Putting Policy into Practice

1. Putting Policy into Practice
   How to develop and implement an effective RIM (records and information management) policy

2. Agenda
   • Understanding what a policy is (and isn’t)
   • Basic policy characteristics
   • Fundamental policy components
   • Obtaining policy approval
   • Distributing the policy
   • Auditing for compliance

3. What a Policy Is (and Isn’t)
   • A policy instructs employees what to do.
   • It does not tell them how to do it; that is the job of a procedure.
   • When drafting a policy, make notes of any subject matter that will require an associated procedure.

4. Basic Policy Characteristics
   • Simple
   • Concise
   • Relevant/specific
   • Enforceable

5. Basic Policy Characteristics: Simple
   • Employees need to be able to understand what you are trying to communicate. Avoid overly formal wording, acronyms and long sentences.
   • The policy should be constructed and worded so that it can be understood at all employee levels.
   • Remember: you know the subject matter; don’t assume the policy reader does.

6. Basic Policy Characteristics: Concise
   • A policy does not have to be long to be effective.
   • The shorter, the better: a concise policy will increase readership.
   • Beware of “long email syndrome”.

7. Basic Policy Characteristics: Relevant/Specific
   • The policy should address relevant issues and provide specific direction that will guide the employee’s decision-making.
   • Policies that aren’t specific inevitably lead to inconsistent employee behavior.
   • Inconsistency leads to reduced policy compliance and an increase in organizational risk.

8. Basic Policy Characteristics: Enforceable
   • Outside entities (e.g. courts, commissions, regulatory bodies) assume that what’s contained in a policy can and will be followed.
   • The policy shouldn’t include any elements or directions that employees are incapable of following, whether because of a lack of technology, resources or training.

9. Fundamental Policy Components
   • Purpose
   • Scope
   • Glossary
   • Audits
   • Vital records
   • Retention schedule
   • Information hold orders
   • Record storage
   • Network and hard drives
   • Email
   • Information destruction

10. Fundamental Policy Components: Purpose
   • The purpose states the reason for (or objective of) the policy.
   • Example: “The purpose of this policy is to ensure the complete lifecycle management of organizational information.”

11. Fundamental Policy Components: Scope
   • The scope communicates what and who the policy applies to.
   • Example: “This policy applies to all company employees and governs the management of physical and electronic information.”

12. Fundamental Policy Components: Glossary
   • A policy often includes terminology that’s unfamiliar to employees. It’s recommended that the policy contain an appendix of terms with definitions.
   • If the policy is posted electronically (Intranet), hyperlinks can be established to provide a definition for each term.

13. Fundamental Policy Components: Audits
   • The policy should inform employees that all topics and matters contained within the policy must be complied with and are subject to internal and external audits.

14. Fundamental Policy Components: Vital Records
   • The policy should contain a section on the identification and protection of the organization’s vital records.
   • Example: “It’s the responsibility of each department head to identify their operation’s vital records.”
   • It’s important to clearly define the term “vital records”; the term is often misinterpreted by business owners.

15. Fundamental Policy Components: Retention Schedule
   • Specifically address the purpose of the retention schedule and the requirement that it be followed.
   • Additional information can be added to this section of the policy to address requests for modifications to the schedule.

16. Fundamental Policy Components: Information Hold Orders
   • All employees should fully understand their responsibility regarding information hold orders.
   • The policy should clearly state that any information on hold, regardless of the reason or matter, must be retained, even if the retention period of the information has expired.

17. Fundamental Policy Components: Record Storage
   • The policy should state that organizational records may only be stored with approved vendors.
   • This section of the policy can also address environmental and security requirements for long-term onsite records storage.

18. Fundamental Policy Components: Network and Hard Drives
   • The policy should provide guidance on the use and maintenance of network and hard drives.
   • Example: “Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.”

19. Fundamental Policy Components: Email
   • The policy should take into consideration what technology the organization has implemented for email management.
   • Some organizations have a separate email “usage” policy, which typically does not address information management.

20. Fundamental Policy Components: Information Destruction
   • The policy should address proper methods for the destruction/deletion of physical and electronic information.
   • This section of the policy should also state that only approved destruction vendors are to be used.
   • Certificates of destruction are to be received and appropriately retained.

21. Obtaining Policy Approval: Group Effort
   • Before distributing the policy throughout the organization, it may require review and approval by other departments:
      • Internal Audit
      • Legal
      • IT
      • Compliance
   • Example: if the policy states that compliance is subject to audit, then you want to ensure that the Internal Audit Department can support that statement.

22. Distributing the Policy
   • Hardcopy
   • Softcopy/email with attachment
   • Intranet

23. Distributing the Policy: Hardcopy
   • Least recommended option
   • Periodic updates are hard to distribute.
   • In smaller organizations this approach may be appropriate.

24. Distributing the Policy: Softcopy/Email with Attachment
   • Not recommended, for similar reasons (periodic updates).
   • Allows for easier distribution than hardcopy.
   • Distributing the policy via email (attachment) allows you to provide additional commentary to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond confirming that they have reviewed it.

25. Distributing the Policy: Intranet
   • Recommended approach
   • Have the employee come to the policy, rather than sending the policy to the employee.
   • Send an email with a link.
   • The link can be part of a RIM Intranet page.
   • Reality check: employees can still print the policy from the Intranet, creating stale information.

26. Auditing the Policy
   • Developing an audit plan
   • Communicating the audit
   • Documenting audit findings

27. Auditing the Policy: Developing an Audit Plan
   • Audit areas
   • Testing
   • Communication
   • Audit findings report

28. Auditing the Policy: Audit Areas
   • The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include the policy areas that, if not complied with, create the greatest potential for risk.
   • These areas correspond to the fundamental policy components.

29. Auditing the Policy: Policy Components to Audit
   • Policy acknowledgement
   • Vital records
   • Retention schedule
   • Information hold orders
   • Record storage
   • Network/hard drive maintenance
   • Destruction

30. Auditing the Policy: Communicating the Audit
   • Before conducting an audit, it’s recommended that you notify the management team of each department of:
      • Proposed dates
      • What will be audited
      • How to prepare for the audit

31. Auditing the Policy: Documenting the Audit Findings
   • Provides information on the results of the audit:
      • Areas of compliance and noncompliance
      • Classification of the severity and causes of the risk posed by noncompliance
      • Recommendations for resolution
      • Action plans
      • Resolution dates
      • Re-audits

  32. Thank You! Q & A Time