A Roadmap to Resilience and Efficiency
Date: Tuesday, Feb. 18, 2025
Featuring Jennifer Chadband and Rick Surber — Zasio Senior Consultants
Editorial Note: Portions of this Virtual Coffee with Consulting transcript have been reviewed and refined using AI tools to improve readability, punctuation, and clarity. While the content remains true to the original discussion, minor edits were made to enhance understanding.
Welcome, everyone, to Virtual Coffee with Consulting. Today’s topic is Revamping Your RIM Program: A Roadmap to Resilience and Efficiency. This is a great topic. Rick and I were brainstorming for the year and wondered if it would be too dry or not interesting enough since we’re going back to the fundamentals. But surprisingly, we’ve had a ton of interest and great attendance numbers.
We’re extra excited to present on this topic because there are always new things to think about. Just a reminder—Virtual Coffee is meant to be a casual forum. We always encourage people to bring their coffee or beverage of choice. I think we once had a guest who brought Diet Coke and a cigar. Whatever floats your boat.
We want to have a loose conversation about this, but we also think it’s great to have slides and we all like visuals and takeaways. This is really meant to be a discussion format. Rick and I will go over some ideas and content, but also have conversations about common practices and trends we’re seeing.
If you’re new here, welcome! I’ve seen quite a few new names signed up for today’s presentation and questions are always welcome. You’ll see there’s time for questions at the end, but feel free to submit them anytime and we’ll get back to you.
Now, the roadmap for today’s discussion: we’ll start with the “why”—why we’re conducting assessments and reevaluating programs. What’s the driver behind that? Then we’ll talk about fundamental program components, which really lay the foundation for the rest of the conversation.
Building on that, we’ll explore what it looks like to conduct assessments and how that might vary depending on your organization, goals, and drivers. We’ll also talk about common findings, practical tips, and other helpful insights—especially for those of you who are leading initiatives or conducting assessments yourselves.
There are a lot of handy tips we can pass down.
Why Conduct a RIM Assessment
Talking about the “why”—if you look at the bullet points, they’ll likely look familiar. These are the common drivers for RIM assessments. And these can evolve over time. We recommend periodic assessments, especially if your goal is full maturity.
Even if full maturity isn’t the goal, you should still check in regularly to see what’s working, what’s not, and where your strengths and weaknesses lie. These are typically the drivers for building a robust records management program.
First, legal and regulatory compliance is always evolving. Think GDPR, HIPAA—there are even recent changes coming to HIPAA. Assessments help identify compliance gaps and protect against legal risks or penalties.
Next, mitigating risks and reducing liability. Poor records management can lead to data breaches, noncompliance, and fines. You don’t have to look far to see examples—especially in financial services, where SEC-related issues and privacy breaches have made headlines.
Another key driver is optimizing operational efficiency and cost savings. Inefficient records management wastes resources, increases storage costs, and reduces productivity. Modernization and automation are important here—technology enhancements can significantly improve your information governance program.
Protecting organizational information is also critical. Sensitive, confidential, and proprietary information are valuable assets. A robust RIM program helps safeguard them.
Rick, do you want to take the last few?
Thanks, Jen. The next driver is preparing for unforeseen events like disasters. Having a business continuity plan is essential. Assessments help identify critical records and ensure they’re recoverable in case of natural disasters or cyberattacks. They also help identify weaknesses and backup plans.
Another driver is making informed decisions. The ultimate goal of an assessment is to create a strategic roadmap for your RIM program—what to prioritize and how to move forward. This improves decision-making, enables quick retrieval of records, ensures proper storage, and supports defensible disposition.
Lastly, facilitating digital transformation and information governance. AI-driven records management is something we’ve received questions about. We’ll touch on it briefly today and plan a dedicated session later this year. The goal is to integrate records management into broader enterprise content and digital transformation strategies, ensuring technologies are used efficiently while maintaining compliance.
Core Components of a Successful RIM Program
Here are the key components and factors that Zasio looks at during assessments. First and foremost is program governance and structure. We look for things like RIM policies and retention schedules, which are foundational. Just as important is ensuring that senior leadership is on board and that RIM is part of a broader information governance program that takes a holistic view of information management.
A dedicated steering committee is ideal. Clearly defined roles and resources form a strong foundation for a proper RIM structure. When it comes to records management practices, we’re looking for progress in implementing program objectives—policies, procedures, and retention schedules. These practices, workflows, and processes should be designed to responsibly manage records and ensure the full lifecycle is followed, especially the disposition phase, which must be defensible.
Work culture and behavior are crucial. You can have the best governance in the world, but if people aren’t engaged or don’t care, it won’t go far. This is often the biggest challenge we hear from clients. They may have all the pieces in place, but struggle with implementation and follow-through. Common questions include: How do we reinforce this? How do we create awareness? How do we communicate effectively?
We’ll talk about strategies to promote enthusiasm for RIM, which can be difficult. One helpful approach—though not the most in-depth—is training and boosting awareness. We’ll dive deeper into that shortly.
Next is technology—how it supports records management processes. This includes the ability of existing systems to provide visibility and control over both electronic and physical records. It’s about understanding repositories, applications, their limitations, and how they align with RIM objectives. We’ll explore potential workarounds and solutions.
Risk management and security are also key. We’ve already touched on business continuity and disaster recovery, as well as cybersecurity. Finally, compliance monitoring and auditing are essential. These ensure compliance, track key metrics, and support corrective action when needed.
A quick note on technology: it’s playing an increasingly important role. Many of our assessment findings include recommendations to adopt technologies that enhance or even enable the implementation of project goals. AI is a major factor here. While this presentation won’t focus heavily on AI, we are planning a future Virtual Coffee session dedicated to how AI and technology can modernize and elevate your program.
Benchmarking and Industry Common Practice
This section is about identifying your yardstick—how you measure the current status or structure of your program. There are many resources available. One of the major ones is the Generally Accepted Recordkeeping Principles (GARP), which include eight principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.
These principles help organizations measure maturity and compliance. On a lighter note, I once asked ChatGPT for a mnemonic for GARP. It initially got the acronym wrong but eventually came up with a good one: A Trusted Information Professional Complies and Reviews Records Diligently. I wish I had that while studying for the CRM!
Another useful model is the ARMA Maturity Model, which outlines five levels of maturity: initial, developing, defined, managed, and transformational. The goal is to move toward a transformational program—one that is proactive rather than reactive. This model encourages continuous improvement by identifying weaknesses in retention and compliance practices.
While many assessments focus on weaknesses, it’s just as important to identify strengths. It’s not uncommon to find disparities within an organization. For example, finance, accounting, and HR departments often have more mature practices in place.
There are also ISO standards for RIM and IG. ISO 15489 focuses on core principles for designing and implementing RIM systems, while ISO 24143 emphasizes IG concepts and a structured, cross-functional approach involving legal, IT, and other departments.
We also use our own proprietary model, which incorporates industry best practices based on years of conducting assessments. The idea is to compare your program to a chosen standard and identify gaps.
Common gaps include a lack of formalized policies or procedures, or having policies that are too complex to follow—like overly complicated retention schedules.
Many people don’t understand how to use the retention schedule. Sometimes there’s a policy in place, but it’s not easy to follow. Inconsistent retention and disposition practices across the organization are common. Another frequent issue is poor integration of RIM and information governance (IG) with IT and security policies.
These gaps help highlight and justify the need for resource allocation and support. They also guide the next steps in developing your RIM program. From there, you can prioritize areas for improvement. As Rick mentioned earlier, gaining executive buy-in is essential for implementing necessary changes. It’s important to revisit the “why”—why are we doing this?
If legal or regulatory compliance is the main driver, that may be the most urgent risk to address first. Prioritizing based on risk and impact helps shape your takeaways and next steps.
Risk Priorities and Maturity Milestones
Let’s dive deeper into risk priorities and maturity milestones. If your program is still developing or just starting out, you’ll likely take a risk-based approach. As your program matures, you can begin to rely more on established milestones and metrics.
When starting from scratch, you may not have any governance in place. Often, the first thing organizations implement is a records retention schedule, which is foundational. But a RIM policy is just as essential. You may not yet have a formal program or a dedicated RIM professional.
In this case, a general risk-based approach is appropriate. An assessment and strategic roadmap are excellent starting points. They help outline a path toward maturity and align everyone around shared goals.
Some clients come to us saying, “We need a records management program, but we can’t get buy-in or support.” In our experience, we’ve helped build business cases to address this. You don’t need to be a lawyer to build a risk-based case. There are plenty of resources—legal cases, enforcement actions, and industry examples—that can help you make a compelling argument.
When you’re just starting out, focus on the risks to your organization. That can help you secure buy-in and resources. Anyone can pull together a persuasive case to support that first step.
There’s no shortage of cautionary tales. We even hosted a Halloween-themed webinar on RIM horror stories—some classic, some recent. It’s still available on our website and worth a watch.
For minimally developed programs, there’s a balance between risk and maturity. The roadmap helps justify additional resources and technology. Once your program reaches substantial maturity, you’ll likely have senior sponsorship, a steering committee, key performance indicators, and continuous improvement goals.
At that point, you can focus on known hurdles and develop strategies to overcome them. Internal audit findings and a commitment to continuous improvement are key tools for mature programs to keep evolving.
Assessment Planning and Considerations
When planning an assessment, it’s important to be concise and deliberate. Start by asking: Why is this assessment being conducted? The answer helps define the scope and outreach strategy.
It could be driven by risk management, regulatory compliance, operational efficiency, modernization, or digital transformation. Sometimes, an audit finding or litigation exposure prompts the assessment. Other times, it’s part of a routine check-in to ensure things are working as they should.
Next, determine what you’re going to assess. It’s not always necessary—or practical—to survey the entire organization. You might focus on specific areas, depending on whether your program is centralized or decentralized, or based on known maturity levels across departments.
People often underestimate the effort and timeline involved in a full enterprise-wide assessment. You’ll be evaluating policies and procedures—are they regularly updated? Are retention schedules compliant and aligned with business needs? Are records being managed according to the schedule?
These questions help shape your outreach. We’ll touch more on that shortly.
You’ll also assess technology and systems. What tools are in use? How are employees managing records day to day? Is there a standardized approach?
Training and awareness are also key. As a stakeholder, you’ll likely have answers to many of these questions, though input from others will be necessary too.
As mentioned earlier, the scope of the assessment may be organization-wide or limited to specific business areas. You’ll also want to consider whether the focus is on electronic records, physical records, or both.
More and more, the focus is on electronic records. Physical records still matter, but they play a smaller role. Managing digital records—especially across software platforms, databases, and cloud environments—adds complexity, particularly when applying retention policies. That’s why electronic records often require a deeper dive during assessments.
Geographical considerations also come into play. Where your organization operates can affect which legal and regulatory compliance requirements apply. All of this reinforces the importance of having a well-scoped, thoughtful plan going into an assessment.
Stakeholder Involvement
If there’s a magic trick to helping with support, adherence, and smooth implementation, this is it: involving stakeholders. Getting them engaged, collaborating with them, making sure their opinions are heard, and doing everything you can to bring their needs into the program goes a long way in building champions and rolling out a successful program.
You may not know who your stakeholders are. If that’s the case, you can develop a survey and send it to managers. Ask them to identify the people in their departments who are most knowledgeable about records—how long they need to be retained, what the business needs are, and so on.
We’re usually looking at some key stakeholders. Legal is a major player and typically requires multiple touchpoints. If there’s a privacy team, we’ll want to talk to them too. Then there’s representation from each business area within your organization.
Often, these touchpoints can evolve into a RIM liaison-type relationship, which we’ve found to be really useful—not just for collecting information, but for helping with compliance, training, and rollout.
If you have stakeholders who are willing to stay involved and have bought into the process through collaboration, it makes everything easier down the road.
One question we get a lot is: how many people should be involved in an assessment? The answer is: it depends. We look at the size of the organization and the core verticals—HR, Legal, IT, and any industry-specific areas.
Sometimes it gets tricky. A client might say, “We have 50 manufacturing sites. Are we really going to reach out to all of them?” The answer is no. Nobody has the bandwidth for that. But you do want a good sampling—especially if there are unique products, regulatory considerations, or higher-risk jurisdictions. Focus on the sites that will provide the most value to the assessment.
This part of the process can be a hang-up. It can feel overwhelming, and it’s often hard to get people to engage. We can’t underestimate that. Survey response rates typically range from 30% to 70%. Smaller organizations sometimes hit 100%, especially when Legal is involved. That tends to prompt more responses.
As long as the importance of the initiative is clearly communicated—why it matters to the business—people usually understand and are more willing to participate. It helps to make them feel like they’re part of it.
Executive support helps too. I like to talk to someone in an executive role later in the information-gathering phase. That way, you can report on what’s been collected, talk through the strategies you’ve developed, and get feedback from an executive sponsor on the path forward.
It’s not always easy to get an executive on a call, but we do. We’ve even had meetings with company presidents. It’s great when that happens.
Accessibility and Communication
All right. Talking about assessment planning considerations—when we’re thinking about the existing framework and policies—we want to go over some of these. You’re reaching out now, asking questions. The survey itself should be as straightforward and simple as possible.
We can’t get every question answered in the survey. People just won’t complete it if it’s too long. There’s a sweet spot. The survey sets a foundation for the most important aspects. For example, we ask about systems, record locations, and provide a list of options they can select from. That helps facilitate the process.
We usually work with IT to get an idea of what that looks like, which can be complex depending on the size of the organization. When we get into conversations, we go down a list of things we want to answer because it helps inform where the program is and what the maturity level looks like.
We think about the retention schedule and ask: Are there inconsistencies? Is anything missing? Do people use it? Are they familiar with it?
We also look at policy documentation for clarity and accessibility. Are the policies clear? Are they well documented? Are they updated regularly? Are they written in a way that ensures consistent application across the organization?
Accessibility and communication are key. One of the real linchpins of the program is whether employees are aware of and able to find the RIM policy. Even in fairly mature programs, it’s not uncommon to find people who’ve never seen the retention schedule. That usually indicates there wasn’t an onboarding requirement for training.
These types of questions can reveal a lot. Are policies being enforced consistently—or at all—across departments?
We also look at disposition practices. ROT—redundant, obsolete, trivial information—is a big issue. Is there over-retention? Is anything being deleted? You can get at that through general questions, and even by asking about email. Email is a major consideration. Even if it’s not part of your formal strategy, it’s worth asking: Are records being stored in email? Are emails being deleted? Are there backlogs of records that should have been destroyed but are still stored? Are disposition practices documented and auditable?
These are just some of the questions we ask during information gathering. As you meet with people and go through these lists, you start to get a general sense of where things stand. Not every question needs to be answered in every interview, but the conversations are meant to be organic. You’ll gather more and more information as you go, and that helps inform the overall state of the program.
All right. Technology—this is a big one. There’s a lot to talk about, but I’ll keep it brief.
We got a user-submitted question: How are RIM programs addressing the shift from managing legacy paper to a vast array of software repositories that all hold digital records in different ways—most without metadata or connection to the retention schedule—and with legacy staff unfamiliar with the new systems?
That sums up a lot of what’s going on. Technology is advancing. The volume of digital records is exploding, and managing it all is becoming more challenging.
A couple of tips: prioritize key systems. Focus on where the most records are stored or on systems that are critical to business operations.
Then ask: Are there tools available in these systems or repositories to help manage records?
A good example is Microsoft 365. Purview labels have been improving. It wasn’t originally built for records management, but they’ve added features over time. It’s more robust with an E5 license than with an E3.
You can still use some of the features in E3. Use what you’ve got, recognizing that better technology and more centralized management will make things a lot easier. If you can move toward an electronic records management solution, it’s going to make a big difference—the sooner, the better.
And then there’s automation. Anything that makes things less manual helps. It reduces employee burden, improves consistency, and just makes things better.
All right, another component you’re measuring during the assessment is the records lifecycle and governance practices. It’s important to get a general idea of how records are created, stored, accessed, and disposed of across the organization. You may already have some insight into that.
Here are some typical questions we ask to help gauge this: Are records being captured in a structured and standardized way? Are there policies in place to ensure proper classification at the point of creation? Where are records stored—physically, electronically, in the cloud, or in hybrid systems?
That’s something you might be able to answer through the survey. Then we look at whether storage practices align with security and access control requirements. And how are records being disposed of? Are they being handled according to the retention schedule?
There’s some overlap in these components, but the questions help guide where you want to go. From an AI perspective, we’re also looking for information silos—areas where redundant or obsolete information is being stored.
This is really about good RIM practice. You want to eliminate situations where people are managing records locally, making them hard to access or duplicating them unnecessarily. We recently had a meeting where people kept saying, “We’re keeping copies here and here,” even though there was a centralized repository. Turns out, the system only allowed users to view records by downloading them. That explained why everyone was saving their own copies. These are the kinds of things we uncover through these conversations.
We also look at whether metadata and classification standards are being applied consistently. That’s especially important as we move toward modernization and broader technology integration. Are metadata elements—like record type, owner, and retention period—being used consistently across systems? Are records properly tagged? Is there a universal classification scheme?
In larger organizations, we sometimes find that people are creating their own policies. That’s a red flag, but also a great takeaway to address.
Another important area is audit and compliance monitoring—if your program is mature enough for that. Are periodic audits being conducted to ensure classification and metadata consistency? If audits are happening, they can reveal a lot. If not, that’s something to work toward.
These categories—lifecycle, governance, metadata, and auditing—give you insight into what’s happening across the organization. They help you understand where things are, what’s working, what’s not, and what could be improved.
Audit findings aren’t fun, but they can help justify more resources. They get attention. Still, it’s better to be proactive than reactive.
Let’s talk about risk and security quickly since we’re a little behind. The security team is an ally with overlapping objectives. They’re probably doing phishing and penetration testing. RIM can help identify vulnerabilities related to records practices.
We also assist with disaster recovery and business continuity—identifying vital records, making sure they’re protected, and ensuring there’s a plan to access them in case of a disaster.
Privacy teams are also key allies with similar goals.
They can help evaluate how sensitive, confidential, and personal information is being protected and managed. A couple of things to work toward are accurate categorization and clear processes for storing and securing records.
Also, implementing the principle of least privilege is important—something both security and privacy teams support. That means employees only have the minimum level of access needed to perform their tasks. It keeps things compartmentalized so only those who need access have it. That makes things much easier if something goes wrong, like a phishing attempt.
All right, some more assessment planning and considerations. Efficiency and process optimization may not always be the primary objective, but it’s still important. It’s often a goal for organizations during assessments.
We’re looking to identify manual, redundant, or inefficient processes that could be automated. You can start by asking: How are people searching for records? Are they having trouble finding what they need? If so, why? Is it poor indexing, metadata issues, the retention schedule, or the classification scheme?
We also assess how people are using RIM tools and whether they’re following policies. One big issue is shadow IT—when people go off the grid and use their own methods. You’ll hear things like, “We’re not using that system; here’s how I do it.” That usually means the official process is too complicated or hard to follow.
That kind of feedback can point to areas that need further development or additional training. It also gives insight into best practices for improving adoption, change management, and communication across the organization.
Finally, we look for opportunities to streamline workflows, reduce costs, and automate where possible. We’ve already talked about AI-driven classification. That’s a big one. We’ll go into more detail in our next Virtual Coffee, which will focus on technology and AI.
Machine learning for compliance monitoring and automated retention triggers are also important. And in the background, you’re always thinking about how your RIM knowledge—whether from IGP, CRM, or industry best practices—can guide process optimization. You’re measuring against that and thinking about what the roadmap and strategy should look like in your final report.
Ah yes, the dreaded management side of the CRM coming back to help us out. Flashbacks.
At the end of the assessment, you’ll want a report that includes findings, risk areas, and recommendations. One piece of advice: distill the important findings and present them in a clear, easy-to-understand way.
You can include all your supporting information—risk analysis, appendices, templates—but the actual findings and recommendations should be plain and simple. Include an executive summary and a dedicated section for findings and recommendations.
That’s a good takeaway. Over the years, we’ve seen long assessments packed with helpful content—risk sections, use cases, enforcement examples, templates—but you don’t want to bury the most important parts. The primary risks and the recommendations to address them should be front and center.
Visualizing and Presenting Information
Make sure to keep it organized and put the important aspects right up front so your team and executives can easily see what’s going on and what needs to be done.
Also, consider data visualization. These reports can be very text-heavy, so don’t be afraid to make them more engaging with colors or visuals. One tip for survey distribution: use tools like Google Forms or Microsoft Forms. You can format your questions, and the tools will automatically generate visuals—pie charts, diagrams, and other helpful graphics—from the responses.
It’s nice to dress up the report with visuals, even icons or pictures. These days, people are used to seeing graphics in everything—even reports. It helps break things up and makes the information easier to digest.
Honestly, I’ve never seen a report like this with too many visuals. Usually, there are too few. People don’t always think about how to visually represent information to make it easier to read and process. Even AI can help with that. If you have data that’s not sensitive or proprietary, you can feed it in and ask for visual representations. AI can suggest ways to present the information that you might not have considered.
Roadmap Strategy and Timeline Planning
Now, thinking about the roadmap strategy and timeline—this is just a high-level idea of how things could be mapped out. We like to create a visual roadmap. Each phase will have its own details, and you can include those in the report. But it’s helpful to have a one-page summary that lays out the roadmap clearly. Executives especially appreciate that kind of concise view, rather than digging through all the details.
For the assessment and gap analysis, two to three months is realistic for a small organization. For a larger one, it could take twice as long. It depends on how many people you’re reaching out to and how easy it is to get on their calendars. That can really stretch the timeline.
It’s always smart to be conservative with your estimates. These things often take longer than expected—especially when you’re trying to coordinate interviews and meetings.
Updating governance and framework—whether that’s forming a committee or reviewing policies—can take three to six months. Again, that’s for a small organization. Larger ones may need more time.
Technology and process optimization can take six to twelve months, depending on how many systems are involved. We’ve learned that the acquisition and procurement process alone can be lengthy, and implementation adds even more time.
Training and change management follow a similar timeline. It takes time to fully implement, but it’s important to have a solid enterprise-wide training strategy. You also need to think about onboarding, ongoing awareness, and how to keep people informed. And don’t forget—being available to answer questions is part of that process.
Continuous Improvement and Program Maturity
Then there’s continuous improvement. Once you’ve started—maybe with a pilot—you’ll want to keep checking in. Where are we now? What’s improved? What still needs work? Where are the gaps?
It’s a rinse-and-repeat cycle. These check-ins should be part of your regular process, along with auditing and monitoring. It’s all part of the bigger picture.
Always aim for continuous improvement and program maturity.
Good stuff. Did I miss anything?
I don’t think so. It’s a lot to go over, but it’s always helpful to lay it out and think about it from the ground up. It helps you get ready and see the big picture—where to start and how to move forward.
With that, I think we can go to our last slide.
And I’ve got a save-the-date. Warren’s been asking me to collaborate on a webinar. It ties back to a user-submitted question about repositories: Should the retention schedule manage the data that makes up records? Traditionally, the answer has been no. But in today’s environment, where applications are replacing traditional records, how should we approach that?
I think we covered the assessment pretty well today, Jen. Great job. We’ll see everyone next time on Virtual Coffee. Thanks, everyone. Feel free to send us any questions if there’s anything we can clarify or help with. Thank you.