Records Management Policy Example

Below is a template for a records management policy. To use it for your organization, you need to fully understand the rules and laws that apply to your organization and modify the sample text accordingly. For example, the retention periods listed might not comply with the regulations your organization is subject to.

If your organization has multiple records policies (e.g., finance, manufacturing, HR), it is useful to have a core records policy that defines the overall corporate responsibilities and includes an index delineating the individual records policies. In that situation, the individual policies would reference the corporate records policy and include only the sections relevant to the scope of the individual policy. This sample records management policy is designed for financial records, but it includes all components for other types of policies. Financial records were chosen for this example because they are a type of record that all organizations must manage.

Corporate Financial Records Policy: Key Information

This section is a collection of the key information for the records policy. You should structure it so readers can readily identify all relevant information.

Choose a name for the policy that clearly identifies its scope, especially if your organization has multiple policies.

RM1: Corporate Financial Records Policy

Specify the version of the policy. Clearly indicate if this is a draft version that is still under review.

Provide the name and official role or title of the person who provided the final approval. Typically this is the CEO, the General Counsel or the person with ultimate responsibility for records policies.

Jean Rooney, General Counsel

List the date the approver gave the final approval.

December 14, 2018

List the date that the policy is to take effect.

January 1, 2019

List the date that the policy expires. This is typically filled in only after the version has been approved. This field is optional.

Purpose

In this section, you should outline the purpose of the policy and detail the business drivers for creating it. Detail any specific rules and regulations your organization is meeting by implementing this policy and any additional considerations.

The purpose of this policy is to provide guidance and direction on the creation and management of information and records and to clarify staff responsibilities. The records management program is intended to maintain, protect, retain and dispose of records in accordance with operational needs; federal, state, and local government regulations; fiscal and legal requirements; historical value; and business reference purposes.

For internal operational needs, all financial records need to be retained for the purpose of performing financial analysis of the company over time. As such, all financial records should be retained for a minimum of five years.

For historical purposes, all public quarterly and annual financial reports should be retained as permanent records.

The relevant federal regulatory requirements come from the SEC and the IRS. The Sarbanes-Oxley Act of 2002 requires that all financial reviews and audit material be retained for five years. The IRS states that all financial records need to be retained for up to seven years depending upon the filing conditions. There are no additional requirements from state or local authorities.

Regulatory links [link to both internal and external references by name and when possible, a direct link]

Scope and Applicability

Specify who and what aspects of the organization’s business and business transactions the records policy covers. Indicate the business applications and systems the policy covers (email, electronic records, etc.). Indicate if the policy covers the entire organization, a specific division or defined geographic area.

This policy applies to all finance staff across the entire organization. It specifically covers all aspects of the organization’s financial business and all financial information created or received. It covers information and records stored in all formats, including:

The policy also covers all applications used to create, manage or store financial information and records, including the official records management systems, email, websites, social media applications, databases and financial management systems.

Policy

This outlines the records covered by the records policy and their retention schedule, defining how they are to be managed, made available and eventually disposed of. There can be several categories defined to correlate to different rules and regulations. It is recommended to group documents into a smaller number of “big bucket” categories to simplify the implementation of the records policy.

[This is the specific category of records that apply to this record. Note the continuation of the numbering scheme from the policy name.]

[Note the phased retention periods. This is optional and not all electronic management systems may support this behavior.]

  1. 7 years from end of applicable fiscal year
  2. 5 years from end of previous retention period
  3. Permanent

[This is what happens at the end of the retention period. All records are, by default, read-only and cannot be deleted.]

  1. Lock access to finance managers only
  2. Move to permanent archive
  3. N/A [Permanent records have no final disposition action.]

[Outline any specific restrictions to the content once it is declared as a record.]

All edit, delete and versioning rights are removed. The system will purge all previous versions and only the final version is retained as a record.

[Specify approval authority for exceptions and final disposition here. People should be listed by roles as defined in the next section of the policy. If a record is particularly sensitive, additional approvals may be defined.]

Exceptions must be approved by the CEO, Executive Owner, and Policy Owner.

  1. 10 years from end of applicable fiscal year
  1. Permanently delete

Final disposition must be approved by the Policy Owner.

Exceptions must be approved by the Executive Owner and Policy Owner.

[For some records policies, a generic retention should be specified for all documents that are in the scope of the records policy but that do not fall into a specific category, as shown below.]

  1. 5 years from end of applicable fiscal year
  1. Permanently delete

Final disposition must be approved by the Policy Owner.

Exceptions must be approved by the Policy Owner.

Roles and Responsibilities

This section lists the roles and responsibilities for the policy. Some roles and responsibilities, such as the Executive Owner, may be the same in multiple records policies.

Executive Owner

This needs to be a role that is a member of the executive leadership team. While records management occurs across an entire organization, a single person needs to take responsibility. Ideally this person answers directly to the CEO.

This example lists the General Counsel, but many organizations do not have a full-time senior legal staff. Alternatives include the Chief Finance Officer (CFO), Chief Operations Officer (COO) or Chief Information Officer (CIO). However, note that in many organizations, the CIO does not report directly to the CEO or serves more as a Chief Technology Officer (CTO) and therefore might not fully understand the business side of the information they manage.

Assigned to: General Counsel

Responsibilities:

Policy Owner

This role is the business owner of the domain of the business documents. This is the senior person who directly uses the records covered by the policy. In the case of a single records policy for the entire organization, this may be the COO or the same person as the Executive Owner.

Assigned to: CFO

Responsibilities:

Records Manager

This may be the same person as the policy owner, someone on the policy owner’s staff or a dedicated position within the organization. It depends on the volume of both paper and electronic records as well as the level of automation implemented within the organization.

Assigned to: Finance Records Manager

Responsibilities:

Technology Support

This is typically the owner of the IT organization that supports the Policy Owner. The scope of this role will depend highly upon the maturity of the electronic records management program.

Assigned to: CIO

Responsibilities:

Record Creators and Users

If possible, declaration and categorization of records should be fully automated. This is easier with documents that are process-centric or that can be broadly categorized, e.g., financial documents. The goal is to remove the burden, real or perceived, of records management from the average employee.

Assigned to: Finance Staff

Responsibilities:

Appendix: Definitions

If you have multiple policies, it is best to simply provide a link to an external resource with the definitions, so they are consistent for all policies and you don’t have to update every policy when you modify a definition.

Disposition: The action taken on a record at the end of a retention period.

Record: A document or other piece of information that has been declared a record and placed under retention.

Record declaration: The process of taking a document or other piece of information, either paper or electronic, and placing it under records retention. The document is considered a record after this process is complete.

Retention: The process of protecting and managing a record.

Retention period: The duration for which a record is retained.

Retention schedule: The detailed policy outlining how long a record is kept and what happens to it through its lifecycle.

Version: An iteration of a document. A document can have a major version (1.0, 2.0, 3.0, etc.) and minor versions (1.1, 1.2, 1.3, etc.).