An Electronic Records Management (ERM) Program should typically form part of a broader enterprise-wide Records and Information Management (RIM) Program in an organization, one that includes management of records in all media (hard-copy, electronic) enterprise-wide.
A RIM governance structure should have a senior management owner or “champion” (depending upon how this is defined in the organization) as well as the head of the RIM function. The structure may be defined in the RIM Program Charter or may constitute a separate document. The RIM Program referred to here is typically charged with the following (or equivalent): developing and deploying a RIM function for managing records enterprise-wide in order to ensure compliance with legal requirements and applicable RIM/industry standards and best practices, to mitigate legal risk and to meet business needs.
Various governance structures can be effective for RIM, depending upon the unique requirements of a particular enterprise. For instance, a two-level governance structure for RIM (described here) may be advisable – tweaked for your organization.
Within a two-level RIM governance structure, it may be wise to have a committee consisting of “C” level execs that oversees information governance activities of the enterprise – i.e., an Information Governance Oversight Committee (IGOC) – or equivalent. Appointing the Chief Information Officer (CIO) – if there is one – as chair of an IGOC is appropriate. This Committee, if so structured, would oversee not only the RIM Program, but also the information governance components of several other functions – such as Business Continuity Planning (BCP), Information Security and Privacy.
One level down, a RIM Advisory Committee (or RIM Oversight Board, or equivalent) would report to the IGOC. It comprises a secondary level of oversight focused exclusively on the RIM Program. This committee would consist of functional leaders across the business and should be chaired by the head of the RIM function. The rest of this blog entry focuses on how a RIM Advisory Committee could be organized within your organization.
Suggested Purpose and Responsibilities for the RIM Advisory Committee
The purpose of a RIM Advisory Committee is to provide guidance and collaboration for RIM Program development, implementation and administration. It helps to ensure that strategy and program options are developed and implemented by making recommendations and guiding processes for RIM enterprise-wide. The Committee, for example, helps the head of RIM to see that the RIM Program complies with legal requirements for record-keeping and related systems, meets the needs of the business, helps to manage and mitigate risk, and incorporates applicable standards and best practices. The line between “advice” and “decision-making” can be gray. However this committee is named, it should be clear that the head of RIM is accountable for the program – it is not a program to be run by committee. However, a RIM head that does not heed the strong advice of committee members does so at his/her peril.
The RIM Advisory Committee:
Reports to the IGOC on RIM program status, issues, risks and resource requirements and elevates critical matters for disposition.
Provides recommendations on the content, systems, structure and implementation of the RIM Program (including communication and training).
Provides review of key RIM documents.
Recommends benchmarks and timetables to achieve RIM Program goals.
Provides guidance for RIM Program monitoring and audit.
Provides advice to ensure that requirements of related and/or impacted functions (e.g., Legal, Privacy, and Information Security) and business needs are reflected in the RIM Program.
Reviews key RIM docs (e.g., Charters) annually and recommends modifications as needed.
Proposed Membership and Responsibilities:
Core Team Members should include representatives from the following areas: RIM Director (Chair), Information Technology (IT), Legal, Compliance, Risk, Finance, Marketing, Quality and representatives from business areas. Depending upon your specific organization, there may be more or fewer functions represented. Some key roles and responsibilities for the RIM Advisory Committee are identified below:
All members shall provide advice, guidance and collaboration for RIM, including ensuring that RIM requirements are properly integrated within other relevant policies and practices.
The RIM Director, who is responsible for managing the RIM program, shall chair the Committee, identify RIM requirements and risks, draft RIM materials for Committee review, report the status of the information governance portions of the RIM Program to the IGOC, make recommendations for RIM enhancements, and interface with members from all organizational functions impacted by RIM to ensure that requirements are met.
The IT representative(s) shall ensure that the technology strategies and systems selected and used in the enterprise interface effectively with RIM systems, provide functionality needed to adhere to RIM requirements (e.g., implementation of the Records Retention Schedule in electronic systems) and are secure and of proper scale. IT members shall also help ensure that proposed RIM practices are feasible from a technology perspective. The IT Department also collaborates with RIM to develop an Electronic Records Management System (ERMS), which may be a series of systems and applications.
The Legal representative shall ensure that the RIM Program addresses federal and state/provincial records requirements, requirements for legal holds and e-discovery and adequately manages and mitigates legal risk. Areas of legal risk will differ depending upon industry sector, jurisdiction, and unique business functions.
The Risk Management representative shall advise the RIM Program, taking into consideration the risk profile of the organization and shall also ensure that compliance audits are undertaken.
The Finance representative shall provide guidance related to financial issues that impact RIM and the organization.
The Quality representative shall provide advice and guidance related to quality assurance for the RIM Program and its execution in the enterprise.
Business representatives (core team and ad-hoc; as needed) shall facilitate the RIM Program implementation within their respective areas and ensure that the RIM Program incorporates business needs. For example, a member of the Human Resources Department must be involved in ensuring proper management of employee records and protection of employee privacy.
The Committee should meet at least every month in a meeting called by the RIM Director, to review program needs, make appropriate recommendations (including RIM policy and procedure modifications), assess issues and address roadblocks to execution. Meetings may be conducted by telephone or other means. Committee review and guidance may be conducted electronically.
The RIM Governance structure should encompass RIM in the organization – including records in all media, enterprise-wide. It should be constituted to ensure that there is buy-in, support and appropriate guidance from key organizational stakeholders such that all organizational requirements for RIM are met. The number of levels and the membership for each committee will differ, depending upon the structure and needs of specific organizations. Appropriately functioning, the RIM Governance structure will go a long way toward ensuring that an organization has a “defensible” RIM program – one that can be shown to be trustworthy to the courts, regulatory agencies and others.
The opinions rendered are those of the author and do not represent the opinions of her employer (Consumer Reports) or AIIM.