Managing records is a basic compliance competence, so crafting a records management strategy should be one of your central concerns. It's important to remember that the actual implementation of the records management solution, while not the first concern, is certainly the most important -- and most difficult -- part of the process.
Failed implementations are one of the worst-case scenarios. For one thing, you've already spent a considerable amount of time, money and energy in the planning and attempted execution of your records management strategy. If you don't reach your intended information management goals, you're no better off functionally than when you started -- and you're also out of that precious time, money and energy.
It's the last few steps of implementing a solution that count for all the marbles. Without a successful implementation of the records management solution, your overall strategy will not be effective.
The best method for ensuring a solid records management implementation is following an audit-driven approach, which ensures that the right people are driving the requirements and that the requirements are complete and fully vetted by all stakeholders. It also helps prevent bureaucracy and politics from determining the outcomes and keeps everyone focused on the objective.
Here is the basic flow of a records management system implementation using an audit-driven approach:
- Work with the auditors to build a solid audit kit that includes a performance scorecard, an audit plan and self-assessment plans.
- Build or buy records management solution components that help progressively pass the requirements on the scorecard.
- Have the auditors manually test and/or build automated tests to see if the records management components are aiding passage of the scorecard's requirements.
- Once you have a release candidate that passes the applicable automated tests, have the auditors conduct a final audit.
- If their scorecard passes all of their items, celebrate. If not, go back to step 2.
The final scorecards should audit comprehensive competence in anything and everything that's required of your records management function.
The final scorecards should audit comprehensive competence in anything and everything that's required of your records management function. You should certainly work with your auditors and legal department to find out exactly what these needs are, and to develop a records management strategy that's both comprehensive and practical.
I've always been an advocate of building a solution in-house because you ultimately have more control over it. It's perfectly acceptable, however, to work with a vendor's solution if it meets all of your records management requirements. This is why I can't overemphasize the value of the scorecard -- it is a golden key that drives your records management success.
Whether or not you're working with vendors, approach records management functionality in chunks. This is similar to using a pilot program, except a pilot implies a smaller version of a larger effort. Progressive functional deployments are small pieces that ultimately aggregate to a larger whole. But, in both cases, developing small, functional records management components is the objective.
Realize your records management goals
Records management is about producing the right evidence when it needs to be produced and ensuring the wrong evidence is not available. Record disposal is as important as retention. Both physical and electronic records must be in scope, and they should have the same taxonomy for metadata and the same storage strategy.
The retrieval time for any piece of evidence should be quick if you plan to build any sort of audit presence. There are many levels of sophistication when it comes to a legal department's requirements, but the system should at least be able to execute a litigation hold. Finally, the system must be secure and able to defend successfully against identity theft and other forms of privacy invasion.
Most importantly, a successful records management implementation begins and ends with the auditors. If you spend time with them up front to develop the right scorecard, the final steps are much easier.
More on records management strategy
How to develop a good organizational records management strategy
The challenge of information management and governance in modern business
As a final word of caution: Make sure to stick to your guns with the scorecard. Under mounting pressure from upper management, it's tempting to start reconsidering requirements if the auditors don't pass your records management solution right away. Don't cave in to this temptation -- this is not the time to negotiate with your auditors. It will only put your records management strategy and your organization at risk.
That's why it's important in the beginning stages of your records management strategy's development to make sure the scorecard is comprehensive and practical. It's OK to fail some nice-to-have functions as long as the scoring rules for the overall scorecard allow for it. Remember, these are rules that you establish at the beginning of the program, and they should not be modified when there's pressure to wrap things up.
Following an audit-driven approach targeting small chunks will prevent this uncomfortable situation. Audit records from prior targets will clearly indicate where there are problems with the records management solution. Aside from massive regression-related issues (which are uncommon at the last moments), if your functions tested well in the last release they should test just as well in the next one. That's why the final pass, while significant, shouldn't be laden with anxiety. If done right, the final steps are to sit back, smile and watch the auditors pass everything.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. Write to him at firstname.lastname@example.org. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.