Building a Business Case for Records Management 

Download Article Article in Digital Form

Managing large volumes of data is an ever-growing challenge in business and one that has an impact on the IT industry. This issue is further complicated by the constant need to update software and infrastructure for managing e-mail for numerous employees.

There is a way to filter this information overload. While these challenges cannot be avoided, they can be controlled by adopting an effective records management program. This article outlines step-by-step details to help enterprises build a business case for a robust records management program. It includes helpful insights on how an IT leader can:

  • Assemble an essential cross-disciplinary team to help gain senior management’s support
  • Identify legal, compliance, operational and other records management risks
  • Quantify and prioritize the myriad of records management risks
  • Adopt case studies to demonstrate the real-life consequences of poor records management
  • Develop a robust records management plan and a proposed implementation budget

How to Build a Business Case

Building a business case for a records management initiative begins with providing the background of the challenge being addressed. Start by identifying and listing the challenges the company faces. Are there difficulties managing large volumes of data already stored in electronic systems? Is dealing with outdated or obsolete software or hardware creating a problem? Has managing e-mail become overwhelming?

Next, include a description of the scope of the records management initiative, along with details of the future state to be achieved at the end of the initiative. It is imperative to demonstrate solid reasoning for performing the initiative by describing the risks associated with not doing it. For example, a company could incur millions in additional costs from poorly managing electronically stored information, not following its own retention policy or being unable to produce proper documents at a critical time. But remember—it is equally important to describe any risks associated with doing the initiative.

Finally, the business case will need to establish an estimated plan and timeline, and then provide an estimated budget to carry out the initiative.

The following five steps offer detailed suggestions for creating a business case for records management.

Step 1:  Assemble a Cross-disciplinary Team
A cross-disciplinary team will aid in collecting the information needed to create a business case for investing in records management. First, establish a structure and the associated roles for a cross-disciplinary team, defining responsibilities for each team member. Determine from which areas team members should come, e.g., legal, IT, records management, business areas (such as purchasing, human resources, accounting, engineering and manufacturing) and audit. Select business areas in which records and information pose the greatest risk and impact to the business.

Document the roles, responsibilities, communication plan and meeting architecture, and share them with each team member. Provide individuals with an understanding of their purpose on the team. Address such questions as: How will team members interact? How often will they meet? What is the expected level of involvement for each team member? Gain support from senior executives for the proposed cross-functional team. Senior-level support is essential to securing the individuals who will act as team members—and who are necessary to sustain the initiative within the organization.

Identify who should fill the defined roles as representatives for each area. Seek out people who are well connected in their area. They should be at a level that provides them with access to both the user community and executives within their designated areas. And they should have the knowledge to identify risks and the motivation to make things happen.

Step 2:  Identify Records Management Risks
Identifying, understanding and prioritizing the risks a company faces are important steps in building a convincing business case for the program. Here are some leading practices:

  • Hold working group sessions to identify risks associated with records and the management of records.
  • Review business processes, identifying where records are input and output within the process.
  • Examine where records enter into the process, are accessed during the process and are generated by the process.
  • Consider how records are created, stored, used, maintained, distributed, accessed, preserved and disposed of.

Next, determine if there are any issues or risks associated with any aspect of the process or records life cycle. Are any records likely to be required during a litigation discovery event or a regulatory investigation? Find out if records pose any operational risk during any part of their life cycle. Operational risks may include mishandling, inappropriate access, accessing the incorrect version and inappropriate retention duration. Hold working sessions within the cross-disciplinary team and also within high-risk business areas.

Step 3:  Quantify and Prioritize Records Management Risks
While risks are being identified, it is important to capture the impact (or consequence) and probability (or likelihood) of a risk.

The impact of the risk, should it occur, should be quantified based on a numerical scale (1 = low, 2 = moderate, 3 = high, 4 = significant). The numerical impact scale should contain definitions for each level that clearly articulate the criteria for a specific number. Include a monetary amount that might result from a loss and a description of what the loss would entail. For example, “significant” could mean irreversible issues that may lead to costly mitigation or brand risk.

The probability of a risk occurring should also be quantified numerically, based on the likelihood of occurrence (1 = rare, 2 = unlikely, 3 = possible, 4 = likely, 5 = certain). Document risks along with a description containing “if… then” statements that describe the risk, along with the numerical impact and probability associated with each risk. Prioritize risks based on a ranking associated with the quantified probability and the impact of the event occurring.1

Step 4:  Use Case Studies to Show Consequences and Gain Support
A natural reaction to records management programs is to raise the question:  Why are we focusing resources on an administrative task? Organizational change management practices show that using specific examples to convey the importance of a program helps gain awareness about why a specific initiative is important and the roles individuals play in making it happen.

Cross-disciplinary team members should collect examples of the impact of poor records management practices from within their own business areas. The team should review the collected examples and select the most relevant and distressing stories to share across the organization. This is an effective way to demonstrate the real-life consequences of improper records management.

For example, the tax department may have examples of expenses that had to be reversed because required documentation could not be found during a tax audit. Legal departments may have examples demonstrating the significantly high cost of searching for and producing information from terabytes or even petabytes of electronically stored information in response to a litigation discovery request. Purchasing departments may have examples of multiple purchase orders for a single vendor that were not properly filed, thus causing the company to miss volume discounts. Collectively, these examples could cost a company millions in losses. Remember, individuals react more favorably to stories that resonate with them and are relevant to the work they perform.

Step 5:  Propose a Plan and Estimate a Budget
After completing the previous steps, develop a high-level plan focused on addressing records management challenges. Describe the intended scope of the initiative. Identify milestone activities, prioritize them into a logical sequence and create tentative timelines based on perceived durations. Determine the resource requirements to perform the initiative. These resources should include internal team members, external team members (vendors or consultants), process enhancements and technology requirements. Examine the plan with the cross-disciplinary team and then with executive leadership. It is important to gain support by socializing the plan prior to publishing it in a business case.

Create a budget to correspond with the milestone activities of the plan. This is required to gain approval for a business case. Developing a budget estimation can include:

  • Estimating resource requirements
  • Determining if outside consultants will be needed
  • Determining what technology may be required
  • Determining if any other records management vendors may be needed (e.g., offsite storage vendors, imaging vendors)

Work with consultants and vendors to secure realistic budgetary estimates. Finally, vet the proposed budget with executives to gain their support by socializing the numbers prior to publishing the business case.


Cost reduction continues to be top priority for most business executives in today’s turbulent environment. As many organizations look to drive costs out of the enterprise, expanding how and where records management is applied is being recognized as an enabler for reducing storage costs and improving the efficiency of routine operations. Realizing efficiencies by increasing an organization’s records management capabilities will require the investment of valuable resources, including people, time and money. Acquiring commitment to expend resources on records management will involve gaining the attention and support of executives with the authority to grant approval and provide access to the necessary assets. Creating a thoughtful and socialized business case lays the foundation for communicating the need, generating awareness of the benefits and providing executive leadership with an estimated return on investment required to gain their approval for the consumption of the scarce resources that will be utilized to improve the organization’s records management program.

Author’s Note

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.


1 Pritchard, C. L..; Risk Management Concepts and Guidance, ESI International, USA, 1997

Cheryl Strait
is a principal at Ernst & Young, where she provides strategic records management services to companies in all industries. She focuses her practice on helping organizations address and mitigate regulatory, legal and compliance risks through the development and use of a strong records management program. Strait has more than 20 years’ experience in utilizing and delivering services focused on facilitating and reengineering processes; identifying, designing, implementing and deploying technology solutions; applying program management methodologies; and implementing global records management programs.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.