Where GARP Gets It Wrong

By Jeffrey Lewis posted 06-20-2013 14:26


I hope the title is not misleading, but to be more specific, this is where the GARP health check up gets it wrong. Line 50 in the health check up states, "records managers responsible for paper records; IT responsible for electronic records." I read this statement and was surprised and wondering if others felt the same way, so I went to twitter and LinkedIn with the question "GARP health checkup states IT should be responsible for electronic records. Agree or disagree and why?" The response from Amy Dondy, Database and Risk Manager from Trucker Huss captured the general sentiment well:

GARP really has this one wrong. IT people rarely have a concept of what constitutes a record. Digital or physical, records should be managed by records professionals. We need to work with IT to have the tools necessary to manage electronic records, but they should never be in charge of their management.

Many responses were along this same line and some even called this statement from GARP an example of a severely outdated mindset and another said that this would be a symptom of an organization in trouble or on the pathway to trouble.  

My main issue with the statement and several people mentioned this is that it is not detailed enough.  What does "responsible" mean? IT can be responsible for the tools and infrastructure but that does not make them responsible for the records.  Richard Jeynes, consultant at Memnet, states it well when he says 

Depends what you mean by 'responsible for'. If you mean ownership of the records and the information they contain, then I disagree, because the business asset owner has that role. If you mean ensuring their security, then I agree, once the levels of security and other governance around that have been agreed with the asset owners. 

The role of IT is to be a collaborating partner with RIM.  RIM needs to be the one to set the policies and IT needs to be the enforcer.  Managing electronic records is not a task RIM can do alone and needs IT to share partial responsibility.  On the topic of IT's responsibility Sue Darby, BS, MOS, wisely stated

IT should be fully responsible for hardware, backup and software along with data security and even archiving and records retention but the users should be responsible for organizing it in a way that works for their team. IT should also be responsible for providing information on best practices for version control so the data does not get duplicated thus costing more to backup and store.

Carol Rittereiser, CRM, director of Records and Information Management at Pitney Bowes is spot on with the collaboration aspect with her statement, "IT should be responsible only in part for electronic records insofar as to ensure that the data is backed up in accordance with its established rotational cycles and to ensure its functionality, protection, security and privacy. Their primary responsibility is the management of the hardware, software and operation of the "production environment" of the data centers or third party providers. IT should not "own" the information. The electronic data itself should be under the management of the business owner/function and records management/legal to ensure the data complies with the respective enterprise's retention policy as well as any legal holds and extended audit requirements."

IT cannot replace RIM when it comes to managing electronic records.  If RIM's expertise is only paper records our future is very brink.  A record is a record no matter the format, so the principle for managing it should not be in IT.  I believe the issue is summed up really well by Mary Binkholder, CRM/NS, Administration Supervisor at Ameren and Bill McDaniel, CEO of SemantiStar inc. 

Mary Binkholder, CRM/NS "I disagree. IT may have the tools, but we (records managers) have the rules. While we work very closely with our IT staff for our records processing and storage, we have to maintain control. IT is generally not as familiar with all of our standards, guidelines, etc.; their focus is ensuring the systems work. For example, we ensure that we have exception reports for electronic transfer and we monitor any "glitches" or errors to make sure all of our records are successfullly transferred. I don't think it is their job description, nor their expertise, to have the records' responsibility." - Binkholder 

Bill McDaniel "I agree with Mary. Saying IT should have responsibility for e-records is like saying the facilities management people should have been responsible for them, before computers, because they provided the file cabinets. Understanding what a corporate Record is, what it implies, how it fits in the corporate policy structure, and how it should be managed is a specialized skill. Understanding the technology used to retain and manage records properly and how to deploy that technology to provide for the requirements of IT users is a specialized skill as well. The IT department should SUPPORT the records management department, not BE it. -McDaniel

#electronic records management #GenerallyAcceptedRecordkeepingPrinciples(GARP) #InformationGovernance #InformationgGovernance #ElectronicRecordsManagement


07-03-2013 14:25

I thought I had left a comment last night, but apparent it did not post. Thank you for your remarks. I feel like I definitely have a better understanding of the GARP health checkup now. I was out of line saying that the health checkup was wrong. My primary issue is not with the rightness or wrongness of the health check as the statement is indeed correct. Where I take issue is with the lack of clarity. What does it mean for IT to be responsible for electronic records? This is the shortest item in the health checkup so it does not seem unreasonable to me that more detail can be added. IT does have a role in managing electronic responsibility, but that responsibility should be spelled out as different people can interpet it different ways.

07-02-2013 17:37

As the creator of the Health Checkup, I can perhaps respond to this issue.
I think this post is a result of a basic misunderstanding regarding both the Health Checkup and the Maturity Model. On the Health Checkup, you do indeed get a point if the records manager is in charge of paper and IT is in charge of electronic records. That's because having someone in charge of each is better than no one being in charge of either, a point on which I am sure you will concur. Neither the Health Checkup or the Maturity Model urge or mandate this as an ideal outcome or ideal end state, however, and the scoring in the Health Checkup does not in any way support such a conclusion. With this item, as with other items on both the Maturity Model and Health Checkup, each data point represents a place on a spectrum from fully non-compliant to transformationally compliant. And with respect to the scoring on the Health Checkup, the answers are therefore necessarily cumulative -- you get a point for minimal compliance, more points for more effective compliance and a better program, until you achieve a top score for that transformational program.
Bottom line, the Health Checkup, like the Maturity Model itself, cannot be picked apart into little bits, and each bit analyzed without reference to the rest of it. Each item is, and must be viewed, as a part of a larger construct that only makes sense when viewed in its entirety.
John Montana

07-02-2013 14:01

Thank you so much for your comment and the feedback. As I look back on it, I wish I would have titled this differently and I even alluded to this in a follow-up blog post. The statement in the health check up is not wrong, but it is unclear. I am ok with this being one level of maturity, but where I take issue is the lack of clarity and what "responsible" means. That is why before writing this blog and formulating my own thoughts I asked others in the profession on Twitter and LinkedIn if I was interpreting this statement correctly.
I am a major advocate of GARP, the maturity model and the health check up. Do I believe they are perfect? No. I am not afraid to state where I disagree because I want to be proved wrong and understand better. I think this is a correct statement and one level of maturity, I just want it to be less vague so that all readers can interpret it the same way.

07-02-2013 13:06

With all due respect, you have misinterpreted the Health Check Up and the intent of that particular line in the tool.
I entirely disagree with your premise that the Generally Accepted Recordkeeping Principles, its Maturity Model, or the free Health Check Up get this topic wrong.
The Health Check Up, created by John Montana and made available by ARMA International, is a quick maturity assessing tool not a re-statement of the Generally Accepted Recordkeeping Principles themselves; nor do all of the lines represent fully-mature characteristics.
As with ANY maturity assessment tool, the goal is to make available to the respondent a variety of characteristics that help you determine your relative maturity - not just an "am I perfect, or not perfect" answer.
You made an erroneous assumption that Line 50, which says "Records Managers responsible for paper records, IT responsible for electronic records" is a statement of ideal maturity. It merely represents ONE level of maturity that an IG program may be in.
There are plenty of examples throughout the Check Up that provide shades of maturity on a topic, for example:
Line 66 says "Some sort of Retention Schedule is available", while Line 67 says "Formal and current Retention Schedule is available".
The premise of the underlying scoring is that if you only have "some sort of schedule" you get one point; but if you have a formal and current schedule you get two points - and therefore are more mature.
I strongly encourage you to reconsider your assessment of the Health Check Up tool.
If you still feel the Principles or the Check Up are wrong, I'd love to hear the argument.
Julie J. Colgan, CRM
1. The Health Check Up Excel-based tool is a free maturity assessment developed and written by John Montana. It is not a restatement of the principles.
2. The Health Check Up serves as a "quick assessment" tool and is not intended to serve as a formal audit tool.
3. As with ANY maturity assessing tool, the questions asked will range from a low-maturity response to a high-maturity response.
Your assumption that Line 50 in the tool