
Records Management Policy Example
Below is a template for a records management policy. To use it for your organization, you need to fully understand the rules and laws that apply to your organization and modify the sample text accordingly. For example, the retention periods listed might not comply with the regulations your organization is subject to.

If your organization has multiple records policies (e.g., finance, manufacturing, HR), it is useful to have a core records policy that defines the overall corporate responsibilities and includes an index delineating the individual records policies. In that situation, the individual policies would reference the corporate records policy and include only the sections relevant to the scope of the individual policy. This sample records management policy is designed for financial records, but it includes all components for other types of policies. Financial records were chosen for this example because they are a type of record that all organizations must manage.

Corporate Financial Records Policy: Key Information


This section is a collection of the key information for the records policy. You should structure it so readers can readily identify all relevant information.

Name
Choose a name for the policy that clearly identifies its scope, especially if your organization has multiple policies.
RM1: Corporate Financial Records Policy

Version
Specify the version of the policy. Clearly indicate if this is a draft version that is still under review.
1.0-DRAFT

Approved By (Name, Role)
Provide the name and official role or title of the person who provided the final approval. Typically this is the CEO, the General Counsel or the person with ultimate responsibility for records policies.
Jean Rooney, General Counsel

Approval Date
List the date the approver gave the final approval.
December 14, 2018

Effective Date
List the date that the policy is to take effect.
January 1, 2019

Expiration Date
List the date that the policy expires. This is typically filled in only after the version has been approved. This field is optional.
N/A

Purpose

In this section, you should outline the purpose of the policy and detail the business drivers for creating it. Detail any specific rules and regulations your organization is meeting by implementing this policy and any additional considerations.

The purpose of this policy is to provide guidance and direction on the creation and management of information and records and to clarify staff responsibilities. The records management program is intended to maintain, protect, retain and dispose of records in accordance with operational needs; federal, state, and local government regulations; fiscal and legal requirements; historical value; and business reference purposes.

For internal operational needs, all financial records need to be retained for the purpose of performing financial analysis of the company over time. As such, all financial records should be retained for a minimum of five years.

For historical purposes, all public quarterly and annual financial reports should be retained as permanent records.

The relevant federal regulatory requirements come from the SEC and the IRS. The Sarbanes-Oxley Act of 2002 requires that all financial reviews and audit material be retained for five years. The IRS states that all financial records need to be retained for up to seven years depending upon the filing conditions. There are no additional requirements from state or local authorities.

Regulatory links [link to both internal and external references by name and when possible, a direct link]

• SOX
• IRS regulation

Scope and Applicability

Specify who and what aspects of the organization’s business and business transactions the records policy covers. Indicate the business applications and systems the policy covers (email, electronic records, etc.). Indicate if the policy covers the entire organization, a specific division or a defined geographic area.

This policy applies to all finance staff across the entire organization. It specifically covers all aspects of the organization’s financial business and all financial information created or received. It covers information and records stored in all formats, including:

• Documents
• Spreadsheets
• Presentations
• Email
• Memoranda
• Minutes
• Audio-visual materials
• All other electronic or scanned records

The policy also covers all applications used to create, manage or store financial information and records, including the official records management systems, email, websites, social media applications, databases and financial management systems.

Policy

This outlines the records covered by the records policy and their retention schedule, defining how they are to be managed, made available and eventually disposed of. There can be several categories defined to correlate to different rules and regulations. It is recommended to group documents into a smaller number of “big bucket” categories to simplify the implementation of the records policy.

[This is the specific category of records that applies to this record. Note the continuation of the numbering scheme from the policy name.]

RM1-1, Tax Returns

Description
All tax returns filed at the federal, state or local level

Retention Period
[Note the phased retention periods. This is optional and not all electronic management systems may support this behavior.]
1. 7 years from end of applicable fiscal year
2. 5 years from end of previous retention period
3. Permanent

Disposition
[This is what happens at the end of the retention period. All records are, by default, read-only and cannot be deleted.]
1. Lock access to finance managers only
2. Move to permanent archive
3. N/A [Permanent records have no final disposition action.]

Protection Level
[Outline any specific restrictions to the content once it is declared as a record.]
All edit, delete and versioning rights are removed. The system will purge all previous versions and only the final version is retained as a record.

Approvals
[Specify approval authority for exceptions and final disposition here. People should be listed by roles as defined in the next section of the policy. If a record is particularly sensitive, additional approvals may be defined.]
Exceptions must be approved by the CEO, Executive Owner, and Policy Owner.

RM1-2, Financial Audit Records

Description
All financial audit documents, spreadsheets, presentations, and correspondence

Retention Period
1. 10 years from end of applicable fiscal year

Disposition
1. Permanently delete

Protection Level
All edit, delete, and versioning rights removed. All major versions are retained as a record.

Approvals
Final disposition must be approved by the Policy Owner.
Exceptions must be approved by the Executive Owner and Policy Owner.

[For some records policies, a generic retention should be specified for all documents that are in the scope of the records policy but that do not fall into a specific category, as shown below.]

RM1-X, Other Financial Records

Description
All financial audit documents, spreadsheets, presentations, and correspondence not specifically covered in other categories

Retention Period
1. 5 years from end of applicable fiscal year

Disposition
1. Permanently delete

Protection Level
All edit, delete, and versioning rights removed. All major versions are retained as a record.

Approvals
Final disposition must be approved by the Policy Owner.
Exceptions must be approved by the Policy Owner.
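As an added illustration that is not part of the Netwrix template, the three RM1 retention schedules above can be evaluated mechanically: the code below decides, for a record of a given category and applicable fiscal year end, which phase it is in, which dispositions have already come due and when the next one triggers. It assumes a calendar-year fiscal year unless told otherwise, that unknown categories fall into the generic RM1-X bucket, and that a disposition is due on the day the period elapses; the function and dictionary names are the example's own.

```python
from datetime import date

# Retention schedule transcribed from the RM1 categories above. Each phase is
# (years, disposition at the end of that phase); None marks a permanent phase.
# Anything not in a named category falls into the generic RM1-X bucket.
SCHEDULE = {
    "RM1-1": [(7, "Lock access to finance managers only"),
              (5, "Move to permanent archive"),
              (None, "N/A (permanent)")],
    "RM1-2": [(10, "Permanently delete")],
    "RM1-X": [(5, "Permanently delete")],
}

def add_years(d, years):
    """Add whole years to a date; 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def applicable_fiscal_year_end(record_date, fy_end_month=12, fy_end_day=31):
    """Retention runs from the end of the fiscal year the record falls in,
    not from the record's own date (calendar-year FY assumed by default)."""
    fye = date(record_date.year, fy_end_month, fy_end_day)
    if record_date > fye:
        fye = date(record_date.year + 1, fy_end_month, fy_end_day)
    return fye

def evaluate(category, fiscal_year_end, today):
    """Return where a record stands in its schedule on `today`: its status,
    the dispositions whose trigger date has passed, and the next trigger date."""
    phases = SCHEDULE.get(category, SCHEDULE["RM1-X"])
    actions_due, phase_start = [], fiscal_year_end
    for years, action in phases:
        if years is None:  # permanent phase: no further disposition, ever
            return {"status": "permanent", "actions_due": actions_due,
                    "next_action_date": None}
        phase_end = add_years(phase_start, years)
        if today < phase_end:
            return {"status": "retained", "actions_due": actions_due,
                    "next_action_date": phase_end}
        actions_due.append(action)
        phase_start = phase_end
    # Every timed phase has elapsed: the final disposition is due, but the
    # Approvals row still requires sign-off before it is executed.
    return {"status": "final disposition due", "actions_due": actions_due,
            "next_action_date": None}
```

Note that a tax return filed in March is still measured from the end of the fiscal year it belongs to, which is why the fiscal-year mapping is kept separate from the schedule itself.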

Roles and Responsibilities

This section lists the roles and responsibilities for the policy. Some roles and responsibilities, such as the Executive Owner, may be the same in multiple records policies.

Executive Owner

This needs to be a role that is a member of the executive leadership team. While records management occurs across an entire organization, a single person needs to take responsibility. Ideally this person answers directly to the CEO.

This example lists the General Counsel, but many organizations do not have full-time senior legal staff. Alternatives include the Chief Finance Officer (CFO), Chief Operations Officer (COO) or Chief Information Officer (CIO). However, note that in many organizations the CIO does not report directly to the CEO or serves more as a Chief Technology Officer (CTO), and therefore might not fully understand the business side of the information they manage.

Assigned to: General Counsel

Responsibilities:

• Act as executive sponsor for the records management program
• Establish the records management program’s vision, goals, and objectives
• Ensure the records management program receives adequate resources
• Monitor compliance to the organization’s records management policies

Policy Owner

This role is the business owner of the domain of the business documents. This is the senior person who directly uses the records covered by the policy. In the case of a single records policy for the entire organization, this may be the COO or the same person as the Executive Owner.

Assigned to: CFO

Responsibilities:

• Own the records management policy
• Verify that the records management policy is implemented
• Verify that the records management policy is followed
• Review the records management policy annually to ensure that it is up to date with the latest industry and organizational requirements

Records Manager

This may be the same person as the policy owner, someone on the policy owner’s staff or a dedicated position within the organization. It depends on the volume of both paper and electronic records as well as the level of automation implemented within the organization.

Assigned to: Finance Records Manager

Responsibilities:

• Responsible for paper records storage
• Define records management procedures for financial records
• Perform regularly scheduled financial records disposition reviews
• Create and deliver records management policy training to financial staff

Technology Support

This is typically the owner of the IT organization that supports the Policy Owner. The scope of this role will depend highly upon the maturity of the electronic records management program.

Assigned to: CIO

Responsibilities:

• Maintain the electronic records management systems
• Ensure system compliance to the records management policy
• Maintain full audit records for electronic records for the duration of their retention period
• Provide reports showing the usage of the system and compliance to the records management policy
• Prevent unauthorized access or modification to electronic records
• Ensure the protection of the records, including a secure backup for the records storage that enables adequate disaster recovery

Record Creators and Users

If possible, declaration and categorization of records should be fully automated. This is easier with documents that are process-centric or that can be broadly categorized, e.g., financial documents. The goal is to remove the burden, real or perceived, of records management from the average employee.

Assigned to: Finance Staff

Responsibilities:

• Properly store all finance documents electronically in the corporate content repository
• Identify finance document contents through defined naming and metadata conventions
• Send reference links to documents internally, not the actual document, via email and chat to limit proliferation of document copies

Appendix: Definitions

If you have multiple policies, it is best to simply provide a link to an external resource with the definitions, so they are consistent for all policies and you don’t have to update every policy when you modify a definition.

• Disposition: The action taken on a record at the end of a retention period.

• Record: A document or other piece of information that has been declared a record and placed under retention.

• Record declaration: The process of taking a document or other piece of information, either paper or electronic, and placing it under records retention. The document is considered a record after this process is complete.

• Retention: The process of protecting and managing a record.

• Retention period: The duration for which a record is retained.

• Retention schedule: The detailed policy outlining how long a record is kept and what happens to it through its lifecycle.

• Version: An iteration of a document. A document can have a major version (1.0, 2.0, 3.0, etc.) and minor versions (1.1, 1.2, 1.3, etc.).

About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
www.netwrix.com

Corporate Headquarters:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 Toll-free: 888-638-9749 EMEA: +44 (0) 203-588-3023 netwrix.com/social
Do Electronic Records Management Right, Across Your Entire Enterprise

• Automatically identify records, both on-premises and in the cloud.
• Tag records accurately and consistently.
• Identify non-records and facilitate their cleanup.
• Discover the records that business users no longer work with.
• Ensure timely disposal of your records.
