Records Management Policy Example
Below is a template for a records management policy. To use it for your organization, you need to fully understand
the rules and laws that apply to your organization and modify the sample text accordingly. For example,
the retention periods listed might not comply with the regulations your organization is subject to.
If your organization has multiple records policies (e.g., finance, manufacturing, HR), it is useful to have a core
records policy that defines the overall corporate responsibilities and includes an index delineating the individual
records policies. In that situation, the individual policies would reference the corporate records policy and
include only the sections relevant to the scope of the individual policy. This sample records management policy
is designed for financial records, but it includes all components for other types of policies. Financial records
were chosen for this example because they are a type of record that all organizations must manage.
Name
Choose a name for the policy that clearly identifies its scope, especially if your organization has
multiple policies.
RM1: Corporate Financial Records Policy

Version
Specify the version of the policy. Clearly indicate if this is a draft version that is still under review.
1.0-DRAFT

Approved By (Name, Role)
Provide the name and official role or title of the person who provided the final approval. Typically
this is the CEO, the General Counsel or the person with ultimate responsibility for records
policies.
Jean Rooney, General Counsel

Approval Date
List the date the approver gave the final approval.
December 14, 2018

Effective Date
List the date that the policy is to take effect.
January 1, 2019

Expiration Date
List the date that the policy expires. This is typically filled in only after the version has been
approved. This field is optional.
N/A
Purpose
In this section, you should outline the purpose of the policy and detail the business drivers for creating it. Detail
any specific rules and regulations your organization is meeting by implementing this policy and any additional
considerations.
The purpose of this policy is to provide guidance and direction on the creation and management of
information and records and to clarify staff responsibilities. The records management program is intended
to maintain, protect, retain and dispose of records in accordance with operational needs; federal, state,
and local government regulations; fiscal and legal requirements; historical value; and business reference
purposes.
For internal operational needs, all financial records need to be retained for the purpose of performing
financial analysis of the company over time. As such, all financial records should be retained for a
minimum of five years.
For historical purposes, all public quarterly and annual financial reports should be retained as
permanent records.
The relevant federal regulatory requirements come from the SEC and the IRS. The Sarbanes-Oxley Act of
2002 requires that all financial reviews and audit material be retained for five years. The IRS states that
all financial records need to be retained for up to seven years depending upon the filing conditions. There
are no additional requirements from state or local authorities.
Regulatory links [link to both internal and external references by name and when possible, a direct link]
SOX
IRS regulation
Scope and Applicability
Specify who and what aspects of the organization’s business and business transactions the records policy covers.
Indicate the business applications and systems the policy covers (email, electronic records, etc.). Indicate if
the policy covers the entire organization, a specific division or defined geographic area.
This policy applies to all finance staff across the entire organization. It specifically covers all aspects of the
organization’s financial business and all financial information created or received. It covers information
and records stored in all formats, including:
Documents
Spreadsheets
Presentations
Email
Memoranda
Minutes
Audio-visual materials
All other electronic or scanned records
The policy also covers all applications used to create, manage or store financial information and records,
including the official records management systems, email, websites, social media applications, databases
and financial management systems.
Policy
This outlines the records covered by the records policy and their retention schedule, defining how they are to
be managed, made available and eventually disposed of. There can be several categories defined to correlate
to different rules and regulations. It is recommended to group documents into a smaller number of “big bucket”
categories to simplify the implementation of the records policy.
[This is the specific category of records that apply to this record. Note the continuation of the numbering
scheme from the policy name.]
Description
All tax returns filed at the federal, state or local level

Retention Period
[Note the phased retention periods. This is optional and not all electronic management systems
may support this behavior.]

Disposition
[This is what happens at the end of the retention period. All records are, by default, read-only and
cannot be deleted.]

Protection Level
[Outline any specific restrictions to the content once it is declared as a record.]
All edit, delete and versioning rights are removed. The system will purge all previous versions and only
the final version is retained as a record.

Approvals
[Specify approval authority for exceptions and final disposition here. People should be listed by
roles as defined in the next section of the policy. If a record is particularly sensitive, additional
approvals may be defined.]
Exceptions must be approved by the CEO, Executive Owner, and Policy Owner.
RM1-2, Financial Audit Records
Protection Level
All edit, delete, and versioning rights removed. All major versions are retained as a record.
[For some records policies, a generic retention should be specified for all documents that are in the scope of the
records policy but that do not fall into a specific category, as shown below.]
Description
All financial audit documents, spreadsheets, presentations, and correspondence not specifically covered
in other categories

Protection Level
All edit, delete, and versioning rights removed. All major versions are retained as a record.
Roles and Responsibilities
This section lists the roles and responsibilities for the policy. Some roles and responsibilities, such as the
Executive Owner, may be the same in multiple records policies.
Executive Owner
This needs to be a role that is a member of the executive leadership team. While records management occurs
across an entire organization, a single person needs to take responsibility. Ideally this person answers directly
to the CEO.
This example lists the General Counsel, but many organizations do not have a full-time senior legal staff.
Alternatives include the Chief Finance Officer (CFO), Chief Operations Officer (COO) or Chief Information Officer
(CIO). However, note that in many organizations, the CIO does not report directly to the CEO or serves more as
a Chief Technology Officer (CTO) and therefore might not fully understand the business side of the information
they manage.
Responsibilities:
Policy Owner
This role is the business owner of the domain of the business documents. This is the senior person who directly
uses the records covered by the policy. In the case of a single records policy for the entire organization, this may
be the COO or the same person as the Executive Owner.
Responsibilities:
Records Manager
This may be the same person as the policy owner, someone on the policy owner’s staff or a dedicated position
within the organization. It depends on the volume of both paper and electronic records as well as the level of
automation implemented within the organization.
Responsibilities:
Technology Support
This is typically the owner of the IT organization that supports the Policy Owner. The scope of this role will
depend highly upon the maturity of the electronic records management program.
Responsibilities:
If possible, declaration and categorization of records should be fully automated. This is easier with documents
that are process-centric or that can be broadly categorized, e.g., financial documents. The goal is to remove the
burden, real or perceived, of records management from the average employee.
Responsibilities:
Properly store all finance documents electronically in the corporate content repository
Identify finance document contents through defined naming and metadata conventions
Send reference links to documents internally and not the actual document via email and chat to limit proliferation
of document copies
Appendix: Definitions
If you have multiple policies, it is best to simply provide a link to an external resource with the definitions, so they are
consistent for all policies and you don’t have to update every policy when you modify a definition.
Record: A document or other piece of information that has been declared a record and placed under retention.
Record declaration: The process of taking a document or other piece of information, either paper or electronic, and
placing it under records retention. The document is considered a record after this process is complete.
Retention schedule: The detailed policy outlining how long a record is kept and what happens to it through its lifecycle.
Version: An iteration of a document. A document can have a major version (1.0, 2.0, 3.0, etc.) and minor versions
(1.1, 1.2, 1.3, etc.).
About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000
organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise
content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.
Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
www.netwrix.com.