RIM is an enterprise function. To gather information and report on how it is operating, the RIM program needs to partner with other parts of the organization, such as lines of business (LOBs), HR, IT and other functions, depending on the organization’s structure.
- Operations and Delivery
Depending on the organization, the RIM program may be responsible for delivering technology capabilities, training or advisory roles. From this perspective, LOBs and other functions are clients of the RIM program.
- Stakeholder Engagement
Stakeholders across the enterprise can be diverse; it’s imperative that the RIM program adapts to their diverse needs and receives support from stakeholders across all business units and departments.
When and How Do You Secure Outside Experts?
The expertise to design and implement well-formulated RIM strategies that are consistently enforced without slowing the business process can be challenging to source within an organization.
Experts with a proven track record across companies of varied sizes and diverse industries can bring a more efficient approach and garner wider internal buy-in.
Look for RIM providers that can work with leading technologies to deliver robust solutions inclusive of:
- Records management needs assessment and gap analysis
- Records management policy and procedures development
- Legal hold policy development and implementation
- Development of retention and destruction policies and procedures
- Implementation of imaging and document management systems
- Analysis and best practice advice regarding email management
- Creation of training and communication plans and procedures
- Evaluation of enterprise content and hierarchical storage management systems
Count on Duff & Phelps’ frontline expertise to enhance your RIM program. Talk to one of our experts today.