Records Management Policy Example

Below is a template for a records management policy. To use it for your organization, you need to fully understand the rules and laws that apply to your organization and modify the sample text accordingly. For example, the retention periods listed might not comply with the regulations your organization is subject to.

If your organization has multiple records policies (e.g., finance, manufacturing, HR), it is useful to have a core records policy that defines the overall corporate responsibilities and includes an index delineating the individual records policies. In that situation, the individual policies would reference the corporate records policy and include only the sections relevant to the scope of the individual policy. This sample records management policy is designed for financial records, but it includes all components for other types of policies. Financial records were chosen for this example because they are a type of record that all organizations must manage.

Corporate Financial Records Policy: Key Information

This section is a collection of the key information for the records policy. You should structure it so readers can readily identify all relevant information.

Name

Choose a name for the policy that clearly identifies its scope, especially if your organization has multiple policies.

RM1: Corporate Financial Records Policy

Version

Specify the version of the policy. Clearly indicate if this is a draft version that is still under review.

1.0-DRAFT

Approved By (Name, Role)

Provide the name and official role or title of the person who provided the final approval. Typically this is the CEO, the General Counsel or the person with ultimate responsibility for records policies.

Jean Rooney, General Counsel

Approval Date

List the date the approver gave the final approval.

December 14, 2018

Effective Date

List the date that the policy is to take effect.

January 1, 2019

Expiration Date

List the date that the policy expires. This is typically filled in only after the version has been approved. This field is optional.

N/A

Purpose

In this section, you should outline the purpose of the policy and detail the business drivers for creating it. Detail any specific rules and regulations your organization is meeting by implementing this policy and any additional considerations.

The purpose of this policy is to provide guidance and direction on the creation and management of information and records and to clarify staff responsibilities. The records management program is intended to maintain, protect, retain and dispose of records in accordance with operational needs; federal, state, and local government regulations; fiscal and legal requirements; historical value; and business reference purposes.

For internal operational needs, all financial records need to be retained for the purpose of performing financial analysis of the company over time. As such, all financial records should be retained for a minimum of five years.

For historical purposes, all public quarterly and annual financial reports should be retained as permanent records.

The relevant federal regulatory requirements come from the SEC and the IRS. The Sarbanes-Oxley Act of 2002 requires that all financial reviews and audit material be retained for five years. The IRS states that all financial records need to be retained for up to seven years depending upon the filing conditions. There are no additional requirements from state or local authorities.

Regulatory links [link to both internal and external references by name and when possible, a direct link]

  • SOX 
  • IRS regulation

Scope and Applicability

Specify who and what aspects of the organization’s business and business transactions the records policy covers. Indicate the business applications and systems the policy covers (email, electronic records, etc.). Indicate if the policy covers the entire organization, a specific division or defined geographic area.

This policy applies to all finance staff across the entire organization. It specifically covers all aspects of the organization’s financial business and all financial information created or received. It covers information and records stored in all formats, including:

  • Documents
  • Spreadsheets
  • Presentations
  • Email
  • Memoranda
  • Minutes
  • Audio-visual materials
  • All other electronic or scanned records

The policy also covers all applications used to create, manage or store financial information and records, including the official records management systems, email, websites, social media applications, databases and financial management systems. 

Policy

This outlines the records covered by the records policy and their retention schedule, defining how they are to be managed, made available and eventually disposed of. There can be several categories defined to correlate to different rules and regulations. It is recommended to group documents into a smaller number of “big bucket” categories to simplify the implementation of the records policy.

[This is the specific category of records that apply to this record. Note the continuation of the numbering scheme from the policy name.]

RM1-1, Tax Returns
Description

All tax returns filed at the federal, state or local level

Retention Period

[Note the phased retention periods. This is optional and not all electronic management systems may support this behavior.]

  1. 7 years from end of applicable fiscal year
  2. 5 years from end of previous retention period
  3. Permanent
Disposition

[This is what happens at the end of the retention period. All records are, by default, read-only and cannot be deleted.]

  1. Lock access to finance managers only
  2. Move to permanent archive
  3. N/A [Permanent records have no final disposition action.]
Protection Level

[Outline any specific restrictions to the content once it is declared as a record.]

All edit, delete and versioning rights are removed. The system will purge all previous versions and only the final version is retained as a record.

Approvals

[Specify approval authority for exceptions and final disposition here. People should be listed by roles as defined in the next section of the policy. If a record is particularly sensitive, additional approvals may be defined.]

Exceptions must be approved by the CEO, Executive Owner, and Policy Owner.

RM1-2, Financial Audit Records
Description

All financial audit documents, spreadsheets, presentations, and correspondence

Retention Period
  1. 10 years from end of applicable fiscal year
Disposition
  1. Permanently delete
Protection Level

All edit, delete, and versioning rights removed. All major versions are retained as a record.

Approvals

Final disposition must be approved by the Policy Owner.

Exceptions must be approved by the Executive Owner and Policy Owner.

[For some records policies, a generic retention should be specified for all documents that are in the scope of the records policy but that do not fall into a specific category, as shown below.]

RM1-X, Other Financial Records
Description

All financial audit documents, spreadsheets, presentations, and correspondence not specifically covered in other categories

Retention Period
  1. 5 years from end of applicable fiscal year
Disposition
  1. Permanently delete
Protection Level

All edit, delete, and versioning rights removed. All major versions are retained as a record.

Approvals

Final disposition must be approved by the Policy Owner.

Exceptions must be approved by the Policy Owner.

Roles and Responsibilities

This section lists the roles and responsibilities for the policy. Some roles and responsibilities, such as the Executive Owner, may be the same in multiple records policies.

Executive Owner

This needs to be a role that is a member of the executive leadership team. While records management occurs across an entire organization, a single person needs to take responsibility. Ideally this person answers directly to the CEO.

This example lists the General Counsel, but many organizations do not have a full-time senior legal staff. Alternatives include the Chief Finance Officer (CFO), Chief Operations Officer (COO) or Chief Information Officer (CIO). However, note that in many organizations, the CIO does not report directly to the CEO or serves more as a Chief Technology Officer (CTO) and therefore might not fully understand the business side of the information they manage.

Assigned to: General Counsel

Responsibilities:

  • Act as executive sponsor for the records management program
  • Establish the records management program’s vision, goals, and objectives
  • Ensure the records management program receives adequate resources
  • Monitor compliance to the organization’s records management policies

Policy Owner

This role is the business owner of the domain of the business documents. This is the senior person who directly uses the records covered by the policy. In the case of a single records policy for the entire organization, this may be the COO or the same person as the Executive Owner.

Assigned to: CFO

Responsibilities:

  • Own the records management policy
  • Verify that the records management policy is implemented
  • Verify that the records management policy is followed
  • Review the records management policy annually to ensure that it is up to date with latest industry and organizational requirements

Records Manager

This may be the same person as the policy owner, someone on the policy owner’s staff or a dedicated position within the organization. It depends on the volume of both paper and electronic records as well as the level of automation implemented within the organization. 

Assigned to: Finance Records Manager

Responsibilities:

  • Responsible for paper records storage
  • Define records management procedures for financial records
  • Perform regularly scheduled financial records disposition review
  • Create and deliver records management policy training to financial staff

Technology Support

This is typically the owner of the IT organization that supports the Policy Owner. The scope of this role will depend highly upon the maturity of the electronic records management program.

Assigned to: CIO

Responsibilities:

  • Maintain the electronic records management systems
  • Ensure system compliance to the records management policy
  • Maintain full audit records for electronic records during the duration of their retention period
  • Provide reports showing the usage of the system and compliance to the records management policy
  • Prevent unauthorized access or modification to electronic records
  • Ensure the protection of the records, including a secure backup for the records storage that enables adequate disaster recovery

Record Creators and Users

If possible, declaration and categorization of records should be fully automated. This is easier with documents that are process-centric or that can be broadly categorized, e.g., financial documents. The goal is to remove the burden, real or perceived, of records management from the average employee.

Assigned to: Finance Staff

Responsibilities:

  • Properly store all finance documents electronically in the corporate content repository
  • Identify finance document contents through defined naming and metadata conventions
  • Send reference links to documents internally and not the actual document via email and chat to limit proliferation of document copies

Appendix: Definitions

If you have multiple policies, it is best to simply provide a link to an external resource with the definitions, so they are consistent for all policies and you don’t have to update every policy when you modify a definition.

Disposition: The action taken on a record at the end of a retention period.

Record: A document or other piece of information that has been declared a record and placed under retention.

Record declaration: The process of taking a document or other piece of information, either paper or electronic, and placing it under records retention. The document is considered a record after this process is complete.

Retention: The process of protecting and managing a record.

Retention period: The duration for which a record is retained.

Retention schedule: The detailed policy outlining how long a record is kept and what happens to it through its lifecycle.

Version: An iteration of a document. A document can have a major version (1.0, 2.0, 3.0, etc.) and minor versions (1.1, 1.2, 1.3, etc.). 
