Shoring Up Information Governance with GARP®
ARMA International officially released its Generally Accepted Recordkeeping Principles® (GARP®) in February 2009 and the GARP® Maturity Model in 2010. Interest in GARP®, as measured by media mentions and registrations in web seminars and conference sessions, is high. But, not surprisingly for something so new, success stories and war stories of GARP® in records and information management (RIM) are rare, as it is still more a matter of conversation than implementation. Regardless, the need for GARP® as documented below has never been greater.
Gordon E.J. Hoke, CRM
One reason for the gradual adoption of GARP® is its nature. Its eight principles are not new in their essence:
- They reflect RIM’s best practices as of 2009. GARP® is a codification of these practices, a packaging, and a branding.
- They are not new ideas. Records managers already using best practices need not immediately change what they do. They may choose to change the way they describe their work, citing GARP®, but their practices need only evolve and mature, as before.
GARP® is a synthesis, an interpretation, a presentation, and an important iteration of a hallowed tradition. The discipline of recordkeeping enjoys a heritage and evolutionary path at least 4,500 years old (e.g., Sumerian stone carvings, circa 2500 BCE, show tax records, according to the University of Pennsylvania Almanac).
GARP® Meets Changing Challenges
Certainly GARP® addresses change. While best practices in RIM evolve slowly, recent years witnessed a rapid change in technology, a proliferation of record-holding media, and a major expansion of RIM’s role in corporate and agency life. Before, when records managers kept to themselves in basement record centers, there was little need to interpret best practices to outsiders.
In 2011, executives in technology, finance, law, operations, and other areas confront momentous issues that require modern records management to resolve. Until GARP®, however, records managers lacked the language and tools to demonstrate how their discipline could contribute to solving problems that vexed their executive colleagues.
Certified public accountants have their Generally Accepted Accounting Principles, IT staff has its Generally Accepted Practices for Securing Information, the legal community has its statutes and case law, and the compliance area has its regulations. These criteria provide external benchmarks for evaluating professional practices.
Until GARP®, records management had nothing equivalent. Certainly standards existed, but none provided touch points for integrating RIM into the upper echelons of organizational leadership. GARP® serves as a great equalizer and a significant improvement to the quantification of its age-old discipline.
Every day, organizations that ignore GARP® find their names splashed across the news media in an unfavorable light. Their transgressions or neglect may be from any of the eight principles, but the effect is much the same: hurt individuals, financial loss, tarnished reputation, and even leaders in prison. Applying GARP® and its maturity model can be seen as risk management. The maturity model assesses an organization’s level in each of the eight areas. Low scores equal risk. Leaders can assess the gap between actual risk and their acceptable level of risk. This points the way for remediation.
Following are examples of why the eight principles of GARP® are necessary.
Accountability
“The buck stops here.” That was a sign on the desk of U.S. President Harry S. Truman to indicate that no matter how many underlings denied responsibility, ultimately he was in charge. So it is in records management. Commonly, departments pass around RIM like a hot potato. A corporate counselor was heard to say, “I don’t want a records manager in legal. That’s one less attorney I can hire.”
The principle of accountability requires a person of authority to take responsibility for RIM. The effectiveness of the RIM program must be a criterion for this “buck-stopper’s” performance review. This records czar must be sure the RIM program has adequate budget year in and year out and is adequately staffed. This leader ensures policies and procedures are in place and activated. She or he authorizes, leads, and measures RIM governance, including a steering committee of stakeholders. Finally, this “buck-stopper” interprets and advocates for the RIM program to the highest level of the organization, including directors. They must hear that:
- Ensuring effective records management is part of their fiduciary responsibility.
- RIM policies and procedures apply to them: They are not above GARP®.
Lack of accountability within an organization leads to dire consequences. On November 16, 2010, U.S. Representative Charles B. Rangel (D-N.Y.) released a statement deploring a congressional panel for convicting him of 11 ethics violations. In The New York Times, Rangel said, “Any failings in my conduct were the result of ‘good faith mistakes’ and were caused by ‘sloppy and careless record keeping, but were not criminal or corrupt.’” Unfortunately, neither Rangel nor anyone on his staff was accountable for records management.
A few days earlier, on November 11, 2010, VoiceofOC.com lamented a potentially criminal lack of accountability in municipal governments in Orange County, Calif., saying, “A check into email retention policies across Orange County revealed wide inconsistencies. Some cities destroy emails after 30 days, some after 90 days. Some have no policy at all. Some direct their employees to save certain categories of emails and destroy the rest. Most are violating the California Public Records Act, according to the First Amendment advocacy group Californians Aware.”
These examples show that, even in the absence of criminal intent, the damage from a lack of accountability can be severe.
Transparency
The principle of transparency is related to accountability. It effectively says, “It’s not enough to have a records ‘buck-stopper’ on staff. Who that person is and how he or she governs RIM should also be clear and apparent.”
Transparency actually has two parts. The first is governance. From the board of directors to the mailroom staff, it should be clear who is in charge of RIM and who has RIM responsibilities. This includes a stated chain of command.
Similarly, transparency means the policies and procedures by which records are managed are clear and readily available, preferably in hard copy and online.
When something goes wrong with records, there should be no ambiguity about who had immediate responsibility. Similarly, when situations call for a new evaluation, decision, or policy, there should be no ambiguity about who is in a position to do it.
In response to Rangel’s comment, Rep. Michael McCaul (R-Texas) said to RTTNews.com, “I am hopeful as we move forward with this matter into the next phase, [that] at the end of the day we will be able to begin an era of transparency and accountability, a new era of ethics that will restore the credibility of this House.”
Integrity
The principle of integrity means that records have not been changed or altered since they were declared records. If a record is copied from another record, that action is noted and dated. There should be no ambiguity about authenticity. The antitheses of integrity in records are malfeasance and fraud. In malfeasance, records appear to be what they are not through sloppy or neglectful management. Perpetrators of fraud deliberately and criminally destroy records’ integrity.
Records lacking integrity can cause cataclysm. Every Ponzi scheme, such as that famously run by Bernie Madoff, depends on records without integrity. A criminal has to “cook the books” to hide the dastardly acts.
Also, records lose integrity through immature RIM programs. Records circulating without a chain of custodians lose integrity. When staffers make copies without showing the relationship of record to copy, the integrity of the original is threatened.
As mentioned, the consequences of records lacking integrity can be severe. Madoff received a 150-year prison sentence, and the ramifications of his scheme continue. As reported in Bloomberg News on November 18, 2010, Madoff’s associate Annette Bongiorno, “who started as an administrator for Madoff in 1968, was arrested [today] and charged with conspiracy, securities fraud, falsifying books and records of a broker-dealer, falsifying books and records of an investment adviser and committing tax evasion … Bongiorno faces as much as 75 years in prison if convicted of all charges.”
Protection
Like a coin, the principle of protection has two sides. The first requires safety for records. A mature RIM program protects records from thievery and/or sabotage from outside and inside the organization. The principle of protection limits access to records and employs safeguards for physical and digital media. It means that every record has a custodian from the time it enters an organization (or is created) to its disposal. There are no orphan records.
The second side of protection is privacy. Access to records is a privilege granted only when appropriate and necessary. While privacy standards vary by nation and culture, breaking those standards is both common and direful.
On November 9, 2010, the Ponemon Institute and ID Experts released a study reported on InfoSecurity.com. After interviewing executives at 65 healthcare organizations, they found that the two-year cost to healthcare organizations for data breaches was $2 million each. Additionally, the lifetime cost per patient for lost data was $107,580.
Consider the case of Massachusetts’s South Shore Hospital. In February 2010, the records and IT staff sent three large boxes of private-but-outdated patient records (medical and business) and employee records to a record destruction facility in Texas. Only one box arrived. In June, when the hospital finally announced that an intense search for the missing boxes had failed, the patients and staff were horrified. The lost records included Social Security and credit card numbers and revealing medical information. The potential value was inestimable.
The hospital first promised to notify each of the 800,000 persons affected, then reneged when it found that the cost of notification alone would be $7 million. By July, none had reported identity theft or fraudulent credit charges. A probing investigation surmised the missing boxes likely went to a secure landfill and future threats from the data loss were unlikely.
South Shore’s experience illustrates both sides of the protection coin. Only the middle of the three boxes carried the shipping address; the side boxes were left unprotected. Additionally, it was only by luck that individuals’ privacy was preserved.
Compliance
Virtually every organization and individual is subject to regulations. It’s been said, with tongue in cheek, that the first people subjected to sanctions for non-compliance were Adam and Eve. They were kicked out of the Garden of Eden for not following applicable regulations.
The problem is that regulations and standards vary tremendously by location and industry. The same business with branches in two adjoining governmental jurisdictions may be subject to different requirements. In some ways, each records manager needs to be the local, resident expert.
It is not enough for an organization to merely comply. It has to be able to prove its compliance by producing verifying records. Failure to do so can carry huge consequences. On November 17, 2010, onwallstreet.com reported that a Massachusetts state regulator fined a Bank of America investment unit $100,000 for providing investors with misleading information about Fannie Mae and Freddie Mac.
Further, the regulator ordered an extensive compliance training program for the firm’s advisers. This is not unusual. Virtually every day brings reports of significant fines for regulatory non-compliance. On November 19, 2010, ClaimsJournal.com reported the U.S. Department of Labor’s Occupational Safety & Health Administration fined Illinois baker Interstate Brands Corp. $274,500 for 20 alleged violations of worker safety regulations. News media report much larger fines with surprising frequency.
Availability
The principle of availability requires records be deliverable to the right place, to the right person, at the right time, and in the right format. Availability is generally an operational issue, and it is here that RIM meets enterprise content management (ECM). ECM software provides many of the tools RIM practitioners use to ensure digital availability, including workflow, report management, and document management.
Availability of paper is largely a logistical issue, including filing, storage, retrieval, and accompanying document management techniques, such as check-out, delivery, and check-in. Availability of digital records dives deeply into technology. Records retrieval depends upon accurate classification, although modern search engines and whole-text retrieval tools create a level of fault tolerance.
Real-world examples of impaired availability abound. On November 17, 2010, a Daily Telegraph (UK) headline screamed “Fiji Loses Historic Independence Document.” The report detailed how a five-year search for Fiji’s original Independence Order had delivered nothing. The island nation was reduced to using a photocopy provided by the British government.
Three days earlier, the Dallas Morning News carried a story beginning, “Judges irritated over missing court documents after the Dallas County courts’ switch to a paperless system are demanding that they be allowed to switch back to paper … Several judges are complaining of delays when documents can’t be found during court proceedings.”
The availability principle contributes to the legally important data map. It offers the dictum: “Know what you have and where you have it.” Toward the end of the Qualcomm v. Broadcom case in 2008, Qualcomm’s legal team found its company possessed previously unknown records germane to the case. Even though it was the plaintiff, Qualcomm was fined and had to pay seven-figure damages to the defendant.
What good is it to save records and not be able to produce them when needed? This leads directly to the seventh principle.
Retention
For many practitioners, the principle of retention feels like the heart and soul of records management. To borrow from electronic media prophet Marshall McLuhan, who coined the phrase “The medium is the message,” if availability is the medium, retention is the message.
This principle measures and maintains records for as long as there is a good reason to keep them. Retention relates to protection by ensuring the integrity of storage media, whether physical or digital. It matches the media’s life expectancy to the length of time an organization needs to keep its records.
Retention considers five organizational needs and sets a retention period equal to the most long-term need.
- Operational – How long does a record contribute to the organization’s function?
- Legal – How long can the laws or the courts lay claim to the records?
- Regulatory – How long is an organization obliged to demonstrate its compliance?
- Survival – What records are vital to the organization and, hence, must be preserved as long as the entity exists? This includes disaster recovery procedures.
- Historical – What records have persistent or historical value and, hence, must be kept for posterity?
Failure to retain records carries large penalties, especially in the courts. In civil proceedings, ineffective retention can lead to punitive damages. When the court finds that records that should have been retained were intentionally removed, the charge is “spoliation,” which carries an immediate assumption of guilt.
The most famous examples are Arthur Andersen’s shredding of documents related to the collapse of Enron in 2001 and the nearly $30 million spoliation settlement in the Zubulake v. UBS Warburg case in 2003-2005.
Disposition
The principle of disposition is the flip side of retention. It may be just as important to get rid of unneeded records as it is to keep valued ones.
- Admissibility of records: Any records disposed according to an approved retention schedule (and not subject to special holds) cannot be subpoenaed. As one attorney noted, “What’s properly disposed can’t be used against you.” Keeping excess records raises legal and regulatory risks.
- Ease of retrieval: The smaller the haystack, the easier it is to find the needle.
- Cost of storage: While these vary widely by medium and location, record storage expenses range from significant to oppressive. Generally, keeping fewer records is cheaper.
In 2008 a national outpatient healthcare provider, which had not purged its paper record stores in years, found itself bound by its offsite storage vendor. The provider could afford to pay the yearly storage fees, but it had insufficient budget to pay the “permanent removal fees” to get out-of-date boxes of paper records out of the warehouse. Regularly disposing of outdated records would have prevented this impossible situation.
Every Organization Needs GARP®
These examples describe the misfortunes of organizations that do not subscribe to GARP®. There are commensurate benefits to organizations that do. The GARP® Maturity Model offers a real path for organizations seeking to lower their risk and improve the quality of their RIM programs. The maturity model is superb for performing a current state assessment. When that is quantified, it is a simple step to judge whether the measured risks of the records program are acceptable. The maturity model describes the qualities that will lower the risk.
An organization’s leaders may need GARP®’s executive-style presentation and ARMA International’s professional authority to expose and give full attention to their risks. Although the ideas are not new, the eight principles reflect the needs, exigencies, and sensibilities of 2011.
Gordon E.J. Hoke, CRM, can be contacted at firstname.lastname@example.org.
From January - February 2011