And, later in the written opinion, “Parties need to anticipate and undertake document preservation with the most serious and thorough care, if for no other reason than to avoid the detour of sanctions.”
The judge believes monetary sanctions are appropriate to punish offending parties, and identifies other potential spoliation actions that can be levied against organizations which do not adequately manage their ESI. Yet, only 63% of the respondents in the ARMA/Forrester study are leveraging technology to enforce retention management for email. And only about 50% use technology to enforce retention policies for file shares, desktops, or other electronic assets.
What’s the impact of that? A significant quantity of data, records and information is subject to ad hoc retention and disposition decisions by individuals. As a result, businesses lack defensible recordkeeping policies and procedures, as well as defensible legal hold/document production processes.
Effective Information Governance – GARP is the Answer
Gartner describes information governance as an accountability framework that “includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” The definition sets a context for information governance, but doesn’t help an organization understand much about what information governance looks like, or what is really necessary to achieve critical and scalable results.
In response to this need, ARMA International has undertaken to define information governance and to articulate the recordkeeping principles which are at the heart of effective information governance. This work is referred to as “generally accepted recordkeeping principles” or, more familiarly, as GARP. Though these principles have been well developed by those in records and information management, they are frequently less understood by colleagues in IT, in the business units and executive management. Nevertheless, these principles form the basis upon which every effective records program is built and are the yardstick by which any recordkeeping program is measured. These principles also form the basis upon which any organization’s recordkeeping will one day be judged.
The GARP principles identify the critical hallmarks of information governance. These hallmarks can be simply stated, and include: accountability, transparency, integrity, protection, compliance, availability, retention and disposition. Eight principles. Eight hallmarks of success.
It’s not quite as easy as it sounds, however. Underlying each principle is a detailed understanding of what is covered by the principle. The principles are based upon the major international and national level standards and best practices that have been developed and vetted by RIM professionals over more than half a century. The array of professional standards, best practices, educational courses and other published resources provide a roadmap for implementing defensible and comprehensive RIM programs.
For example, the Principle of Compliance states that “The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.” The annotation to this principle gives additional information regarding the intended scope and coverage of the principle. The annotation points to the need for documenting the organization’s activities so it can be shown that the organization operates in a lawful manner, knows the records it must maintain, and understands what the law dictates in terms of recordkeeping requirements. The annotation then identifies a variety of resources (in this case, a best practice guideline and various other ARMA International publications) as additional guidance for implementation of compliance. Each principle is documented and explained in a similar manner.
How Much Information Governance is Enough?
It has not always been easy to describe what “good recordkeeping” looks like. Yet, this question gains in importance as regulators, shareholders, and customers are increasingly concerned about the business practices of organizations. By articulating the GARP, ARMA provides guidance to:
- IT professionals in understanding information governance business and functional requirements;
- CEOs in determining how to protect their organizations in the use of information assets;
- Legislators in crafting legislation meant to hold organizations accountable; and
- Records management professionals in designing comprehensive and effective records management programs.
The GARP principles establish a common language and a common understanding for RIM and IT, of what it takes to achieve effective information governance.
Yet, by themselves, the GARP principles still do not really help organizations determine whether their current practices are effective, where their current vulnerabilities lie, and what steps they should take in order to make the necessary improvements. Metrics are needed in order to begin assessing the sufficiency of current practices.
The GARP maturity model for information governance begins to paint this picture. Similar to the capability maturity model (CMMI) developed by Carnegie Mellon University, the GARP model is based on the eight GARP principles mentioned above, and incorporates the foundation of standards, best practices, and legal/regulatory requirements that establish the field of records and information management. The maturity model establishes five levels of maturity and defines characteristics at each level, for each GARP principle. The maturity levels represent a range from “substandard” to “transformational.”
The GARP model provides another common language and understanding to facilitate collaborative work throughout the organization. It can provide the basis for an organization’s self-assessment and a foundation for determining appropriate goals for information governance compliance.
Establishing Effective Governance
Effective information governance is heavily dependent on effective partnerships between the business units, legal, records and information managers (RIM), and IT professionals. Each of these entities has a piece of the overall picture.
The business units are the primary creators of the records. They understand the processes and technology tools they use to conduct their business. Legal understands the legal and litigation environment within which the company operates. Closely aligned with Legal (and often a part of the legal department) are the regulatory and compliance entities. They also have a perspective on the company’s regulatory obligations and reporting requirements.
Which two entities cross all these departmental boundaries and bring additional important perspectives? RIM and IT. Managers of an effective recordkeeping program have an enterprise-wide perspective which lends itself to the most comprehensive view of the varying needs of the business and how the business units access and use their records and information. With this understanding, the RIM professionals are positioned well to translate these varying needs between the parties involved.
At the same time, RIM professionals do not have the in-depth understanding of technical issues that is required for effective network architecture and infrastructure support, new technology developments and capabilities, interoperability of systems, programming and software development or hardware maintenance. Yet clearly, these issues are critical to effective information governance as well. RIM, IT, and Legal represent a three-legged stool – take away any one of the legs and the stool loses its effectiveness. The business units cannot be successful unless they have effective, integrated support from IT, RIM, and Legal.