Post on 29-Mar-2015
The Impact of Auditing on Records Management Risk and Compliance
Susan B. Whitmire, CRM, FAI
Manager, Enterprise Records and Information Management
BlueCross BlueShield of Tennessee
Agenda
- Definitions
- Risks
- Compliance
- Auditing
Records Management - Definitions
- Records and Information Management
- Generally Accepted Recordkeeping Principles
- ISO 15489
- Retention Schedule
Definitions - RIM
Records and Information Management (RIM): the systematic control of all recorded information an organization needs to do business, covering its creation, maintenance, use, preservation, protection and disposition. The information may reside on various forms of media.
RIM is designed to support the records management requirements of business processes and to reduce risks associated with litigation, investigation or audit through the proper management, protection and retention of information.
Definitions – ISO 15489
This standard defines records management as "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".
Definitions – Retention Schedule
An established timetable for maintaining an organization's records. It establishes uniform retention practices and avoids duplication of effort.
Application of retention:
- Context: a grouping of related documents = a record. A record is typically not a single email, Word document or Excel spreadsheet; folders provide the context.
- Event-based retention, for example: Closed + 5 years; Superseded + 10 years.
Why is it important?
Information is an asset; holds value for the organization
RIM ensures that needed information is retrievable, authentic and accurate, which requires:
- Setting and following organizational policies and best practices
- Identifying who is responsible and accountable for managing records
- Integrating best practices and process flows for information management throughout the organization
- Creating, communicating and executing procedures consistently
Records Management Risks
Risks:
- Keeping information too long or too short
- Protection
- Security
- Privacy
Where to look?
- Email
- Unstructured electronic information
- Content in systems and applications
- Backup and archive media
Records Management Risks
Keeping information too long or too short:
- Consistent practices according to policy (and the retention schedule)
- Demonstration of those practices to regulatory authorities
Protection from accidental or intentional events:
- Restoration
Records Management Risks
Security:
- Access to information beyond system access
Privacy:
- Destruction standards
- Proper disposal of the various forms of media that carry content
Records Management Risks
Classifying and ranking records and information management risks:
- Content
- Policies and Controls
- E-Discovery
- Generally Accepted Recordkeeping Principles (GARP) Maturity Model
GARP
Generally Accepted Recordkeeping Principles:
- Accountability
- Integrity
- Protection
- Compliance
- Availability
- Retention
- Disposition
- Transparency
http://www.arma.org/garp/garp.pdf
Records Management - Compliance
- Everyone is responsible for managing records and information
- Creating, using, retrieving, and disposing of records in accordance with the organization's established policies and procedures
Records Management - Auditing
- Mitigate records management risks
- Compliance with policies and procedures
- Compliance with the records retention schedule
- ISO 15489
Questions?
Susan_whitmire@bcbst.com 423-535-3328