When people are sick, their bodies experience an information
management crisis. Essentially, the critical supporting components of
the body's defense mechanisms are not getting the right information
at the right time to facilitate the best possible reaction to the
intruders.
An organization--whether small, medium, or large; government,
publicly traded, or private--is like a body: it can also get sick. The
records and information that course through it each day must get to the
right people at the right time in order to support the
organization's optimum health.
Just as people go to the doctor for checkups to ensure their good
health and for diagnosis, treatment, and monitoring when they are ill,
undergoing a records and information management (RIM) audit provides an
organization the necessary checkup, diagnosis, and treatment to ensure
its good health.
In metaphorical terms, if records and information--both physical
and electronic--are the life-giving blood in an organization's
body, then the conduits, or programs, by which they flow are the
organization's circulatory system.
A RIM audit is a critical dissection and evaluation of the
processes that manage records and information flows throughout their
lifecycle.
Defining the Stakeholders and Drivers
Like people, every organization is unique. Each has its own
personality, objectives, stakeholders, drivers, and performance
measures. The audit team must identify and understand each of these
elements in order to shape the audit to meet the organization's
unique needs.
A significant step in the audit is to identify the stakeholders
involved in and affected by the RIM program and those stakeholders'
drivers. (See Figure 1.)
Recognizing the stakeholders and understanding their diverse
drivers will provide insight into the needs driving the RIM program
audit and empower the audit team with the ability to connect with the
stakeholders in the context of their functions.
Although everyone within an organization creates records and
information and is responsible for that content, the audit team must
identify and use key personnel, or champions, from within each
stakeholder group to keep the process moving. This step requires buy-in
from these individuals--a task that can be handled now that their
organizational drivers have been uncovered and the auditors can
communicate with them on their level and in their language.
Beginning the Audit Process
After determining the "why" of the RIM program audit
process by identifying the drivers and stakeholders, determining the
"how" of the process must begin. In basic terms, the RIM
program health check consists of defining drivers, gathering data, and
developing an action plan. (See Figure 2.)
Building an Audit Team
Understanding the drivers and stakeholders will provide the
framework within which to create the audit team. The organization's
unique characteristics will help guide its creation.
A public sector audit team may include:
* Organization records manager and support staff
* Industry RIM expert(s)
* Other non-RIM program staff such as stakeholders and focus group
members
* Executive-level representation
A private sector audit team may include:
* A core team comprising an organizational records manager, project
manager, and representatives from legal and IT
* Industry RIM expert(s)
* Advisory committee comprising functional management as
stakeholders and subject-matter experts
The makeup of the audit team is an important consideration. As
shown above, finding individuals with functional expertise in
information technology, legal, and records management is a great start.
Ideally, a handful of end users should be involved, if only to validate
the approach and language. Small groups of quiet, supportive advisors
from across the organization can go a long way toward enabling the team
to reach the right audience in the right way to get honest and accurate
answers about current practices. The use of outside RIM experts can be
helpful as well. They can provide objective counsel regarding practices
at other, similar organizations in the given industry or segment,
and--by virtue of their expertise alone--they can provide reasonable
context for launching a RIM program audit.
Identifying Elements to Evaluate
Once the audit team has been assembled, the next step is to
identify which elements of the RIM program to evaluate. Elements
commonly measured include the following:
* Retention and vital records schedules
* Access and security controls
* Classification and indexing schemes (e.g., file plans and
metadata models)
* Disposition procedures
* Records and information storage processes, tools, and
environments
* Ease of access and retrieval of information
* Legal holds process
* Organizational understanding of RIM
* Roles and responsibilities related to RIM
Auditors must ensure that the retention schedule is structured in a
logical way (typically, this entails a process-oriented, or functional,
structure). When reviewing the legal research, the audit team should
spot-check citations. The schedule should be loaded into an electronic system for
use, and any manual classification procedures should be well-documented
and easily understood. Organizations with the most successfully
implemented retention schedules often have workgroup-level file plans
(or mini-taxonomies) that identify the information that is relevant for
each workgroup to manage in its daily work. Disposition procedures, as
well as the storage locations (from warehouses to server rooms to backup
tapes), also should be reviewed by the auditors to confirm that the
information is safe, accessible, and easy to retrieve.
Many end users understand the basics of how to respond to a hold
order--but they may not understand the overall lifecycle of information
and their own and others' roles in managing it. The audit team
should not hesitate to ask respondents to demonstrate their
understanding and knowledge as part of the audit process.
Choosing the Right Tools
Just as a physical exam requires specialized medical equipment like
a stethoscope, the RIM program audit requires the use of specialized
tools to evaluate the health of the organization's RIM processes.
These resources might include:
* Published standards:
--ISO 9000:2005 Quality Management Systems--Fundamentals and
Vocabulary
--ISO 9001:2000 Quality Management Systems--Requirements
--ISO 15489-1:2001 Information and Documentation--Records
Management--Part 1: General
--ISO/TR 15489-2:2001 Information and Documentation--Records
Management--Part 2: Guidelines
--ISO 23081-1:2006 Metadata for Records--Part 1: Principles
--DoD 5015.2-STD, Department of Defense Records Management Program
--Model Requirements for the Management of Electronic Records
(MoReq)
* Non-profit guidelines: The Sedona Conference's Sedona
Guidelines for Managing Information and Records in the Electronic Age
* ARMA International's Risk Profiler Self-Assessment for RIM
* Metrics, statistics, and other reports generated internally
* External benchmarks and industry studies
* Interview questionnaires and surveys
Auditors should become familiar with the suite of tools and sources
available so that the records manager and a trusted advisor can create a
RIM program audit "toolkit" that specifically meets the
organization's unique needs. Choosing the right tools often
involves selecting the things that are most suited to the
organization's needs from several possible sources. Applying a
single source or tool may overlook some of the key elements that an
organization needs to measure or consider--or may attempt to measure
them in a way that does not fit the program's audit needs.
In developing this toolkit, many of the elements of a desired state
for RIM will emerge. This desired state will be used later in the audit
process to compare against results and to build a roadmap.
Knowing Where to Look
The team has identified the program elements that should be
evaluated and the tools for assessing the situation. Where does it go in
the organization to find a realistic picture of how things work? And,
further, how does the team get those people to be honest regarding how
they handle information, comply with processes, and understand the
overall program? This aspect of the RIM program audit is both art and
science.
One consideration when choosing the organizational audience is to
understand where the mission-critical processes are executed. What
support functions assist this area? Who is their liaison for managing
records, if they have one? Although a successful RIM program audit will
include data gathered from a cross-section of the organization, it
should include representatives from those workgroups that execute the
organization's core processes and reflect its reason for existing.
[FIGURE 2 OMITTED]
Knowing How to Look
There are three primary methodologies for conducting the RIM
program health check: questionnaires, interviews, and group sessions.
The most efficient, effective audits use a combination of two or more of
them:
COPYRIGHT 2007 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007 Gale, Cengage Learning. All rights
reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.