CHAPTER 3

Information Governance Principles*

Principles of information governance (IG) are evolving and expanding. Successful IG programs are characterized by ten key principles, which are the basis for best practices and should be designed into the IG approach. They include:

  1. Executive sponsorship. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.
  2. Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. Policies for the use of email, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes letting employees know what the consequences of violating IG policies are, as well as its value.
  3. Information integrity. This area considers the consistency of methods used to create, retain, preserve, distribute, and track information. Good IG practice includes data governance techniques and technologies to ensure quality data. Information integrity means there is the assurance that information is accurate, correct, and authentic. IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies and to assure information integrity.1
  4. Information organization and classification. This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long the information (e.g. e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived. Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information, and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying documents. Metadata associated with documents and records must be standardized and kept up-to-date. Good IG means good metadata management and utilizing metadata standards that are appropriate to the organization.
  5. Information security. This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders as well as nonmalicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII).
  6. Information accessibility. Accessibility is vital not only in the short term but also over time using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management, identity and access management, and delivering information to a variety of hardware devices.
  7. Information control. Document management and report management software must be deployed to control the access to, creation, updating, and printing of documents and reports. When documents or reports are declared records, they must be assigned to the proper retention and disposition schedule to be retained for as long as the records are needed to comply with legal retention periods and regulatory requirements. Also, information that may be needed or requested in legal proceedings is safeguarded through a legal hold process.
  8. Information governance monitoring and auditing. To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.
  9. Stakeholder consultation. Those who work most closely with information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to in-house counsel or the legal team. Cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information on which to base decisions and closer adherence to regulatory and legal demands.2
  10. Continuous improvement. IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.

Accountability Is Key

According to Debra Logan at Gartner Group, none of the proffered definitions of IG includes “any notion of coercion, but rather ties governance to accountability [emphasis added] that is designed to encourage the right behavior…. The word that matters most is accountability.” The root of many problems with managing information is the “fact that there is no accountability for information as such.”3

Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records is the fundamental step needed to reduce the organization's risk and cost structure for managing these records. It is then essential that IG efforts are supported by IT. The auditing, testing, maintenance, and improvement of IG are enhanced by using electronic records management (ERM) software along with other complementary technology sets, such as workflow and business process management suite (BPMS) software and digital signatures.

Generally Accepted Recordkeeping Principles®

Contributed by Charmaine Brooks, CRM

A major part of an IG program is managing formal business records. Although they account for only about 7 to 9 percent of the total information that an organization holds, they are the most critically important subset to manage, as there are serious compliance and legal ramifications to not doing so.

Accountability is a key aspect of IG.

Records and recordkeeping are inextricably linked with any organized business activity. Through the information that an organization uses and records, creates, or receives in the normal course of business, it knows what has been done and by whom. This allows the organization to effectively demonstrate compliance with applicable standards, laws, and regulations as well as plan what it will do in the future to meet its mission and strategic objectives.

Standards and principles of recordkeeping have been developed by records and information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records management (RM) programs.

The Principles

In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles® (known as The Principles,4 or sometimes the GAR Principles) to foster awareness of good recordkeeping practices. These principles and associated metrics provide an IG framework that can support continuous improvement.

The eight Generally Accepted Recordkeeping Principles are:

  1. Accountability. A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited.
  2. Transparency. The processes and activities of an organization's recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.
  3. Integrity. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
  4. Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
  5. Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization's policies.
  6. Availability. An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
  7. Retention. An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
  8. Disposition. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies.5

The Generally Accepted Recordkeeping Principles consist of eight principles that provide an IG framework that can support continuous improvement.

Table 3.1 Generally Accepted Recordkeeping Principles Levels

Level 1 (Substandard): Characterized by an environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner.
Level 2 (In Development): Characterized by an environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program.
Level 3 (Essential): Characterized by an environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping.
Level 4 (Proactive): Characterized by an environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations.
Level 5 (Transformational): Characterized by an environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine.

Source: Used with permission from ARMA.

The Principles apply to all sizes of organizations, in all types of industries, in both the private and public sectors, and can be used to establish consistent practices across business units. The Principles form an IG maturity model that is used as a preliminary evaluation of recordkeeping programs and practices.

Interest in and the application of The Principles for assessing an organization's recordkeeping practices have steadily increased since their establishment in 2009. The Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization's goals and business objectives.

As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical in five levels of recordkeeping capabilities ranging from 1 (substandard) to 5 (transformational). The levels are both descriptive and color coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization's recordkeeping capabilities and can be cross-referenced to the policies and procedures. While it is not unusual for an organization to be at different levels of maturity in the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization's tolerance for risk and an analysis of the costs and benefits of moving up each level.

The maturity levels define the characteristics of evolving and maturing RM programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (roadmap), outline the tasks required to proactively approach addressing systematic RM practices and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good RM practices. The Principles Assessment can also be a powerful communication tool to promote cross-functional dialogue and collaboration among business units and staff.

The Generally Accepted Recordkeeping Principles maturity model measures recordkeeping maturity in five levels.

Accountability

The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient authority to operate the RM program effectively. The primary role of the senior executive is to develop and implement RM policies, procedures, and guidance and to provide advice on all recordkeeping issues. The direct responsibility for managing or operating facilities or services may be delegated.

The senior executive must possess an understanding of the business and legislative environment within which the organization operates, business functions and activities, and the required relationships with key external stakeholders to understand how RM contributes to achieving the corporate mission, aims, and objectives.

It is important for top-level executives to take ownership of the RM issues of the organization and to identify corrective actions required for mitigation or ensure resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good RM to staff and management.

The regulatory and legal framework for RM must be clearly identified and understood. The senior executive must have a sound knowledge of the organization's information and technological architecture and actively participate in strategic decisions for IT systems acquisition and implementation.

The senior executive is responsible for ensuring that the processes, procedures, governance structures, and related documentation are developed. The policies should identify the roles and responsibilities at all levels of the organization.

An audit process must be developed to cover all aspects of RM within the organization, including substantiating that sufficient levels of accountability have been assigned and accountability deficiencies are identified and remedied. Audit processes should include compliance with the organization policies and procedures for all records, regardless of format or media. Accountability audit requirements for electronic records include employing appropriate technology to audit the information architecture and systems. Accountability structures must be updated and maintained as changes occur in the technology infrastructure.

The audit process must reinforce compliance and hold individuals accountable. The results should be constructive, encourage continuous improvement, but not be used as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance issues and have the capacity to support sustainability.

An audit process must be developed to cover all aspects of RM in the organization.

To be effective, policies must be formalized and integrated into business processes.

Transparency

Policies are broad guidelines for the operation of the organization and provide a basic guide to action that prescribes the boundaries within which business activities are to take place. They state the course of action to be followed by the organization, business unit, department, and employees.

Transparency of recordkeeping practices includes documenting processes and promoting an understanding of the roles and responsibilities of all stakeholders. To be effective, policies must be formalized and integrated into business processes. Business rules and recordkeeping requirements need to be communicated and installed at all levels of the organization.

Senior management must recognize that transparency is fundamental to IG and compliance. Documentation must be consistent, current, and complete. A review and approval process must be established to ensure that the introduction of new programs or changes can be implemented and integrated into business processes.

Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for RM. Recordkeeping systems and business processes must be designed and developed to clearly define the records lifecycle.

In addition to policies and procedures, guidelines and operational instructions, diagrams and flowcharts, system documentation, and user manuals must include clear guidance on how records are to be created, retained, stored, and dispositioned. The documentation must be readily available and incorporated in communications and training provided to staff.

Integrity

Record-generating systems and repositories must be assessed to determine their recordkeeping capabilities. A formalized process must be in place for acquiring or developing new systems, including requirements for capturing the metadata required for lifecycle management of records in the systems. In addition, the record must contain all the necessary elements of an official record, including structure, content, and context. Records integrity, reliability, and trustworthiness are confirmed by ensuring that a record was created by a competent authority according to established processes.

Maintaining the integrity of records means that they are complete and protected from being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the records, to verify they are genuine and not corrupted or altered. In order to trust that a record is authentic, organizations must ensure that recordkeeping systems that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has value.
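Principle 3 above and the Integrity section here both call for audit trails that let an organization show a record has not been altered, tampered with, or deleted. The following is an added illustration, not code from the chapter or from ARMA: it fingerprints each record (content plus canonicalised metadata) and keeps a hash-chained audit trail, so that a change to the record content is detected against the last logged fingerprint and a change to the log itself breaks the chain. The record content, metadata values, record identifier and actor names are all constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


def record_fingerprint(content: bytes, metadata: Dict[str, str]) -> str:
    """Hash the record content together with its metadata in a canonical form,
    so the same record always yields the same fingerprint regardless of key order."""
    meta_bytes = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(meta_bytes + b"\x00" + content).hexdigest()


@dataclass
class AuditEvent:
    seq: int
    record_id: str
    action: str        # e.g. "create", "access", "update", "hold", "destroy"
    actor: str
    fingerprint: str   # fingerprint of the record at the time of the event
    prev_hash: str     # hash of the previous entry; this is what makes the log a chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        payload = "|".join(
            [str(self.seq), self.record_id, self.action, self.actor, self.fingerprint, self.prev_hash]
        )
        return hashlib.sha256(payload.encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64   # prev_hash of the very first entry

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def append(self, record_id: str, action: str, actor: str, fingerprint: str) -> AuditEvent:
        prev = self.events[-1].entry_hash if self.events else self.GENESIS
        event = AuditEvent(len(self.events), record_id, action, actor, fingerprint, prev)
        event.entry_hash = event.compute_hash()
        self.events.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return the sequence number of the first entry whose hash or link is wrong,
        or None if the whole chain is intact."""
        prev = self.GENESIS
        for i, event in enumerate(self.events):
            if event.seq != i or event.prev_hash != prev or event.entry_hash != event.compute_hash():
                return i
            prev = event.entry_hash
        return None

    def last_fingerprint(self, record_id: str) -> Optional[str]:
        for event in reversed(self.events):
            if event.record_id == record_id:
                return event.fingerprint
        return None


def check_record_integrity(trail: AuditTrail, record_id: str,
                           content: bytes, metadata: Dict[str, str]) -> bool:
    """True only if the record as held now matches its last logged fingerprint."""
    expected = trail.last_fingerprint(record_id)
    return expected is not None and expected == record_fingerprint(content, metadata)


def demo():
    """Walk through creation, access, an undetected-by-design content change, and a log edit."""
    trail = AuditTrail()
    content = b"Invoice 1047: total 1,250.00 USD"            # constructed sample record
    meta = {"owner": "finance", "class": "fiscal", "created": "2013-11-14"}  # constructed
    trail.append("REC-1047", "create", "alice", record_fingerprint(content, meta))
    trail.append("REC-1047", "access", "bob", record_fingerprint(content, meta))
    intact_before = check_record_integrity(trail, "REC-1047", content, meta)
    chain_before = trail.verify()                               # None: chain is intact
    # The stored record is changed outside the recordkeeping system: the fingerprint no longer matches.
    altered = content.replace(b"1,250.00", b"1,520.00")
    intact_after = check_record_integrity(trail, "REC-1047", altered, meta)
    # A log entry is edited after the fact: the chain breaks at that entry.
    trail.events[1].actor = "unknown"
    broken_at = trail.verify()
    return intact_before, chain_before, intact_after, broken_at


if __name__ == "__main__":
    print(demo())   # (True, None, False, 1)
```

The chain only proves that the log has not been rewritten since the last verified head; to make that head itself trustworthy in practice, the latest entry hash is periodically written somewhere the log's custodian cannot silently change (a signed statement, a separate system, or a write-once store).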

Protection

Organizations must ensure the protection of records and ensure they are not lost, tampered with, or corrupted. This includes protecting records against technological change, the failure of digital storage media, and physical damage or deterioration.

This principle applies equally to physical and electronic records, each of which has unique requirements and challenges.

Access and security controls need to be established, implemented, monitored, and reviewed to ensure business continuity and minimize business risk. Restrictions on access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.

LTDP is a series of managed activities required to ensure continued access to digital materials for as long as necessary. Electronic records requiring long-term retention may require conversion to a medium and format suitable to ensure long-term access and readability.

Compliance

RM programs include the development and training of the fundamental components, including compliance monitoring to ensure sustainability of the program.

Monitoring for compliance involves reviewing and inspecting the various facets of records management, including:

  • ensuring records are being properly created and captured;
  • implementation of user permissions and security procedures;
  • sampling workflow processes to ensure adherence to policies and procedures;
  • ensuring records are being retained following disposal authorization; and
  • documentation of records destroyed or transferred, to determine whether destruction or transfer was authorized in accordance with disposal instructions.

Compliance monitoring can be carried out by internal audit, an external organization, or the RM function, and must be done on a regular basis.

Availability

Organizations should evaluate how effectively and efficiently records and information are stored and retrieved using present equipment, networks, and software. The evaluation should identify current and future requirements and recommend new systems as appropriate. Certain factors should be considered before upgrading or implementing new systems. These factors are practicality, cost, and effectiveness of new configurations.

A major challenge for organizations is ensuring timely and reliable access to and use of information and that records are accessible and usable for the entire length of the retention period. Rapid changes and enhancements to both hardware and software compound this challenge.

Retention

Retention is the function of preserving and maintaining records for continuing use. The retention schedule identifies the actions needed to fulfill the requirements for the retention and disposal of records and provides the authority for employees and systems to retain, destroy, or transfer records. The records retention schedule documents the recordkeeping requirements and procedures, identifying how records are to be organized and maintained, what needs to happen to records and when, who is responsible for doing what, and whom to contact with questions or guidance.

Organizations must identify the scope of their recordkeeping requirements for documenting business activities based on regulated activities and jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which the company does business. Other considerations for determining retention requirements include operational, legal, fiscal, and historical ones.

Records appraisal is the process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This appraisal process may be accomplished as a part of the process of developing the records retention schedules as well as conducting a regular review to ensure that citations and requirements are current.

The records retention period is the length of time that records should be retained and the actions taken for them to be destroyed or preserved. The retention periods for different records should be based on legislative or regulatory requirements as well as on administrative and operational requirements.

It is important to document the legal research conducted and used to determine whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been conducted in good faith to comply with all applicable requirements.

Disposition

Disposition is the last stage in the life cycle of records. When the retention requirements have been met and the records no longer serve a useful business purpose, records may be destroyed. Records requiring long-term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process. Additional methods, including migration or conversion, are often required to preserve electronic records.

Records must be destroyed in a controlled and secure manner and in accordance with authorized disposal instructions. The destruction of records must be clearly documented to provide evidence of destruction according to an agreed-on program.

Destruction of records must be undertaken by methods appropriate to the confidentiality of the records and in accordance with disposal instructions in the records retention schedule. An audit trail documenting the destruction of records should be maintained, and certificates of destruction should be obtained for destruction undertaken by third parties. In the event disposal schedules are not in place, written authorization should be obtained prior to destruction. Procedures should specify who must supervise the destruction of records. Approved methods of destruction must be specified for each media type to ensure that information cannot be reconstructed.
Disposition is not synonymous with destruction, although destruction may be one disposal option. Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposition. This includes the destruction of confidential microfilm, microfiche, computer cassettes, and computer tapes as well as paper.

Methods of Disposition

  • Discard. The standard destruction method for nonconfidential records. If possible, all records should be shredded prior to recycling. Note that transitory records can also be shredded.
  • Shred. Confidential and sensitive records should be processed under strict security. This may be accomplished internally or by secure on-site shredding by a third-party vendor who provides certificates of secure destruction. The shredded material is then recycled.
  • Archive. This designation is for records requiring long-term or permanent preservation. Records of enduring legal, fiscal, administrative, or historical value are retained.
  • Imaging. Physical records converted to digital images, after which the original paper documents are destroyed.
  • Purge. This special designation is for data, documents, or record sets that need to be purged by removing material based on specified criteria. This often applies to structured records in databases and applications.
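The Retention and Disposition sections describe a retention schedule as the authority that tells employees and systems whether to retain, destroy, or transfer a record, with a legal hold overriding the schedule, written authorization required where no schedule applies, confidential material going to secure shredding rather than ordinary discard, and a documented audit trail (plus a certificate where a third party destroys) for every destruction. The following is an added example, not the chapter's or ARMA's own code, that applies such a schedule to a set of records. The schedule lines, record series, dates, and citations are constructed placeholders, not real legal requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """One line of a records retention schedule (constructed example)."""
    series: str                  # record series the rule governs
    retain_years: Optional[int]  # years after the trigger date; None means permanent
    disposition: str             # method when retention ends: discard, shred, archive, purge
    citation: str                # documented legal/operational basis for the period


@dataclass
class Record:
    record_id: str
    series: str
    trigger_date: date   # event that starts the retention clock (e.g. fiscal year end)
    confidential: bool
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, schedule: Dict[str, RetentionRule], today: date) -> dict:
    """Decide what the schedule authorises for one record on a given date."""
    decision = {"record_id": record.record_id}
    rule = schedule.get(record.series)
    if rule is None:
        # No disposal authority exists: written authorization is needed before any destruction.
        decision.update(action="review", reason="no retention rule for series " + record.series)
        return decision
    decision["citation"] = rule.citation
    if record.legal_hold:
        # A legal hold overrides the schedule until the hold is released.
        decision.update(action="hold", reason="record is subject to legal hold")
        return decision
    if rule.retain_years is None:
        decision.update(action="archive", reason="permanent retention")
        return decision
    eligible_on = add_years(record.trigger_date, rule.retain_years)
    if today < eligible_on:
        decision.update(action="retain", eligible_on=eligible_on.isoformat())
        return decision
    method = rule.disposition
    if method == "discard" and record.confidential:
        # Confidential material is never simply discarded; it goes to secure shredding.
        method = "shred"
    decision.update(action=method, eligible_on=eligible_on.isoformat())
    return decision


def plan_dispositions(records: List[Record], schedule: Dict[str, RetentionRule],
                      today: date) -> Dict[str, dict]:
    return {r.record_id: evaluate(r, schedule, today) for r in records}


def destruction_register(decisions: Dict[str, dict], approver: str, today: date) -> List[dict]:
    """Audit-trail entries for destructive actions only; shredding needs a certificate of destruction."""
    entries = []
    for d in decisions.values():
        if d["action"] in ("discard", "shred", "purge"):
            entries.append({
                "record_id": d["record_id"],
                "method": d["action"],
                "authority": d["citation"],
                "approved_by": approver,
                "date": today.isoformat(),
                "certificate_required": d["action"] == "shred",
            })
    return entries


# Constructed sample schedule and records; the citations are placeholders, not real law.
SCHEDULE = {
    "fiscal": RetentionRule("fiscal", 7, "shred", "PLACEHOLDER tax-record citation"),
    "transitory": RetentionRule("transitory", 1, "discard", "PLACEHOLDER internal policy"),
    "board-minutes": RetentionRule("board-minutes", None, "archive", "PLACEHOLDER corporate bylaws"),
}
RECORDS = [
    Record("R1", "fiscal", date(2005, 12, 31), confidential=True),
    Record("R2", "fiscal", date(2005, 12, 31), confidential=True, legal_hold=True),
    Record("R3", "transitory", date(2013, 1, 15), confidential=False),
    Record("R4", "board-minutes", date(1998, 3, 2), confidential=False),
    Record("R5", "customer-correspondence", date(2009, 6, 1), confidential=True),
    Record("R6", "transitory", date(2012, 1, 15), confidential=True),
]
AS_OF = date(2013, 11, 14)   # assessment date for the sample run

if __name__ == "__main__":
    plan = plan_dispositions(RECORDS, SCHEDULE, AS_OF)
    for rid, d in plan.items():
        print(rid, d["action"], d.get("reason") or d.get("eligible_on", ""))
    for entry in destruction_register(plan, "records-manager", AS_OF):
        print("destroy:", entry)
```

The point of separating `evaluate` from `destruction_register` is that the decision and the evidence of destruction are different artifacts: the first is recomputed from the schedule whenever the assessment date or hold status changes, while the second is appended once per actual destruction and kept for as long as the organization needs to prove due diligence.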

Assessment and Improvement Roadmap

The Generally Accepted Recordkeeping Principles® maturity model can be leveraged to develop a current state assessment of an organization's recordkeeping practices and resources, identify gaps and assess risks, and develop priorities for desired improvements.

The Principles were developed by ARMA International to identify characteristics of an effective recordkeeping program. Each of the eight principles identifies issues and practices that, when evaluated against the unique needs and circumstances of an organization, can be applied to improvements for a recordkeeping program that meets recordkeeping requirements. The Principles identify requirements and can be used to guide incremental improvement in creation, organization, security, maintenance, and other activities over a period of one to five years. Fundamentally, RM and information governance are business disciplines that must be tightly integrated with operational policies, procedures, and infrastructure.

The Principles can be mapped to the four improvement areas in Table 3.2.

As an accepted industry guidance maturity model, the Principles provide a convenient and complete framework for assessing the current state of an organization's recordkeeping and developing a roadmap to identify improvements that will bring the organization into compliance. An assessment/analysis of the current RM practices, procedures, and capabilities, together with current and future state practices, provides two ways of looking at the future requirements of a complete RM program (see Table 3.3).

Table 3.2 Improvement Areas for Generally Accepted Recordkeeping Principles

[Table 3.2 appears as an image in the original and is not reproduced here.]

Who Should Determine IG Policies?

When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups and at different levels of the organization. The committee must be driven by an executive sponsor and include active members from key business units as well as other departments, including IT, finance, risk, compliance, RM, and legal. Then corporate training/education and communications must be involved to keep employees trained and current on IG policies. This function may be performed by an outside consulting firm if there is no corporate education staff.

Knowledge workers who work with records and sensitive information in any capacity best understand the nature and value of the records they work with as they perform their day-to-day functions. IG policies must be developed and communicated clearly and consistently. Policies are worthless if people do not know or understand them or how to comply with them. And training is a crucial element that will be examined in any compliance hearing or litigation that may arise. “Did senior management not only create the policies but provide adequate training on them on a consistent basis?” This will be a key question raised. So a training plan is a necessary piece of IG, and education should be heavily emphasized.6

The need for IG is increasing due to increased and tightened regulations, increased litigation, and the increased incidence of theft and misuse of internal documents and records. Organizations that do not have active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft. If review boards include a broad section of critical players on the IG committee and leverage executive sponsorship, they will better prepare the organization for legal and regulatory rigors.

When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups.

Knowledge workers who work with records in any capacity best understand the nature and value of the records they work with.

Table 3.3 Assessment Report and Road Map.

[Table 3.3 appears as images in the original and is not reproduced here.]

CHAPTER SUMMARY: KEY POINTS

  • Principles of successful IG programs are emerging. They include executive sponsorship, information classification, integrity, security, accessibility, control, monitoring, auditing, policy development, and continuous improvement.
  • Accountability is a key aspect of IG.
  • The Generally Accepted Recordkeeping Principles® (“The Principles”) consist of eight principles that provide an IG framework that can support continuous improvement.
  • An audit process must be developed to cover all aspects of RM in the organization.
  • To be effective, policies must be formalized and integrated into business processes.
  • Disposition is the last stage in the life cycle of records. Disposition is not synonymous with destruction, although destruction may be one disposal option.
  • Knowledge workers who work with records in any capacity best understand the nature and value of the records they work with.
  • When forming an information governance steering committee or board, it is essential to include representatives from cross-functional groups.
  • Organizations without active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft.

Notes

1. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper, August 2010, www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar.pdf

2. Ibid.

3. Debra Logan, “What Is Information Governance? And Why Is It So Hard?” January 11, 2010, http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/.

4. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 14, 2013).

5. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles (accessed November 14, 2013).

6. “Governance Overview (SharePoint Server 2010),” http://technet.microsoft.com/en-us/library/cc263356.aspx (accessed April 19, 2011).

* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.
