Generally Accepted Recordkeeping PrinciplesSM: The Key to


Generally Accepted
Recordkeeping PrinciplesSM
Where it’s at, what it means, and
what to look for
What is GARPSM?
GARPSM is an Acronym for
Generally Accepted
Recordkeeping Principles
ARMA understands that records must be
created, organized, secured, maintained,
and used in a way that effectively supports
the activity of that organization.
Quotation
“As to methods there may be a
million and then some, but principles
are few. The man who grasps
principles can successfully select his
own methods. The man who tries
methods, ignoring principles, is sure
to have trouble.”
• Ralph Waldo Emerson
What Are They?
• A common language and
imperative to use with executive
management when describing the
tenets of a solid program
• A model for program development
• A benchmark against your peers
• A legislative and judicial roadmap
to best practices
Where Did They Come From?
• Committee of 7 widely-respected
professional practitioners on the task
force
• Using standards, best practices, and
practical experience
• Sent to public review by ARMA
International members and
stakeholders
• Finalized and released March 31,
2009
How will GARPSM be Used?
By Regulators…
To protect the public by assuring access to information about the operations,
policies and procedures of regulated companies
By RIM Professionals…
To measure the records management programs of
companies in a consistent and systematic manner
By Businesses…
To document to regulators and the public that information will
be available from these companies if ever needed
Generally Accepted
Recordkeeping PrinciplesSM
• Accountability
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition
• Transparency
http://www.arma.org/garp/
Principle of Accountability
• An organization
– assign a senior executive to oversee
recordkeeping program
– delegate program responsibility to
appropriate individuals
– adopt policies and procedures to guide
personnel, and ensure program
auditability
Principle of Accountability
• Senior executive
– Establish method to design and implement a
structure to support recordkeeping program
– Establish governance structure for program
development and implementation
• Recordkeeping program
– Have documented and approved policies
and procedures to guide implementation
• Auditability enables program to validate
its mission
Principle of Integrity
• Recordkeeping program
– Construct so organizational records and
information have a reasonable and suitable
guarantee of authenticity and reliability
Integrity of Records
Should include the following:
– Correctness of and adherence to the policies
and procedures of the organization
– Reliability of information management training
– Reliability of records created
– Acceptable audit trail
– Reliability of systems that control the
recordkeeping
Principle of Protection
Recordkeeping Program
• Construct to ensure protection to records
and information that are:
– Private
– Confidential
– Privileged
– Secret
– Essential to business continuity
Protection Controls for
Information
– Systems must have appropriate security so
only approved personnel can access
information
– Sensitive records must be safeguarded from
inadvertent or malicious leaks
– Security and confidentiality must be integral
parts of final disposition
– Audit program must have a clear process to
determine whether sensitive information is
being handled in accordance with the
principle of protection
Principle of Compliance
• Recordkeeping program
– Comply with laws and other binding
authorities, as well as the organization’s
policies
Principle of Availability
• An organization
– Maintain records to ensure timely, efficient,
and accurate retrieval of information
Principle of Availability
– Organizations must have the ability to
identify, locate, and retrieve the records and
information required to support their business
activities
– Information must be described during the
capture, maintenance, and storage
processes to make retrieval effective and
efficient
– Routinely back up electronic information
– Manage availability of information assets at a
reasonable cost from creation through
disposition
Principle of Retention
Organization must maintain its records and
information for an appropriate time, taking
into account
– legal
– regulatory
– fiscal
– operational
– historical requirements
Principle of Retention
• Records retention program based on information
life cycle
– Time period from record creation to disposition
• Retention decisions based on content and
purpose of records
– Retention periods determined by legal and
regulatory, fiscal, operational and historical
requirements
• Organization must conduct a risk assessment to
determine retention period for each record type
• Minimize risks and costs associated with records
retention, by immediately disposing of records
after their retention period expires
Principle of Disposition
• An organization
– Provide secure and appropriate disposition for
records that are no longer required to be
maintained by laws and organizational
policies
Principle of Disposition
– Records must be designated for disposition
– Organization must make reasonable effort to
ensure all versions of the records are included in
disposition
– Disposition of records must be suspended for
pending or ongoing litigation or audit
– Destruction of records must be performed in a
secure manner
– Transfer of records to historical archives, library,
or museum should be documented as part of the
organization’s records retention policy
Principle of Transparency
• An Organization’s
– Recordkeeping program shall be documented
and be available to all personnel and
appropriate interested parties
Principle of Transparency
– It is in the best interest of all parties to understand that an
organization conducts its activities in a lawful and
appropriate manner by having recordkeeping systems
that accurately and completely record the activities of the
organization
– An organization that is subject to open records laws may
need to make all records available to any person upon
request, and other organizations may have a legitimate
need to protect confidential or proprietary information
– Every organization must create and manage the records
documenting its recordkeeping program to ensure the
structure, processes, and activities of the program are
apparent and understandable to legitimately interested
parties
The Value of GARPSM to Your
Organization
• Regulatory requirements
• Maturity model
• Benchmark among peers
Regulatory Requirements
• Provide common framework among
jurisdictions and industries
• Demonstrate reasonable adherence to
best practices
Maturity Model
• Apply proven methodology to measure
progress toward optimization
• Measure current state and identify gaps
against common framework
• Develop remediation plan
• Audit and test against metrics
Benchmark Among Peers
• Establish industry norms
• Calibrate resources accordingly
• Maintain competitive advantage
GARPSM Roadmap
• ARMA is introducing GARPSM to regulators
• ARMA is promoting GARPSM awareness
• ARMA is providing training sessions on
GARPSM
• Measurements and testing are being
developed
• GARPSM compliance will become a
barometer of records management health
What’s Next?
• The September / October Hot Topic
supplement to the Information Management
magazine will focus on the principles
• Look for more resources to help measure
your organization against GARPSM
• Look for resources from ARMA International
that directly connect each principle to
related resources and education
• And more!
Thank You!