RM Compliance: Accountability

To round out my current investigation of various methods of encouraging records management compliance, I turn to accountability. In simple terms, being accountable means being able to explain or justify actions (or inactions, as appropriate) and being held responsible for these decisions.

Accountability can be deployed in the records management realm in a number of ways:

  • RM responsibilities can be incorporated into work plans and evaluated by a supervisor on a regular basis.
  • Internal auditors can evaluate compliance with the retention and disposition schedule by determining whether records eligible for destruction are still being maintained in offices.
  • Organizations can measure themselves against industry standards to evaluate whether they are adequately carrying out their RM responsibilities. An example of a standard is ISO 15489 (Information and documentation — Records management), maintained by the International Organization for Standardization.
  • One way of benchmarking progress toward compliance is through the use of a maturity model, such as the Information Governance Maturity Model or the Digital Preservation Capability Maturity Model.

Undoubtedly, accountability adds a layer of bureaucracy to a records management program. But for people who may not be motivated by things like norms, accountability can provide an avenue for their compliance by establishing consequences for improper or inadequate actions.

RM Compliance: Costs

In my continuing look at methods of encouraging compliance in the field of records management, today I turn to costs. Both individuals and organizations might be motivated by the goal of reducing the costs associated with records management.

The economic costs of maintaining records are the most obvious. Back in April for RIM month, I produced some posts for the blog of SAA’s Records Management Section that provide some guidance about calculating the costs of records storage:

Each post includes an overview of issues to research when trying to calculate your costs along with a 1-page brochure as well as a spreadsheet that provides some basic math of how to make these calculations. Each also takes into consideration in-house and vendor storage.

But economic costs are not the only ones to consider. There are also personnel costs — and these factor differently depending on whether or not an organization is exercising good records management. Managing records takes regular, dedicated time. Although I’ve never encountered someone who’s tried to put an actual dollar amount on the personnel costs of RM, I suppose it could be done. On the other hand, if an organization is not managing its records appropriately, the personnel costs come in the form of time wasted looking for files that have not been properly indexed or stored or that are misplaced in a sea of redundant, obsolete, or trivial (ROT) documents that should have previously been disposed of. Be it for audits, discovery, or public records requests, most organizations are sometimes compelled to produce records, and as soon as someone asks for them, it no longer matters whether the records could have been destroyed previously; they now all must be produced.

Which raises the final type of cost — liability costs for records that are retained longer than required. Sometimes this liability may be nothing more than having to generate a more robust response to a public records request. But if your organization suffers a breach of some sort and exposes more records than should have been available to bad actors — especially if there are confidential records in the mix — the costs are amplified. So even if the economic costs of RM don’t motivate everyone, perhaps consideration of the personnel costs and liability costs can help tip the scale to a more compliant RM environment.

RM Compliance: Positive reinforcement

In my ongoing series on compliance in the records management realm, this week I turn to positive reinforcement as a mechanism for encouraging compliance. As opposed to last week’s look at deterrence, positive reinforcement is the principle that favorable outcomes or rewards can lead people to repeat desired behaviors.

Let me first provide a different lens on compliance. In its efforts to prevent the spread of COVID-19 on campus, Duke University has deployed what it calls the C-Team, with the C standing for both care and compliance. These employee volunteers go around campus encouraging mask wearing and physical distancing. If you’ve been paying any attention over the past 9 months, you realize this sort of compliance is by no means automatic, especially among young people. But the C-Team hands out coupons for free coffee and smoothies to reward those who are doing the right things. This is only one arrow in its quiver, but Duke has definitely had remarkably low rates of COVID transmission on campus, so apparently positive reinforcement can work.

So what could this look like in the records management field? Obviously most kinds of positive reinforcement other than an attagirl will require a little bit of money. But the prizes don’t have to be lavish and could take the form of a small gift card or a free lunch for someone who takes on the taming of the shared drive. Or if there’s a larger group that needs to be praised, maybe there could be a pizza or sub party for the unit most in compliance with the retention and disposition schedule. Someone with some HR pull could maybe let the person who completed an annual file inventory go home early on a Friday. And if you happen to work in a place that oversees your own parking, you could assign a prime parking location to the RM employee-of-the-month.

RM Compliance: Deterrence

In my ongoing series on compliance in the records management realm, this week I turn to deterrence as a mechanism for encouraging compliance.

Deterrence is a simple premise: scare people enough about the possible repercussions of their actions to convince them to do the right thing. Think of the mutual assured destruction approach of the U.S. and the Soviet Union during the Cold War. Or the anti-drug ads from the 1980s: This is your brain. This is your brain on drugs. Except it’s never quite that simple. While you may strike fear in the hearts of some who will then carefully seek to avoid calamity, others will belittle the victims and assume they would never fall prey to such a disaster.

In the records management field, it can be handy to have laws that not only compel compliance but do so by assigning penalties. Those of us who teach records management like to have some ready examples of those situations in which poor records management has caused measurable results — often financial but sometimes even more far-reaching.

  • Enron hid its debts and then when the SEC was investigating, their accounting firm Arthur Andersen shredded financial documents. The companies were dissolved and many of their executives faced both financial and criminal penalties.
  • Almost any day of the week you can find an example of some data breach that has occurred and exposed customer information. Most states have laws that require disclosure to affected parties in short order and likely additional repercussions.
  • Many companies and government agencies have been victims of ransomware and have been left to decide whether to pay the ransom or lose months while reconstructing data that had not been properly backed up.
  • Far too often, there are stories of HIPAA breaches where the careless disposal of records led to the exposure of patients’ medical information. Breaches can result in civil monetary penalties and even criminal penalties.

Some people crave boundaries and will appreciate knowing exactly what they can do without crossing an RM line. But don’t be surprised if some push back and ask if anyone has actually ever been charged with a misdemeanor for destroying a public record without permission.

RM Compliance: Norms

Last week, I began this series investigating various methods of achieving compliance with records management principles and policies by looking at using chain of command as a mechanism of engendering compliance. Today I’ll look at norms as a means of encouraging compliance.

Norms in a workplace are the outgrowth of both workplace culture and workplace expectations. Consider two categories of norms:

  • descriptive norms are based on the behaviors of people around you
  • injunctive norms are perceptions of what you ought to do based on the “rules” of your peer group

From the records management perspective, expectations can be established from day one if RM training is included in the onboarding conducted for new personnel. Whether this takes the form of a one-page primer on records responsibilities, or a checklist from IT about appropriate file locations and file naming protocols, or anything else, early exposure can set the expectation that records management is a crucial part of the workplace.

Ensuring that records management is not only a solitary activity can help to shape descriptive norms. I know of places that have regularly-scheduled shred days on which employees can dress casually and take care of purging paper files that have met their required retention. Of course, records managers understand that appropriate disposition cannot occur at the drop of a hat, so having these regularly-scheduled events in which everyone participates sets the expectation that good records management is routinely occurring in the lead-up to this day. Places that are expected to transfer archival records to an appointed repository will often schedule days to box and move these records. At academic institutions, this may occur at the end of the academic year; at others, it may occur at the end of the fiscal year. But irrespective of the exact date, the important factor is that the norm is established for routine archival transfers.

Unfortunately, norms are ineffective on some people. We’ve all no doubt experienced people who talk loudly in a museum or some other norm-breaking behavior. But for all those who appreciate concrete expectations and want to assimilate into the culture of their workplace, norms can be effective in shaping behavior.

RM Compliance: Chain of command

Having worked in the records management field for over 6 years, I recognize that one of the holy grails of the business is compliance. In many cases, the people writing retention and disposition schedules are not the same people who are creating and maintaining the records covered by these schedules, so there can be the feeling of yelling into a canyon, not even knowing if what you’re trying to communicate is being heard and certainly not having a good means of evaluating the usability or efficacy of the schedule.

For a long time, it frustrated me that the methods of achieving compliance with records management principles and policies vary so greatly from one place to another. But when I thought more about the term compliance, I realized it also encompasses a number of prompts, with a definition that means acting in accordance with a request, demand, order, rule, etc. Not to mention there’s a psychological aspect to figuring out how to get people to do what they are “supposed” to do, and this sort of analysis is not something that most RM folks are trained to do. So I’ve decided to embrace variety as the spice of life and spend a number of weeks looking at various methods of gauging compliance. Rather than looking for a single solution, I’m content to lay out the possibilities and put together the pieces that make sense for a particular situation.

Beginning this series on Veterans Day, it makes sense to first consider chain of command as a motivation for compliance. I’ve been fascinated to recognize that records management responsibilities and authorities sit in many different places in different organizations. Even in the government realm where I work, sometimes the records officer is in Legal, or IT, or Communications, or Admin, etc. Some agencies vest this authority with someone fairly high up the chain of command, while others look to someone with boots on the ground actually handling records. From a compliance standpoint, using chain of command makes sense because employees are more likely to feel compelled to follow the directives of someone in a superior position. But on the other hand, someone that high up the food chain probably has a lot on her plate, so she might not have regular undivided attention to give to records management concerns.

If compliance is also on your mind, stay tuned. In the coming weeks, I’ll continue my look into the pros and cons of various methods of RM compliance.