How to Build a RIM Playbook Part 7 - Reviewing and Finalizing the Plays

In the previous installment of this series, we talked about how to draft the plays. The next step is to review the plays for accuracy and completeness. All the way back in Part 1, I noted that the playbook needs input from more than just the person or team building it. Information management is a team sport, and some plays will be performed or reviewed by other teams such as IT, legal, privacy, risk management, etc. 

While we want to review each play in detail, the two most important parts to review for most plays are the RACI / roles and responsibilities, and the resources. This is because many plays will include participants who are not part of the core RIM team and/or require activities the RIM team is not as familiar with. 

Roles and responsibilities

In practice, during the drafting process you'd identify the draft roles and responsibilities and then have the individuals or teams in those roles review the contents of "their" play(s). Recall that RACI stands for: 

• Responsible - the role that actually does the work of executing the play. 
• Accountable - the role that ensures that the play is executed.
• Consult - the role(s) that are impacted by the play or contribute to it in some way. 
• Inform - the role(s) that are not directly impacted, but need to be apprised of the execution of the play. 

In the previous article, we used the "Send Boxes to Offsite Storage" play as an example. The RACI for that play looks like this: 

• Responsible - Records analyst
• Accountable - Records manager
• Consult - Offsite storage vendor
• Inform - Records owner

But let's say that in your organization, you use records coordinators, and you expect them to have a bigger role in that process. You'd probably want something more like this: 

• Responsible - Records analyst
• Accountable - Records manager
• Consult - Records coordinators, offsite storage vendor
• Inform - Records owner -or- perhaps nobody. If the records coordinators are already involved in the process, that might be sufficient. 

Any play that involves roles outside the RIM team, such as IT, should be reviewed by those outside roles to make sure that the play is accurate and to identify any references and resources they use. It's important to confirm with them that they recognize their role in the play including timelines, outcomes, and deliverables. They should also confirm whether they are in fact the right role for a particular responsibility - after all, IT isn't "IT", it's enterprise architecture, and software developers, and help desk, and network engineers, etc. 

References and resources

References and resources include any documentation used to execute a play. We discussed these in detail in Part 3. As a reminder, these include: 

• Existing procedures
• Flowcharts and process maps
• Checklists and guidelines
• Troubleshooting guides
• Templates
• "Cheat sheets"
• Quick start guides
• Training materials
• Lists of frequently asked questions
• Job descriptions
• Reports
• Scorecards and dashboards 

This seems like a lot, and for a traditional SOP manual it would be. But we're linking to these, not including them in their entirety. I'd rather err on the side of including resources to make it as absolutely simple as possible for whomever is executing the play. 

In the example play above, the process flowchart, inventory sheet templates, policy, etc. are probably developed and owned by the records team, so they already have all of the resources listed for the play. But as we discussed in Part 4, there may plays where the documentation is significantly out of date or missing. During the review process, you'd want to determine that, as well as whether any informal documentation exists, or what other references and resources are being used to actually execute the plays. Again, having coordinators can really be helpful here. 

It's important to include references owned by other teams where applicable. For example, a play to monitor broker/dealer communications for a financial services company will likely refer to risk management/compliance policies and guidance. A play for handling a separated employee's information will probably need to include references from HR as well as IT. 

We'll talk about timelines and scheduling in a later post, but it's absolutely critical to communicate to those reviewing the plays the importance of being thorough. The review process doesn't work if it doesn't get done, or if it's along the lines of a 2-minute review and a "Yeah, that looks good" response. 

At the end of this step you should have your final list of finalized plays, either built using your tool of choice or ready to build or load into it. 

Next up: Part 8 - building the (optional) introduction and appendices. 

I teach a workshop on how to build playbooks. The next public course is scheduled for December 3 and 10, 2024. You can find more details about the course and approach at https://athroconsulting.com/?page_id=981. 

I also build RIM and IG playbooks for organizations - drop me a note at jesse.wilkins@athroconsulting.com and let's talk about what that could look like.