Page 1: Putting policy into practice

PUTTING POLICY INTO PRACTICE

How to develop and implement an effective RIM policy

Page 2

AGENDA

Understanding what a policy is (and isn’t)
Basic policy characteristics
Fundamental policy components
Obtaining policy approval
Distributing the policy
Auditing for compliance

Page 3

WHAT A POLICY IS (AND ISN’T)

Instructs employees what to do (Policy), not how to do it (Procedure).

When drafting a policy it is recommended to make notes of subject matter that will require an associated procedure.

Page 4

BASIC POLICY CHARACTERISTICS

Simple
Concise
Relevant/specific
Enforceable

Page 5

BASIC POLICY CHARACTERISTICS

Simple

Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.

The policy should be constructed and worded so that it can be understood by all employee levels.

Remember – you know the subject matter – don’t assume the policy reader does.

Page 6

BASIC POLICY CHARACTERISTICS

Concise

A policy does not have to be long to be effective.

The shorter – the better; a concise policy will increase readership.

Long email syndrome

Page 7

BASIC POLICY CHARACTERISTICS

Relevant/specific

The policy should address relevant issues and provide specific direction that will guide the employee’s decision-making.

Policies that aren’t specific inevitably lead to inconsistent employee behavior.

Inconsistency leads to reduced policy compliance and an increase in organizational risks.

Page 8

BASIC POLICY CHARACTERISTICS

Enforceable

It’s assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what’s contained in a policy can and will be followed.

The policy shouldn’t include any elements or directions that employees are incapable of following – this may include lack of technology, resources or training.

Page 9

FUNDAMENTAL POLICY COMPONENTS

Purpose
Scope
Glossary
Audits
Vital records
Retention schedule
Information hold orders
Record storage
Network and hard drives
Email
Information destruction

Page 10

FUNDAMENTAL POLICY COMPONENTS

Purpose

The purpose states the reason for (or objective of) the policy.

Example: The purpose of this policy is to ensure the complete lifecycle management of organizational information.

Page 11

FUNDAMENTAL POLICY COMPONENTS

Scope

The scope communicates what and who the policy applies to.

Example: This policy applies to all company employees and governs the management of physical and electronic information.

Page 12

FUNDAMENTAL POLICY COMPONENTS

Glossary

A policy often includes terminology that’s unfamiliar to employees. It’s recommended that the policy contain an appendix of terms with definitions.

If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.

Page 13

FUNDAMENTAL POLICY COMPONENTS

Audits

The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.

Page 14

FUNDAMENTAL POLICY COMPONENTS

Vital records

The policy should contain a section on the identification and protection of the organization’s vital records.

Example: It’s the responsibility of each department head to identify their operation’s vital records.

It’s important to clearly define the term vital records – the term is often misinterpreted by business owners.

Page 15

FUNDAMENTAL POLICY COMPONENTS

Retention schedule

Specifically address the purpose of the retention schedule and the requirement that it be followed.

This section of the policy can also address how requests for modifications to the schedule are to be submitted and handled.

Page 16

FUNDAMENTAL POLICY COMPONENTS

Information hold orders

All employees should fully understand their responsibility regarding information hold orders.

The policy should clearly state that any information on hold, regardless of the reason or matter, must be retained, even if the retention period for that information has expired.

Page 17

FUNDAMENTAL POLICY COMPONENTS

Record storage

The policy should state that organizational records are to be stored only with approved vendors.

In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.

Page 18

FUNDAMENTAL POLICY COMPONENTS

Network and hard drives

The policy should provide guidance on the use and maintenance of network and hard drives.

Example: Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.

Page 19

FUNDAMENTAL POLICY COMPONENTS

Email

The policy should take into consideration what technology the organization has implemented for email management.

Some organizations have a separate email “usage” policy, which typically does not address information management.

Page 20

FUNDAMENTAL POLICY COMPONENTS

Information destruction

The policy should address proper methods for the destruction/deletion of physical and electronic information.

This section of the policy should also state that only approved destruction vendors are to be used.

Certificates of destruction are to be received and appropriately retained.

Page 21

OBTAINING POLICY APPROVAL

Group effort

Before distributing the policy throughout the organization, it may require review and approval by other departments:

Internal Audit
Legal
IT
Compliance

Example: If the policy states that compliance is subject to audit – then you want to ensure that the Internal Audit Department can support the statement.

Page 22

DISTRIBUTING THE POLICY

Hardcopy
Softcopy/email with attachment
Intranet

Page 23

DISTRIBUTING THE POLICY

Hardcopy

Least recommended option.

Periodic updates are the main drawback.

In smaller organizations this approach may be appropriate.

Page 24

DISTRIBUTING THE POLICY

Softcopy/email with attachment

Not recommended – for similar reasons (periodic updates).

Allows for easier distribution v. hardcopy.

Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed it.

Page 25

DISTRIBUTING THE POLICY

Intranet

Recommended approach.

Have the employee come to the policy – rather than sending the policy to the employee.

Email with link. The link can be part of a RIM Intranet page.

Reality check – employees can still print the policy from the Intranet, creating stale information.

Page 26

AUDITING THE POLICY

Developing an audit plan
Communicating the audit
Documenting audit findings

Page 27

AUDITING THE POLICY

Developing an audit plan

Audit areas
Testing
Communication
Audit findings report

Page 28

AUDITING THE POLICY

Audit areas

The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include the policy areas that, if not complied with, create the greatest potential for risk:

Fundamental policy components

Page 29

AUDITING THE POLICY

Policy components to audit

Policy acknowledgement
Vital records
Retention schedule
Information hold orders
Record storage
Network/hard drive maintenance
Destruction

Page 30

AUDITING THE POLICY

Communicating the audit

Before conducting an audit, it’s recommended that you notify the management team of each department of:

Proposed dates
What will be audited
How to prepare for the audit

Page 31

AUDITING THE POLICY

Documenting the audit findings

Provides information on the results of the audit:

Areas of compliance and noncompliance
Classifying the severity and causes of the risk posed by noncompliance
Recommendations for resolution
Action plans
Resolution dates
Re-audits

Page 32

THANK YOU!

Q & A TIME
