The Legal Records & Information Management World According to GARP®
ARMA International has recently introduced a set of eight Generally Accepted Recordkeeping Principles by which organizations can measure the maturity of their records management programs. GARP® illustrates the importance of supporting the relationships between policy, process and technology and gives you a valuable tool to evaluate exactly where your firm rates in this arena. In support of this initiative, Vendor Direct Solutions has been developing a series of presentations and discussions on the topic for associations such as the ALA. We were pleased to be invited to a San Diego Chapter meeting to discuss how GARP® could be used to help administrators get their firms on the right track.
As established by ARMA,[1] these eight principles, in unison with the metrics and standards which define them, are designed to provide guidance for:
- CEOs and Administrators in determining how to protect their organizations in the use of information assets, both physical and electronic;
- Legislators in crafting legislation meant to hold organizations accountable; and
- Records management and information technology professionals in designing and managing comprehensive and effective records management programs.
Properly applied, they provide the decision makers who run law firms with recordkeeping standards that are based primarily on the common yet fundamental elements of information governance. These elements include the policies, procedures, responsibilities and business processes that every organization should consider when:
- Managing day-to-day information management related operations
- Supporting budgeting and project planning activities
- Being tasked with answering questions regarding prior RIM[2] related decisions
- Demonstrating and documenting compliance with applicable laws and regulations
Although we outline all eights principles, we focus primarily on the last three. All eight principles described below may be applied to any industry while some will have more meaning to the legal industry and others have less. This article focuses on how Legal Administrators in particular can understand all eight and determine which principles are the most valuable to their firm. By doing so, they will be able to evaluate the strength of their existing policies, understand and identify what workflow processes are impacted by them, and know how changes to both manual process and technology can empower law firms to responsibly protect their intellectual property while better serving their clients.
Accountability Principle- An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program audit ability. The Accountability Principle addresses law firms by expressing the need for executive support of RIM Policies, essentially stressing “Partner Ownership.” One example of this would be a firm requiring a Risk Management attorney, Managing Partner or General Counsel to have input and sign off on a retention policy which creates the foundation for ensuring that it will be carried out. Although the Accountability Principle relates primarily to the development of a policy, it also necessitates that processes are put in place to support that policy such as an adequate training and monitoring program.
Some questions a Legal Administrator may ask themselves regarding Accountability:
- Do we have partnership “ownership” of our RIM policy?
- Does the policy exist in paper only or in practice?
- Who in our firm is tasked with enforcing our policies?
Transparency Principle- The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties. Although the focus for Transparency is more on public than private requests for information and is more applicable to other industries, it does relate to law firms with respect to Discovery.
Integrity Principle – A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. The Principle of Integrity is critical to admissibility. For example, is your record legitimate? This differs from the Principle of Compliance which is critical to discovery (If asked to produce, can you do so quickly?) Integrity focuses on distinguishing client material from non-client/firm material, official records from un-official records, and handling of drafts and works in progress versus the final product. Ultimately, how you maintain the final record?
Your processes will be impacted in rolling out policies related to Integrity by ensuring that the processes are easy (i.e. taking advantage of technology) and that end users clearly understand the processes.
Some questions a Legal Administrator may ask themselves regarding Integrity:
- What is our definition of an “official record” and what is the “official repository” of that record?
- Is it easy to distinguish client material from a non-client material?
- Do we have system to separate work in progress or drafts from the final record?
- Do we have a functional and practical system to “lock down” the official record?
- What is our procedure and our file standards related to our identified policies?
- Does our firm have end user training and program monitoring?
- Does our DMS allow for version control?
- Do our DMS and RMS systems have standard folder structures and taxonomies?
Protection Principle – A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. The key focus for law firms is to ensure that their policies, processes and technology support the Principle of Protection and include a system, schedules and processes to address a variety of these issues.
Some questions a Legal Administrator may ask themselves regarding Protection:
- How does our firm back up IT information? Do we have a solid, up-to-date data map?
- How does our firm keep client information confidential and secure?
- What processes do we use to keep HR information confidential?
Compliance Principle – The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies. Since typically law firms are private entities and not public entities, there are not as many governing agencies monitoring the compliance issues of a law firm. Therefore, compliance initiatives must be taken in order to avoid the imposition of penalties arising from a court order relating to failure to quickly and properly respond to a discovery request.
Availability Principle – An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information. For law firms, administrators certainly know that time is money. Thus, not having easy availability to records and information can significantly impact billable hours, making this GARP® Principle of Availability a very important one for law firms. Policy and related processes impacting Availability can cover many elements of RIM including e-mail handling, DMS and/or RMS structure and loose policies that allow independent processes for handling information.
Some questions a Legal Administrator may ask themselves regarding Availability:
- Do we have a standard for keeping our e-mail, official records, non-official and non-client records?
- Can we define our official repository, whether physical or digital? Can it be different by practice group or client and should we address it in our policies?
- If we analyze our processes, are they in sync with policy? Are there duplicate steps we are taking that are counterproductive and can be eliminated while still properly managing risk?
- Is there a filing backlog? How is this affecting us and why?
- How are our firm’s physical files handled at close of matter?
- Do we need E-Mail routing and/or archiving software?
- Do we need a document routing or automated workflow solution?
- Are our DMS and/or RMS systems efficiently configured?
Retention Principle– An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
Disposition Principle - An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.
The principles of Retention and Disposition are separate but inter-related and are both a very hot topic in legal environments. Simply put, retention refers to retaining of information where disposition refers to the disposing of information. Many firms have a policy to never destroy their records but they still need a policy to clarify how they keep them, where they keep them and how they are accessed throughout their lifecycle.
Some questions a Legal Administrator may ask themselves regarding Retention& Disposition:
- Do you have a retention policy? Does the retention policy address how and where to keep information at each stage of the cycle?
- Does it site authorities so that you do not have to recreate the wheel to update it?
- Does it need to vary by practice group or file collection?
- Does it address disposition?
- Does it factor in legal holds?
- Do you have a closing process?
- Who/when does what, are they the right person?
- What TECHNOLOGY do you have to support the POLICY and PROCESS?
- What date triggers when to send offsite?
- What date triggers when objects are eligible for disposition?
- What system/application has the date?
- Does your engagement letter address these principles?
VDS has always recognized that the key to attaining a sound records program has three main ingredients and addressing each of the GARP® principles with these in mind is extremely important:
- Policy – You must begin with determining a policy for functions related to records.
- Process – Once you have a policy (written or assumed), you should ensure that your process (from the end-user on up to the decision maker) supports the policy, that end users are trained, that there are not isolated or “rogue” practices or means of keeping information that are not in line with the policy. Certainly you will also want to ensure that the process is efficient and not duplicative.
- Technology – Are you fully using the technology you have in place to support both the processes and policy? Are there features of your technology that you are not aware of or are not using that could make your processes more efficient? Do you have the right technology?
This Maturity Model for Information Governance is a good tool to evaluate if you are strong or weak in areas and a valuable tool to see how your organization rates on a scale of sub standard to exceptional. To a degree, GARP® provides ammunition to finally gain approval or at least movement on RIM initiatives that may have been stalling at a firm for some time. Furthermore, given the rapid advancement of the firms relying more on digital information, as firms evaluate how they’re integrating their electronic files while still maintaining control over their physical files, GARP® proves to be an excellent tool for establishing benchmarks and bridging the gap between your physical and electronic records and information practices. The concept behind these principles is to offer you a solid framework to fix your records management program. It might not be a prescription but it can certainly be a great diagnostic tool to help clear the path to curing the issues that plague administrators around records and information management.
[1] More details on ARMA’s GARP® initiative can be found at
http://www.arma.org/GARP®/.
[2] RIM is a commonly used acronym for Records and Information Management.