(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
So, your attempt to manage the governance, risk, and compliance (GRC) program with a series of complex spreadsheets leaves you in a state of massive depression. You’ve decided the obvious solution is to purchase a piece of software so you can easily track and monitor all your compliance issues. Simple enough, right?
While we’d all like to believe that technology is the magic answer to our woes, there are many factors to consider before you can make a wise software purchasing decision. You must have a clear understanding of organizational compliance requirements, internal business processes, and existing tools to avoid purchasing and implementing software only to find that you still have gaps and vulnerabilities in your compliance program.
The information governance/compliance intersection
The most stringent tests of an organization’s compliance with its internal and external requirements come through third parties, such as an agency regulator or — in the case of litigation — the opposing counsel or a judge. At the heart of these types of inquiry is that third parties need to judge the organization’s actions, or inactions, and the impact they have on compliance.
An organization’s compliance requirements spring from a complex array of legislation, regulation, industry expectations, and its own voluntary commitments regarding how it will conduct business. While the requirements for each organization will vary significantly, all organizations need a reliable means of demonstrating compliance with these requirements. That demonstration nearly always takes the form of documentation — and this is where compliance intersects with information governance.
A planning framework for information governance
An organization that can demonstrate it has established policies and procedures, a way to measure its compliance with them, and a plan for improving its compliance in areas that need it can show that it takes its compliance obligations seriously. These companies will typically fare better with auditors and judges than those that take a more ad hoc approach.
For organizations in the ad hoc category, ARMA International has two invaluable tools that can help them position themselves in the former category. They can use the Generally Accepted Recordkeeping Principles® (Principles) to develop an information governance framework, and the Information Governance Maturity Model (Maturity Model), which is based on the Principles, to assess its program, plan for improvements, and measure its progress.
The Principles framework defines the characteristics of a holistic information governance program and the essential hallmarks of effective records and information management, which is the foundation for information governance. There are eight Principles, each thoroughly explained on the ARMA International website.
The benefits of information governance
The Principles make it clear that to achieve reliable results, the organization must hold individuals accountable for their defined recordkeeping responsibilities. It also must put into place policies, procedure, and tools that apply throughout the records and information life cycle.
Adopting this framework and implementing the defined recordkeeping controls creates an information governance program that will:
- Serve as a guide to planning: The Principles specify key controls that will help the organization achieve compliance. These controls contribute to authentic records and information that can be relied upon for both business decisions and compliance requirements. Without these program elements in place, records may be incomplete, inaccurate or missing all together.
- Provide an objective means for measuring progress and sufficiency: A key part of the Principles framework is the Maturity Model mentioned earlier. This five-level metrics model is used to measure the maturity of the information governance program and identify gaps that can leave the organization vulnerable. Once the organization establishes this baseline, it can use the Maturity Model on an iterative basis to show progress improvement over time.
- Demonstrate a conscious focus on recordkeeping: The courts are not holding organizations to a standard of perfection. But they do want to see evidence that the organization is addressing issues as they arise. Even better, this information governance framework will help the organization pre-empt problems by guiding it in taking proactive steps to improve processes and technology tools.
- Prepare the organization for “pop up” audits: When there is consistent attention to recordkeeping policies and procedures and an appropriate use of tools, an organization needs not fear the “pop up” — or a surprise audit.
Governance and compliance: A natural collaboration
Information governance is central to an organization’s ability to demonstrate compliance with both internal and external requirements. The Principles framework provides a means to gain a solid understanding of the organization’s compliance requirements. There may already be software that can be adapted for compliance purposes, or new software may still be needed. But with a better understanding of the records and information management program, you can ensure that the new software complements what is already in place.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.