By Katie Burke, Senior Government Program Strategist, Laserfiche
A records management strategy is vital to the lifecycle of any organization’s information. Many organizations considering electronic records face decisions about which system and capabilities are needed, as well as how to manage the system once deployed. Organizations that already have electronic records management (ERM) systems — like many hospitals, educational institutions, and government entities — are reassessing their systems in light of new risks, regulations, and advances in ERM technologies.
At an organizational level, ERM software simplifies the governance of how information is created, stored, shared, tracked, and protected, helping to manage the lifecycle of business records without interfering with the line of business. A records management application supports the automatic enforcement of consistent, organization-wide records policies, simplifying compliance with federal, state, and industry regulations.
Whether an organization is completely new to ERM or is refining its system and practices, there are four important points to consider.
- Develop An Information Governance Strategy
Before deploying an ERM system, it is essential to design a comprehensive information governance strategy that outlines all of an organization’s content, how it is organized, and who should have access to it.
A good governance structure enables staff to work in the most efficient and effective way possible, by allowing appropriate access to information when it’s needed. This structure should also define user groups and the record types they can access — simplifying the actual application of security within the ERM system — and consider any state or regulatory requirements for record access or retention.
“Records management is a critical component in information governance, and organizations need information professionals who can incorporate records retention and management principles into all storage media architectures, automated systems, and emerging technologies,” says Allen Podraza, Director of Records Management & Archives for the American Medical Association.
Before implementing an ERM system, it is important to have a detailed plan of who should have what type of access to which documents.
2.Evaluate Certified Records Management Systems
Not all ERM systems are created equally. Capabilities for records segmentation are critical considerations, especially in highly regulated industries such as government, healthcare or financial services.
Organizations should examine systems that are certified, particularly by the Department of Defense (DoD), and consider systems that are in compliance with the Victorian Electronic Records Strategy (VERS). The DoD 5015.2 standard outlines requirements for managing classified records and includes requirements to support the Freedom of Information Act (FOIA), Privacy Act, and interoperability; while VERS specifies a standard format for electronic records that focuses on data integrity and authentic archiving.
Unless an organization provides services to the United States Department of Defense or one of its components, it is not typically required to meet the DoD 5015.2 certification; however, an ERM system that has been certified to meet stringent requirements for organizing file structures — and reliably preserving data — offers some the highest levels of records compliancy and integrity.
A DoD 5015.2 compliant ERM system helps organizations retain and dispose of records according to their retention schedules.
- Ensure The Electronic Document Can Be Legally Presented As An Official Record
Organizations need ensure electronic documents can be legally presented as official record. Regulations differ by state, but it is often required that ERM software is compatible with a wide range of hardware components, such as optical, tape, and magnetic-based WORM (write once, read many) storage. ERM systems must also:
- Utilize both hardware and media storage methodologies to prevent unauthorized additions, modifications or deletions during the approved lifecycle of the stored information;
- be verifiable through independent audit processes ensuring that there is no plausible way for electronically stored information to be modified, altered, or deleted during the approved information lifecycle; and
- write at least one copy of the electronic document or record into electronic media — that does not permit unauthorized additions, deletions, or changes to the original document — to be stored and maintained in a safe and separate location
- Track Actions Taken On The Document
To form a complete record of organization-wide activity, an ERM system should track every action taken on each document throughout its lifecycle including what information was added and deleted. These reports should also track when and by whom each action was performed.
Reports can be run regularly or on an as-needed basis. ERM systems that enable process automation streamline reporting by emailing data to the appropriate people on a schedule. This tracking can also add to an organization’s analytics initiatives, providing managers with insight into bottlenecks and how to prevent or alleviate them.
An ERM system can generate system-wide reports on user logins, audit activity, document modifications and more.
As the stewards of governance, risk, and compliance programs, records managers are on the front lines of reducing risk and restoring control for their organizations. With complicated retention schedules and the looming possibility of an audit always present, records management involves far greater effort than making sure documents are filed in a safe place.
Katie Burke is Senior Government Program Strategist for Laserfiche enterprise content management software, which provides intuitive solutions for capture, electronic forms, workflow, case management, cloud, mobile, and government-certified records management.