Recap and IM Action Plan

  1. There is no one-size-fits-all approach to strategic IM management. Each organization must balance risks with business need to determine the most appropriate approach.

  2. Banning IM may not be right for all organizations. A ban may lead to rogue use, employee outcry, or client complaints.

  3. Standardization reduces risks, but limits communication to internal chat.

  4. If you opt for flexibility, be sure to select a gateway/IM management technology product that enables you to control risks and manage use within policy and regulatory guidelines.

  5. Weigh both sides of the productivity issue before banning IM outright.

  6. Don’t assume every employee needs or is entitled to IM access.

Chapter 4: Establishing an E-Risk Management, Compliance, and Litigation Response Team


IM Rule # 14: Don’t allow IT (or legal, records management, or human resources) to dictate your instant messaging management solution. Work as a team.

If you’re following the action steps outlined in this book, you have determined the extent of your employees’ current IM use and have decided how to manage all that IM activity moving forward.

Now it’s time to start focusing on the development of your strategic IM management program.

Step one is the formation of an e-risk management, compliance, and litigation response team to oversee the development and implementation of your IM rules, policies, practices, and training programs—and to responsively handle discovery requests in the event of a lawsuit.

The makeup of your team will depend on the size of your organization, the scope of your IM exposures, and your willingness to commit financial and human resources to the development of an IM risk management and litigation response strategy.

A note of caution: Assigning the technology department sole responsibility for developing and implementing your strategic IM program could potentially expose you to legal problems. Retention and deletion policies in particular should be driven by the law, not technology. Obviously, your legal counsel should also dictate the actions your organization takes when it receives word of a lawsuit, investigation, or pending claim. [1]

For most organizations, the IM risk management team will be made up of some or all of the following professionals: [2]

  1. Senior Executive. Increase the likelihood of success by appointing a senior executive to oversee your IM risk management team. The involvement of a top executive will signal to staff that your organization is fully committed to strategic IM risk management. With the right champion leading the charge, your IM risk management team should have no trouble receiving necessary funding from decision makers or compliance from employees.

  2. Legal Counsel and Compliance Officer. Legal and regulatory compliance is integral to IM risk management. Have your legal counsel review organizational risks, rules, regulations, and responsibilities. Your lawyer and compliance officer should work together to ensure that all relevant federal and state laws and government and industry regulations are addressed. If you operate facilities overseas, be sure that the IM-related laws and regulations of each country are addressed in written policies, just as country-specific e-mail-related laws and regulations are covered.

    Your lawyer and compliance officer should also oversee development and implementation of the organization’s IM retention, deletion, and archiving strategies to ensure business records are properly saved and stored and insignificant messages deleted.

    In addition, assign your legal compliance team the task of supervising litigation response. Among other things, litigation response involves the immediate cessation of automatic IM and e-mail deletion policies—as soon as you suspect litigation is pending or a claim has been filed.

  3. Records Manager. Some organizations employ a records manager to ensure that IM, e-mail, and paper business records are properly retained and effectively archived. Your records manager should work closely with your lawyer and compliance officer to ensure that the organization’s retention and deletion schedule is followed, and that archived messages can be produced easily and quickly.

    In addition, the records manager should coordinate with IT on the purchase of software to automate the saving and storing of IM business records.

  4. Human Resources Manager. Involve your human resources manager in internal survey development and implementation, policy writing, employee education, and enforcement and discipline.

  5. Chief Information Officer. Your CIO can help bridge the gap between people problems and technology solutions. IT professionals can play an important role in identifying IM risks and recommending the most effective technologies, including retention and archiving tools, to help manage those risks.

  6. Training Professional. IM rules, policies, and procedures are only as good as your employees’ willingness to adhere to them. Spend at least as much time communicating your IM policies as you do developing them. Don’t rely on employees to train themselves. Support initial policy training with continuing education tools and programs designed to keep employees’ IM—and all other electronic communications—clean, clear, and compliant.

[1] Nancy Flynn and Randolph Kahn, Esq., E-Mail Rules, New York, AMACOM, 2003.

[2] Ibid. See also Nancy Flynn, The ePolicy Handbook, New York, AMACOM, 2001.