So wrote a designer on planning a kitchen. You can build it fast and cheap, but it won't be everything you dreamed. You can build it fast and beautiful, but it won't be cheap. Or, you can build in everything you ever wanted and at a fair price, but it will be a long, slow process. I love this description because it warns the buyer that there will be compromises, but they still have the power to decide which way they want to go. (Here's a book on kitchen renovations that looks like it provides decent value for the money, Kitchen Redos, Revamps, Remodels, And Replacements: Without Murder, Madness, Suicide, Or Divorce
)Another favorite slogan of mine, from Shel Busey, home repair guru, is "Good, Better, Best". When offering solutions to a caller on his Saturday morning show, he gives them the good, better and best options, and what they get for their money. Again, the power is left in the consumer's hands, and they get a sense of what they are getting for their money.
I wonder as records and information management professionals, if we fail to engage our customer when we demand that the offered solution (such as an ECM implementation) have a perfect score. It may be that the consumer can settle for a less than perfect solution, if it meets their needs and budget. Which leads to the question, can we provide a heirarchy to the principles that an offered solution must meet up to?
I think we can, and while reviewing the eight principles of Generally Accepted Recordkeeping Principles (GARP), I propose the following order of criticality - Availability, Integrity, Protection, Retention, Disposition, Accountability, Compliance and Transparency.
Why did I pick availability as the most critical principle? At the end of the day, if you can't find what you need, you might as well pack it in. This is the reason businesses buy in to our solutions. But even within this principle, we need to engage our customer to find out what level of availability is critical. Can they tolerate delays in locating some types of information? How long can it be; seconds, minutes, hours? Very likely though, if some information falls in to the black hole of "never found again", the proposed solution fails.
About integrity of data, if we can't trust that what we put in stays the same, the system fails. I might point out that even in the paper world, we've never achieved perfect integrity. Check out files that have aged more than ten years. Check the quality of heat-sensitive paper like the receipts from the store, or ageing, brittle newspaper. We have coffee stains. We have bleeding markers. We have illegible handwriting, bad copies, ripped pages. If we have always lived with some degree of failure, can't we tolerate at least the same level of risk in the electronic world? Of course with data, errors loom large. A slip of a key and thousands of records can be lost.
All systems need some protection against unauthorized access. When I relate to levels of protection, I think of the various online registration processes out there. The general process is to provide your e-mail address, some personal information, and a password. Some verifying information is asked for, such as your mother's maiden name. An e-mail is sent to the provided address, confirming the person and place. When you respond by the link provided, you are registered. It is the registrant's responsibility to keep the password private. As hackers and 'bots have gained sophistication, new verifying elements have been added, such as those funny wiggly words.
I'm fairly comfortable in the e-world, and have registered and shopped all over the web. I've breezed through some registration processes, and wept bloody tears through the painful ones. If you would like to sample my pain, try out the Canada Revenue Agency registration process. You will be asked verifying personal information to a degree that reeks of paranoia. Can I even remember the name of my first love? Perhaps their degree of protection is justified. I wouldn't want my tax refund to go to someone else.
Applying Shel Busey's good-better-best principle, a consumer must evaluate their risk of exposure. If there is no money involved, and the personal information mundane (Harry registered for a fishing license), the level of protection does not need to be as secure.
I rated retention and disposition next, for the longevity of the system and protection of the organization in case of litigation. Contrary to the pack rat's base instincts, it is usually not in the organization's best interest to have random aged records hanging around. Once hit with litigation, all disposals are halted, and these bits and pieces of ancient history become potential evidence. Besides the high cost of managing, cataloguing, and referencing this old information, there may be bits of embarrassing comments buried in the muck. So there has to be a facility to retain records only as long as is needed for business purposes. As information professionals, we should be encouraging our businesses to develop simple retention schedules, easily applied. The simpler the schedule, the simpler the application developed to support it.
Accountability, compliance and transparency all have to do with the human element of managing a system. Here are the systems to make sure everyone knows what their responsibilities are and are doing what they are supposed to be doing. They are all critically important in supporting a high quality information management system. If these principles are critical, why did I rate them last? A consumer is not buying a product to be a watchdog on their own behavior. The assumption always is that everyone knows what they should be doing, and are honorable in fulfilling those duties. Checks and balances are there to catch the exceptions to the rule, the cheaters. Aside from audit logs, the checking of behavior is a matter of good written policy, consistently applied. Don't fault the system for a human failing. Businesses who are dealing with money, personal information, or attractive assets, must have more stringent checks and balances.
