THE PRINCIPLES: Compliance Presented by: Marty McNulty, ARMA Board Member

Posted on 26-Dec-2015

TRANSCRIPT

Page 1: Compliance Presented by: Marty McNulty, ARMA Board Member

THE PRINCIPLES: Compliance

Presented by: Marty McNulty, ARMA Board Member

Page 2:

One Reason to Use The Principles

New regulation under the Dodd-Frank Act mandates new enforcement for financial, credit, investment and other organizations, such as energy companies, electric and gas utilities, chemical, mining and mineral, airlines, agribusiness, and consumer products.

Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.

Page 3:

Dodd-Frank Act
Focus on Information Governance
ECM Capabilities
Management Tools

“Dodd-Frank’s ‘Title VII: Wall Street Transparency and Accountability’ emphasizes the principles of accountability and transparency for recordkeeping.”

Information Management, Pulzello, Fred and Bhavsar, Sonali, November 2011.

Page 4:

The Principles

ARMA International’s Governance Maturity Model

Purpose: Provide a solid foundation for an Information Governance Structure

Objective: Ensure companies are meeting their operating needs, legal and regulatory obligations.

Page 5:

The Principles

1. Accountability
2. Integrity
3. Protection
4. Compliance
5. Availability
6. Retention
7. Disposition
8. Transparency

Page 6:

How can adopting GARP principles help an organization in Legal matters?

Adherence to the PRINCIPLES indicates how an organization is on top of its statutory and regulatory recordkeeping requirements. Overarching all this is the Principle of Compliance, which means that organizations must be sure that they are complying with recordkeeping and overall information governance requirements. In terms of “legal matters,” compliance with The Principles should mean that the organization has a RIM program that is legally defensible, including the all-important Legal Holds policy and procedures to avoid sanctions for spoliation (i.e., the wrongful destruction of documents or evidence).

John Isaza is a California-based attorney and founding partner of the Howett Isaza Law Group, a law firm that specializes in electronic information governance, records management and overall corporate compliance.

Page 7:

Compliance: The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Page 8:

Compliance

It is the duty of every organization to comply with applicable laws, including those governing the maintenance of records. An organization’s credibility and legal standing rest upon its ability to demonstrate that it conducts its activities in a lawful manner.

The absence and/or poor quality of records may impair or jeopardize a business’s right to conduct business.

Page 9:

Compliance Duty:

1. The recordkeeping system must contain information documenting that the organization’s activities are conducted in a lawful manner.

2. The recordkeeping system is subject to legal requirements (e.g. tax, environmental, engineering, etc.).

Page 10:

Steps to Achieve Compliance

Step One: Identify the Key Stakeholders

Compliance – legal and regulatory agencies and their associated staff members.
Legal – understand the firm’s litigation profile.
Information Technology – understand the technology infrastructure of the firm.
Risk Management
Business Unit Line Managers

Page 11:

Steps to Achieve Compliance

Step Two: Gather Existing Information

Policies and Procedures
Data Maps
Functional Workflows

Page 12:

Steps to Achieve Compliance

Step Three: Define Desired Compliance Outcome and Criteria

Use five-level grading criteria:

Substandard, In Development, Essential, Proactive, Transformational

Page 13:

Steps to Achieve Compliance

Step Four: Identify Gaps between Current and Desired Compliance Criteria/Practices

Use the Principles Assessment Tool
Conduct a Gap Analysis
Establish Benchmarks and/or Set Criteria

Page 14:

Steps to Achieve Compliance

Step Five: Prioritize Gaps to Be Addressed

List gaps and set priorities.
Make them simple and clear.

Page 15:

Steps to Achieve Compliance

Step Six: Develop a Roadmap to the Desired Compliance Criteria/Practices

Determine the actions to take along a timeline to reach the desired Compliance State with the new Criteria/Practices

Identify/assign resources to deliver action items.

Page 16:

Steps to Achieve Compliance

Step Seven: Develop a Roadmap to the Desired Compliance Criteria/Practices

Determine the actions to take along a timeline to reach the desired Compliance State with the new Criteria/Practices

Identify/assign resources to deliver action items.

Page 17:

Steps to Achieve Compliance

Step Eight: Deliver New Criteria and Audit Reporting

Set up a compliance auditing tool with the new criteria.
Schedule an audit annually and measure against the previous year’s compliance.
Report Compliance Grade and Findings.
Submit recommendations to close gaps and address findings.

Page 18:

Maturity Model for Information Governance

Level 1 – Substandard
Level 2 – In Development
Level 3 – Essential
Level 4 – Proactive
Level 5 – Transformational

Maturity Model can be found on ARMA website at: http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics/metrics-compliance

Page 19:

Maturity Model

Level 1 (Sub-standard): This level describes an environment where recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner. Organizations that identify primarily with these descriptions should be concerned that their programs will not meet legal or regulatory scrutiny.

Page 20:

Maturity Model

Level 2 (In Development): This level describes an environment where there is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program. However, in Level 2, the organization is still vulnerable to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature.

Page 21:

Maturity Model

Level 3 (Essential): This level describes the essential or minimum requirements that must be addressed in order to meet the organization's legal and regulatory requirements. Level 3 is characterized by defined policies and procedures, and more specific decisions taken to improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions may still be missing significant opportunities for streamlining business and controlling costs.

Page 22:

Maturity Model

Level 4 (Proactive): This level describes an organization that is initiating information governance program improvements throughout its business operations. Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements. Organizations that identify primarily with these descriptions should begin to consider the business benefits of information availability in transforming their organizations globally.

Page 23:

Maturity Model

Level 5 (Transformational): This level describes an organization that has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine. These organizations have recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service.

Page 24:

In Summary

Compliance is the umbrella of all of The Principles. All firms are legally responsible for recordkeeping practices that are legally defensible and responsible. This level of compliance can be achieved by using The Principles.