Just to clarify (because email is hard way to express my intent), I am not against ARMA attempting to establish information governance criteria, but as an auditor and a records manager, I have concerns.  I am not trying to pick a fight, but point out things that I have not seen addressed in the emails on this subject.

I would hate to see a lot of effort put into a new framework and have it die on the vine like SII (which was a great concept in my opinion because I badly needed to cross over into IT environments, but the execution was a bit confusing for me...I never got what my employers told me I needed). This is going to be an expensive effort and will require a great deal of strategic planning to promote acceptance outside of ARMA. Historically, ARMA has had some opportunities to improve the track record on that score.

I am questioning why so many groups are consolidating their efforts on risk management frameworks that are shared by many groups responsible for risk management, security, information governance, corporate compliance, disaster recovery, business continuity, internal audit, etc.? And, I am asking why ARMA thinks that they can do it better when auditing and risk management has not been one of the strong core functions although it is part of what we should do whether we like it or not? I cannot remember a single time when formal education has been offered on the subject of writing audit plans, creating audit work papers, or creating strong controlled self-assessments. There have been some presentations on the NEED to do it, but I have seldom seen presentations on how to do it in accordance with generally accepted audit guidelines that would be accepted by an internal audit organization.

I recall that many have stated on this listserv that "a record is a record is a record..." regardless of the media. So, why does their need to be a separate framework for paper records when COBIT, ITIL, and at least four other information security/risk management frameworks are addressing retention scheduling, record classification, management of output (queries, reports, search results, etc.), destruction, and lifecycle management of information, alternate media management (paper, disks, fiche, film), etc.? And, if our framework is going to address all records regardless of the media, including electronic records, why not take a look at what has already been adopted for widespread use in the governance industry and make strategic alliances to influence changes that address those controls that we feel need further refinement? ARMA does have a lot to offer, but I am not yet convinced that we should take a "stand alone and apart" approach since I've actually worked in compliance and internal audit departments and hold some of those credentials. It may be one of the reasons that CRM's are not recognized as part of the risk management/compliance "cloud" that is forming around these risk management frameworks and driving further refinement. Maybe we should consider mainstreaming as part of a larger effort to help our organizations perform risk management/governance/compliance activities rather than simply functioning as a "service" organization as we are often perceived.

If we are going to write a new framework (and I am open to any argument that we might a separate framework if there are valid reasons why we cannot add on ot the existing frameworks as other groups have done successfully), who is qualified to write that framework? This is not an inference that no one at ARMA is qualified, but rather I am asking who is qualified to write that framework so that it has validity in the eyes of other professionals that we are going to market it to as a tool for governance, compliance, risk management, diaster recovery planning and business continuity, business process planning, etc.? Why will they want to switch nationally recognized, accepted models that they are currently using to adopt ours instead? Do we have qualified, experienced professionals in those areas at ARMA or are we going to develop strategic alliances to bring those areas of expertise to the table?  If not, how are we going to gain global acceptance of the framework by those professionals in lieu of frameworks that are more mature?  How do we plan to get our organization compliance, internal audit, IT, risk management, and IT governance groups to use the new criteria?  It is one thing to write a framework, and quite another to get other groups who are supposed to use it to see the value.  It is why there are multiple frameworks already in existence today and many argue the value of one or the other depending on which approach to risk management/governance/compliance best fits the organization.

Is adding another framework to the mix the only way to achieve acceptance of best practice in our industry? I just think that some further feasibility studies ought to be done. Whether or not ARMA thinks it is qualified to write a new framework is one issue. Whether or not other professional groups that are expected to use it in order to measure us against best practice are going to give it credibility and use it is another. So, as an auditor and a records manager who has used other frameworks, I am asking....have we considered other options besides a new, standalone framework that might possibly not gain much acceptance outside of ARMA itself?  If not, I think that we should consider increasing the likelihood of acceptance by joining forces with other groups who also control, audit, secure, govern, and manage compliance to see how we can encourage acceptance of our profession as part of the risk management "cloud" of professionals who work hard to assess their organizations and/or close the gaps?

Warmest regards,
Angie Fares


Angela Fares

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]