Putting Policy into Practice

Putting Policy into Practice: how to develop and implement an effective RIM policy. Agenda: understanding what a policy is (and isn't); basic policy characteristics; fundamental policy components; obtaining policy approval; distributing the policy; auditing for compliance. (PowerPoint presentation)


PUTTING POLICY INTO PRACTICE

How to develop and implement an effective RIM policy

AGENDA

  • Understanding what a policy is (and isn't)
  • Basic policy characteristics
  • Fundamental policy components
  • Obtaining policy approval
  • Distributing the policy
  • Auditing for compliance

WHAT A POLICY IS (AND ISN'T)

  • Instructs employees what to do (Policy)
  • Not how to do it (Procedure)
  • When drafting a policy, it is recommended to make notes of subject matter that will require an associated procedure

BASIC POLICY CHARACTERISTICS

  • Simple
  • Concise
  • Relevant/specific
  • Enforceable

Simple

  • Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.
  • The policy should be constructed and worded so that it can be understood by all employee levels. Remember: you know the subject matter; don't assume the policy reader does.

Concise

  • A policy does not have to be long to be effective.
  • The shorter the better; a concise policy will increase readership.
  • Long email syndrome

Relevant/specific

  • The policy should address relevant issues and provide specific direction that will guide the employee's decision-making.
  • Policies that aren't specific inevitably lead to inconsistent employee behavior.
  • Inconsistency leads to reduced policy compliance and an increase in organizational risks.

Enforceable

  • It's assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what's contained in a policy can and will be followed.
  • The policy shouldn't include any elements or directions that employees are incapable of following; this may include lack of technology, resources or training.

FUNDAMENTAL POLICY COMPONENTS

  • Purpose
  • Scope
  • Glossary
  • Audits
  • Vital records
  • Retention schedule
  • Information hold orders
  • Record storage
  • Network and hard drives
  • Email
  • Information destruction

Purpose

  • The purpose states the reason for (or objective of) the policy.
  • Example: The purpose of this policy is to ensure the complete lifecycle management of organizational information.

Scope

  • The scope communicates what and who the policy applies to.
  • Example: This policy applies to all company employees and governs the management of physical and electronic information.

Glossary

  • A policy often includes terminology that's unfamiliar to employees. It's recommended that the policy contain an appendix of terms with definitions.
  • If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.

Audits

  • The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.

Vital records

  • The policy should contain a section on the identification and protection of the organization's vital records.
  • Example: It's the responsibility of each department head to identify their operation's vital records.
  • It's important to clearly define the term "vital records". The term is often misinterpreted by business owners.

Retention schedule

  • Specifically address the purpose of the retention schedule and the requirement that it be followed.
  • Additional information can be added to this section of the policy, which addresses requests for modifications to the schedule.

Information hold orders

  • All employees should fully understand their responsibility regarding information hold orders.
  • The policy should clearly state that any information on hold, regardless of the reason or matter, should be retained, even if the retention period of the information has expired.

Record storage

  • The policy should address that organizational records should only be stored with approved vendors.
  • In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.

Network and hard drives

  • The policy should provide guidance on the use and maintenance of network and hard drives.
  • Example: Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.

Email

  • Policy should take into consideration what technology it has implemented related to email management.
  • Some organizations have a separate email usage policy that typically does not address information management.

Information destruction

  • The policy should address proper methods for the destruction/deletion of physical and electronic information.
  • This section of the policy would also include that only approved destruction vendors are to be used.
  • Certificates of destruction are to be received and appropriately retained.

OBTAINING POLICY APPROVAL

Group effort

Before distributing the policy throughout the organization, it may require review and approval by other departments:

  • Internal Audit
  • Legal
  • IT
  • Compliance

Example: If the policy states that compliance is subject to audit, then you want to ensure that the Internal Audit Department can support the statement.

DISTRIBUTING THE POLICY

  • Hardcopy
  • Softcopy/email with attachment
  • Intranet

Hardcopy

  • Least recommended option
  • Periodic updates
  • In smaller organizations this approach may be appropriate.

Softcopy/email with attachment

  • Not recommended for similar reasons (periodic updates).
  • Allows for easier distribution v. hardcopy.
  • Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed the policy.

Intranet

  • Recommended approach
  • Have the employee come to the policy rather than sending the policy to the employee.
  • Email with link.
  • The link can be part of a RIM Intranet page.
  • Reality check: employees can still print the policy from the Intranet, creating stale information.

AUDITING THE POLICY

  • Developing an audit plan
  • Communicating the audit
  • Documenting audit findings

Developing an audit plan

  • Audit areas
  • Testing
  • Communication
  • Audit findings report

Audit areas

  • The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include policy areas that, if not complied with, create the greatest potential for risks.
  • Fundamental policy components

Policy components to audit

  • Policy acknowledgement
  • Vital records
  • Retention schedule
  • Information hold orders
  • Record storage
  • Network/hard drive maintenance
  • Destruction

Communicating the audit

Before conducting an audit, it's recommended that you notify the management team of each department.

  • Proposed dates
  • What will be audited
  • How to prepare for the audit

Documenting the audit findings

  • Provides information on the results of the audit
  • Areas of compliance and noncompliance
  • Classifying the severity and causes of the risk posed by noncompliance
  • Recommendations for resolution
  • Action plans
  • Resolution dates
  • Re-audits

THANK YOU! Q & A TIME