Priscilla Emery President, ECM Scope. What is Compliance? What is GARP? What is considered Best...

Date post: 03-Jan-2016
Upload: marybeth-gilbert

Priscilla Emery, President, ECM Scope

What is Compliance?
What is GARP?
What is considered Best Practice in this area?
A Framework for Compliance Governance is Still Key

Conformity in fulfilling official requirements (Source: Merriam-Webster Dictionary)

The act of willingly carrying out the wishes of others

Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so (Source: Whatis.com)

Implies consistency of practice and positive intent

• Regulatory
• Company Specific
• Professional
• Confidentiality
• Discovery / Legal Subpoena
• Business Continuity

Culture of Compliance Comes From the Top
• Unwritten code of silence that resulted in employees failing to report suspected wrongdoing when they saw it

Example: Boeing Corp
◦ Problem: Alleged use of proprietary documents brought by former Lockheed employee to Boeing
◦ Fallout: Lost $1 billion of launches and suspended from the launch business for 20 months and Lockheed sued Boeing for more than $1 billion.
• Problem: Separate investigation into violations of conflict-of-interest laws related to the hiring of government employees
• Fallout: Lost Boeing the U.S. Government tanker market, and made Italy its only customer.
• Big Negative Impact to Boeing’s Reputation
• Forced a senior executive to plead guilty to one felony count of aiding and abetting a violation of the conflict-of-interest laws, serve time in a federal prison, pay a fine of $250,000, and forfeit approximately $5 million in equity-based compensation.

Boeing Example:
◦ Denial of export licenses,
◦ Potential loss of security clearances
◦ Potential prohibition of use and possession of explosive devices (used to trigger airplane door “actuators”),
◦ Denial of State Department licenses,
◦ Millions of dollars in additional fines and penalties.

Source: Anatomy of Compliance Costs: The Boeing Cases, Christopher A. Myers, Holland & Knight LLP

Generally Accepted Recordkeeping Principles
◦ Maturity Model for Records Management Program
◦ Helps to Define the Characteristics of Various Levels of Recordkeeping Programs

Level 1 (Sub-standard): This level describes an environment where recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner.

Level 2 (In Development): This level describes an environment where there is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program. However, in Level 2, the organization is still vulnerable to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature.

Level 3 (Essential): This level describes the essential or minimum requirements that must be addressed in order to meet the organization’s legal and regulatory requirements. Level 3 is characterized by defined policies and procedures, and more specific decisions taken to improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions may still be missing significant opportunities for streamlining business and controlling costs.

Level 4 (Proactive): This level describes an organization that is initiating information governance program improvements throughout its business operations. Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements. Organizations that identify primarily with these descriptions should begin to consider the business benefits of information availability in transforming their organizations globally.

Level 5 (Transformational): This level describes an organization that has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine. These organizations have recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service.

Source: ARMA International

• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition

The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Source: ARMA International

There is no clear definition of the records the organization is obligated to keep.

Records and other business documentation are not systematically managed according to records management principles. Various groups of the organization define this to the best of their ability based on their interpretation of rules and regulations.

There is no central oversight and no consistently defensible position.

There is no defined or understood process for imposing “holds.”

Source: ARMA International

The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well-defined accountability for compliance.

There is a hold process, but it is not well-integrated with the organization’s information management and discovery processes.

Source: ARMA International

The organization has identified all relevant compliance laws and regulations.

Record creation and capture are systematically carried out in accordance with records management principles.

The organization has a strong code of business conduct which is integrated into its overall information governance structure and recordkeeping policies.

Compliance and the records that demonstrate it are highly valued and measurable.

The hold process is integrated into the organization’s information management and discovery processes for the “most critical” systems.

The organization has defined specific goals related to compliance.

Source: ARMA International

The organization has implemented systems to capture and protect records.

Records are linked with the metadata used to demonstrate and measure compliance.

Employees are trained appropriately and audits are conducted regularly.

Records of the audits and training are available for review.

Lack of compliance is remedied through implementation of defined corrective actions.

The hold process is well-managed with defined roles and a repeatable process that is integrated into the organization’s information management and discovery processes.

Source: ARMA International

The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels.

Auditing and continuous improvement processes are well-established and monitored by senior management.

The roles and processes for information management and discovery are integrated.

The organization’s stated goals related to compliance have been met.

The organization suffers few or no adverse consequences based on information governance and compliance failures.

Source: ARMA International

What Maturity Level Do you Think Your Organization Most Fits for Compliance of its Records Management Program?

ARMA – www.arma.org

Longwood, FL 32779 USA
E-Mail: [email protected]

www.ecmscope.com

