Putting Policy into Practice

  • Published on
    01-Jan-2016


DESCRIPTION

Putting Policy into Practice: how to develop and implement an effective RIM policy. Agenda: understanding what a policy is (and isn't); basic policy characteristics; fundamental policy components; obtaining policy approval; distributing the policy; auditing for compliance. (PowerPoint PPT presentation)

Transcript

  • PUTTING POLICY INTO PRACTICE

    How to develop and implement an effective RIM policy

  • AGENDA

    Understanding what a policy is (and isn't)
    Basic policy characteristics
    Fundamental policy components
    Obtaining policy approval
    Distributing the policy
    Auditing for compliance

  • WHAT A POLICY IS (AND ISN'T)

    A policy instructs employees what to do; it does not say how to do it (that is a procedure).
    When drafting a policy, it is recommended to make notes of subject matter that will require an associated procedure.

  • BASIC POLICY CHARACTERISTICS

    Simple
    Concise
    Relevant/specific
    Enforceable

  • BASIC POLICY CHARACTERISTICS

    Simple

    Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.
    The policy should be constructed and worded so that it can be understood by all employee levels. Remember, you know the subject matter; don't assume the policy reader does.

  • BASIC POLICY CHARACTERISTICS

    Concise

    A policy does not have to be long to be effective.
    The shorter the better; a concise policy will increase readership.
    Avoid "long email syndrome".

  • BASIC POLICY CHARACTERISTICS

    Relevant/specific

    The policy should address relevant issues and provide specific direction that will guide employees' decision-making.
    Policies that aren't specific inevitably lead to inconsistent employee behavior.
    Inconsistency leads to reduced policy compliance and an increase in organizational risk.

  • BASIC POLICY CHARACTERISTICS

    Enforceable

    It's assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what's contained in a policy can and will be followed.
    The policy shouldn't include any elements or directions that employees are incapable of following; this may be due to a lack of technology, resources or training.

  • FUNDAMENTAL POLICY COMPONENTS

    Purpose
    Scope
    Glossary
    Audits
    Vital records
    Retention schedule
    Information hold orders
    Record storage
    Network and hard drives
    Email
    Information destruction

  • FUNDAMENTAL POLICY COMPONENTS

    Purpose

    The purpose states the reason for (or objective of) the policy.
    Example: "The purpose of this policy is to ensure the complete lifecycle management of organizational information."

  • FUNDAMENTAL POLICY COMPONENTS

    Scope

    The scope communicates what and who the policy applies to.
    Example: "This policy applies to all company employees and governs the management of physical and electronic information."

  • FUNDAMENTAL POLICY COMPONENTS

    Glossary

    A policy often includes terminology that's unfamiliar to employees. It's recommended that the policy contain an appendix of terms with definitions.
    If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.

  • FUNDAMENTAL POLICY COMPONENTS

    Audits

    The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.

  • FUNDAMENTAL POLICY COMPONENTS

    Vital records

    The policy should contain a section on the identification and protection of the organization's vital records.
    Example: "It's the responsibility of each department head to identify their operation's vital records."
    It's important to clearly define the term "vital records"; the term is often misinterpreted by business owners.

  • FUNDAMENTAL POLICY COMPONENTS

    Retention schedule

    Specifically address the purpose of the retention schedule and the requirement that it be followed.
    Additional information can be added to this section of the policy to address requests for modifications to the schedule.

  • FUNDAMENTAL POLICY COMPONENTS

    Information hold orders

    All employees should fully understand their responsibility regarding information hold orders.
    The policy should clearly state that any information on hold, regardless of the reason or matter, should be retained, even if the retention period of the information has expired.

  • FUNDAMENTAL POLICY COMPONENTS

    Record storage

    The policy should state that organizational records are only to be stored with approved vendors.
    In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.

  • FUNDAMENTAL POLICY COMPONENTS

    Network and hard drives

    The policy should provide guidance on the use and maintenance of network and hard drives.
    Example: "Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization."

  • FUNDAMENTAL POLICY COMPONENTS

    Email

    The policy should take into consideration what technology the organization has implemented related to email management.
    Some organizations have a separate email usage policy that typically does not address information management.

  • FUNDAMENTAL POLICY COMPONENTS

    Information destruction

    The policy should address proper methods for the destruction/deletion of physical and electronic information.
    This section of the policy would also state that only approved destruction vendors are to be used.
    Certificates of destruction are to be received and appropriately retained.

  • OBTAINING POLICY APPROVAL

    Group effort

    Before distributing the policy throughout the organization, it may require review and approval by other departments:
    Internal Audit
    Legal
    IT
    Compliance
    Example: if the policy states that compliance is subject to audit, then you want to ensure that the Internal Audit Department can support the statement.

  • DISTRIBUTING THE POLICY

    Hardcopy
    Softcopy/email with attachment
    Intranet

  • DISTRIBUTING THE POLICY

    Hardcopy

    Least recommended option
    Periodic updates
    In smaller organizations this approach may be appropriate.

  • DISTRIBUTING THE POLICY

    Softcopy/email with attachment

    Not recommended, for similar reasons (periodic updates).
    Allows for easier distribution vs. hardcopy.
    Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed the policy.

  • DISTRIBUTING THE POLICY

    Intranet

    Recommended approach
    Have the employee come to the policy rather than sending the policy to the employee.
    Email with link
    The link can be part of a RIM Intranet page.
    Reality check: employees can still print the policy from the Intranet, creating stale information.

  • AUDITING THE POLICY

    Developing an audit plan
    Communicating the audit
    Documenting audit findings

  • AUDITING THE POLICY

    Developing an audit plan

    Audit areas
    Testing
    Communication
    Audit findings report

  • AUDITING THE POLICY

    Audit areas

    The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include the policy areas that, if not complied with, create the greatest potential for risk.
    Fundamental policy components

  • AUDITING THE POLICY

    Policy components to audit

    Policy acknowledgement
    Vital records
    Retention schedule
    Information hold orders
    Record storage
    Network/hard drive maintenance
    Destruction

  • AUDITING THE POLICY

    Communicating the audit

    Before conducting an audit, it's recommended that you notify the management team of each department of:
    Proposed dates
    What will be audited
    How to prepare for the audit

  • AUDITING THE POLICY

    Documenting the audit findings

    Provides information on the results of the audit:
    Areas of compliance and noncompliance
    Classifying the severity and causes of the risk posed by noncompliance
    Recommendations for resolution
    Action plans
    Resolution dates
    Re-audits

  • THANK YOU!

    Q & A TIME