Taina,
I would get some type of approval from your legal department before
putting any GAPs explanation into policy or any official documentation. My
experience is that they don't want anything written that can point to
noncompliance at any definitive point in time.
That being said I fully agree that risk assessments and GAP analysis
should be used to gain support for a RIM project and then developing a
plan and/or course of action moving forward. It should not be used to
CYA for noncompliance to the current situation.
My 2 cents on a snowy day in Iowa
Steve Petersen CRM
Records Manager
Rockwell Collins Inc
319.295.5244
"Bringing Order Out of Chaos"
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance