News Stay informed about the latest enterprise technology news and product updates.

Eight principles of information governance and risk management

(This blog post was written by Marilyn Bier, chief executive officer of ARMA International.)

Organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance, and monitor strategic initiatives. They’re all critical business processes, and they all share an important trait: An accounting of each resides in an organization’s business records.

As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activities of that organization. This information facilitates operations, budgeting, and planning, and it documents compliance.

Identifying Information Risks

The risks are significant for those organizations with too much, too little, or incomplete information within their recordkeeping systems.

Numerous court rulings, for example, have established a legal demand that records be kept in accordance with legal requirements, that the records be accurate, and that organizations be accountable for ensuring their records and information are properly kept. Increasingly, organizations must defend their recordkeeping practices to courts, regulatory agencies, and other oversight organizations. In addition, organizations can be subject to excessive discovery costs for records that should have been disposed.

The transition from paper to predominantly electronic information has exponentially multiplied such challenges for organizations.

“When information was paper-based, organizations were likely to have detailed policies and procedures that ensured it was managed from its creation through the time it needed to be discarded or sent to archival storage,” says Paula F. Lederman, an information management consultant and principal with IMERGE Consulting Inc. and a contributor to Information Management magazine. “As organizations have shifted to electronic records, though, many have not managed their information with that same discipline because storage is cheap, stored information is invisible, and it is easy to keep everything. However, today’s exploding volumes of poorly managed electronic information present a number of risks and associated high costs, capturing the attention of C-level executives, particularly in legal, compliance, and risk management, and disputing the notion that keeping everything “just in case” is a good strategy.”

Unnecessary e-discovery costs, regulatory sanctions for being unable to produce required documentation, and poor business decisions based on incorrect or incomplete information are all risks that can be avoided by organizations with effective information governance processes.

Mitigating risks through information governance

To meet the challenge, organizations need to implement an effective information governance program, which is defined by ARMA International as “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”

Like any critical business process, an information governance program should be defined, endorsed by executive management, communicated throughout the organization, and assessed regularly. The Generally Accepted Recordkeeping Principles® (the Principles) and its complementary Information Governance Maturity Model (Maturity Model) can be used by organizations of any size and in any industry sector to establish and monitor an effective information governance program.

Complying with the Principles assures the organization that its:

  • Information will be protected against loss. Its critical records will be backed up, protected, and easily accessible, allowing it to continue business in the event of a disaster.
  • Information will be available when needed. The organization will have systems and processes in place that will enable it to locate, retrieve, and disseminate information to the right people at the right time so it can be used for decision making, transacting business, and responding to litigation.
  • Information will be retained as required and disposed of when no longer required. The organization will have a records retention schedule that will ensure that information is being retained to meet its operational, legal, regulatory, and historical requirements and that it is disposed of in the normal course of business when its required retention has been met.
  • External investigation and litigation obligations can be met easily. Processes will be in places that ensure that all information that is relevant to litigation or regulatory investigation can be located, placed on legal hold to ensure its availability and integrity, and produced when needed.

The Principles were created with the assistance of renowned records and information management (RIM), legal, and IT professionals, who reviewed and distilled global best practice resources, including the international records management standard (ISO15489-1 Information and Documentation – Records Management), American National Standards, and court case law. The Principles were vetted through a public call for comment process involving the professional RIM community.

The Principles are:

1. Principle of Accountability — A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited.

2. Principle of Transparency — An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.

3. Principle of Integrity — An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.

4. Principle of Protection — An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection.

5. Principle of Compliance — An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

6. Principle of Availability — An organization shall maintain its records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

7. Principle of Retention — An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

8. Principle of Disposition — An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Organizations should view the Principles as a map for a road that is safely winding through an operational and legal minefield that has always existed but has recently become even more treacherous. An organization that doesn’t adhere to the Principles is teetering on the edge of the minefield. By using the Maturity Model, organizations can track their progress in becoming more compliant, moving away from that dangerous edge and toward safety.

Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000+ global members and countless external customers the education, publications, and resources they need to be able to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to their organization’s goals.