Records Management: Maintaining Your Organization’s Information

By Joe Weller | October 25, 2017 (updated June 28, 2023)

While a company’s records management is not a profit center, handling records incorrectly can lead to financial penalties or litigation. Keeping good records helps companies protect institutional memory as well as maintain evidence of activities, transactions, and decisions. An effective records management system can save money on storage and improve an organization’s efficiency. Implement a solid records management plan before it’s too late. 

In this article, you will find everything you need to know about records management: learn the basis of a good records management program, how to implement one, why it should be a part of any company, and who should be involved in the process. We’ll also discuss the records management lifecycle and along the way, experts weigh in with their advice.

What Is Records Management?

Records management (RM), also known as records and information management (RIM), is an organizational function responsible for the creation and maintenance of a system to deal with records throughout a company’s lifecycle. RM includes everything from the creation of a record to its disposal. Essentially, it comprises anything that is part of a business transaction. 

Some people use the term information governance (IG) when talking about records management. IG is the management of information to support an organization’s present and future, keeping in mind the regulatory, legal, environmental, and operational requirements. It includes the structure, policies, procedures, and processes necessary to manage all the information stored within an organization.

What Makes Something a Record?

What makes something a record? The answer is somewhat complicated. The International Organization for Standardization (ISO) is an independent, non-governmental international organization that develops international standards to be implemented globally throughout its 162 national standards bodies. The ISO 15489-1:2001 defines records as “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.” ISO 15489 is divided into two parts: concepts and principles, and guidelines. Together, the two parts provide an outline for a comprehensive records management program.

Essentially, a record is content that documents a business transaction. A record usually does not include drafts, duplicates, or convenience copies of documents. For example, a final response to a proposal is a record, but the drafts, comments about the drafts, and correspondence about the proposal might not be. Personnel files are records, as are social media posts and instant messages (therefore, records management does not just involve paper documents). According to The Global Trade Association for Information Management Companies (PRISM), courts consider all of the following to be records: doodles on a paper napkin, core samples from oil exploration, a pipe with a part number on it, and sections of frozen tissue samples. 

A record serves as evidence of an event. Therefore, you can often take a record into a court of law to prove authenticity, reliability, integrity, and usability. Records can provide necessary documentation for an audit, court case, or other official uses. 

A record can also be anything that includes personally identifiable information (PII). Companies that are in the financial services, health, government, or legal sectors must be particularly aware of this kind of record.

Is Records Management the Same as Document Management?

Document management is part of records management since many documents are records. However, not all records are documents. Document management concerns more of the day-to-day activities involving physical or digital files, like capturing, storing, modifying, or sharing them. 

Document management has several goals:

  • Organizing existing and future documents
  • Improving workflow 
  • Allowing quick search and retrieval of documents 
  • Maintaining organization of files to reduce the number of lost and misfiled documents
  • Reducing physical storage of documents

Forms management can be an important part of records management. For many organizations, the largest volume of records consists of printed or electronic forms. 

For more information on document management, read “How to Use Smartsheet as Agile Document Management” and “SharePoint Document Management: What It Is and What It Isn’t.”

The Records Management Lifecycle

In records management, there is a lifecycle that corresponds to the stages that a record undergoes. This lifecycle covers everything from the creation of a record to its disposal. Different policies and procedures exist at each phase.



Think of the records lifecycle as a life span that begins with creation and ends with disposal or preservation. Different programs, software, and educational materials may use different names for the phases, but they are basically fixed and operate concurrently and in a continuum.

Creation is the first phase in a record’s lifecycle. It involves the receipt of a record and classification of it as a record in an organization’s records management system. Ensure that you create records correctly, which means including the right information and using the proper format. 

As people use and modify a record, it continues as a record, and you must maintain and protect it from several things, including unauthorized access and damage. Those who need records on a regular basis must have easy access to them. Different organizations follow different policies about how long they must keep a record. Active records are those that are in current use and often within close physical proximity to the people using them. An inactive record is one that a company no longer uses for current business but that you still must maintain until it reaches the end of its retention period. Even if someone is not regularly accessing an inactive record, you must maintain and protect it.

At the end of a record’s lifecycle, the records management team must decide whether to destroy or preserve the record. Within records management, systems exist to determine what happens to each record and when. The length of time that you must maintain a record differs based on several factors, including company policy and government rules and regulations. You need to keep some records forever and, therefore, institute an archival process at some point. 

Throughout the records management lifecycle, it’s essential to maintain security and privacy.

What Does Records Management Include?

Again, records management is by definition responsible for the creation and maintenance of records throughout their lifecycle. The function includes many different but related elements, all with the goal of controlling access to company or organizational records while maintaining ease of use and security. Records management can be physical or electronic, and is frequently a combination of both. 

In practice, records management usually includes a records manager. This is the person responsible for records management within the organization, but that person often has a team of people working together to create and maintain systems. In some companies and agencies, the top official, often the agency head, CEO, or CFO, is ultimately responsible for records management, even if they have hired others to do the work of actively managing records. 



“A lot of companies think anybody can do this,” says Diane Carlisle, IGP, CRM, and Information Governance Program Advisor for ARMA International, a nonprofit professional association and global authority on governing information as a strategic asset. Formed in 1955, ARMA International’s mission is to provide information professionals with the resources, tools, and training they need to effectively manage information assets within an established information governance (IG) framework. Carlisle says she knows of companies that make a big mistake by underestimating the importance of records management and hiring summer interns to do it. “It’s not filing. You really have to know and understand the business your organization is in,” she emphasizes.

According to the ISO 15489-1:2001, records management involves tasks like setting policies and standards, assigning responsibilities and authorities, establishing procedures and guidelines, providing access to management and use of records, and integrating records management into business systems and processes. Because it includes so many things, records management can be a bit daunting, but the benefits outweigh the risks.

Why Implement Records Management?

Records management is a requirement for many governmental agencies, and other companies also have systems in place. RM provides a framework to gain control over piles of paperwork and locate documents, and ensures that needed information is easily accessible and readily available. According to PRISM, an organization’s active files grow at an annual rate of approximately 25 percent, and paperwork is a huge overhead expense. Proper records management can free up precious office space. PRISM says that at any given time, between three and five percent of an organization’s files are lost or misplaced. Proper organization can help provide consistent service to clients and partners while simultaneously increasing staff efficiency and productivity. Records management is also a way to tell an organization’s history, but that job often falls under the expertise of an archivist, rather than under that of a records manager.



“Information is being created at a rate we have never seen before,” says Christian Potts, Director, Corporate Communications for Iron Mountain, a global information management company with more than 1,400 facilities in 53 countries. “A lot of companies realize they’re not equipped to handle this information. That’s why having a company like us as a partner gives peace of mind. We know how to deal with the stuff because we deal with it every day,” he adds.

Having proper records can also help a company that ends up in court. Records can show conformity to statutory requirements, provide proof of transactions, and offer protection against unauthorized access. 

Additionally, in the event of an emergency, records management can allow for continuity. After 9/11, many businesses located in or near the twin towers were only able to reopen because they had system and record redundancy. 

A records management redundancy plan should address the following:

  • Creating a records and information inventory 
  • Labeling vital records and designating them for redundancy
  • Identifying who has access to records and including a third party located off site

As part of planning for an emergency, it’s important to identify potential scenarios and to communicate the disaster plan. Simply backing up computer hard drives to a portable drive would not do a company any good in a flood or fire.

Consequences for Not Implementing Records Management

Although the consequences are not the same for every business or organization, there can be severe penalties for not having proper records management systems in place. In some cases, such as with government grants or at government agencies, there might be financial penalties or possible requirements to return grant funds. 

In other situations, the penalty might be fines, criminal charges, or imprisonment, as was the case for some individuals at Enron, WorldCom, Imclone, Arthur Andersen, and Morgan Stanley. Audits and other investigations of records at those companies found irregularities in record keeping, falsified documents, and improper destruction of documents. 

It is important to keep in mind that it could be illegal to destroy records during an open court case or investigation, even if the destruction is in line with company policy. The legal tenet of spoliation comes into play in these cases. According to Black’s Law Dictionary, “Spoliation of evidence is the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying of evidence relevant to a legal proceeding.”

The Sarbanes-Oxley Act of 2002, also known as Sarbox or SOX, created new requirements for public companies concerning records. The legislation came about after the public scandals involving Enron, WorldCom, and others. Section 802(a) reads: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

The law also allows fines of up to $1 million and prison sentences of up to ten years for CFOs and CEOs who falsely report their company’s financial status. 

Sarbanes-Oxley isn’t just about penalties. It also spells out whistleblower protection for employees who may be the ones to become aware of inappropriate behavior within an organization. Since records management professionals have extensive knowledge of their company’s records and processes, they might be the first to notice a problem. 


Who Is Responsible for Records Management?

RM responsibility varies from company to company and agency to agency. In federal agencies, the agency heads have a legal requirement to manage records, and federal employees are responsible for keeping records of their own work. 

The National Archives and Records Administration (NARA) and the General Services Administration (GSA) divide the records management oversight on a federal level. The National Archives and Records Administration Act of 1984 outlined the responsibilities of both agencies, making NARA responsible for the adequacy of documentation and records disposition and the GSA responsible for the efficiency and economy of records management. 

The United States Department of Defense (DoD) has a standard, DoD 5015.2-STD, that many other organizations have informally adopted as their own. DoD created the standard in the mid-1990s after Congress ordered the department to improve its records management. The government mandate came in response to trouble obtaining records to look into Gulf War Syndrome. In 1998, NARA endorsed the DoD functional requirements and other elements of a records management program so that other agencies could use the standards as baseline requirements for their own records management programs.

Some federal agencies, like the Securities and Exchange Commission (SEC), have their own regulations that go beyond the federal ones. Many states and state agencies also have their own rules concerning records management. Several international membership organizations exist to provide education and support about records management.

“Our members are all people who work in this field of information management, and they come from a wide variety of industries,” says Carlisle. “We have a lot of resources that help people understand their organization.” ARMA International has publications, resources, professional development webinars, and more available both for members and non-members. 

Is Records Management Just for Large Businesses?

Records management exists to provide a history of documents and decisions and to ensure continuity. These benefits apply to all companies and organizations, no matter how big or small. They even apply to individuals. 

Aside from Internal Revenue Service guidelines about tax records, there are no set standards about how long you must keep business records. Many lawyers and accountants suggest keeping original business documents for seven years, as that’s the statute of limitations for many tax audits, lawsuits, and other possible claims. The suggestions for records management for small businesses are basically the same as those for large ones. 

Even ARMA International does not publish set guidelines about what to keep and for how long — they say that requirements vary by industry, state, and country. “It depends on the industry you’re in and how regulated you are,” Carlisle points out. “The key is having a structure in place that is appropriate for the business you’re in.” 

As for personal records, experts have some recommendations. According to financial expert Suze Orman and others, here are some brief guidelines about personal record keeping.



How to Know if You Need Records Management?

If you’re uncertain about whether or not you need records management, the short answer is that every business should have some type of records management system in place. However, many companies introduce or revise records management policies and procedures after a problem emerges. Why wait until then?

A checklist can help you decide if you need a new or revised system. If any of the following statements are true of your organization, it might be time to implement records management:



How to Implement Records Management

Beginning a proper records management program does not need to be daunting. The key to the system can be the records manager, the professional responsible for records management within an organization. That person (or persons) is usually the expert in the records lifecycle and in how to maintain and protect privacy and data. It is also important to decide where the records management department fits in with an organization. Does it belong in legal services, management and audits, administrative services, information technology, or somewhere else? The answer depends on the company’s organizational structure. 


Records Management Core Information Governance Concepts

Courtesy ARMA International

Records management should also have a champion at a high level within the organization to ensure proper buy-in and compliance. Moreover, departments must work together from the outset to create, implement, and use a system. Having the technology department simply buy a system without input from other departments is not a good idea. 

Records management is most effective if implemented organization-wide, rather than just within certain departments. With the help of a records manager, taking records inventory throughout the organization is a good place to start. Doing this will give everyone a good idea of what exists and how much information you have. From this research, you will be able to identify the vital records and records that tell the history of the organization.

Next, develop retention schedules that work for your organization and follow industry, government, and ISO standards. Working within those parameters, you will more clearly discover how to manage active and inactive files. Part of the process is deciding who has and does not have access to the records, as well as who will control that access. 

There are many companies that specialize in helping with records management. Some are software-based with cloud storage capabilities. Others come in and assist with storage and management of physical records. If an organization has been around for a while, chances are its records management system includes both physical and electronic records. Although the two types of records are dramatically different, a strong system will address ease of access and protection of the record throughout its lifecycle, regardless of whether it’s physical or electronic.

“We can help you manage, store, and destroy information from the time it’s created until you are ready to get rid of it,” says Potts of Iron Mountain. “It’s not just putting stuff in the trash can on your laptop.”

Companies like Iron Mountain have facilities in a variety of locations that are far removed from seismic zones and flood zones. Iron Mountain’s facilities have multiple fire suppression systems, generators to back up the backup generators, climate control, and security. The company can store physical files as well as electronic ones, and clients can retrieve them at any time. “This is all that we do, all day, every day. It really comes down to this: If you do it on your own, you have to be so up to date on compliance and regulations in your business. It’s a lot of work,” Potts says.

Companies pay a fee for the services they want. This can save money, Potts explains, because they do not have to hire their own records management teams, and they can use precious real estate for other uses. “If you’re a law firm and you’re using space to store boxes, that’s not making you any money,” Potts says. “Not only is this stuff hard to do, but it’s also the sheer fact that real estate costs money.”

What Is a Registry in Records Management?

A registry is usually a physical place where records management occurs. It is often where paper records are filed and accessed, usually by a records manager. This manager also maintains a record throughout its lifecycle, from creation to disposition.

A registry often incorporates records management taxonomy. Taxonomy is the system of classification within a records management system. It uses a predetermined system to organize the framework for classification. Taxonomies should be easy to remember and simple to use.

Electronic Records Management

As technology becomes an increasingly significant aspect of business, records management systems have had to keep up. Records management applications (RMAs) are software applications that manage records electronically by using features to categorize and locate active records as well as identify records for disposition. These apps must be secure, reliable, permanent, and comprehensive, and they must comply with rules and regulations. 

When using any kind of electronic system, it’s important to note that simply scanning an existing paper document might not be sufficient to make it a record. Some software systems require a person to declare something a record, so the system can properly manage it. Each record must have a unique identifier to work with some systems. 

Look for something that is easy to use and has the necessary security to protect files. Some systems include document management systems (DMS) within the scope of records management. Also, look for something that guarantees an enforceable chain of custody, so you can see what a record said, how the content within it evolved, and who was involved with any changes. That kind of system can prevent unauthorized access and changes. 

Electronic records management systems need to be able to adapt and grow as technology changes. Formats change, and the documents and records saved in a particular format might also need to change. For example, floppy discs were the best technology available in the mid 1990s. Now, hardly anyone has a drive to read those discs. Records management occurs in the long term, not the short term. 

Issues That Arise in Records Management

As with any policy or procedure, records management is not free from complications and issues. Records management has been in place in public and government agencies, healthcare, and public companies for a long time, but it’s just starting to catch on in the private sector. No matter how ingrained it is within any system, there will always be compliance and legal issues.

The following issues can also be problematic:

  • Conflicts between departments, especially between records managers and IT
  • Security, data protection, and privacy, as hackers and data breaches become more advanced
  • Transparency and accountability, as freedom of information laws and other laws become more prevalent
  • Adoption and implementation, because not everyone sees records management as a top priority
  • The merging of systems, as companies acquire each other, merge, and grow together
  • The failure to recognize internet and social media posts as records as the dissemination speed of social media increases
  • Improper filing and creation of access when converting older physical records to electronic ones

Consistency across vendors and departments and proper training are also key components in the success of any records management system. Everyone needs to understand the records lifecycle and each step in the process. 

Carlisle believes many companies have a problem with one RM aspect in particular: “I think a big mistake is assuming a technology will fix all the problems you have. The technology should be the last step in the process of records management because any company should first do an analysis of workflow and basic needs before turning to technology.”

Additionally, make sure any technology allows you to dispose of records once their retention period is past. Carlisle says some systems do not allow deletions: “If you cannot get rid of something, you will not be in compliance with your retention schedule. There is definitely a harm of keeping things forever. Most of the attorneys I know who work in this space think a retention and disposition schedule should be in place. What you want is a policy that is clear, a process that is clear, and the proper documentation showing that you followed that policy and process.”

Records Management Training, Education, and Certifications

Because of the comprehensive nature of records management, there are degree programs, certifications, and professional organizations dedicated to records and information management.

The field is changing and so is some of the terminology. Carlisle says the term information assets is now more popular than records management. “It brings home the concept that information is as important as other types of assets,” she says. “Information assets are as important as talent and financial assets.”

To help records management professionals, ARMA International has conferences, webinars, and information they call their Generally Accepted Recordkeeping Principles® and Information Governance Maturity Model. Both of these resources are available to guide people through the ever-changing field of records management. “Even though the media is changing, the requirements for facilitating that information still exist. The company still needs access to use it,” Carlisle says.
