the principles

Report
Compliance
Presented by:
Marty McNulty, ARMA Board Member
One Reason to use The Principles
 New regulation of Dodd-Frank mandate new
enforcement for financial, credit, investment and
other organizations such as Energy Companies,
Electric and Gas utilities, Chemical, Mining and
Mineral, Airlines, Agribusiness, and Consumer
Products.
 Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.
Dodd-Frank Act
 Focus on Information Governance
 ECM Capabilities
 Management Tools
“Dodd-Frank’s “Title VII-Wall Street Transparency and
Accountability” emphasizes the principles of accountability
and transparency for recordkeeping”.
 Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.
The Principles
 ARMA International’s Governance Maturity Model
 Purpose: Provide a solid foundation for an Information
Governance Structure
 Objective: Ensure companies are meeting their
operating needs, legal and regulatory obligations.
The Principles
 1. Accountability
 5. Availability
 2. Integrity
 6. Retention
 3. Protection
 7. Disposition
 4. Compliance
 8. Transparency
How can adopting GARP principles help an organization
in Legal matters?
 Adherence to the PRINCIPLES indicate how an organization is
on top of its statutory and regulatory recordkeeping
requirements. Overarching all this is the Principle of
Compliance, which means that organizations must be sure
that they are complying with recordkeeping and overall
information governance requirements. In terms of “Legal
matters,” compliance with The Principles should mean that
the organization has a RIM program that is legally
defensible, including the all-important Legal Holds policy
and procedures to avoid sanctions for spoliation (i.e., the
wrongful destruction of documents or evidence).
 John Isaza is a California-based attorney and founding partner of the
Howett Isaza Law Group, a law firm that specializes in electronic
information governance, records management and overall corporate
compliance.
The recordkeeping program shall be constructed to comply with
applicable laws and other binding authorities, as well as, the
organization’s policies.
Compliance
 It is the duty of every organization to comply with
applicable laws, including those maintaining records.
An organization’s credibility and legal standing rest
upon its ability to demonstrate that it conducts its
activities in a lawful manner.
 The absence of and/or the poor quality of records may
impair or jeopardize a business’s right to conduct
business.
Compliance
Duty:
 1. The recordkeeping system must contain information
documenting that the organization’s activities are
conducted in a lawful manner.
 2. The recordkeeping system is subject to legal
requirements (i.e. tax, environmental, engineering,
etc.).
Steps to Achieve Compliance
 Step One: Identify the Key Stakeholders
 Compliance – Legal and regulatory agencies and their




associated staff members.
Legal – understand the firm’s litigation profile
Information Technology – understand technology
infrastructure of the firm.
Risk Management
Business Unit Line Managers
Steps to Achieve Compliance
 Step Two: Gather Existing Information
 Policies and Procedures
 Data Maps
 Functional Workflows
Steps to Achieve Compliance
 Step Three: Define Desired Compliance
Outcome and Criteria
 Use five level grading criteria





Substandard
Indevelopment
Essential
Proactive
Transformational
Steps to Achieve Compliance
 Step Four: Identify Gaps between Current and
Desired Compliance Criteria-Practices
 Use the Principles Assessment Tool
 Conduct a Gap Analysis
 Establish Benchmarks and/or Set Criteria
Steps to Achieve Compliance
 Step Five: Prioritize Gaps to be addressed
 List Gaps and set priorities
 Make them simple and clear
Steps to Achieve Compliance
 Step Six: Develop a Roadmap to the Desired
Compliance Criteria/Practices
 Determine the actions to take along a timeline to reach
the desired Compliance State with the new
Criteria/Practices
 Identify/assign resources to deliver action items.
Steps to Achieve Compliance
 Step Seven: Develop a Roadmap to the Desired
Compliance Criteria/Practices
 Determine the actions to take along a timeline to reach
the desired Compliance State with the new
Criteria/Practices
 Identify/assign resources to deliver action items.
Steps to Achieve Compliance
 Step Eight: Deliver New Criteria and Audit
Reporting
 Setup a Compliance auditing tool with the new criteria
 Schedule an audit annually and measure against
previous year’s compliance.
 Report Compliance Grade and Findings
 Submit Recommendations to close gaps and address
findings.
Maturity Model for Information
Governance





Level 1 – Substandard
Level 2 – In Development
Level 3 – Essential
Level 4 – Proactive
Level 5 - Transformational
 Maturity Model can be found on ARMA website at:
http://www.arma.org/r2/generally-accepted-brrecordkeeping-principles/metrics/metrics-compliance
Maturity Model
 Level 1 (Sub-standard): This level describes an
environment where recordkeeping concerns are either
not addressed at all, or are addressed in a very ad hoc
manner. Organizations that identify primarily with
these descriptions should be concerned that their
programs will not meet legal or regulatory scrutiny.
Maturity Model
 Level 2 (In Development): This level describes an
environment where there is a developing recognition
that recordkeeping has an impact on the organization,
and that the organization may benefit from a more
defined information governance program. However, in
Level 2, the organization is still vulnerable to legal or
regulatory scrutiny since practices are ill-defined and
still largely ad hoc in nature.
Maturity Model
 Level 3 (Essential): This level describes the essential
or minimum requirements that must be addressed in
order to meet the organization's legal and regulatory
requirements. Level 3 is characterized by defined
policies and procedures, and more specific decisions
taken to improve recordkeeping. However,
organizations that identify primarily with Level 3
descriptions may still be missing significant
opportunities for streamlining business and
controlling costs.
Maturity Model
 Level 4 (Proactive): This level describes an
organization that is initiating information governance
program improvements throughout its business
operations. Information governance issues and
considerations are integrated into business decisions
on a routine basis, and the organization easily meets
its legal and regulatory requirements. Organizations
that identify primarily with these descriptions should
begin to consider the business benefits of information
availability in transforming their organizations
globally.
Maturity Model
 Level 5 (Transformational): This level describes an
organization that has integrated information
governance into its overall corporate infrastructure
and business processes to such an extent that
compliance with the program requirements is routine.
These organizations have recognized that effective
information governance plays a critical role in cost
containment, competitive advantage, and client
service.
Compliance is the umbrella of all of The Principles. All
firms are legally responsible to perform recordkeeping
practices that are legally defensible and responsible. This
level of compliance can be achieved by using
The Principles.

similar documents