Compliance
Presented by: Marty McNulty, ARMA Board Member

One Reason to Use The Principles
New regulation under Dodd-Frank mandates new enforcement for financial, credit, investment and other organizations such as energy companies, electric and gas utilities, chemical, mining and mineral, airlines, agribusiness, and consumer products.
Source: Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.

Dodd-Frank Act
Focus on Information Governance
ECM Capabilities
Management Tools
“Dodd-Frank’s ‘Title VII – Wall Street Transparency and Accountability’ emphasizes the principles of accountability and transparency for recordkeeping.”
Source: Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.

The Principles
ARMA International’s Governance Maturity Model
Purpose: Provide a solid foundation for an Information Governance structure.
Objective: Ensure companies are meeting their operating needs and their legal and regulatory obligations.

The Principles
1. Accountability
2. Integrity
3. Protection
4. Compliance
5. Availability
6. Retention
7. Disposition
8. Transparency

How can adopting GARP principles help an organization in legal matters?
Adherence to the Principles indicates how an organization is on top of its statutory and regulatory recordkeeping requirements. Overarching all this is the Principle of Compliance, which means that organizations must be sure that they are complying with recordkeeping and overall information governance requirements. In terms of “legal matters,” compliance with The Principles should mean that the organization has a RIM program that is legally defensible, including the all-important Legal Holds policy and procedures to avoid sanctions for spoliation (i.e., the wrongful destruction of documents or evidence).
John Isaza is a California-based attorney and founding partner of the Howett Isaza Law Group, a law firm that specializes in electronic information governance, records management and overall corporate compliance.

Compliance
The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Compliance
It is the duty of every organization to comply with applicable laws, including those governing the keeping of records. An organization’s credibility and legal standing rest upon its ability to demonstrate that it conducts its activities in a lawful manner. The absence and/or poor quality of records may impair or jeopardize a business’s right to conduct business.

Compliance Duty:
1. The recordkeeping system must contain information documenting that the organization’s activities are conducted in a lawful manner.
2. The recordkeeping system is subject to legal requirements (e.g., tax, environmental, engineering, etc.).

Steps to Achieve Compliance
Step One: Identify the Key Stakeholders
Compliance: legal and regulatory agencies and their associated staff members.
Legal: understand the firm’s litigation profile.
Information Technology: understand the technology infrastructure of the firm.
Risk Management
Business Unit Line Managers

Steps to Achieve Compliance
Step Two: Gather Existing Information
Policies and Procedures
Data Maps
Functional Workflows

Steps to Achieve Compliance
Step Three: Define Desired Compliance Outcome and Criteria
Use the five-level grading criteria:
Substandard
In Development
Essential
Proactive
Transformational

Steps to Achieve Compliance
Step Four: Identify Gaps between Current and Desired Compliance Criteria/Practices
Use the Principles Assessment Tool.
Conduct a gap analysis.
Establish benchmarks and/or set criteria.

Steps to Achieve Compliance
Step Five: Prioritize Gaps to Be Addressed
List gaps and set priorities.
Make them simple and clear.

Steps to Achieve Compliance
Step Six: Develop a Roadmap to the Desired Compliance Criteria/Practices
Determine the actions to take along a timeline to reach the desired compliance state with the new criteria/practices.
Identify/assign resources to deliver action items.

Steps to Achieve Compliance
Step Seven: Develop a Roadmap to the Desired Compliance Criteria/Practices
Determine the actions to take along a timeline to reach the desired compliance state with the new criteria/practices.
Identify/assign resources to deliver action items.

Steps to Achieve Compliance
Step Eight: Deliver New Criteria and Audit Reporting
Set up a compliance auditing tool with the new criteria.
Schedule an audit annually and measure against the previous year’s compliance.
Report the compliance grade and findings.
Submit recommendations to close gaps and address findings.

Maturity Model for Information Governance
Level 1 – Substandard
Level 2 – In Development
Level 3 – Essential
Level 4 – Proactive
Level 5 – Transformational
The Maturity Model can be found on the ARMA website at: http://www.arma.org/r2/generally-accepted-brrecordkeeping-principles/metrics/metrics-compliance

Maturity Model Level 1 (Substandard):
This level describes an environment where recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner. Organizations that identify primarily with these descriptions should be concerned that their programs will not meet legal or regulatory scrutiny.

Maturity Model Level 2 (In Development):
This level describes an environment where there is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program. However, in Level 2 the organization is still vulnerable to legal or regulatory scrutiny, since practices are ill-defined and still largely ad hoc in nature.

Maturity Model Level 3 (Essential):
This level describes the essential or minimum requirements that must be addressed in order to meet the organization’s legal and regulatory requirements. Level 3 is characterized by defined policies and procedures, and more specific decisions taken to improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions may still be missing significant opportunities for streamlining business and controlling costs.

Maturity Model Level 4 (Proactive):
This level describes an organization that is initiating information governance program improvements throughout its business operations. Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements. Organizations that identify primarily with these descriptions should begin to consider the business benefits of information availability in transforming their organizations globally.

Maturity Model Level 5 (Transformational):
This level describes an organization that has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine. These organizations have recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service.

Compliance is the umbrella over all of The Principles. All firms are legally responsible for performing recordkeeping practices that are legally defensible and responsible. This level of compliance can be achieved by using The Principles.