Here’s a riddle for you: How much does the average US-based organization need to invest to update its records retention schedule every year?
The answer is…
The reason: creating and maintaining a records retention schedule is becoming more complex, with privacy laws that are frequently in conflict with retention requirements.
Navigating that paradox means it’s more important than ever to have a vetted, documented records retention schedule that lets you justify the retention or destruction of any particular record.
This post will give a brief overview of retention schedules, the current complexities in updating them, and how current solutions can enable a clear return on investment.
While this may seem like going back to basics, a 2021 ARMA IG Maturity Index Report highlighted that only 17.4% of organizations surveyed are meeting more than just basic requirements for their processes. Likewise, during our webinar on records retention schedules, only 50% thought that they had a good RRS in place.
So we’ll start with a brief definition and a review.
At the core of any defensible records and information management program is a vetted retention schedule. It covers the length of time, the location, and the form in which a record is kept.
A comprehensive retention schedule should contain at least the following:
Whether your organization is looking to create a retention schedule from scratch or updating an existing one, there really isn’t much of a difference in terms of effort required.
Access’ T’Don Marquis has observed that “many Access clients that initially came to us weren’t necessarily creating schedules from scratch but taking their current work and supplementing it with best practices, which can take as long as starting with nothing.”
The first step of tackling the creation or revision of a retention schedule is research. That means understanding the following questions:
You’ll notice that three of those four questions are not static answers—they will continue to change and evolve over time.
Creating a retention schedule is like competing in a sport where the rules change constantly. To put this in perspective, the database behind Access’ software solution, Virgo, contains retention policies for 140 countries and over 200k citations… but continues to grow and change by the day.
Therein lie the challenges that many organizations face – keeping up with change and having the resources to act when required.
The current focus on privacy and expansion of privacy laws across the globe has made maintaining or updating a retention schedule more complex than ever.
Likewise, there is a new degree of sophistication needed for organizations to comply with retention and disposition laws. The potential for litigation, discovery, investigations, and audits demands defensibility. The stakes are high when it comes to compliance. You can’t just pay lip service to retention – you have to follow through and be able to back it up.
This is why organizations need a retention schedule that can be referenced in case they need to justify why a record was (or wasn’t) destroyed.
Here’s a simple example:
In the U.S., the record of termination of an employee must be retained for 40 years. At the same time, it contains conflicting PII which must be destroyed within a much shorter period depending on the record type.
With so many requirements that are often in conflict, the usual result is keeping a record too long rather than destroying it too early. According to a survey of information security, compliance, and privacy professionals across 50 of the most respected companies headquartered in the U.S., over-retention (not early destruction) of information is a top concern.
It takes an enormous amount of time, effort, and energy to understand what requirements an organization is subject to.
“Along with so many regulatory changes over many decades,” Access’ T’Don Marquis observed during a recent presentation, “we’re working with Access clients that are subject to a substantial amount of laws. For instance, domestic U.S. companies are subject to 8,000 to 15,000 requirements, while global clients are subject to more than 30,000 laws. We even have some complex global enterprises that are subject to 100,000 requirements.”
Manually tracking these requirements takes an enormous investment of revenue and time.
Finding the most efficient way to perform these updates is key because, in the end, it boils down to a simple direct correlation, or as T’Don Marquis puts it, “The more time it takes, the more expensive it gets.”
Making the business case for investing in a retention schedule automation solution like Access’ Virgo comes down to a few key points.
If you’re looking to leverage a technology solution that will enable you to create, maintain, or update a retention schedule, then it should be able to do the following:
Building a schedule or records retention program is just the beginning. Maintaining compliance amid constant change is another matter.
Refreshing a retention schedule in the United States alone is a substantial lift because new laws are passed daily. As mentioned on the recent live Access webinar, “We ran a calculation in our Virgo database and there are approximately 200 updates to retention requirements per day.”
Are these changes a typo fix, a clarification, or a significant change? When you reach a certain scale, it’s cost-prohibitive for a team to track all of this.
For more detailed information on how a records retention solution can deliver impressive ROI, be sure to check out our recent webinar presented with ARMA: OMG, Yes! Retention Management ROI is Attainable.