Record-keeping irregularities have been at the heart of several high-profile cases that have resulted in corporate failures and economic devastation. It started in 2001, with the Enron/Arthur Andersen LLP fiasco, and continued through recent cases involving Bernie Madoff's $65 billion investor swindle, American International Group Inc.'s $3 trillion in credit default swaps, and risky mortgage derivatives that resulted in the housing collapse.
More compliance FAQs?
Get caught up on regulations and more with our IT compliance FAQs.
What went wrong in each of these cases is simple: Although these business transactions generated voluminous records, those records weren't necessarily accurate or useful, and discrepancies weren't apparent. These organizations did not have effective information governance structures operating under clearly defined principles that would have ensured integrity, transparency and accountability in recordkeeping.
Until 2009, when ARMA International developed the Generally Accepted Recordkeeping Principles (GARP), there was no single set of principles to assist organizations in implementing records systems and policies that are the hallmarks of information governance. Effective information governance helps organizations succeed in operations, comply with legal and regulatory requirements, and avoid the type of catastrophes described above. This FAQ provides an introduction to GARP and information governance.
- What is information governance?
- What are the GARP principles and the best practices they promote?
- How does GARP improve information governance?
- What is the value proposition for implementing GARP?
- How can an organization know it is doing information governance well?
Information governance, as defined by Stamford, Conn.-based Gartner Inc., is "an accountability framework that includes the processes, roles, standards and metrics that ensure the effective use of information in enabling an organization to achieve its goals." Information governance has records and information management (RIM) as a foundation. In the absence of a single guiding set of principles organizations could use to evaluate the effectiveness of their information governance programs, ARMA International developed the Generally Accepted Recordkeeping Principles.
Managing records and information according to the GARP principles ensures effective information governance to help organizations run more smoothly from an operations standpoint, stay in compliance with legal and regulatory requirements and mitigate risk. It also provides accountability and transparency, allowing others to understand the context surrounding business decisions and transactions, making the principles a critical part of any audit or investigative process.
Learn more about GARP principles.
The GARP principles were created with the assistance of RIM, legal and IT professionals, who reviewed and distilled global best practice resources. These included the international records management standard ISO15489-1 Information and Documentation -- Records Management, guidelines from the American National Standards Institute and court case law. The principles were vetted through a public call-for-comment process involving the professional RIM community.
GARP applies to organizations of any size, across all types of industries and both the private and public sectors. Multinational organizations can also use GARP to establish consistent practices across a variety of business units.
The eight GARP principles create information governance best practices for an organization:
- Providing accountability and transparency for its actions;
- Proving the integrity of its records;
- Providing protection for its customers' personal information;
- Ensuring compliance with applicable laws and other binding authorities;
- Guaranteeing the availability of records and ensuring the timely, efficient and accurate retrieval of those records;
- Substantiating that retention and disposition requirements are adhered to based on the records retention schedule.
Read more about GARP's eight guiding principles.
GARP creates a structure to manage all records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.
Numerous court rulings have established a demand that records be kept in accordance with legal requirements, that those records be accurate and that an organization establish accountability to ensure the records are properly maintained. GARP provides a roadmap for organizations to follow to meet these criteria.
Today's environment is regulation-heavy and prone to litigation. How exposed an organization is to the risk of legal sanctions and its ability to respond to audits or lawsuits is heavily dependent on how well its records and information are managed. Establishing GARP within an organization demonstrates reasonable adherence to best practices.
The benefits of implementing GARP in an information management program are realized when the organization's records accurately and efficiently demonstrate what it has done and promote its plans for the future.
Learn more about records and information management.
Applying the GARP principles can help an organization reach its strategic objectives. GARP not only helps an organization properly manage its information in compliance with legislative mandates and regulatory requirements, but it also improves business operations by guaranteeing that:
- Information will be protected against loss. It ensures that an organization's critical records are backed up, protected and easily accessible, allowing it to continue business in the event of a disaster.
- Information will be available when needed. It allows employees to locate, retrieve and disseminate information needed for making decisions, transacting business and responding to litigation -- all of which have a positive impact on an organization's bottom line.
- Information will be retained as required and disposed of when no longer required. It ensures that organizations have records retention schedules and that records are disposed of in the normal course of business. To ensure that employees are complying with records retention and other records management policies, organizations must regularly conduct internal audits.
- External investigations and litigation obligations can be easily met.
It is not always easy to describe what "good record keeping" looks like. Yet, this question gains in importance as regulators, shareholders and customers are increasingly concerned about the business practices of organizations. The GARP Information Governance Maturity Model begins to paint a more complete picture of what effective information governance looks like by assessing and measuring an organization's level of adherence to each principle.
The Maturity Model describes for each principle and at each level the characteristics that are typical:
- Level 1 (Sub-Standard): Record-keeping concerns are either not addressed at all, or they are addressed in an ad hoc manner;
- Level 2 (In Development): There is a developing recognition that record keeping has an impact on the organization and that the organization may benefit from a more defined information governance program;
- Level 3 (Essential): There are defined policies and procedures, and more specific decisions are taken to improve record keeping;
- Level 4 (Proactive): Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements;
- Level 5 (Transformational): Information governance has been integrated into an overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine.
Effective information governance requires a continuous focus. But in order to get started, organizations can look to the following steps:
- Identify the gaps between the organization's current practices and the desirable level of maturity for each principle;
- Assess the risk(s) to the organization, based on the biggest gaps;
- Determine whether additional information and analysis is necessary;
- Develop priorities and assign accountability for further development of the program.
The Maturity Model is most useful to leaders who wish to achieve the maximum benefit from their information governance practices. Initially, it is not unusual for an organization to be at differing levels of maturity for the eight principles; it represents a preliminary assessment of the program's maturity. Further analysis and consultation with experts may be needed to achieve necessary program improvements.
Learn more about the GARP Maturity Model.
Let us know what you think about the FAQ; email firstname.lastname@example.org.