physical document tracking projectrecordsmanagement.byu.edu/.../02/sample...report.docx · web...

29
Sample Assessment Prepared by John Doe Month/Year Records and Information Management Program Assessment Report Key Findings and Recommendations

Upload: trinhcong

Post on 11-Jun-2018

213 views

Category:

Documents


0 download

TRANSCRIPT

Sample Assessment

Prepared by John DoeMonth/Year

Records and Information Management Program Assessment Report Key Findings and Recommendations

Records and Information Management Assessment

1 Contents

2 EXECUTIVE SUMMARY................................................................................................................................ 3

2.1 BACKGROUND.................................................................................................................................................32.2 SUMMARY OF KEY FINDINGS.............................................................................................................................32.3 HIGH-LEVEL RECOMMENDATIONS.......................................................................................................................4

3 APPROACH................................................................................................................................................. 5

3.1 APPROACH.....................................................................................................................................................5

4 KEY FINDINGS AND RECOMMENDATIONS...................................................................................................5

4.1 PHYSICAL RECORDS – FINDINGS.........................................................................................................................54.2 PHYSICAL RECORDS – RECOMMENDATIONS..........................................................................................................64.3 MICROFILMING – FINDINGS..............................................................................................................................64.4 MICROFILMING – RECOMMENDATIONS...............................................................................................................74.5 SCANNING/DIGITIZATION – FINDINGS.................................................................................................................74.6 SCANNING/DIGITIZATION - RECOMMENDATIONS...................................................................................................74.7 ELECTRONIC RECORDS – FINDINGS.....................................................................................................................74.8 ELECTRONIC RECORDS - RECOMMENDATIONS.......................................................................................................84.9 GOVERNANCE AND POLICY – FINDINGS...............................................................................................................94.10 GOVERNANCE AND POLICY - RECOMMENDATIONS.................................................................................................94.11 TRAINING AND AWARENESS – FINDINGS............................................................................................................104.12 TRAINING AND AWARENESS - RECOMMENDATIONS..............................................................................................104.13 LEGAL HOLDS – FINDINGS...............................................................................................................................114.14 LEGAL HOLDS - RECOMMENDATIONS................................................................................................................11

5 PROPOSED HIGH-LEVEL ROADMAP........................................................................................................... 11

5.1 SHORT-TERM (BUSINESS READINESS STAGE).......................................................................................................115.2 MID-TERM (IMPLEMENTATION STAGE)..............................................................................................................125.3 LONG-TERM (SUSTAINABILITY STAGE)................................................................................................................13

APPENDIX A...................................................................................................................................................... 14

6 GARP MATURITY ASSESSMENT................................................................................................................. 14

6.1 APPROACH...................................................................................................................................................146.2 GARP MATURITY SCORES..............................................................................................................................146.3 GARP MATURITY SCORES BY PRINCIPLE............................................................................................................15

6.3.1 Principle of Accountability....................................................................................................................156.3.2 Principle of Transparency.....................................................................................................................156.3.3 Principle of Integrity.............................................................................................................................166.3.4 Principle of Protection..........................................................................................................................166.3.5 Principle of Compliance........................................................................................................................166.3.6 Principle of Availability.........................................................................................................................176.3.7 Principle of Retention...........................................................................................................................176.3.8 Principle of Disposition.........................................................................................................................17

6.4 GARP MATURITY SCORES BY PRINCIPLE – INDUSTRY TARGETS..............................................................................176.5 KEY FINDINGS AND RECOMMENDATIONS FROM GARP ASSESSMENT.......................................................................18

Page 2 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

2 Executive Summary

2.1 BackgroundOver the past three months, University Records and Information Management (URIM) reviewed current policies, procedures, and practices. URIM identified and met with approximately 20 stakeholders and departments that provided a representative sample of departments across the university’s colleges and divisions. These interviews were conducted in order to gain insight into UNIVERSITY’s current recordkeeping practices. As part of this assessment, current practices were then compared against existing policies, procedures and industry best practices. After completion of the departmental interviews, URIM sent a Records and Information Management survey to approximately 160 additional departments to gain insights into their current practices and needs regarding the management of paper records, microfilm, digital imaging and electronic records. Approximately 60 departments responded. The survey results were then incorporated into this assessment. After gaining an understanding of UNIVERSITY’s current recordkeeping practices, URIM completed an industry-based assessment using the Generally Accepted Recordkeeping Principles (GARP) Maturity Assessment Tool, from ARMA International. The GARP Assessment details are located in Appendix A of this report. The key findings of the GARP Assessment were incorporated into the body of this report.

2.2 Summary of Key Findings1. There is no active records management advisory committee to provide direction and oversight

2. There is no university-wide approach or use of technology for the management of electronic records

3. Electronic records are not identified by departments and are not making their way to the University Records Center or University Archives

4. Litigation hold procedures exist, but are undocumented and not consistently applied, exposing UNIVERSITY to possible risk during litigation

5. Records center inventory and departmental request activity is tracked using spreadsheets and is not adequate

6. Approximately half of departments are performing scanning activities on their own with little knowledge of industry best practices (format, compression, resolution, quality review). Many smaller departments do not have resources to complete imaging projects

7. Some websites contain historical information that is not being preserved

8. Some departments are preserving historical records onto CDs or DVDs that may begin to degrade in as little as 3 to 7 years

9. The retention schedule is outdated and lacks legal authorities

Page 3 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

2.3 High-Level Recommendations1. Develop organizational governance – establish a Records Management Committee

2. Utilize a Department Records Liaison network to assist departments in the management of paper and electronic records

3. Update the retention schedule and records management policy to support the management of electronic records

4. Develop a university-wide electronic records center using SharePoint or some other repository

5. Provide electronic records management guidance and services to assist departments, including imaging guidance

Page 4 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

3 Approach

3.1 ApproachOver the past three months, University Records and Information Management (URIM) reviewed current policies, procedures, and practices. URIM identified and met with approximately 20 stakeholders and departments that provided a representative sample of departments across the university’s colleges and divisions. These interviews were conducted in order to gain insight into UNIVERSITY’s current recordkeeping practices. As part of this assessment, current practices were then compared against existing policies, procedures and industry best practices. After completion of the departmental interviews, URIM sent a Records and Information Management survey to approximately 160 additional departments to gain insights into their current practices and needs regarding the management of paper records, microfilm, digital imaging and electronic records. Approximately 60 departments responded. The survey results were then incorporated into this assessment. After gaining an understanding of UNIVERSITY’s current recordkeeping practices, URIM completed an industry-based assessment using the Generally Accepted Recordkeeping Principles (GARP) Maturity Assessment Tool, from ARMA International. The GARP Assessment details are located in Appendix A of this report. The key findings of the GARP Assessment were incorporated into the body of this report.

In addition, URIM conducted an in-depth assessment of its own practices for the management of paper records, including the following areas:

The process for departments to box up records and send them to the records center The process for how records are requested by departments and then delivered The process for how physical records are identified and maintained in departments The process for how the inventory of records in the records center are managed The process for destroying records and the associated disposition approval process.

4 Key Findings and Recommendations

4.1 Physical Records – Findings1. Many departments have a departmental filing area for physical records. About one-third of

these departments are having a least minor difficulty finding their records.2. About half of the departments use some form of color-coded labeling to assist in the filing

and retrieval of department records, but there is no support to make this process more efficient.

3. About 60% of the departments store records outside of their department, one-third of these departments are storing records outside of their department, but in a storage area somewhere in their own building.

4. There are approximately 14,000 boxes of records in the University Records Center. The records center is nearing capacity. Disposition activity is being completed on a monthly basis to make room for the next month’s inflow of new boxes.

5. The disposition process for boxes of records require department approval. There is no process in place to ensure records approved for destruction are checked against current litigation holds.

Page 5 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

6. The records center inventory and circulation (requesting) activity is being tracked by a spreadsheet, resulting in time consuming, manual tasks to transfer data from phoned in and faxed requests.

7. The service level to the university is not always consistent. Several departments said they had to wait for at least a week to know what to do to have their boxes picked up.

8. There is no formal training program. Training is provided on a one-off basis, as requested by departments

9. Departments are disposing of paper records without Record Center awareness.10. Faculty want to get rid of exams but are not sure how long to keep them

4.2 Physical Records – Recommendations1. Publish guidance for filing efficiency and color labeling on the URIM website. Incorporate this

guidance into training materials and deliver ongoing communications to build departmental awareness of the available URIM services and drive URIM Liaisons to the URM website for guidance.

2. Work with the Legal Department to develop and document legal hold procedures. 3. Develop a disposition process where departments and legal will only need to review boxes

eligible for destruction on a semi-annual or annual basis.4. As a short-term measure, migrate the Google Doc-based records inventory and request log to an

Excel spreadsheet and management them on a departmental SharePoint site, in order to provide backup, access from multiple computers and version control. Work with IT to acquire a departmental SharePoint site for the URIM department to house the inventory in a multi-user environment. As a more permanent solution, develop requirements for a bar code tracking solution, then work with vendors to review functionality and pricing.

5. Identify and communicate to the departments a service level that can be consistently followed, in order to set appropriate departmental expectations and student courier commitment. Update URIM procedures to reflect the agreed upon service level agreement, as well as security procedures regarding the pickup and drop off of confidential boxes or backup tapes.

6. Update the University Records and Information Management Policy. Include language to define departmental disposition responsibilities and the role and purpose of the URIM Records Center. The policy should enable departments to dispose of records that are no longer needed, as long as retention requirements have been met and the records are not subject to a litigation hold order.

4.3 Microfilming – Findings1. Only two departments surveyed identified they have a potential need for microfilmed records

and only one made an attempt to have records microfilmed in the past three years.2. The records center has drawers of microfiche and boxes of microfilm created by URIM’s internal

microfilming efforts during the past few decades. URIM has been unable to locate indexes for these records and it has been verified that indexes were not created on the first few frames of each roll.

3. URIM no longer retains the expertise necessary to microfilm records.

Page 6 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

4.4 Microfilming – Recommendations1. It is recommended that URIM no longer provide microfilming services and that URIM use digital

imaging stored on M-Disc to service any future microfilming requests made by departments. 2. URIM should surplus, sell or transfer existing microfilming equipment. URIM should retain

enough equipment to fulfill department requests for viewing and printing microfilm, in order to fulfill requests from Legal or other departments.

4.5 Scanning/Digitization – Findings1. Approximately half of the departments are scanning records or are in the process of beginning a

scanning initiative. Approximately half of the departments that scan are disposing of records immediately after the scanning & verification process, while the other half are storing the records at the University Records Center or in a storage area within their building, indefinitely.

2. Most departments that scan are using available departmental scanning technology, such as an office copy/scanner. When scanning, no document imaging standards are being followed, such as file format, image resolution, file compression and quality control. Using industry best practices, each document should be scanned at 300 dpi with a resulting file size of 20KB (black & white) to 200KB (color) in file size. By conducting samples from several departments, it was determined that most documents ranged from 1MB to 5MB in file size and no compression technologies were utilized.

3. Approximately one-fourth of the departments transfer scanned documents onto DVDs, many of which require permanent retention. It is unclear whether the DVDs are copies of records retained in their systems or whether the DVD is the official, only remaining record. DVD, CD and Blu-ray discs normally begin to show signs of determination in as little as 3 to 7 years.

4.6 Scanning/Digitization - Recommendations1. URIM department should acquire at least one scanning station to enable the digitization of

department records.2. URIM should create and publish digitization guidance for departments, based on industry best

practices. This guidance should be published onto the URIM Website and regular communications should be sent to department records liaisons to build awareness of standards and URIM service offerings.

3. URIM should provide one-on-one assistance to departments that want to move to digital imaging or want to update their current scanning environment to use best practices.

4. URIM should consider providing digitization services for smaller departments on a cost recovery basis. Particularly if the department cannot justify providing dedicated resources for scanning equipment and personnel.

5. URIM should consider offering a “Scan on Demand” service for departments requesting files or boxes of records. This service would allow records requests to be fulfilled digitally.

4.7 Electronic Records – Findings1. Most records created or received by departments are electronic. Electronic records are not

being identified by the departments and are not making their way to Records Management or to the University Archives.

2. There is no university-wide electronic records repository, with records management controls, in which departments can safely store their records.

Page 7 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

3. In nearly every case, departmental electronic files are retained on Shared Drives, Outlook Folders and PC hard drives. These filing areas lack records management controls, audit trails and enhanced security. Department records could easily be deleted without others in the department knowing.

4. There is no metadata standard used when capturing records and there are no controls to prevent records or metadata from being altered.

5. Departments are not deleting electronic records and information after it is no longer needed for business purposes and after retention requirements have been met.

6. Some department records are stored on PCs that are not backed up. Many employees use external hard drives to make copies of their PC in case of a hard drive crash.

7. Electronic records are being stored in departments and in the Records Center on DVD and Blu-ray that can potentially deteriorate in as little as 3 to 7 years. The majority of these DVDs are used to store permanent records.

8. UNIVERSITY Websites contain information of historical value. In some cases, this information is not being preserved by departments.

4.8 Electronic Records - Recommendations1. An electronic records center should be established to facilitate the capture and storage of

electronic departmental records. As IT already supports SharePoint, it is recommended that URIM work with IT to develop an approach to capture departmental records into department SharePoint sites, and then having a mechanism for these records to flow into a centralized SharePoint Records Center, where records will be managed per approved retention policy.

2. Updates to the records retention schedule should include the identification of records series that are to be sent to the University Archives. Rules should be applied to the SharePoint Records Center to enable an automated approach for moving departmental records to the University Archives. Consideration should be given to retain some electronic records in the SharePoint Records Center instead of moving them to the Archives.

3. URIM should provide training and guidance to departments for the identification of electronic records and the correct use of the electronic records center for storing department records as well as provide guidance for moving away from the use of shared drives and personal computers for the storage of electronic departmental records.

4. The university should consider implementing technology to enable university employees to more easily store email records. After the SharePoint Records Center has been established, it is recommended that departments have the capability to move email records into the SharePoint environment.

5. URIM should work with departments to create an enterprise content type model and metadata standard before the implementation of a university-wide electronic records center.

6. URIM should provide guidance to departments regarding the storage of records onto DVD and other removable media. It is recommended where there is a need to store records onto a removable media for storage, M-Disc technology be used, to support long-term storage.

7. URIM should consider providing M-Disc guidance and services to departments. This service should include copying regular DVD or VHS to M-Disc.

Page 8 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

8. The university should consider supporting a campus-wide technology for backing up the personal hard drives of university supplied desktop and laptop computers. Mosey and Crash Plan are currently in wide use in industry.

4.9 Governance and Policy – Findings1. UNIVERSITY lacks adequate organizational governance over its records and information

program. UNIVERSITY does not have a Records Management Committee at this time.2. The Records Manager is responsible for implementing processes but has no direct authority over

departments to enforce policies.3. University Records Management has focused on the management of paper records, but needs

to become better equipped to transition into an electronic recordkeeping environment.4. Roles and responsibilities are not formally documented for department employees for the

management of records and information within their areas.5. The University Records Management Policy does not contain adequate language to facilitate the

transition from a paper to an electronic records environment.6. The University Records Retention Schedule does not contain citations to back up the defined

retention periods.7. The University Records Retention Schedule is not suitable for implementation into an electronic

environment, as it is not following the best practice functional/business activity approach. Retention periods are defined at the department level and there are inconsistencies in retention periods for the same records in different departments, perhaps based on unique department requirements. Different naming conventions are used for records between departments.

8. The general perception of University Records Management is that of dealing only with boxes of paper records in the records center. One department interviewed asked why University Records Management would be interested in their electronic information.

9. There are no formal goals set for departments to achieve a specific level of recordkeeping compliance and there is no compliance assessment process to ensure policy is being followed. Compliance to retention policy is left up to each college/division and is applied inconsistently across departments.

4.10 Governance and Policy - Recommendations1. The university should establish a Records Management Committee to provide oversight and

high-level guidance and goals to University Records and Information Management. It is recommended the committee meet monthly. The committee should have representation from Academic, Finance, Information Technology, Legal, Risk Management and the University Archives.

2. The role of the Departmental Records Liaison should be defined, formalized and supported by the university and department heads.

3. The URIM Policy should be updated to facilitate the movement of the university to an electronic records environment. The policy should define the ownership of records and the responsibility UNIVERSITY employees have in maintaining records.

4. The University Records Retention Schedule should be updated to reflect a best practice, functional retention model that is suitable for implementing into an electronic records

Page 9 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

environment. The records retention schedule should contain references to citations, so that the university can back up its approved retention periods.

5. A RIM Charter should be developed to define and document the roles and responsibilities of the URIM Committee, URIM Department and Departmental Records Liaisons.

6. After the URIM Policy and technology for electronic records management has been implemented, the university should consider measuring department compliance, possibly using a self-assessment process.

4.11 Training and Awareness – Findings1. There is a general lack of awareness among departments regarding their responsibility for the

management (records retention and disposition) of electronic records. Departments want guidance to know what to keep and for how long, then what to do with it.

2. Although department training is performed when specifically requested by the departments, there is not an active communication and training program to develop ongoing awareness and transfer knowledge to department employees responsible for the management of paper and electronic records. Many departments are not aware of the Records Management Program and the services being offered.

3. No records management training is delivered during the onboarding process for new employees.

4. It is unclear for many departments whether they have the official record or if they are maintaining a copy of the records and are not sure how long to keep these duplicates records. Often the department has a paper or electronic copy and a business application generates and retains the official record.

5. The Department Contact List is out of date. In many cases, University Records Management does not know who the records management contact is for a department, making it difficult to send out a guidance.

4.12 Training and Awareness - Recommendations1. Update the URIM Website to create a one-stop-shop for departmental Records and Information

Management guidance. Department guidance should include how to manage paper and electronic records. Guidance should also include specific information regarding digital imaging and the use of the M-Disc.

2. Develop departmental training materials that include guidance for the management of paper and electronic records. Training materials should include training for identifying electronic records within the department (departmental inventory) and the development of an action plan for each identified records (Records Management Plan).

3. Update the Department URIM Liaison Directory to include all university departments. Develop a method to associate each department of office to its parent College/Division, in order to facilitate the creation of College/Division-wide training opportunities.

4. Develop a training program to reach out to and educate departments about URIM service offerings. Whenever possible, train at the College/Division level.

5. Develop a communication plan to build awareness of the URIM Program and its service offerings. It is recommended that consistent, periodic communications be sent to Department URIM Liaisons to keep them updated on URIM service offerings. The communications plan

Page 10 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

should also map out communications that should come from senior level university/college/division leadership.

4.13 Legal Holds – Findings1. University Records Management is not always made aware of legal holds and there is a potential

for boxes of records being destroyed that may unknowingly be subject to a litigation matter.2. Box transmittal forms are in paper form and are not searchable by University Records

Management or Legal. It is not possible at this time to place legal holds onto specific boxes, based on their contents, as there is no searchable index.

3. Department employees are able to store email records in PST (personal archive) files. These emails can be deleted by users subject to a legal hold.

4. Electronic records stored in file shares and on PC hard drives may be intentionally or inadvertently deleted by users.

5. No data map exists to enable Legal to identify the location of records across the university. Legal is not always aware of where departmental records are stored.

6. There is no enterprise search capability across departmental records to assist in the identification of records relevant to a legal hold, nor is there the ability to apply legal holds onto those records.

4.14 Legal Holds - Recommendations1. Work with Legal to develop legal hold procedures. These procedures should ensure that

university records stored in the University Records Center or the future electronic records center are part of the legal hold discussions with targeted persons/departments.

2. Digitize Box transmittal forms and provide on-line access to Legal, in order to conduct key word searches and filterer by department and date ranges.

3. Utilize a records center tracking solution that has capability to manage the process of placing boxes on legal hold.

4. It is recommended that Legal work with IT and URIM to develop a data map that includes a list of systems and information storage repositories, along with a reference of the types of records that reside therein.

5. It is recommended that Legal/URIM utilize the available Legal Hold capability of SharePoint to place on hold, records stored in future department SharePoint sites and the future SharePoint Records Center.

6. The university should consider disabling the ability for users to create personal email archives (PST files). The university should consider the use of an email archiving solution or encourage users to store emails that contain university business value into an electronic records repository.

5 Proposed High-Level Roadmap

5.1 Short-term (Business Readiness Stage)1. Establish Records Management Committee2. Develop URIM Program Charter

a. Define roles and responsibilitiesb. Define goals and objectives of RIM program

Page 11 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

3. Update URIM Policy to support electronic records4. Update the University Records Retention Schedule – Functional approach with citations5. Document legal hold process

a. Work with Legal to document legal hold processb. Incorporate legal hold process into disposition approval activities

6. Digitize Box Transmittal Formsa. Provide online access of Box Inventoryb. Make available for use in legal hold review, department disposition review and archival

review processes7. Implement URIM department SharePoint site

a. Convert Google Doc spreadsheet to Excel spreadsheet managed by Sharepointb. Migrate all URIM department content from Shared Drives to SharePoint

8. Develop electronic records guidance for department and incorporate into URIM website and training materials

9. Update Department Liaison Directory10. Provide imaging and M-disc guidance to departments11. Microfilm

a. Remove microfilm equipment b. Create master index of existing microfilm holdings

12. Send out general UNIVERSITY communication to build awareness of URIM Program and website content

13. Deliver ongoing communications to department liaisons to build awareness of URIM services14. Conduct URIM Program Training to departments15. Identify Proof of Concept (POC) site for SharePoint RM Department Template/SharePoint

Records Center.

5.2 Mid-Term (Implementation Stage)1. Implement records center tracking solution2. Provide M-Disc transfer service to departments on a cost recovery basis3. Provide Imaging service to smaller departments on a cost recovery basis4. Provide scan on-demand service to departments

a. Fulfill file requests digitally5. Work with departments to develop Record Management Plan/Inventory6. Develop electronic records center requirements7. Work with IT to develop/secure infrastructure for RM template and SP Records Center8. Implement electronic records management solution

a. Develop Department template, Content Type Hub, Term Store and Records Centerb. Develop content type list and metadata modelc. Develop Data Map – locations of records across the universityd. Pilot RM Template e. Develop change management plan

i. Communicationii. Training

Page 12 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

iii. Developing supportiv. Coaching supervisors

f. Implement phased rollout

5.3 Long-term (Sustainability Stage)1. Measuring and reporting2. Auditing for compliance3. Ongoing training and support4. Email, PST

a. Disable PST (personal email archives)b. Enable departments to save email to SharePoint sites

5. Websites and structured IT systems

Page 13 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

Appendix A.

6 GARP Maturity Assessment

6.1 ApproachThe Generally Accepted Recordkeeping Principles (GARP) provide quantitative standards to guide information management and governance of record creation, security, maintenance, and other activities used to effectively support recordkeeping of an organization. The University Records and Information Management (URIM) department used the GARP assessment tool to determine the maturity of UNIVERSITY’s records and information governance and practices as compared against GARP and industry standards. The assessment was designed to rank UNIVERSITY’s maturity on topics like document security and protection, records retention and disposition practices, availability, transparency and integrity.

The GARP maturity assessment scores will be used to establish a baseline for records governance and to provide an approach to objectively compare performance during process improvement efforts. Also, the scores will be used to develop priorities for further development of the records and information management program, including process and technology improvement to ensure effective and efficient management of records and information.

The GARP assessment tool provided 108 questions. URIM conducted approximately 25 department interviews to gain insight into UNIVERSITY’s current practices regarding the management of both paper and electronic records. Following the interviews, URIM completed the 108 questions on the GARP assessment tool, based on their findings from the departmental interviews.

6.2 GARP Maturity ScoresThe GARP principles identify the critical hallmarks of information governance, which Gartner describes as an accountability framework that “includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” The scores are simple averages of the responses from each interview, with responses of “do not know” and “does not apply” factored out. For each principle, the maturity model associates various characteristics that are typical for each of the five levels in the maturity model:

Level 1 (Sub-Standard): This level describes an environment where recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner. Organizations that identify primarily with these descriptions should be concerned that their programs will not meet legal or regulatory scrutiny.

Level 2 (In Development): This level describes an environment where there is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program. However, in Level 2, the organization is still vulnerable to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature.

Level 3 (Essential): This level describes the essential or minimum requirements that must be addressed in order to meet the organization’s legal and regulatory requirements and is characterized by defined

Page 14 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

policies and procedures and more specific decisions taken to improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions may still be missing significant opportunities for streamlining business and controlling costs.

Level 4 (Proactive): This level describes an organization that is initiating information governance program improvements throughout its business operations. Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements. Organizations that identify primarily with these descriptions should begin to consider the business benefits of information availability in transforming their organizations globally.

Level 5 (Transformational): This level describes an organization that has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine. These organizations have recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service.

6.3 GARP Maturity Scores by PrincipleFor each principle, baseline scores were generated and high-level observations were documented. URIM is reporting baseline scores assuming that the findings from the departmental interviews reflect the actual state of UNIVERSITY records and information management practices.

6.3.1 Principle of AccountabilityAn organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.

UNIVERSITY Baseline Score for Accountability = 2.5 Key observations:

a. The steering committee is not currently functioning and executive leadership is receiving little or no communications regarding the Information Governance program.

b. There does not appear to be documented roles and responsibilities to qualified employees for the conduct of records and information processing within departments.

c. Department employees are not always aware of their responsibility regarding records retention and disposition for paper or electronic filing areas within their area of control.

d. There is no compliance assessment process to ensure policy is being followed.

6.3.2 Principle of TransparencyThe processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.

UNIVERSITY Baseline Score Transparency = 2.0 Key observations:

a. The organization has a lack of or near lack of information governance policies and procedures.

b. Policies, procedures, and work instructions are not well organized or are available to personnel only with difficulty. There are low levels of customer satisfaction related to information availability.

Page 15 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

c. There is a lack of documented roles and responsibilities for department employees to understand and perform information governance tasks and processes. The organization lacks a training program.

d. There seems to be a general lack of awareness of what records management services are offered.

6.3.3 Principle of IntegrityA recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

UNIVERSITY Baseline Score for Integrity = 2.1 Key observations:

a. Integrity is promoted at UNIVERSITY, but there is no formal, ongoing communications regarding information integrity for the management of paper and electronic records.

b. The IT strategy and Information Governance Program goals are not aligned.c. No data map exists to enable UNIVERSITY to identify the locations of records. University

information systems are identified at the system level, but Legal does not always know where the records they need are located.

d. There is no metadata standard used when capturing records and there are no controls to prevent records or metadata from being altered.

6.3.4 Principle of ProtectionA recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.

UNIVERSITY Baseline Score for Protection = 1.8 Key observations:

a. UNIVERSITY relies on individuals within departments to identify and manage important records so they are managed inconsistently across departments.

b. The organization has documented physical control processes and procedures but leave it up to individual departments or locations to implement.

c. Technologies and methodologies are not adequately implemented and monitored against information repositories containing confidential information (no audit trails, no electronic records repositories).

6.3.5 Principle of ComplianceThe recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

UNIVERSITY Baseline Score for Compliance = 2.2.9 Key observations:

a. The University Records Retention Policy is outdated and does not provide an association with laws/citations. There is no mechanism in place to refresh the retention schedule against changes in laws and regulations.

b. Compliance to Retention Policy is left up to each college/division and is applied inconsistently across departments.

c. No records management training exists during the onboarding process for new employees and little or no training is offered to department employees who are responsible for the management of departmental records.

Page 16 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

d. There is little or no interaction between the Records Management department and Legal regarding litigation holds, but UNIVERSITY is not heavily litigated. Formal Litigation Hold procedures are not documented.

6.3.6 Principle of AvailabilityAn organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.

UNIVERSITY Baseline Score for Availability = 1.8 Key observations:

a. Individual employees decide what information to keep and store in repositories of their choice according to their own filing system.

b. No enterprise search capability.c. Some departments find it difficult to locate the ‘final’ version of a document or record.d. Legal discovery is difficult because it is not clear where information resides or where the

final copy of a record is located.

6.3.7 Principle of RetentionAn organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

UNIVERSITY Baseline Score for Retention = 2.3 Key observations:

a. Retention schedules exist but there is no custodial oversight of legacy data to ensure it is maintained according to the schedule. Clean-up is done by IT and usually involves deletion of an entire data set.

b. Retention is mainly being applied to physical records and not to electronic records. Electronic records are not being identified and stored with RIM controls.

c. The organization does not have an established communication process for its retention schedule and records management policy. Retention is often done “after the fact” when the records goes to archive or the records center.

6.3.8 Principle of DispositionAn organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.

UNIVERSITY Baseline Score for Disposition = 2.3 Key observations:

a. The organization has disposition procedures that cover physical business records only, but do not address electronic records that reside in the departments.

b. The Records Manager is responsible for implementation of the process but has no direct authority over departments to enforce policies and may not receive sufficient support from senior leaders.

c. The organization has no information disposition goals established.d. Procedures that exist are at the departmental level and are not consistently written or

implemented across the organization.

6.4 GARP Maturity Scores by Principle – Industry TargetsThe following table displays the overall desired/target maturity score for each principle, based on industry best practices.

Page 17 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

UNIVERSITY’s desired target level for each GARP principle is noted below and will be used later in the overall assessment to identify gaps and develop recommendations. These target levels may be adjusted as the Records and Information Management Program matures.

GARP® Principle Target Level

Accountability 3.3

Transparency 2.8

Integrity 3.0

Protection 3.4

Compliance 3.0

Availability 3.8

Retention 3.3

Disposition 2.8

The following figure shows a comparison of UNIVERSITY maturity scores with that of industry targets. Although the scale goes to 5, the figure below displays only to 4, as no 5 scores were set as targets.

Accountability

Transparency

Integrity

Protection

Compliance

Availability

Retention

Disposition

0.0

1.0

2.0

3.0

4.0

Industry Target

Figure 1 - Radar Chart of GARP® Overall Scores by Principle

Page 18 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

6.5 Key Findings and Recommendations from GARP AssessmentThe key findings and recommends regarding the Records and Information Management Program are below and combine the key observations from the GARP Assessment and the Departmental Interviews.

Organizational Governance. There is no functioning steering committee. Roles and Responsibilities have not been formalized regarding the management of electronic records.

The Records Management Committee should be established. Roles and responsibilities should be defined and documented to include all elements of the Records Management Program, including department employees responsible for the management of paper and electronic records.

Policies. Some RM Policies exist for records, but provide little to no guidance for the management of electronic records. Policies are not easily found by departments and there is no one-stop-location to find them.

The Records Management Policy should be updated and approved by the Records Management Committee. The URIM website should be updated and should be used as a vehicle to publish all Records Management content related to the departments.

Training/Communication. Department employees involved in the management of records are not always aware of retention policy and where to find it, nor are they always aware of their responsibilities for the management of paper and electronic records. URIM does not always know who the records management contacts are within each department.

Training materials should be developed and department training should be offered on a consistent basis. The directory of departmental records management contacts should be refreshed and ongoing (monthly) communications should be sent, to inform department contacts of URIM service offerings and guidance for the management of electronic records. The URIM website should be kept up-to-date and department employees should be pointed to the website for records management guidance.

Retention Schedule. It is often difficult for departments to locate their records on the retention schedule and the retention periods and naming conventions are inconsistent across departments. URIM is unable to reference laws and citations used to establish retention periods found on the retention schedule. Some department employees are not aware of the existence of the records retention schedule.

The University Records Retention Schedule should be updated to an industry best practice “functional approach.” The major business functions of the university should be identified and URIM should work with each functional area to identify the major business activities/records series within each function, as well as a list of the types of records commonly found therein. Retention periods should be defined at the business activity/records series level and not at the record type level. All record types created or managed to support a business activity should inherit the retention for that business activity. Laws/citations should be identified and associated with each business activity/records series and

Page 19 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

reviewed by UNIVERSITY’s Legal department. Communications and training should be provided to build awareness of the approved University Records Retention Schedule and Records Management Policy.

A Records Management Plans should be developed for each department to identify records managed within each department. The plan should associate each record to the approved retention schedule, identify where the records are being stored (paper and electronic) and document the plan for managing each identified record.

Taxonomy/File Plan. No standard taxonomy nor file plan exists for managing electronic records.

A Content Type taxonomy will need to be established before department records can be effectively stored and managed within a SharePoint environment. The Content Types should be based on the Record Types defined in the records retention schedule with of goal of fewer than xx content types. A file plan will need to be created before an electronic records center can be established. The file plan should be based on the Business Activity/Records Series level of the records retention schedule.

Department Electronic Records. For most departments, no Records Management controls exist in department filing systems. Records are mainly stored on departmental file shares or personal hard drives. Records can be easily disposed of by individuals without others in the department being made aware, as there is no alerts or audit trails. Personal hard drives in most departments are not backed up. No enterprise-wide electronic records repository exists to provide adequate management of university records.

Develop electronic records guidance for departments and begin communicating and training departments on best practice approaches to identify, organize and manage electronic records in their area of control. Leverage UNIVERSITY’s SharePoint environment. Develop a SharePoint template for departments to use, with built in hooks into a single SharePoint Records Center. Promote the use of department SharePoint sites and offer training and guidance.

Email. Emails that contain business value are, for the most part, being stored and managed in Outlook.

Enable emails that contain business value to be stored in department SharePoint sites, when implemented.

Legal Holds. The Office of General Counsel (OGC) is responsible for preserving records that are potentially relevant to current or potential legal matters. Although OGC works with departments to identify records, there are no documented legal hold process to ensure that URIM is involved and that the disposition of potentially relevant paper records are not disposed.

URIM should work with OGC to develop and document a formal Legal Hold Process and ensure that records being disposed by URIM and departments are not subject to a legal hold order.

Disposition. Paper records are being disposed after department approval. Electronic records are not being identified by departments and are not being disposed of when retention requirements have been

Page 20 of 21 Tuesday, May 09, 2023

Records and Information Management Assessment

met. There is no life cycle management concept for non-record department information, legacy data and systems.

Establish and approve a life cycle management policy for the management of all university information (record and non-record, paper and electronic). This policy should be a section of the University Records and Information Management Policy and should be approved by the Records Management Committee.

Page 21 of 21 Tuesday, May 09, 2023