Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Human Resource Management

Sample Records and Informatin Management Assessment Report

advertisement 
Sample Assessment
Records and Information
Management Program
Assessment Report
Key Findings and
Recommendations
Prepared by John Doe
Month/Year
Records and Information Management Assessment
1 Contents
2
EXECUTIVE SUMMARY................................................................................................................................... 3
2.1
2.2
2.3
3
APPROACH .................................................................................................................................................... 5
3.1
4
APPROACH.......................................................................................................................................................5
KEY FINDINGS AND RECOMMENDATIONS ..................................................................................................... 5
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
4.13
4.14
5
BACKGROUND ..................................................................................................................................................3
SUMMARY OF KEY FINDINGS ...............................................................................................................................3
HIGH-LEVEL RECOMMENDATIONS ........................................................................................................................4
PHYSICAL RECORDS – FINDINGS ...........................................................................................................................5
PHYSICAL RECORDS – RECOMMENDATIONS ............................................................................................................6
MICROFILMING – FINDINGS ................................................................................................................................6
MICROFILMING – RECOMMENDATIONS .................................................................................................................7
SCANNING/DIGITIZATION – FINDINGS ...................................................................................................................7
SCANNING/DIGITIZATION - RECOMMENDATIONS.....................................................................................................7
ELECTRONIC RECORDS – FINDINGS .......................................................................................................................7
ELECTRONIC RECORDS - RECOMMENDATIONS .........................................................................................................8
GOVERNANCE AND POLICY – FINDINGS .................................................................................................................9
GOVERNANCE AND POLICY - RECOMMENDATIONS ...................................................................................................9
TRAINING AND AWARENESS – FINDINGS ..............................................................................................................10
TRAINING AND AWARENESS - RECOMMENDATIONS ...............................................................................................10
LEGAL HOLDS – FINDINGS .................................................................................................................................11
LEGAL HOLDS - RECOMMENDATIONS ..................................................................................................................11
PROPOSED HIGH-LEVEL ROADMAP ............................................................................................................. 11
5.1
5.2
5.3
SHORT-TERM (BUSINESS READINESS STAGE) ........................................................................................................11
MID-TERM (IMPLEMENTATION STAGE) ...............................................................................................................12
LONG-TERM (SUSTAINABILITY STAGE) .................................................................................................................13
APPENDIX A. ........................................................................................................................................................ 14
6
GARP MATURITY ASSESSMENT.................................................................................................................... 14
6.1
APPROACH.....................................................................................................................................................14
6.2
GARP MATURITY SCORES ................................................................................................................................14
6.3
GARP MATURITY SCORES BY PRINCIPLE ..............................................................................................................15
6.3.1 Principle of Accountability .....................................................................................................................15
6.3.2 Principle of Transparency .......................................................................................................................15
6.3.3 Principle of Integrity ...............................................................................................................................16
6.3.4 Principle of Protection ............................................................................................................................16
6.3.5 Principle of Compliance..........................................................................................................................16
6.3.6 Principle of Availability ..........................................................................................................................17
6.3.7 Principle of Retention .............................................................................................................................17
6.3.8 Principle of Disposition ...........................................................................................................................17
6.4
GARP MATURITY SCORES BY PRINCIPLE – INDUSTRY TARGETS ................................................................................17
6.5
KEY FINDINGS AND RECOMMENDATIONS FROM GARP ASSESSMENT ........................................................................18
Page 2 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
2 Executive Summary
2.1 Background
Over the past three months, University Records and Information Management (URIM) reviewed current
policies, procedures, and practices. URIM identified and met with approximately 20 stakeholders and
departments that provided a representative sample of departments across the university’s colleges and
divisions. These interviews were conducted in order to gain insight into UNIVERSITY’s current
recordkeeping practices. As part of this assessment, current practices were then compared against
existing policies, procedures and industry best practices. After completion of the departmental
interviews, URIM sent a Records and Information Management survey to approximately 160 additional
departments to gain insights into their current practices and needs regarding the management of paper
records, microfilm, digital imaging and electronic records. Approximately 60 departments responded.
The survey results were then incorporated into this assessment. After gaining an understanding of
UNIVERSITY’s current recordkeeping practices, URIM completed an industry-based assessment using the
Generally Accepted Recordkeeping Principles (GARP) Maturity Assessment Tool, from ARMA
International. The GARP Assessment details are located in Appendix A of this report. The key findings of
the GARP Assessment were incorporated into the body of this report.
2.2 Summary of Key Findings
1. There is no active records management advisory committee to provide direction and oversight
2. There is no university-wide approach or use of technology for the management of electronic
records
3. Electronic records are not identified by departments and are not making their way to the
University Records Center or University Archives
4. Litigation hold procedures exist, but are undocumented and not consistently applied, exposing
UNIVERSITY to possible risk during litigation
5. Records center inventory and departmental request activity is tracked using spreadsheets and is
not adequate
6. Approximately half of departments are performing scanning activities on their own with little
knowledge of industry best practices (format, compression, resolution, quality review). Many
smaller departments do not have resources to complete imaging projects
7. Some websites contain historical information that is not being preserved
8. Some departments are preserving historical records onto CDs or DVDs that may begin to
degrade in as little as 3 to 7 years
9. The retention schedule is outdated and lacks legal authorities
Page 3 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
2.3 High-Level Recommendations
1. Develop organizational governance – establish a Records Management Committee
2. Utilize a Department Records Liaison network to assist departments in the management of
paper and electronic records
3. Update the retention schedule and records management policy to support the management of
electronic records
4. Develop a university-wide electronic records center using SharePoint or some other repository
5. Provide electronic records management guidance and services to assist departments, including
imaging guidance
Page 4 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
3 Approach
3.1 Approach
Over the past three months, University Records and Information Management (URIM) reviewed current
policies, procedures, and practices. URIM identified and met with approximately 20 stakeholders and
departments that provided a representative sample of departments across the university’s colleges and
divisions. These interviews were conducted in order to gain insight into UNIVERSITY’s current
recordkeeping practices. As part of this assessment, current practices were then compared against
existing policies, procedures and industry best practices. After completion of the departmental
interviews, URIM sent a Records and Information Management survey to approximately 160 additional
departments to gain insights into their current practices and needs regarding the management of paper
records, microfilm, digital imaging and electronic records. Approximately 60 departments responded.
The survey results were then incorporated into this assessment. After gaining an understanding of
UNIVERSITY’s current recordkeeping practices, URIM completed an industry-based assessment using the
Generally Accepted Recordkeeping Principles (GARP) Maturity Assessment Tool, from ARMA
International. The GARP Assessment details are located in Appendix A of this report. The key findings of
the GARP Assessment were incorporated into the body of this report.
In addition, URIM conducted an in-depth assessment of its own practices for the management of paper
records, including the following areas:





The process for departments to box up records and send them to the records center
The process for how records are requested by departments and then delivered
The process for how physical records are identified and maintained in departments
The process for how the inventory of records in the records center are managed
The process for destroying records and the associated disposition approval process.
4 Key Findings and Recommendations
4.1 Physical Records – Findings
1. Many departments have a departmental filing area for physical records. About one-third of
these departments are having a least minor difficulty finding their records.
2. About half of the departments use some form of color-coded labeling to assist in the filing
and retrieval of department records, but there is no support to make this process more
efficient.
3. About 60% of the departments store records outside of their department, one-third of these
departments are storing records outside of their department, but in a storage area
somewhere in their own building.
4. There are approximately 14,000 boxes of records in the University Records Center. The
records center is nearing capacity. Disposition activity is being completed on a monthly
basis to make room for the next month’s inflow of new boxes.
5. The disposition process for boxes of records require department approval. There is no
process in place to ensure records approved for destruction are checked against current
litigation holds.
Page 5 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
6. The records center inventory and circulation (requesting) activity is being tracked by a
spreadsheet, resulting in time consuming, manual tasks to transfer data from phoned in and
faxed requests.
7. The service level to the university is not always consistent. Several departments said they
had to wait for at least a week to know what to do to have their boxes picked up.
8. There is no formal training program. Training is provided on a one-off basis, as requested by
departments
9. Departments are disposing of paper records without Record Center awareness.
10. Faculty want to get rid of exams but are not sure how long to keep them
4.2 Physical Records – Recommendations
1. Publish guidance for filing efficiency and color labeling on the URIM website. Incorporate this
guidance into training materials and deliver ongoing communications to build departmental
awareness of the available URIM services and drive URIM Liaisons to the URM website for
guidance.
2. Work with the Legal Department to develop and document legal hold procedures.
3. Develop a disposition process where departments and legal will only need to review boxes
eligible for destruction on a semi-annual or annual basis.
4. As a short-term measure, migrate the Google Doc-based records inventory and request log to an
Excel spreadsheet and management them on a departmental SharePoint site, in order to
provide backup, access from multiple computers and version control. Work with IT to acquire a
departmental SharePoint site for the URIM department to house the inventory in a multi-user
environment. As a more permanent solution, develop requirements for a bar code tracking
solution, then work with vendors to review functionality and pricing.
5. Identify and communicate to the departments a service level that can be consistently followed,
in order to set appropriate departmental expectations and student courier commitment. Update
URIM procedures to reflect the agreed upon service level agreement, as well as security
procedures regarding the pickup and drop off of confidential boxes or backup tapes.
6. Update the University Records and Information Management Policy. Include language to define
departmental disposition responsibilities and the role and purpose of the URIM Records Center.
The policy should enable departments to dispose of records that are no longer needed, as long
as retention requirements have been met and the records are not subject to a litigation hold
order.
4.3 Microfilming – Findings
1. Only two departments surveyed identified they have a potential need for microfilmed records
and only one made an attempt to have records microfilmed in the past three years.
2. The records center has drawers of microfiche and boxes of microfilm created by URIM’s internal
microfilming efforts during the past few decades. URIM has been unable to locate indexes for
these records and it has been verified that indexes were not created on the first few frames of
each roll.
3. URIM no longer retains the expertise necessary to microfilm records.
Page 6 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
4.4 Microfilming – Recommendations
1. It is recommended that URIM no longer provide microfilming services and that URIM use digital
imaging stored on M-Disc to service any future microfilming requests made by departments.
2. URIM should surplus, sell or transfer existing microfilming equipment. URIM should retain
enough equipment to fulfill department requests for viewing and printing microfilm, in order to
fulfill requests from Legal or other departments.
4.5 Scanning/Digitization – Findings
1. Approximately half of the departments are scanning records or are in the process of beginning a
scanning initiative. Approximately half of the departments that scan are disposing of records
immediately after the scanning & verification process, while the other half are storing the
records at the University Records Center or in a storage area within their building, indefinitely.
2. Most departments that scan are using available departmental scanning technology, such as an
office copy/scanner. When scanning, no document imaging standards are being followed, such
as file format, image resolution, file compression and quality control. Using industry best
practices, each document should be scanned at 300 dpi with a resulting file size of 20KB (black &
white) to 200KB (color) in file size. By conducting samples from several departments, it was
determined that most documents ranged from 1MB to 5MB in file size and no compression
technologies were utilized.
3. Approximately one-fourth of the departments transfer scanned documents onto DVDs, many of
which require permanent retention. It is unclear whether the DVDs are copies of records
retained in their systems or whether the DVD is the official, only remaining record. DVD, CD and
Blu-ray discs normally begin to show signs of determination in as little as 3 to 7 years.
4.6 Scanning/Digitization - Recommendations
1. URIM department should acquire at least one scanning station to enable the digitization of
department records.
2. URIM should create and publish digitization guidance for departments, based on industry best
practices. This guidance should be published onto the URIM Website and regular
communications should be sent to department records liaisons to build awareness of standards
and URIM service offerings.
3. URIM should provide one-on-one assistance to departments that want to move to digital
imaging or want to update their current scanning environment to use best practices.
4. URIM should consider providing digitization services for smaller departments on a cost recovery
basis. Particularly if the department cannot justify providing dedicated resources for scanning
equipment and personnel.
5. URIM should consider offering a “Scan on Demand” service for departments requesting files or
boxes of records. This service would allow records requests to be fulfilled digitally.
4.7 Electronic Records – Findings
1. Most records created or received by departments are electronic. Electronic records are not
being identified by the departments and are not making their way to Records Management or to
the University Archives.
2. There is no university-wide electronic records repository, with records management controls, in
which departments can safely store their records.
Page 7 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
3. In nearly every case, departmental electronic files are retained on Shared Drives, Outlook
Folders and PC hard drives. These filing areas lack records management controls, audit trails
and enhanced security. Department records could easily be deleted without others in the
department knowing.
4. There is no metadata standard used when capturing records and there are no controls to
prevent records or metadata from being altered.
5. Departments are not deleting electronic records and information after it is no longer needed for
business purposes and after retention requirements have been met.
6. Some department records are stored on PCs that are not backed up. Many employees use
external hard drives to make copies of their PC in case of a hard drive crash.
7. Electronic records are being stored in departments and in the Records Center on DVD and Bluray that can potentially deteriorate in as little as 3 to 7 years. The majority of these DVDs are
used to store permanent records.
8. UNIVERSITY Websites contain information of historical value. In some cases, this information is
not being preserved by departments.
4.8 Electronic Records - Recommendations
1. An electronic records center should be established to facilitate the capture and storage of
electronic departmental records. As IT already supports SharePoint, it is recommended that
URIM work with IT to develop an approach to capture departmental records into department
SharePoint sites, and then having a mechanism for these records to flow into a centralized
SharePoint Records Center, where records will be managed per approved retention policy.
2. Updates to the records retention schedule should include the identification of records series
that are to be sent to the University Archives. Rules should be applied to the SharePoint
Records Center to enable an automated approach for moving departmental records to the
University Archives. Consideration should be given to retain some electronic records in the
SharePoint Records Center instead of moving them to the Archives.
3. URIM should provide training and guidance to departments for the identification of electronic
records and the correct use of the electronic records center for storing department records as
well as provide guidance for moving away from the use of shared drives and personal computers
for the storage of electronic departmental records.
4. The university should consider implementing technology to enable university employees to
more easily store email records. After the SharePoint Records Center has been established, it is
recommended that departments have the capability to move email records into the SharePoint
environment.
5. URIM should work with departments to create an enterprise content type model and metadata
standard before the implementation of a university-wide electronic records center.
6. URIM should provide guidance to departments regarding the storage of records onto DVD and
other removable media. It is recommended where there is a need to store records onto a
removable media for storage, M-Disc technology be used, to support long-term storage.
7. URIM should consider providing M-Disc guidance and services to departments. This service
should include copying regular DVD or VHS to M-Disc.
Page 8 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
8. The university should consider supporting a campus-wide technology for backing up the
personal hard drives of university supplied desktop and laptop computers. Mosey and Crash
Plan are currently in wide use in industry.
4.9 Governance and Policy – Findings
1. UNIVERSITY lacks adequate organizational governance over its records and information
program. UNIVERSITY does not have a Records Management Committee at this time.
2. The Records Manager is responsible for implementing processes but has no direct authority
over departments to enforce policies.
3. University Records Management has focused on the management of paper records, but needs
to become better equipped to transition into an electronic recordkeeping environment.
4. Roles and responsibilities are not formally documented for department employees for the
management of records and information within their areas.
5. The University Records Management Policy does not contain adequate language to facilitate the
transition from a paper to an electronic records environment.
6. The University Records Retention Schedule does not contain citations to back up the defined
retention periods.
7. The University Records Retention Schedule is not suitable for implementation into an electronic
environment, as it is not following the best practice functional/business activity approach.
Retention periods are defined at the department level and there are inconsistencies in retention
periods for the same records in different departments, perhaps based on unique department
requirements. Different naming conventions are used for records between departments.
8. The general perception of University Records Management is that of dealing only with boxes of
paper records in the records center. One department interviewed asked why University Records
Management would be interested in their electronic information.
9. There are no formal goals set for departments to achieve a specific level of recordkeeping
compliance and there is no compliance assessment process to ensure policy is being followed.
Compliance to retention policy is left up to each college/division and is applied inconsistently
across departments.
4.10 Governance and Policy - Recommendations
1. The university should establish a Records Management Committee to provide oversight and
high-level guidance and goals to University Records and Information Management. It is
recommended the committee meet monthly. The committee should have representation from
Academic, Finance, Information Technology, Legal, Risk Management and the University
Archives.
2. The role of the Departmental Records Liaison should be defined, formalized and supported by
the university and department heads.
3. The URIM Policy should be updated to facilitate the movement of the university to an electronic
records environment. The policy should define the ownership of records and the responsibility
UNIVERSITY employees have in maintaining records.
4. The University Records Retention Schedule should be updated to reflect a best practice,
functional retention model that is suitable for implementing into an electronic records
Page 9 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
environment. The records retention schedule should contain references to citations, so that the
university can back up its approved retention periods.
5. A RIM Charter should be developed to define and document the roles and responsibilities of the
URIM Committee, URIM Department and Departmental Records Liaisons.
6. After the URIM Policy and technology for electronic records management has been
implemented, the university should consider measuring department compliance, possibly using
a self-assessment process.
4.11 Training and Awareness – Findings
1. There is a general lack of awareness among departments regarding their responsibility for the
management (records retention and disposition) of electronic records. Departments want
guidance to know what to keep and for how long, then what to do with it.
2. Although department training is performed when specifically requested by the departments,
there is not an active communication and training program to develop ongoing awareness and
transfer knowledge to department employees responsible for the management of paper and
electronic records. Many departments are not aware of the Records Management Program and
the services being offered.
3. No records management training is delivered during the onboarding process for new
employees.
4. It is unclear for many departments whether they have the official record or if they are
maintaining a copy of the records and are not sure how long to keep these duplicates records.
Often the department has a paper or electronic copy and a business application generates and
retains the official record.
5. The Department Contact List is out of date. In many cases, University Records Management
does not know who the records management contact is for a department, making it difficult to
send out a guidance.
4.12 Training and Awareness - Recommendations
1. Update the URIM Website to create a one-stop-shop for departmental Records and Information
Management guidance. Department guidance should include how to manage paper and
electronic records. Guidance should also include specific information regarding digital imaging
and the use of the M-Disc.
2. Develop departmental training materials that include guidance for the management of paper
and electronic records. Training materials should include training for identifying electronic
records within the department (departmental inventory) and the development of an action plan
for each identified records (Records Management Plan).
3. Update the Department URIM Liaison Directory to include all university departments. Develop a
method to associate each department of office to its parent College/Division, in order to
facilitate the creation of College/Division-wide training opportunities.
4. Develop a training program to reach out to and educate departments about URIM service
offerings. Whenever possible, train at the College/Division level.
5. Develop a communication plan to build awareness of the URIM Program and its service
offerings. It is recommended that consistent, periodic communications be sent to Department
URIM Liaisons to keep them updated on URIM service offerings. The communications plan
Page 10 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
should also map out communications that should come from senior level
university/college/division leadership.
4.13 Legal Holds – Findings
1. University Records Management is not always made aware of legal holds and there is a potential
for boxes of records being destroyed that may unknowingly be subject to a litigation matter.
2. Box transmittal forms are in paper form and are not searchable by University Records
Management or Legal. It is not possible at this time to place legal holds onto specific boxes,
based on their contents, as there is no searchable index.
3. Department employees are able to store email records in PST (personal archive) files. These
emails can be deleted by users subject to a legal hold.
4. Electronic records stored in file shares and on PC hard drives may be intentionally or
inadvertently deleted by users.
5. No data map exists to enable Legal to identify the location of records across the university.
Legal is not always aware of where departmental records are stored.
6. There is no enterprise search capability across departmental records to assist in the
identification of records relevant to a legal hold, nor is there the ability to apply legal holds onto
those records.
4.14 Legal Holds - Recommendations
1. Work with Legal to develop legal hold procedures. These procedures should ensure that
university records stored in the University Records Center or the future electronic records
center are part of the legal hold discussions with targeted persons/departments.
2. Digitize Box transmittal forms and provide on-line access to Legal, in order to conduct key word
searches and filterer by department and date ranges.
3. Utilize a records center tracking solution that has capability to manage the process of placing
boxes on legal hold.
4. It is recommended that Legal work with IT and URIM to develop a data map that includes a list
of systems and information storage repositories, along with a reference of the types of records
that reside therein.
5. It is recommended that Legal/URIM utilize the available Legal Hold capability of SharePoint to
place on hold, records stored in future department SharePoint sites and the future SharePoint
Records Center.
6. The university should consider disabling the ability for users to create personal email archives
(PST files). The university should consider the use of an email archiving solution or encourage
users to store emails that contain university business value into an electronic records repository.
5 Proposed High-Level Roadmap
5.1 Short-term (Business Readiness Stage)
1. Establish Records Management Committee
2. Develop URIM Program Charter
a. Define roles and responsibilities
b. Define goals and objectives of RIM program
Page 11 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
3. Update URIM Policy to support electronic records
4. Update the University Records Retention Schedule – Functional approach with citations
5. Document legal hold process
a. Work with Legal to document legal hold process
b. Incorporate legal hold process into disposition approval activities
6. Digitize Box Transmittal Forms
a. Provide online access of Box Inventory
b. Make available for use in legal hold review, department disposition review and archival
review processes
7. Implement URIM department SharePoint site
a. Convert Google Doc spreadsheet to Excel spreadsheet managed by Sharepoint
b. Migrate all URIM department content from Shared Drives to SharePoint
8. Develop electronic records guidance for department and incorporate into URIM website and
training materials
9. Update Department Liaison Directory
10. Provide imaging and M-disc guidance to departments
11. Microfilm
a. Remove microfilm equipment
b. Create master index of existing microfilm holdings
12. Send out general UNIVERSITY communication to build awareness of URIM Program and website
content
13. Deliver ongoing communications to department liaisons to build awareness of URIM services
14. Conduct URIM Program Training to departments
15. Identify Proof of Concept (POC) site for SharePoint RM Department Template/SharePoint
Records Center.
5.2 Mid-Term (Implementation Stage)
1.
2.
3.
4.
5.
6.
7.
8.
Implement records center tracking solution
Provide M-Disc transfer service to departments on a cost recovery basis
Provide Imaging service to smaller departments on a cost recovery basis
Provide scan on-demand service to departments
a. Fulfill file requests digitally
Work with departments to develop Record Management Plan/Inventory
Develop electronic records center requirements
Work with IT to develop/secure infrastructure for RM template and SP Records Center
Implement electronic records management solution
a. Develop Department template, Content Type Hub, Term Store and Records Center
b. Develop content type list and metadata model
c. Develop Data Map – locations of records across the university
d. Pilot RM Template
e. Develop change management plan
i. Communication
ii. Training
Page 12 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
f.
iii. Developing support
iv. Coaching supervisors
Implement phased rollout
5.3 Long-term (Sustainability Stage)
1.
2.
3.
4.
Measuring and reporting
Auditing for compliance
Ongoing training and support
Email, PST
a. Disable PST (personal email archives)
b. Enable departments to save email to SharePoint sites
5. Websites and structured IT systems
Page 13 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
Appendix A.
6 GARP Maturity Assessment
6.1 Approach
The Generally Accepted Recordkeeping Principles (GARP) provide quantitative standards to guide
information management and governance of record creation, security, maintenance, and other activities
used to effectively support recordkeeping of an organization. The University Records and Information
Management (URIM) department used the GARP assessment tool to determine the maturity of
UNIVERSITY’s records and information governance and practices as compared against GARP and
industry standards. The assessment was designed to rank UNIVERSITY’s maturity on topics like
document security and protection, records retention and disposition practices, availability, transparency
and integrity.
The GARP maturity assessment scores will be used to establish a baseline for records governance and to
provide an approach to objectively compare performance during process improvement efforts. Also, the
scores will be used to develop priorities for further development of the records and information
management program, including process and technology improvement to ensure effective and efficient
management of records and information.
The GARP assessment tool provided 108 questions. URIM conducted approximately 25 department
interviews to gain insight into UNIVERSITY’s current practices regarding the management of both paper
and electronic records. Following the interviews, URIM completed the 108 questions on the GARP
assessment tool, based on their findings from the departmental interviews.
6.2 GARP Maturity Scores
The GARP principles identify the critical hallmarks of information governance, which Gartner describes
as an accountability framework that “includes the processes, roles, standards, and metrics that ensure
the effective and efficient use of information in enabling an organization to achieve its goals.” The
scores are simple averages of the responses from each interview, with responses of “do not know” and
“does not apply” factored out. For each principle, the maturity model associates various characteristics
that are typical for each of the five levels in the maturity model:
Level 1 (Sub-Standard): This level describes an environment where recordkeeping concerns are either
not addressed at all, or are addressed in a very ad hoc manner. Organizations that identify primarily with
these descriptions should be concerned that their programs will not meet legal or regulatory scrutiny.
Level 2 (In Development): This level describes an environment where there is a developing recognition
that recordkeeping has an impact on the organization, and that the organization may benefit from a
more defined information governance program. However, in Level 2, the organization is still vulnerable
to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature.
Level 3 (Essential): This level describes the essential or minimum requirements that must be addressed
in order to meet the organization’s legal and regulatory requirements and is characterized by defined
policies and procedures and more specific decisions taken to improve recordkeeping. However,
Page 14 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
organizations that identify primarily with Level 3 descriptions may still be missing significant
opportunities for streamlining business and controlling costs.
Level 4 (Proactive): This level describes an organization that is initiating information governance
program improvements throughout its business operations. Information governance issues and
considerations are integrated into business decisions on a routine basis, and the organization easily
meets its legal and regulatory requirements. Organizations that identify primarily with these
descriptions should begin to consider the business benefits of information availability in transforming
their organizations globally.
Level 5 (Transformational): This level describes an organization that has integrated information
governance into its overall corporate infrastructure and business processes to such an extent that
compliance with the program requirements is routine. These organizations have recognized that
effective information governance plays a critical role in cost containment, competitive advantage, and
client service.
6.3 GARP Maturity Scores by Principle
For each principle, baseline scores were generated and high-level observations were documented. URIM
is reporting baseline scores assuming that the findings from the departmental interviews reflect the
actual state of UNIVERSITY records and information management practices.
6.3.1 Principle of Accountability
An organization shall assign a senior executive who will oversee a recordkeeping program and delegate
program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and
ensure program auditability.


UNIVERSITY Baseline Score for Accountability = 2.5
Key observations:
a. The steering committee is not currently functioning and executive leadership is
receiving little or no communications regarding the Information Governance program.
b. There does not appear to be documented roles and responsibilities to qualified
employees for the conduct of records and information processing within departments.
c. Department employees are not always aware of their responsibility regarding records
retention and disposition for paper or electronic filing areas within their area of control.
d. There is no compliance assessment process to ensure policy is being followed.
6.3.2 Principle of Transparency
The processes and activities of an organization’s recordkeeping program shall be documented in an
understandable manner and be available to all personnel and appropriate interested parties.


UNIVERSITY Baseline Score Transparency = 2.0
Key observations:
a. The organization has a lack of or near lack of information governance policies and
procedures.
b. Policies, procedures, and work instructions are not well organized or are available to
personnel only with difficulty. There are low levels of customer satisfaction related to
information availability.
c. There is a lack of documented roles and responsibilities for department employees to
understand and perform information governance tasks and processes. The organization
lacks a training program.
Page 15 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
d. There seems to be a general lack of awareness of what records management services
are offered.
6.3.3 Principle of Integrity
A recordkeeping program shall be constructed so the records and information generated or managed by
or for the organization have a reasonable and suitable guarantee of authenticity and reliability.


UNIVERSITY Baseline Score for Integrity = 2.1
Key observations:
a. Integrity is promoted at UNIVERSITY, but there is no formal, ongoing communications
regarding information integrity for the management of paper and electronic records.
b. The IT strategy and Information Governance Program goals are not aligned.
c. No data map exists to enable UNIVERSITY to identify the locations of records. University
information systems are identified at the system level, but Legal does not always know
where the records they need are located.
d. There is no metadata standard used when capturing records and there are no controls
to prevent records or metadata from being altered.
6.3.4 Principle of Protection
A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and
information that are private, confidential, privileged, secret, or essential to business continuity.


UNIVERSITY Baseline Score for Protection = 1.8
Key observations:
a. UNIVERSITY relies on individuals within departments to identify and manage important
records so they are managed inconsistently across departments.
b. The organization has documented physical control processes and procedures but leave
it up to individual departments or locations to implement.
c. Technologies and methodologies are not adequately implemented and monitored
against information repositories containing confidential information (no audit trails, no
electronic records repositories).
6.3.5 Principle of Compliance
The recordkeeping program shall be constructed to comply with applicable laws and other binding
authorities, as well as the organization’s policies.


UNIVERSITY Baseline Score for Compliance = 2.2.9
Key observations:
a. The University Records Retention Policy is outdated and does not provide an association
with laws/citations. There is no mechanism in place to refresh the retention schedule
against changes in laws and regulations.
b. Compliance to Retention Policy is left up to each college/division and is applied
inconsistently across departments.
c. No records management training exists during the onboarding process for new
employees and little or no training is offered to department employees who are
responsible for the management of departmental records.
d. There is little or no interaction between the Records Management department and
Legal regarding litigation holds, but UNIVERSITY is not heavily litigated. Formal
Litigation Hold procedures are not documented.
Page 16 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
6.3.6 Principle of Availability
An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval
of needed information.


UNIVERSITY Baseline Score for Availability = 1.8
Key observations:
a. Individual employees decide what information to keep and store in repositories of their
choice according to their own filing system.
b. No enterprise search capability.
c. Some departments find it difficult to locate the ‘final’ version of a document or record.
d. Legal discovery is difficult because it is not clear where information resides or where the
final copy of a record is located.
6.3.7 Principle of Retention
An organization shall maintain its records and information for an appropriate time, taking into account
legal, regulatory, fiscal, operational, and historical requirements.


UNIVERSITY Baseline Score for Retention = 2.3
Key observations:
a. Retention schedules exist but there is no custodial oversight of legacy data to ensure it
is maintained according to the schedule. Clean-up is done by IT and usually involves
deletion of an entire data set.
b. Retention is mainly being applied to physical records and not to electronic records.
Electronic records are not being identified and stored with RIM controls.
c. The organization does not have an established communication process for its retention
schedule and records management policy. Retention is often done “after the fact”
when the records goes to archive or the records center.
6.3.8 Principle of Disposition
An organization shall provide secure and appropriate disposition for records that are no longer required
to be maintained by applicable laws and the organization’s policies.


UNIVERSITY Baseline Score for Disposition = 2.3
Key observations:
a. The organization has disposition procedures that cover physical business records only,
but do not address electronic records that reside in the departments.
b. The Records Manager is responsible for implementation of the process but has no direct
authority over departments to enforce policies and may not receive sufficient support
from senior leaders.
c. The organization has no information disposition goals established.
d. Procedures that exist are at the departmental level and are not consistently written or
implemented across the organization.
6.4 GARP Maturity Scores by Principle – Industry Targets
The following table displays the overall desired/target maturity score for each principle, based on
industry best practices.
UNIVERSITY’s desired target level for each GARP principle is noted below and will be used later in the
overall assessment to identify gaps and develop recommendations. These target levels may be adjusted
as the Records and Information Management Program matures.
Page 17 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
GARP® Principle
Target
Level
Accountability
3.3
Transparency
2.8
Integrity
3.0
Protection
3.4
Compliance
3.0
Availability
3.8
Retention
3.3
Disposition
2.8
The following figure shows a comparison of UNIVERSITY maturity scores with that of industry targets.
Although the scale goes to 5, the figure below displays only to 4, as no 5 scores were set as targets.
Accountability
4.0
Disposition
3.0
Transparency
2.0
1.0
Retention
0.0
Availability
Integrity
Industry Target
Protection
Compliance
Figure 1 - Radar Chart of GARP® Overall Scores by Principle
6.5 Key Findings and Recommendations from GARP Assessment
The key findings and recommends regarding the Records and Information Management Program are
below and combine the key observations from the GARP Assessment and the Departmental Interviews.
Organizational Governance. There is no functioning steering committee. Roles and Responsibilities
have not been formalized regarding the management of electronic records.
Page 18 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
The Records Management Committee should be established. Roles and responsibilities should be
defined and documented to include all elements of the Records Management Program, including
department employees responsible for the management of paper and electronic records.
Policies. Some RM Policies exist for records, but provide little to no guidance for the management of
electronic records. Policies are not easily found by departments and there is no one-stop-location to
find them.
The Records Management Policy should be updated and approved by the Records Management
Committee. The URIM website should be updated and should be used as a vehicle to publish all Records
Management content related to the departments.
Training/Communication. Department employees involved in the management of records are not
always aware of retention policy and where to find it, nor are they always aware of their responsibilities
for the management of paper and electronic records. URIM does not always know who the records
management contacts are within each department.
Training materials should be developed and department training should be offered on a consistent
basis. The directory of departmental records management contacts should be refreshed and ongoing
(monthly) communications should be sent, to inform department contacts of URIM service offerings and
guidance for the management of electronic records. The URIM website should be kept up-to-date and
department employees should be pointed to the website for records management guidance.
Retention Schedule. It is often difficult for departments to locate their records on the retention
schedule and the retention periods and naming conventions are inconsistent across departments. URIM
is unable to reference laws and citations used to establish retention periods found on the retention
schedule. Some department employees are not aware of the existence of the records retention
schedule.
The University Records Retention Schedule should be updated to an industry best practice “functional
approach.” The major business functions of the university should be identified and URIM should work
with each functional area to identify the major business activities/records series within each function, as
well as a list of the types of records commonly found therein. Retention periods should be defined at
the business activity/records series level and not at the record type level. All record types created or
managed to support a business activity should inherit the retention for that business activity.
Laws/citations should be identified and associated with each business activity/records series and
reviewed by UNIVERSITY’s Legal department. Communications and training should be provided to build
awareness of the approved University Records Retention Schedule and Records Management Policy.
A Records Management Plans should be developed for each department to identify records managed
within each department. The plan should associate each record to the approved retention schedule,
identify where the records are being stored (paper and electronic) and document the plan for managing
each identified record.
Page 19 of 20
Tuesday, February 09, 2016
Records and Information Management Assessment
Taxonomy/File Plan. No standard taxonomy nor file plan exists for managing electronic records.
A Content Type taxonomy will need to be established before department records can be effectively
stored and managed within a SharePoint environment. The Content Types should be based on the
Record Types defined in the records retention schedule with of goal of fewer than xx content types. A
file plan will need to be created before an electronic records center can be established. The file plan
should be based on the Business Activity/Records Series level of the records retention schedule.
Department Electronic Records. For most departments, no Records Management controls exist in
department filing systems. Records are mainly stored on departmental file shares or personal hard
drives. Records can be easily disposed of by individuals without others in the department being made
aware, as there is no alerts or audit trails. Personal hard drives in most departments are not backed up.
No enterprise-wide electronic records repository exists to provide adequate management of university
records.
Develop electronic records guidance for departments and begin communicating and training
departments on best practice approaches to identify, organize and manage electronic records in their
area of control. Leverage UNIVERSITY’s SharePoint environment. Develop a SharePoint template for
departments to use, with built in hooks into a single SharePoint Records Center. Promote the use of
department SharePoint sites and offer training and guidance.
Email. Emails that contain business value are, for the most part, being stored and managed in Outlook.
Enable emails that contain business value to be stored in department SharePoint sites, when
implemented.
Legal Holds. The Office of General Counsel (OGC) is responsible for preserving records that are potentially
relevant to current or potential legal matters. Although OGC works with departments to identify records,
there are no documented legal hold process to ensure that URIM is involved and that the disposition of
potentially relevant paper records are not disposed.
URIM should work with OGC to develop and document a formal Legal Hold Process and ensure that
records being disposed by URIM and departments are not subject to a legal hold order.
Disposition. Paper records are being disposed after department approval. Electronic records are not
being identified by departments and are not being disposed of when retention requirements have been
met. There is no life cycle management concept for non-record department information, legacy data
and systems.
Establish and approve a life cycle management policy for the management of all university information
(record and non-record, paper and electronic). This policy should be a section of the University Records
and Information Management Policy and should be approved by the Records Management Committee.
Page 20 of 20
Tuesday, February 09, 2016
Related documents
Chap001
Chap001
Staff Learning and Development Policy
Staff Learning and Development Policy
Government Agencies
Government Agencies
Collaboration between Works Departments and Innovation and
Collaboration between Works Departments and Innovation and
Determination of Core Service
Determination of Core Service
minority physicians and research careers
minority physicians and research careers
Local Service Delivery and the challenges that the NAO faces
Local Service Delivery and the challenges that the NAO faces
Name of individual completing this report
Name of individual completing this report
Download
advertisement