Priscilla Emery
President, ECM Scope

• What is Compliance?
• What is GARP?
• What is considered Best Practice in this area?
• A Framework for Compliance: Governance is Still Key

What is Compliance?
• Conformity in fulfilling official requirements (Source: Merriam-Webster Dictionary)
• The act of willingly carrying out the wishes of others
• Compliance is either a state of being in accordance with established guidelines, specifications, or legislation, or the process of becoming so (Source: Whatis.com)
• Implies consistency of practice and positive intent

• Regulatory
• Company Specific
• Professional
• Confidentiality
• Discovery / Legal Subpoena
• Business Continuity

Culture of Compliance Comes From the Top
• Unwritten code of silence that resulted in employees failing to report suspected wrongdoing when they saw it

Example: Boeing Corp
• Problem: Alleged use of proprietary documents brought by a former Lockheed employee to Boeing
◦ Fallout: Lost $1 billion of launches, was suspended from the launch business for 20 months, and Lockheed sued Boeing for more than $1 billion.
• Problem: Separate investigation into violations of conflict-of-interest laws related to the hiring of government employees
◦ Fallout: Cost Boeing the U.S. Government tanker market and left Italy as its only customer.
• Big Negative Impact to Boeing’s Reputation
• Forced a senior executive to plead guilty to one felony count of aiding and abetting a violation of the conflict-of-interest laws, serve time in a federal prison, pay a fine of $250,000, and forfeit approximately $5 million in equity-based compensation.

Boeing Example:
◦ Denial of export licenses
◦ Potential loss of security clearances
◦ Potential prohibition of use and possession of explosive devices (used to trigger airplane door “actuators”)
◦ Denial of State Department licenses
◦ Millions of dollars in additional fines and penalties
Source: Anatomy of Compliance Costs: The Boeing Cases, Christopher A. Myers, Holland & Knight LLP

Generally Accepted Recordkeeping Principles (GARP)
◦ Maturity Model for Records Management Program
◦ Helps to Define the Characteristics of Various Levels of Recordkeeping Programs

Level 1 (Sub-standard): This level describes an environment where recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner.

Level 2 (In Development): This level describes an environment where there is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program. However, in Level 2, the organization is still vulnerable to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature.

Level 3 (Essential): This level describes the essential or minimum requirements that must be addressed in order to meet the organization’s legal and regulatory requirements. Level 3 is characterized by defined policies and procedures, and more specific decisions taken to improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions may still be missing significant opportunities for streamlining business and controlling costs.

Level 4 (Proactive): This level describes an organization that is initiating information governance program improvements throughout its business operations. Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements. Organizations that identify primarily with these descriptions should begin to consider the business benefits of information availability in transforming their organizations globally.

Level 5 (Transformational): This level describes an organization that has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine. These organizations have recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service.
Source: ARMA International

GARP Principles:
• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition

The Principle of Compliance: The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
Source: ARMA International

Compliance, Level 1 (Sub-standard): There is no clear definition of the records the organization is obligated to keep. Records and other business documentation are not systematically managed according to records management principles. Various groups of the organization define this to the best of their ability based on their interpretation of rules and regulations. There is no central oversight and no consistently defensible position. There is no defined or understood process for imposing “holds.”

Compliance, Level 2 (In Development): The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well-defined accountability for compliance. There is a hold process, but it is not well-integrated with the organization’s information management and discovery processes.

Compliance, Level 3 (Essential): The organization has identified all relevant compliance laws and regulations. Record creation and capture are systematically carried out in accordance with records management principles. The organization has a strong code of business conduct which is integrated into its overall information governance structure and recordkeeping policies. Compliance and the records that demonstrate it are highly valued and measurable. The hold process is integrated into the organization’s information management and discovery processes for the “most critical” systems. The organization has defined specific goals related to compliance.

Compliance, Level 4 (Proactive): The organization has implemented systems to capture and protect records. Records are linked with the metadata used to demonstrate and measure compliance. Employees are trained appropriately and audits are conducted regularly. Records of the audits and training are available for review. Lack of compliance is remedied through implementation of defined corrective actions. The hold process is well-managed, with defined roles and a repeatable process that is integrated into the organization’s information management and discovery processes.

Compliance, Level 5 (Transformational): The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels. Auditing and continuous improvement processes are well-established and monitored by senior management. The roles and processes for information management and discovery are integrated. The organization’s stated goals related to compliance have been met. The organization suffers few or no adverse consequences based on information governance and compliance failures.
Source: ARMA International

What Maturity Level Do You Think Your Organization Most Fits for Compliance of its Records Management Program?

ARMA – www.arma.org

Longwood, FL 32779 USA
E-Mail: pemery@ecmscope.com
www.ecmscope.com