Sentencing of records is the act of making and applying a decision about their long-term handling.
Simply put, it’s about when to destroy them.
While most organisations are amazingly efficient keepers of information, very few outside of government are efficient destroyers of information.
When it’s done well, records that you capture are sentenced by the act of capturing them. This is called sentencing on creation. It means that the process will be largely automatic, and include destruction when the record reaches its end of life.
When it’s done badly, a vast trove of data and information will need to be classified and sentenced after the fact. It’s expensive, the chance for error is high, and the trove is what every hacker on earth is hoping they’ll find when they breach your organisation. Then there’s the chance that you’ll destroy information that legislation says you need to keep.
Sentencing is the discipline that every organisation needs to understand in a post-privacy-legislation, breach-reporting world.
If your organisation has a great Records Manager, chances are that you’re already on your way there. If not – now is probably a good time to go and find one.
Is that the driver for the completion of work isn’t record keeping.
The driver for the completion of work is either customers, or co-workers, or managers.
Record keeping, when left to be done manually, is always a deviation from the critical path to getting stuff done.
So the problem that record keeping has to solve isn’t “how do we make everyone great record keepers”, it’s “how do we put record keeping in the critical path”.
When it’s in the critical path, it gets done – because it’s the only option.
Take away Outlook.
That sounds crazy, but wherever I go, email is the number one way to ignore records management and information governance, because it’s totally uncontrolled by design.
People ignore record systems because they can, and they can because of email.
All workers really need is a way to move the information they’re working with to the next person in the process. Email is the simplest, lowest friction way of doing that.
For most people, email is how they do their work. It gets emailed to them, they do their work, and then they email it to the next person. Hard copies fulfil the same basic idea. At no point in that process do they need to put anything in a record keeping system.
If you take away the ability to email and print, how do people move their work around?
They have to put it in a system that moves it around.
If the system is a records system, you’ve got it.
(Incidentally, this is a lot of what digital looks like when done well)
There are only actually two reasons to fail an audit:
- You’re not doing the right things.
- You can’t prove you did the right things.
Doing the right things is obvious.
What is less obvious is proving that the right things were done.
If you work in a regulated organisation, at some point the auditors are going to show up. When they do, they’re going to ask you for your records. Records are your evidence that you did the right things.
If you don’t have a records management program, chances are, you’re failing at capturing the right evidence, or you’re handling the audit process with a massive overcommitment of resources.
A records management program starts with a great records manager. A great records manager will review your regulations, work out what needs to be captured to provide evidence, and then execute a program to ensure that it is.
Then all you need to do is make sure your organisation does the right things.
Records are evidence of compliance.
To destroy information which is evidence of compliance is to destroy a record.
The risks of doing Records Management poorly are that information proving compliance –
- Won’t be available when you need it because it has been deleted or lost.
- Will be difficult (i.e. expensive and time consuming) to find.
- Will be incomplete, and will require significant time and effort to assemble into a comprehensive record.
The consequences of failing at Records start with failing audit. Depending on your industry, there can also be other consequences that range from inconvenience and fines, to quite literally killing people.
I’ve simplified greatly here because I’ve discovered that Records have different meanings in different contexts. I think that’s part of the reason why record keeping isn’t held in much higher regard as a discipline, and why certain industries are doing it so badly (and failing audits left, right and centre).
What I’ve found by industry –
- Government agencies know what records are, but generally under-fund it.
- Health organisations think that they’re about patients (all patients have records, but not all records are about patients).
- The greater private sector thinks they’re in accounting, but have people in risk actually performing records management duties.
Records are evidence of compliance. If you have legislation, regulation or standards to comply with, records are the evidence that you can give an auditor that’s going to get them out of the building quickly. The longer the auditors are with you, the higher your risk is.
“Regulatory audits are enjoyable experiences.”
That’s what organisations say when they have good records.
The audit process is smooth, efficient, and low stress, because they’re permanently ready.
Mostly though, regulatory audits aren’t enjoyable experiences. They are high stress, and there’s a huge rush of last-minute work to try and be ready.
The last minute rush is record assembly.
It’s trying to create complete records out of all the pieces of information collected and created by your process.
When you have a complete record, you can hand it to the auditor knowing that it’s everything you have.
And the audit is, for lack of a better word – enjoyable.
If you’ve got an audit problem, you’ve got a records problem.