Generally Accepted Recordkeeping Principles® Where it’s at, what it means, and what to look for

What is GARP®?
- GARP® is an acronym for Generally Accepted Recordkeeping Principles
- ARMA understands that records must be created, organized, secured, maintained, and used in a way that effectively supports the activity of that organization

Records and recordkeeping are inextricably linked with any organized activity. As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activity of that organization. These needs can be fulfilled only if recordkeeping is an objective activity, insulated from individual and organizational influence or bias, and measured against universally applicable principles. To achieve this transparency, ARMA International developed the Generally Accepted Recordkeeping Principles (GARP) so that organizations can adhere to objective records and information management standards and principles. Without adherence to these standards and principles, organizations will have poorly run operations, legal compliance failures, and, potentially, a mask for improper or illegal activities.

Quotation
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”
Ralph Waldo Emerson

I happened upon a relevant quote from Ralph Waldo Emerson that explains our approach to developing the Generally Accepted Recordkeeping Principles.

What Are They?
- A common language and imperative to use with executive management when describing the tenets of a solid program
- A model for program development
- A benchmark against your peers
- A legislative and judicial roadmap to best practices

GARP is our shortened version of the Generally Accepted Recordkeeping Principles℠. ARMA International is developing and socializing the principles in order to provide a framework for guidance in implementing information management programs. The defined set of principles will help business leaders, legislators, the judiciary, and other stakeholders understand and address the key components of records and information management as a discipline and as a best business practice. We’ve already used the principles in conversations with the legislature in discussing potential regulations and corporate best practices.

Where Did They Come From?
- Committee of 7 widely respected professional practitioners on the task force
- Using standards, best practices, and practical experience
- Sent to public review by ARMA International members and stakeholders
- Finalized and released March 31, 2009

It’s important to point out that we didn’t just create these out of thin air. They come from the work experience of 7 of our most widely recognized RIM practitioners in a variety of fields, but they are also built upon the collective wisdom of ARMA International standards and best practices as a foundation. Following that, they were reviewed by ARMA International members and practitioners who helped comment on and further define the principles. A committee of widely respected professional practitioners served on the task force to develop the final list of Principles. Among those participating were Fred Pulzello, Patrick Cunningham, Galina Datskovsky, Jim Coulson, John Montana, Lenore Greenberg, and Rick Sterling. ARMA International’s Board of Directors unanimously approved the submitted principles to proceed through a comment phase by members and stakeholders in the business world. The finalized principles were posted to ARMA International’s site and released to the media March 31.

How will GARP® be Used?
- By Regulators… To protect the public by assuring access to information about the operations, policies and procedures of regulated companies
- By RIM Professionals… To measure the records management programs of companies in a consistent and systematic manner
- By Businesses… To document to regulators and the public that information will be available from these companies if ever needed

Generally Accepted Recordkeeping Principles®
- Accountability
- Integrity
- Protection
- Compliance
- Availability
- Retention
- Disposition
- Transparency

So let’s walk through the actual principles. The eight principles are Accountability, Integrity, Protection, Compliance, Availability, Retention, Disposition, and Transparency. In the following slides I’ll summarize each of the eight principles. For more information about each one of them, visit http://www.arma.org/garp/.

Principle of Accountability
An organization:
- assign a senior executive to oversee the recordkeeping program
- delegate program responsibility to appropriate individuals
- adopt policies and procedures to guide personnel, and
- ensure program auditability

An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.

Principle of Accountability
Senior executive:
- Establish a method to design and implement a structure to support the recordkeeping program
- Establish a governance structure for program development and implementation
Recordkeeping program:
- Have documented and approved policies and procedures to guide implementation
- Auditability enables the program to validate its mission

The senior executive in charge should establish a method to design and implement a structure to support the recordkeeping program. A governance structure should be established for program development and implementation. Necessary components include an accountable person and a developed program. A recordkeeping program should have documented and approved policies and procedures to guide its implementation. Auditability enables the program to validate its mission and be updated as appropriate.

Principle of Integrity
Recordkeeping program:
- Construct so organizational records and information have a reasonable and suitable guarantee of authenticity and reliability

A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

Integrity of Records
Should include the following:
- Correctness of and adherence to the policies and procedures of the organization
- Reliability of information management training
- Reliability of records created
- Acceptable audit trail
- Reliability of systems that control the recordkeeping

Integrity of records in a recordkeeping environment should include the following: correctness of and adherence to the policies and procedures of the organization; reliability of the information management training and direction given to the employees who interact with all systems; reliability of the records created; an acceptable audit trail; and reliability of the systems that control the recordkeeping, including hardware, network infrastructure, and software.

Principle of Protection
Recordkeeping program:
- Construct to ensure protection of records and information that are:
  - Private
  - Confidential
  - Privileged
  - Secret
  - Essential to business continuity

A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.

Protection Controls for Information
- Systems must have appropriate security so only approved personnel can access information
- Sensitive records must be safeguarded from inadvertent or malicious leaks
- Security and confidentiality must be integral parts of final disposition
- Audit program must have a clear process to determine whether sensitive information is being handled in accordance with the principle of protection

A recordkeeping program must ensure that appropriate protection controls are applied to information from the moment it is created to the moment it undergoes final disposition. Each system utilized must have an appropriate security structure so only personnel with the appropriate level of security or clearance can gain access to the information. An organization must also safeguard its sensitive records from becoming available on social networking sites and chat rooms through employees who may either inadvertently or maliciously post them there. Security and confidentiality must be integral parts of the final disposition processing of the information. An organization’s audit program must have a clear process to ascertain whether sensitive information is being handled in accordance with the policies outlined in the principle of protection.

Principle of Compliance
Recordkeeping program:
- Comply with laws and other binding authorities, as well as the organization’s policies

The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies. Provide examples of applicable laws. Provide examples of binding authorities.

Principle of Availability
An organization:
- Maintain records to ensure timely, efficient, and accurate retrieval of information

An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Principle of Availability
- Organizations must have the ability to identify, locate, and retrieve the records and information required to support their business activities
- Information must be described during the capture, maintenance, and storage processes to make retrieval effective and efficient
- Routinely back up electronic information
- Manage availability of information assets at a reasonable cost from creation through disposition

Successful and responsible organizations must have the ability to identify, locate, and retrieve the records and related information required to support their ongoing business activities. Information must be described during the capture, maintenance, and storage processes in such a way as to make retrieval effective and efficient. Electronic information needs to be routinely backed up to ensure that it can be restored if there is a disaster, a system malfunctions, or the data becomes corrupted. To effectively manage the availability of its information assets at a reasonable cost, an organization should, in the normal course of business, regularly remove obsolete or redundant records and related information from its information systems.

Principle of Retention
An organization must maintain its records and information for an appropriate time, taking into account the following requirements:
- legal
- regulatory
- fiscal
- operational
- historical

An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. Organizations make retention decisions based on the content and purpose of records.

Principle of Retention
- Records retention program based on the information life cycle
- Time period from record creation to disposition
- Retention decisions based on content and purpose of records
- Retention periods determined by legal and regulatory, fiscal, operational and historical requirements
- Organization must conduct a risk assessment to determine the retention period for each record type
- Minimize risks and costs associated with records retention by immediately disposing of records after their retention period expires

The records retention program is based on the concept that information has a life cycle, which is the time period from the creation of a record to its final disposition. Organizations make retention decisions based on the content and purpose of records. Retention periods are determined by legal and regulatory, fiscal, operational and historical requirements. Once its records retention requirements are determined, an organization must conduct a risk assessment to determine the appropriate retention period for each type of record. To minimize risks and costs associated with records retention, it is essential to immediately dispose of records after their retention period expires.

Principle of Disposition
An organization:
- Provide secure and appropriate disposition for records that are no longer required to be maintained by laws and organizational policies

An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.

Principle of Disposition
- Records must be designated for disposition
- Organization must make a reasonable effort to ensure all versions of the records are included in disposition
- Disposition of records must be suspended for pending or ongoing litigation or audit
- Destruction of records must be performed in a secure manner
- Transfer of records to a historical archives, library, or museum should be documented as part of the organization’s records retention policy

At the completion of the retention period for an organization’s records, the records must be designated for disposition. In many cases, the disposition for records will be destruction. In all instances, the organization must make a reasonable effort to ensure that all versions and copies of the records are included in the disposition. Disposition of relevant records must be suspended in the event of pending or ongoing litigation or audit. Destruction of records must be performed in a secure manner, ensuring that records to be destroyed are transported securely and destroyed completely. The transfer of records to the custody of a historical archives, library, or museum should be documented as part of the organization’s records retention policy.

Principle of Transparency
- An organization’s recordkeeping program shall be documented and be available to all personnel and appropriate interested parties

The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.

Principle of Transparency
- It is in the best interest of all parties to understand that an organization conducts its activities in a lawful and appropriate manner by having recordkeeping systems that accurately and completely record the activities of the organization
- An organization that is subject to open records laws may need to make all records available to any person upon request, and other organizations may have a legitimate need to protect confidential or proprietary information
- Every organization must create and manage the records documenting its recordkeeping program to ensure the structure, processes, and activities of the program are apparent and understandable to legitimately interested parties

It is in the best interest of every organization, and of society in general, that all parties clearly understand that an organization conducts its activities in a lawful and appropriate manner, and that its recordkeeping systems accurately and completely record the activities of the organization. An organization that is subject to open records laws may need to make all records available to any person upon request, and other organizations may have a legitimate need to protect confidential or proprietary information. Every organization must create and manage the records documenting its recordkeeping program to ensure that the structure, processes, and activities of the program are apparent and understandable to legitimately interested parties.

The Value of GARP® to Your Organization
- Regulatory requirements
- Maturity model
- Benchmark among peers

The three primary values of GARP for your organization are regulatory requirements, a maturity model, and a benchmark among peers.

Regulatory Requirements
- Provide a common framework among jurisdictions and industries
- Demonstrate reasonable adherence to best practices

Maturity Model
- Apply a proven methodology to measure progress toward optimization
- Measure current state and identify gaps against a common framework
- Develop a remediation plan
- Audit and test against metrics

Benchmark Among Peers
- Establish industry norms
- Calibrate resources accordingly
- Maintain competitive advantage

GARP® Roadmap
- ARMA is introducing GARP® to regulators
- ARMA is promoting GARP® awareness
- ARMA is providing training sessions on GARP®
- Measurements and testing are being developed
- GARP® compliance will become a barometer of records management health

What’s Next?
- Look for more resources to help measure your organization against GARP®
- Look for resources from ARMA International that directly connect each principle to related resources and education
- And more!

The September / October Hot Topic supplement to the Information Management magazine will focus on the principles. More resources are forthcoming from ARMA International: a benchmark / maturity model, a resource list that connects each principle to resources and education, and much more we’re not at liberty to talk about right now for competitive reasons.

Thank You!