I am finally returning back to my series on the Information Governance Reference Model and ARMA’s Generally Accepted Recordkeeping Principles (GARP). My goal is by the end of the month to make it to the end of the series. Today we will be taking a look at the principle of compliance. This is a topic that must be brushed with broad strokes as every industry have different compliances laws and regulations that are applicable to them. The principle of compliance states that a recordkeeping program should comply with applicable laws and other binding authorities, as well as the organization’s policies.
One of the driving factors for many records management departments is compliance and in the information governance reference model compliance is the inner ring of process transparency. Having an information governance program that is fully mature in compliance is the greatest means to reduce risk of indictment. According to GARP, “The absence or poor quality of the records required to demonstrate this damages an organization’s credibility and may impair its standing in legal matters or jeopardize its right to conduct business.”
A really insightful article to read on this topic is “Advice For A Compliance-Eye View of Records Management Strategy” in TechTarget by Ed Moyle.
Managing retention timelines is another complicated task when it comes to developing a records management process. Keep a record for too long and it has a litigation impact — large numbers of records add to the e-discovery workload. But discarding a record too soon can make you noncompliant with important regulatory requirements.
For compliance professionals, it’s tempting to resist developing a records management strategy since it’s rarely a direct compliance responsibility. This is the wrong perspective. Records management, when done well, is a significant help to compliance: A well-organized process will help you stay compliant and streamline audit efforts. A poorly managed process, however, will not only make you noncompliant but will also increase audit overhead.
For the relationship between records management and compliance Moyle winsomely writes the following.
Records are the authoritative source documenting the “who, what, when, where, why and how” of organizational activities. The records management process governs how these artifacts are tracked throughout the whole lifecycle: how they’re stored and organized, when and how they’re eventually disposed of, and how they’re handled along the way.
How this is accomplished directly impacts compliance when record retention is specifically mandated by regulations. The Health Insurance Portability and Accountability Act, PCI Data Security Standards and the Sarbanes–Oxley Act, to name just a few, specifically require that we keep certain types of records. They also indirectly impact compliance because of the role they play in an audit scenario. During an audit, you’ll likely be asked to produce records in an evidentiary capacity. This means you not only must retain records appropriately but also make sure they’re accessible to the compliance team for internal and external audits.
All these factors mean it’s important to represent compliance interests during updates to the records management process (or the automation of the process). Compliance officers should negotiate a seat at the table during discussions around changes to processes and tools, and these officers should have direct communication with the records management “owner” in the organizational hierarchy. A worst-case scenario is one where decisions are made (for example, the selection and deployment of a records management system) without compliance involvement. Issues like retention, accessibility and integrity of records are all vitally important to regulatory compliance.
For more information you can read, “How the Information Governance Reference Model (IGRM) Complements ARMA International’s Generally Accepted Recordkeeping Principles (GARP),” as well as ARMA International’s The Principles: Generally Accepted Recordskeeping Principle of Compliance.