2014-07-01 - ECM Compliance (Marcelle Blasl)

ECM and Compliance
Marcelle Blasl
ECMm² (AIIM)
2014-07-01
Agenda
• Compliance Overview
• ECM
• Records Management
• Compliance in Context
• Q&A
Compliance
• The act or process of doing what you have been asked or ordered to do.
• To act in accordance with any acceptable standard or criteria. The “acceptable standard” can refer to any kind of criteria, including business goals, performance measurements, laws, regulations or quality targets.
• A level of quality, achievement, etc., that is considered acceptable or desirable.
Source: Merriam-Webster dictionary
Why Compliance?
Transacting business is evident in the records of such activities.
• Non-compliance with legislation, e.g. Section 13 of the NARS Act dealing with the management of records
• Non-conformance in audits with respect to record keeping
Audit outcomes:
– Unqualified / Clean
– Qualified
– Disclaimer
It is all about the records.
Compliance?
• Regulatory drivers
– Companies Act
– National Archives of South Africa Act (Act No 43 of 1996) (NARS)
– Promotion of Administrative Justice Act (Act No 3 of 2000) (PAJA)
– Promotion of Access to Information Act (Act No 2 of 2000) (PAIA)
– Electronic Communications and Transactions Act (Act No 25 of 2002) (ECT)
– DPSA Regulations regarding Information Management
– Public Finance Management Act, 1999 (PFMA)
– Municipal Finance Management Act, 1999 (MFMA)
– Sarbanes-Oxley (SOX)
– King 3
– Protection of Personal Information (POPI)
– Other organisation-specific requirements
• Government Drivers
– The Constitution of the Republic of South Africa, 1996 Section 32
– White Paper on e-Government
– The Batho Pele White Paper (“People First”)
Chart: Regulations by industry (estimated counts; vertical axis 0–450). Industries shown: Private, Government, Financial, Medical, Construction, Mining.
Compliance continued
• Internal drivers
– Lack of formal policies, standards and standardised structures for the management of information and records
– Problems retrieving documents and information
– Insufficient security
– Problems with reporting and auditing
– Lack of good corporate governance on records and information management
– Lack of accountability – no CIO or records manager as specified in the MFMA and PAIA Acts
– Cumbersome processes and approvals
– Non-compliance with legislation exposes the organisation to risk (PFMA, PAJA, PAIA Acts)
– Performance management
– Filing space problems
– Backlogs of filing in registries
– Business operations at risk through the lack of a disaster recovery plan covering all records under the organisation's control
• External drivers
– The public demands better services
– Other similar organisations are doing it better (competition)
– Emerging technologies (many products and vendors)
ECM
Enterprise Content Management (ECM) is the strategies, methods and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes.
High-Level ECM Architecture
Policies
• Information Management Policy
– Records Management Policy
– Enterprise Content Management (ECM) Policy
– Records Centre Policy
– Archiving Policy
– Internet Policy
– Intranet Policy
• Other affected policies
– Social Media & Collaboration Policy
– Printing / Copying Policy
– E-Mail Policy
– Telephone Policy
– Digital Signatures / Approval Policy
– Scanning Policy
– Information Security Policy
– Information Classification Policy
Good Record Keeping
According to NARSSA, records management is:
A process of ensuring the proper creation, maintenance, use and disposal of records throughout their life cycle to achieve efficient, transparent and accountable governance.
Records Management
SANS (ISO) 15489 Information and documentation – Records management
Section 13 of the NARS Act:
– S.13(1)
– S.13(2)(a)
– S.13(2)(b)(i)
– S.13(2)(b)(ii) and (iii)
– S.13(5)
Section 13 (1)
• Mandates the National Archivist to regulate records management practices
• Aligned with international best practice and international standards
– SANS (ISO) 15489 Information and documentation – Records management, which supports the records management requirements in section 13 of the National Archives and Records Service Act
Section 13 (5)
Designate a records manager to take responsibility for the records management practices and to ensure that the office complies with the National Archives Act.
Section 13 (2) (a)
• No public record shall be:
– transferred
– destroyed
– otherwise disposed of
• without written authorization of the National Archivist.
Section 13 (2) (b) (i)
The National Archivist shall determine the records classification systems to be used by governmental bodies.
File Plan
A plan to file records.
• Paper environment
– File into physical folders opened according to the File Plan
• Electronic environment
– Metadata
• Structured
• Visible
Section 13 (2) (b) (ii) and (iii)
• The National Archivist shall determine the conditions subject to which
– electronic records systems shall be managed
– records may be reproduced electronically
• Conditions contained in Managing electronic records in governmental bodies: Policy, principles and requirements
Conditions for the management of electronic records
• From a records management perspective
– Capturing of authentic and reliable records (authoritative records)
– Subject classification
– Retrieval
– Disposal
– Long-term preservation
Manage records in an Integrated Document and Records Management System
• managing a corporate file plan according to which records are filed;
– including an e-mail integration that ensures that e-mails are filed to the corporate file plan;
• maintaining the relationships between records and files, and between file series and the file plan;
• identifying records that are due for disposal and managing the disposal process;
Manage authenticity
• Metadata
– Guidelines in Managing electronic records in governmental bodies: Metadata requirements
– Based on SANS 23081: Information and documentation – Records management processes – Metadata for records – Part 1: Principles
Manage authenticity
• Audit trail
– Guidelines in Managing electronic records in governmental bodies: Metadata requirements
– Based on SANS 15801: Electronic imaging – Information stored electronically – Recommendations for trustworthiness and reliability
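As an added illustration, not part of the presentation and not any product's code, the Python sketch below shows how the controls on the preceding slides (filing against a file plan, identifying records due for disposal, refusing disposal without written authorization, and a tamper-evident audit trail) can be enforced together in a records register. Record identifiers, file plan references, dates, retention periods and the authorization reference are constructed placeholders; the SHA-256 hash chain is one common way to make an audit trail self-verifying and is not a requirement quoted from SANS 15801.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    file_ref: str           # file plan reference, constructed (e.g. "2/3/1")
    created: date
    retention_years: int    # retention period taken from the file plan, constructed
    disposed: bool = False


class RecordsRegister:
    """Minimal register: file-plan filing, disposal control, hash-chained audit trail."""

    GENESIS = "0" * 64  # prev_hash of the first audit entry

    def __init__(self):
        self.records = {}
        self.audit_trail = []  # each entry carries the SHA-256 of the previous entry

    def _append_audit(self, action, record_id, detail):
        prev_hash = self.audit_trail[-1]["hash"] if self.audit_trail else self.GENESIS
        entry = {"seq": len(self.audit_trail), "action": action,
                 "record_id": record_id, "detail": detail, "prev_hash": prev_hash}
        # Hash the canonical JSON of the entry (without its own hash field).
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.audit_trail.append(entry)

    def capture(self, record):
        """File a record against its file plan reference and log the capture."""
        self.records[record.record_id] = record
        self._append_audit("capture", record.record_id, {"file_ref": record.file_ref})

    def due_for_disposal(self, today):
        """Records whose retention period (365-day years) has elapsed and are not yet disposed."""
        return [r.record_id for r in self.records.values()
                if not r.disposed
                and r.created + timedelta(days=365 * r.retention_years) <= today]

    def dispose(self, record_id, authorization_ref=None):
        """Disposal is refused, and the refusal logged, unless a written authorization reference is supplied."""
        record = self.records[record_id]
        if not authorization_ref:
            self._append_audit("disposal_refused", record_id,
                               {"reason": "no written authorization"})
            return False
        record.disposed = True
        self._append_audit("dispose", record_id, {"authorization_ref": authorization_ref})
        return True

    def verify_audit_trail(self):
        """Recompute every hash and check each link; False if any entry was altered or removed."""
        prev_hash = self.GENESIS
        for entry in self.audit_trail:
            if entry["prev_hash"] != prev_hash:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def demo():
    """Walk through capture, disposal review, refused and authorized disposal, and tamper detection."""
    reg = RecordsRegister()
    reg.capture(Record("R-001", "2/3/1", date(2005, 6, 1), 5))     # constructed
    reg.capture(Record("R-002", "4/1", date(2013, 1, 15), 10))     # constructed
    due = reg.due_for_disposal(date(2014, 7, 1))                   # ["R-001"]
    refused = reg.dispose("R-001")                                 # False: no authorization
    approved = reg.dispose("R-001", "AUTH-REF-PLACEHOLDER")        # True: placeholder reference
    intact = reg.verify_audit_trail()                              # True
    reg.audit_trail[2]["detail"]["reason"] = "edited after the fact"  # simulate tampering
    tampered = reg.verify_audit_trail()                            # False
    return due, refused, approved, intact, tampered


if __name__ == "__main__":
    print(demo())
```

The refusal itself is written to the audit trail, so an attempt to dispose of a record without authorization leaves evidence rather than silently failing, which is what an auditor reviewing the trail against Section 13(2)(a) would look for.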
Long-term accessibility
• Electronic records preservation plan
– Technology watch
– Migration
– Budget
Conclusion
If it cannot be read, it does not exist.
ECM compliance touches:
• Financial
• Resources – People
• Data and Information
• Security and Access Control
• Technology & Infrastructure
• Business – Processes
• Regulatory
RM Standards
Standards compared: US DoD 5015.2, UK, RIMTech Fortune 1000, Victoria Public Records Office, ICA, ISO 15489, NARSSA, and SharePoint 2013 out of the box (SP2013 OotB).
Compliance requirement counts shown on the slide:
– NARSSA (441)
– ICA (275)
– Baseline US DoD 5015.2 (168)
– Fortune 1000 (105)
– SP OotB (72)
Differences – Technology
• An out-of-the-box implementation does not give adherence to compliance requirements
• Customisation does not guarantee compliance
• Third-party tools are required
Managing Compliance
1. Determine what the criteria should be
2. Develop techniques (controls) to ensure that the criteria are followed
3. Identify the risks that an organisation faces and advise on them
4. Design and implement controls to protect an organisation from those risks (prevention)
5. Monitor and report on the effectiveness of those controls in the management of an organisation's exposure to risks (monitoring and detection)
6. Resolve compliance difficulties as they occur (resolution)
7. Advise the business on rules and controls (advisory)
References:
http://www.national.archives.gov.za
http://www.rimtech.ca/f1000-requirements.html
http://www.gimmalsoft.com
Marcelle Blasl
blasl@global.co.za
Cell: 082 859 1507