Principles of information governance (IG) are evolving and expanding. Successful IG programs are characterized by ten key principles, which are the basis for best practices and should be designed into the IG approach: executive sponsorship, information classification, integrity, security, accessibility, control, monitoring, auditing, policy development, and continuous improvement.
According to Debra Logan at Gartner Group, none of the proffered definitions of IG includes “any notion of coercion, but rather ties governance to accountability [emphasis added] that is designed to encourage the right behavior…. The word that matters most is accountability.” The root of many problems with managing information is the “fact that there is no accountability for information as such.”[3]
Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records is the fundamental step needed to reduce the organization's risk and cost structure for managing those records. It is then essential that IG efforts are supported by IT. The auditing, testing, maintenance, and improvement of IG are enhanced by using electronic records management (ERM) software along with complementary technology sets, such as workflow and business process management suite (BPMS) software and digital signatures.
Contributed by Charmaine Brooks, CRM
A major part of an IG program is managing formal business records. Although they account for only about 7 to 9 percent of the total information that an organization holds, they are the most critically important subset to manage, as there are serious compliance and legal ramifications for not doing so.
Accountability is a key aspect of IG.
Records and recordkeeping are inextricably linked with any organized business activity. Through the information that an organization uses and records, creates, or receives in the normal course of business, it knows what has been done and by whom. This allows the organization to effectively demonstrate compliance with applicable standards, laws, and regulations as well as plan what it will do in the future to meet its mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records management (RM) programs.
In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles® (known as The Principles, or sometimes the GAR Principles) to foster awareness of good recordkeeping practices.[4] These principles and their associated metrics provide an IG framework that can support continuous improvement.
The eight Generally Accepted Recordkeeping Principles are accountability, transparency, integrity, protection, compliance, availability, retention, and disposition. Together they provide an IG framework that can support continuous improvement.
Table 3.1 Generally Accepted Recordkeeping Principles Maturity Model

| Level | Name | Characteristics |
|---|---|---|
| 1 | Substandard | An environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner. |
| 2 | In Development | An environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program. |
| 3 | Essential | An environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping. |
| 4 | Proactive | An environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations. |
| 5 | Transformational | An environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine. |

Source: Used with permission from ARMA.
The Principles apply to organizations of all sizes, in all types of industries, in both the private and public sectors, and can be used to establish consistent practices across business units. The Principles underpin an IG maturity model that is used as a preliminary evaluation of recordkeeping programs and practices.
Interest in and the application of The Principles for assessing an organization's recordkeeping practices have steadily increased since their establishment in 2009. The Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization's goals and business objectives.
As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical of five levels of recordkeeping capability, ranging from 1 (substandard) to 5 (transformational). The levels are both descriptive and color coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization's recordkeeping capabilities and can be cross-referenced to its policies and procedures. While it is not unusual for an organization to be at different levels of maturity across the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization's tolerance for risk and an analysis of the costs and benefits of moving up each level.
The maturity levels define the characteristics of evolving and maturing RM programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (a roadmap), outline the tasks required to address RM practices systematically and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good RM practice. The Principles assessment can also be a powerful communication tool to promote cross-functional dialogue and collaboration among business units and staff.
The Generally Accepted Recordkeeping Principles maturity model measures recordkeeping maturity in five levels.
The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient authority to operate the RM program effectively. The primary role of the senior executive is to develop and implement RM policies, procedures, and guidance and to provide advice on all recordkeeping issues. The direct responsibility for managing or operating facilities or services may be delegated.
The senior executive must possess an understanding of the business and legislative environment within which the organization operates, business functions and activities, and the required relationships with key external stakeholders to understand how RM contributes to achieving the corporate mission, aims, and objectives.
It is important for top-level executives to take ownership of the RM issues of the organization and to identify corrective actions required for mitigation or ensure resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good RM to staff and management.
The regulatory and legal framework for RM must be clearly identified and understood. The senior executive must have a sound knowledge of the organization's information and technological architecture and actively participate in strategic decisions for IT systems acquisition and implementation.
The senior executive is responsible for ensuring that the processes, procedures, governance structures, and related documentation are developed. The policies should identify the roles and responsibilities at all levels of the organization.
An audit process must be developed to cover all aspects of RM within the organization, including substantiating that sufficient levels of accountability have been assigned and accountability deficiencies are identified and remedied. Audit processes should include compliance with the organization policies and procedures for all records, regardless of format or media. Accountability audit requirements for electronic records include employing appropriate technology to audit the information architecture and systems. Accountability structures must be updated and maintained as changes occur in the technology infrastructure.
The audit process must reinforce compliance and hold individuals accountable. The results should be constructive and encourage continuous improvement, not serve as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance and have the capacity to support sustainability.
An audit process must be developed to cover all aspects of RM in the organization.
Policies are broad guidelines for the operation of the organization and provide a basic guide to action that prescribes the boundaries within which business activities are to take place. They state the course of action to be followed by the organization, business unit, department, and employees.
Transparency of recordkeeping practices includes documenting processes and promoting an understanding of the roles and responsibilities of all stakeholders. To be effective, policies must be formalized and integrated into business processes. Business rules and recordkeeping requirements need to be communicated and implemented at all levels of the organization.
Senior management must recognize that transparency is fundamental to IG and compliance. Documentation must be consistent, current, and complete. A review and approval process must be established to ensure that the introduction of new programs or changes can be implemented and integrated into business processes.
Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for RM. Recordkeeping systems and business processes must be designed and developed to clearly define the records lifecycle.
In addition to policies and procedures, guidelines and operational instructions, diagrams and flowcharts, system documentation, and user manuals must include clear guidance on how records are to be created, retained, stored, and dispositioned. The documentation must be readily available and incorporated in communications and training provided to staff.
Record-generating systems and repositories must be assessed to determine their recordkeeping capabilities. A formalized process must be in place for acquiring or developing new systems, including requirements for capturing the metadata required for lifecycle management of the records held in them. In addition, each record must contain all the necessary elements of an official record, including structure, content, and context. A record's integrity, reliability, and trustworthiness are confirmed by ensuring that it was created by a competent authority according to established processes.
Maintaining the integrity of records means that they are complete and protected from being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the records, to verify they are genuine and not corrupted or altered. In order to trust that a record is authentic, organizations must ensure that recordkeeping systems that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has value.
Organizations must protect records against loss, tampering, and corruption, including loss caused by technological change or the failure of digital storage media, and must protect physical records against damage or deterioration.
This principle applies equally to physical and electronic records, each of which has unique requirements and challenges.
Access and security controls need to be established, implemented, monitored, and reviewed to ensure business continuity and minimize business risk. Restrictions on access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.
Long-term digital preservation (LTDP) is a series of managed activities required to ensure continued access to digital materials for as long as necessary. Electronic records requiring long-term retention may need conversion to a medium and format suitable for ensuring long-term access and readability.
RM programs must include the development of, and training on, their fundamental components, including compliance monitoring to ensure the sustainability of the program.
Monitoring for compliance involves reviewing and inspecting the various facets of records management: ensuring that records are being properly created and captured; checking the implementation of user permissions and security procedures; sampling workflow processes to ensure adherence to policies and procedures; ensuring that records are retained, and disposed of only following disposal authorization; and reviewing the documentation of records destroyed or transferred to determine whether the destruction or transfer was authorized in accordance with disposal instructions.
Compliance monitoring can be carried out by internal audit, an external organization, or the RM function, and must be done on a regular basis.
Organizations should evaluate how effectively and efficiently records and information are stored and retrieved using present equipment, networks, and software. The evaluation should identify current and future requirements and recommend new systems as appropriate. Certain factors should be considered before upgrading or implementing new systems. These factors are practicality, cost, and effectiveness of new configurations.
A major challenge for organizations is ensuring timely and reliable access to and use of information and that records are accessible and usable for the entire length of the retention period. Rapid changes and enhancements to both hardware and software compound this challenge.
Retention is the function of preserving and maintaining records for continuing use. The retention schedule identifies the actions needed to fulfill the requirements for the retention and disposal of records and provides the authority for employees and systems to retain, destroy, or transfer records. The records retention schedule documents the record-keeping requirements and procedures, identifying how records are to be organized and maintained, what needs to happen to records and when, who is responsible for doing what, and whom to contact with questions or guidance.
Organizations must identify the scope of their recordkeeping requirements for documenting business activities based on regulated activities and jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which the company does business. Other considerations for determining retention requirements include operational, legal, fiscal, and historical ones.
Records appraisal is the process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This appraisal process may be accomplished as a part of the process of developing the records retention schedules as well as conducting a regular review to ensure that citations and requirements are current.
The records retention period is the length of time that records should be retained and the actions taken for them to be destroyed or preserved. The retention periods for different records should be based on legislative or regulatory requirements as well as on administrative and operational requirements.
It is important to document the legal research conducted and used to determine whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been conducted in good faith to comply with all applicable requirements.
Disposition is the last stage in the life cycle of records. When the retention requirements have been met and the records no longer serve a useful business purpose, records may be destroyed. Records requiring long-term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process. Additional methods, including migration or conversion, are often required to preserve electronic records.
Records must be destroyed in a controlled and secure manner and in accordance with authorized disposal instructions. The destruction of records must be clearly documented to provide evidence of destruction according to an agreed-on program.
Destruction of records must be undertaken by methods appropriate to the confidentiality of the records and in accordance with disposal instructions in the records retention schedule. An audit trail documenting the destruction of records should be maintained, and certificates of destruction should be obtained for destruction undertaken by third parties. In the event disposal schedules are not in place, written authorization should be obtained prior to destruction. Procedures should specify who must supervise the destruction of records. Approved methods of destruction must be specified for each media type to ensure that information cannot be reconstructed.
Disposition is not synonymous with destruction, although destruction may be one disposal option.
Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposition. This includes the destruction of confidential microfilm, microfiche, computer cassettes, and computer tapes as well as paper.
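The integrity and disposition requirements above (records protected from unauthorized alteration, destruction only under authorized disposal instructions, and an audit trail of every destruction) can be enforced mechanically in a recordkeeping system. The following Python is an added illustration, not part of this chapter or of ARMA's Principles: each capture and destruction event is appended to a register whose entries are chained with a keyed hash, so an edited record or a back-dated destruction entry is detected on verification. The record identifiers, series references, actor names, and the register key are constructed for the example, and the HMAC stands in for the digital-signature tooling the chapter mentions.

```python
import dataclasses
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first register entry


@dataclasses.dataclass(frozen=True)
class Event:
    seq: int
    action: str          # "capture" or "destroy"
    record_id: str
    content_sha256: str  # digest of the record content at capture or at destruction
    authority: str       # retention-schedule series or written authorization reference
    actor: str
    prev_hash: str       # entry_hash of the preceding event, GENESIS for the first
    entry_hash: str      # HMAC-SHA256 over every field above


class RecordRegister:
    """Append-only register of capture and disposition events, chained with a keyed hash.

    The HMAC key is an assumption standing in for a signing key: whoever holds it can
    reseal entries, so it belongs with the records function, not with the business
    systems that write records.
    """

    def __init__(self, register_key):
        self._key = register_key
        self.events = []        # list of Event, in sequence order
        self._repository = {}   # record_id -> bytes; stand-in for the record store

    def _seal(self, fields):
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def _append(self, action, record_id, content_sha256, authority, actor):
        prev_hash = self.events[-1].entry_hash if self.events else GENESIS
        fields = dict(seq=len(self.events), action=action, record_id=record_id,
                      content_sha256=content_sha256, authority=authority,
                      actor=actor, prev_hash=prev_hash)
        event = Event(**fields, entry_hash=self._seal(fields))
        self.events.append(event)
        return event

    def capture(self, record_id, content, authority, actor):
        if record_id in self._repository:
            raise ValueError(f"{record_id} already captured")
        self._repository[record_id] = content
        return self._append("capture", record_id, hashlib.sha256(content).hexdigest(),
                            authority, actor)

    def content_is_authentic(self, record_id):
        """True if the stored content still matches the digest recorded at capture."""
        captured = next(e for e in self.events
                        if e.action == "capture" and e.record_id == record_id)
        current = self._repository.get(record_id)
        if current is None:
            return False
        return hmac.compare_digest(hashlib.sha256(current).hexdigest(),
                                   captured.content_sha256)

    def destroy(self, record_id, authority, actor):
        """Refuse destruction without a disposal instruction or written authorization."""
        if not authority:
            raise PermissionError("destruction requires a disposal instruction or written authorization")
        if record_id not in self._repository:
            raise KeyError(f"{record_id} is not held")
        digest = hashlib.sha256(self._repository.pop(record_id)).hexdigest()
        return self._append("destroy", record_id, digest, authority, actor)

    def verify_chain(self):
        """Return (True, None) if every entry is sealed and linked, else (False, first bad seq)."""
        prev_hash = GENESIS
        for expected_seq, event in enumerate(self.events):
            fields = dataclasses.asdict(event)
            entry_hash = fields.pop("entry_hash")
            if (event.seq != expected_seq or event.prev_hash != prev_hash
                    or not hmac.compare_digest(self._seal(fields), entry_hash)):
                return False, event.seq
            prev_hash = entry_hash
        return True, None


def demo():
    """Constructed scenario: two captures, one authorized destruction, then two tampering attempts."""
    reg = RecordRegister(b"demo-register-key")  # assumption: key provisioned out of band
    reg.capture("INV-0001", b"invoice 0001 body", "Series FIN-07, 7 years", "records.officer")
    reg.capture("INV-0002", b"invoice 0002 body", "Series FIN-07, 7 years", "records.officer")
    results = {"authentic_before": reg.content_is_authentic("INV-0001")}
    reg._repository["INV-0001"] = b"invoice 0001 body, edited"  # silent alteration in the store
    results["authentic_after_edit"] = reg.content_is_authentic("INV-0001")
    try:
        reg.destroy("INV-0002", authority="", actor="records.officer")
        results["unauthorized_destroy_refused"] = False
    except PermissionError:
        results["unauthorized_destroy_refused"] = True
    reg.destroy("INV-0002", "Disposal authorization DA-2030-11", "records.officer")
    results["chain_ok"] = reg.verify_chain()
    # Rewriting the destruction entry's authority after the fact breaks the seal on entry 2
    reg.events[2] = dataclasses.replace(reg.events[2], authority="Series FIN-07, 7 years")
    results["chain_after_tamper"] = reg.verify_chain()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The register records the digest of the content at destruction as well as at capture, so a certificate of destruction can be reconciled against exactly what was held; and because every entry carries the previous entry's seal, deleting or reordering a destruction entry is caught just as an edited one is.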
Methods of Disposition
The Generally Accepted Recordkeeping Principles® maturity model can be leveraged to develop a current state assessment of an organization's recordkeeping practices and resources, identify gaps and assess risks, and develop priorities for desired improvements.
The Principles were developed by ARMA International to identify the characteristics of an effective recordkeeping program. Each of the eight principles identifies issues and practices that, when evaluated against the unique needs and circumstances of an organization, can be applied to improve a recordkeeping program so that it meets its recordkeeping requirements. The Principles identify requirements and can be used to guide incremental improvement in creation, organization, security, maintenance, and other activities over a period of one to five years. Fundamentally, RM and information governance are business disciplines that must be tightly integrated with operational policies, procedures, and infrastructure.
The Principles can be mapped to the four improvement areas in Table 3.2.
As an accepted industry guidance maturity model, the Principles provide a convenient and complete framework for assessing the current state of an organization's recordkeeping and developing a roadmap of the improvements that will bring the organization into compliance. An assessment of current RM practices, procedures, and capabilities, together with current and future state practices, provides two ways of looking at the future requirements of a complete RM program (see Table 3.3).
When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups and at different levels of the organization. The committee must be driven by an executive sponsor and include active members from key business units as well as other departments, including IT, finance, risk, compliance, RM, and legal. Then corporate training/education and communications must be involved to keep employees trained and current on IG policies. This function may be performed by an outside consulting firm if there is no corporate education staff.
Knowledge workers who work with records and sensitive information in any capacity best understand the nature and value of the records they work with as they perform their day-to-day functions. IG policies must be developed and communicated clearly and consistently. Policies are worthless if people do not know or understand them or how to comply with them. And training is a crucial element that will be examined in any compliance hearing or litigation that may arise. “Did senior management not only create the policies but provide adequate training on them on a consistent basis?” This will be a key question raised. So a training plan is a necessary piece of IG, and education should be heavily emphasized.[6]
The need for IG is increasing due to increased and tightened regulations, increased litigation, and the increased incidence of theft and misuse of internal documents and records. Organizations that do not have active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft. If review boards include a broad section of critical players on the IG committee and leverage executive sponsorship, they will better prepare the organization for legal and regulatory rigors.
When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups.
Knowledge workers who work with records in any capacity best understand the nature and value of the records they work with.
CHAPTER SUMMARY: KEY POINTS
1. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper, August 2010, www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar.pdf
3. Debra Logan, “What Is Information Governance? And Why Is It So Hard?” January 11, 2010, http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/.
4. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 14, 2013).
5. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles (accessed November 14, 2013).
6. “Governance Overview (SharePoint Server 2010),” http://technet.microsoft.com/en-us/library/cc263356.aspx (accessed April 19, 2011).
* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.