Organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance, and monitor strategic initiatives. This critical information resides in the organization's business records, according to ARMA International, a not-for-profit professional association and the authority on managing records and information governance.
As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activity of that organization. This information facilitates operations, budgeting and planning, and documents compliance.
"Compliance measurement is a critical component we find missing from many records and information management programs," Mark Lagodinski, a certified records manager in Ernst & Young's Strategic Records Management Practice, said. "Without periodic measurement (audit) a company has no mechanism to assess the organization's level of records management compliance. Records management, like any compliance function, should have defined controls, effectiveness criteria, and test plans developed for each provision of the RIM policy."
Increasingly, organizations must defend their recordkeeping practices to regulatory and other oversight organizations and respond to discovery demands. Numerous court rulings have established a legal demand that records be kept in accordance with legal requirements, that the records be accurate, and that organizations be accountable for ensuring their records and information are properly kept. The risks are significant for those organizations with too much, too little, or incomplete information within their recordkeeping systems.
Excessive discovery costs for records that should have been disposed of, regulatory sanctions against organizations that cannot produce required documentation, or poor business decisions based on incorrect or incomplete information are all risks that can be managed by effective information governance processes.
Ensuring Quality Information Governance Processes
Like any critical business process, information governance processes should be defined, endorsed by executive management, communicated throughout the organization, and assessed regularly. The Generally Accepted Recordkeeping Principles® (GARP®) and its complementary Information Governance Maturity Model (Maturity Model) are broadly applicable frameworks that organizations of any size and in any industry sector can use to establish and monitor an effective information governance program.
Generally Accepted Recordkeeping Principles® (GARP®)
Complying with GARP® principles assures the organization that its:
- Information will be protected against loss. Its critical records will be backed up, protected, and easily accessible, allowing it to continue business in the event of a disaster.
- Information will be available when needed. The organization will have systems and processes in place that will enable it to locate, retrieve, and disseminate information to the right people at the right time so it can be used for decision making, transacting business, and responding to litigation.
- Information will be retained as required and disposed of when no longer required. The organization will have a records retention schedule that will ensure that information is being retained to meet its operational, legal, regulatory, and historical requirements and that it is disposed of in the normal course of business when its required retention has been met.
- External investigation and litigation obligations can be met easily. Processes will be in place that ensure that all information that is relevant to litigation or regulatory investigation can be located, placed on legal hold to ensure its availability and integrity, and produced when needed.
Organizations should view GARP® as a map for a road that is safely winding through an operational and legal minefield that has always existed but has recently become even more treacherous. An organization with an information governance program that doesn't adhere to the GARP® principles is teetering on the edge of the minefield. As it becomes more compliant, it will move away from that edge toward safety. Organizations progressing in that direction will find a lot of value in just taking that first step.
The GARP® principles were created with the assistance of renowned records and information management (RIM), legal, and IT professionals, who reviewed and distilled global best practice resources, including the international records management standard (ISO 15489-1 Information and Documentation — Records Management), American National Standards, and court case law. The principles were vetted through a public call for comment process involving the professional RIM community.
The eight GARP® principles are:
- Principle of Accountability — An organization shall assign a senior executive who will oversee a recordkeeping program and delegate responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure auditability.
- Principle of Transparency — The processes and activities of an organization's recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.
- Principle of Integrity — A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
- Principle of Protection — A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
- Principle of Compliance — The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization's policies.
- Principle of Availability — An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
- Principle of Retention — An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
- Principle of Disposition — An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies.
Additional context for each of the GARP® principles is available at www.arma.org/garp.
About ARMA International
ARMA International is a not-for-profit professional association and the authority on managing records and information. Formed in 1955, ARMA International is the oldest and largest association for the records and information management profession with a current international membership of nearly 10,000. It provides education, publications, and information on the efficient maintenance, retrieval, and preservation of vital information created in public and private organizations in all sectors of the economy.