ERM Elements from the Inside Out

By Julie Gable posted 04-08-2010 15:37


If you’re doing ERM, chances are you either volunteered for it, were assigned to it, or incredibly, actually chose the field because you’re interested in it. You may be an IT person, a lawyer, a compliance officer, or a records manager. Those in finance, HR, or plant management may also find themselves involved.

Regardless of your route, you’ve reached the point where you already know certain truths about ERM. For example, technology by itself is not the answer; to make ERM actually work requires building blocks: policies, retention rules, procedures, training, and audit.

Collectively referred to sometimes as information governance, these elements have an internal and an external purpose. Within the organization, they are guidance that drives how an ERM system will work and how it will be used. Externally, each element speaks volumes to the outside world of regulators, inspectors, and litigators. On a chart, the relationships would look like this:

ERM Program Element

Internal Purpose

Demonstrates to Outsiders


Stated reasons for making, keeping and disposing of records

Consistent approach to information management

Retention Rules

Guidelines on what to keep for how long

Systematic, uniform advice


How records are handled routinely and in specific circumstances

Ongoing control


Uniform understanding

Expectation of responsibility


Measure compliance with internal rules

Expectation of accountability

You need the elements to configure the ERM system at set up. Designing or revising ERM program elements is a balancing act. What gets put in place has implications for what it takes to operate and maintain the system, as well as what can be demonstrated to outsiders in times of crisis. Here are some tips to consider:

Policies convey the organization’s overall approach to e-records control and are best when they are broad. Effective policies clearly state that the organization:

  • Creates accurate, reliable, and trustworthy records needed to operate effectively;
  • Complies with all applicable regulations and requirements;
  • Keeps records for specific time periods;
  • Destroys records no longer needed in the due course of business; and
  • Suspends destruction if investigation or litigation is pending or imminent

Retention rules should be as simple as possible. Finite time periods work better than event-based triggers if you want to automatically calculate destruction dates. Retention rules also imply that some categorization has taken place so that groups of related records are treated in the same way. (More on file plans in later posts.) Simpler rules and larger categories are easier to explain to outsiders.

Procedures depend on business processes and policies. At a minimum, have written procedures for when and how the organization:

  • Destroys records that have reached full retention
  • Suspends destruction if a legal or tax hold is in place
  • Updates and approves changes to the ERM program

Training should be mandatory for all employees with attendance records kept as proof that the organization makes everyone responsible for ERM. Training should include ERM principles, not just how to use an ERM system in place. Most firms do Web-based training with self-certification once per year.

Auditing the ERM program means checking on whether the company is in compliance with its own policies and procedures. This often-overlooked component of information governance can go a long way toward proving that an organization takes ERM seriously. The audit results can also point out gaps in procedure or the need for more specific training.

#recordspolicies #audits #retention #Career #ElectronicRecordsManagement #InformationGovernance #training #RMisnottechnology