Records and Information Management (RIM) Services
Processes and strategies to optimize information produced through M&A, divestitures and integration.
Transform your records and information management (RIM) for risk reduction and value creation with practical workflows and safeguards to help ensure you are in compliance and protecting data.
Most large organizations have a global records and information management (RIM) program, even if it is as simple as a basic policy, a retention schedule, a computer use policy, limited in-house counsel time, and outside counsel or consultants responsible for updating the policy at set intervals or in the wake of new laws and regulations.
Now, more than ever, RIM needs to work hand-in-hand with Compliance, IT, InfoSec, HR and the DPO. To do that, RIM needs to be a part of a comprehensive Information Governance (IG) program. Often RIM programs focus solely on mission-critical records maintenance, especially in companies and industries subject to a direct reporting requirement to a government or other external agencies and regulators.
Foundations of an Effective RIM Program
Policies and Procedures
How does a company understand how to create, maintain, and dispose of records in a defensible manner? Solid policies are needed to establish the necessary guidance, such as a RIM policy and the associated retention schedules. These include definitions of record types, how those records should be maintained, and procedures end-users need to abide by to comply. These guidelines may be influenced by user input, government regulations, business requirements or various other mandates, including legal hold.
Program Governance and Reporting
A successful RIM program is usually an enterprise function. For the program to be able to gather information and report on how the program is functioning, it needs to partner with many other parts of the organization, such as lines of business (LOBs), HR, IT, compliance, executive leadership and other functions. As records become more important and regulated, even some corporate boards are starting to take notice. Whether for an audit, litigation, investigation or business support, employees should be able to locate and access the information they need, when and where they need it. They also need to be able to share that information easily when requested by external auditors.
Anyone with a stake in the company’s records is to be involved at some level. This can be a diverse grouping, and the RIM program needs to manage across that broad population of constituents.
Companies with an Inadequate RIM Program Face Several Risks:
Too Much Data and Too Many Records
Often, more data is retained than necessary because records managers may not be enforcing records maintenance principles with the business and stakeholders. Sometimes, they fear being blamed if something deleted is “needed” at a future date. Not only can this create unnecessary day-to-day storage costs, but in the case of litigation or regulatory investigations, too much data can cause delays in responding to discovery requirements, create a nightmare scenario for legal personnel tasked with discovery, and result in significant costs, not the least of which are processing, review and production of the in-scope documents.
Without a consistently defined RIM process, standard retrieval tools may not be used, making it difficult to find and retrieve relevant records in a cost-effective manner. Even if a company has a robust Document Management System (DMS) in place, it still needs to pay attention as circumstances change, companies evolve, and regulations change, not to mention the information and records that end up outside the DMS. And how many companies still have boxes and boxes of physical records in storage facilities, warehouses and offices around the world?
Non-compliant Data and Records Disposition
Data and other records are frequently disposed of without consideration of potential consequences, sometimes to avoid maintenance or real estate costs. This can create legal or regulatory exposure and the potential for significant fines and other penalties. Documents and records may be needed for litigation, to comply with environmental laws, for patent protection, etc. This doesn’t mean that records should not be disposed of, only that a solid RIM program will help differentiate between what can be destroyed and when it can be destroyed.
If you don’t know what data you have or where it is, how can you comply with the various privacy regulations such as GDPR, CCPA, NYDFS 500 and others? How can you know what you need to do as new regulations are passed and take effect? How can you handle data-subject access requests (DSARs)? The inability to answer these questions can create legal or regulatory exposure and the potential for significant fines and other penalties.
In the absence of a broad-based RIM program, these risks can materialize very quickly. A pressing question for leadership of multinational businesses is what level of investment might produce an effective RIM program that aligns with corporate objectives and risk appetite? Whether a centralized, decentralized, or hybrid federated model, an effective program can support compliance, transparency and visibility that is vital in a world that increasingly values data protection, privacy and cyber security.
Our Records and Information Management Services Include
- Needs assessment and gap analysis
- Policy and procedures development
- Legal hold policy development and implementation
- Development of retention and destruction policies and procedures
- Implementation of imaging and document management systems
- Analysis and best practice advice regarding e-mail management
- Creation of training and communication plans and procedures
- Evaluation of enterprise content and hierarchical storage management systems
Talk to a Kroll expert today.