Records management, also known as records and information management, is an organizational function devoted to the management of information in an organization throughout its life cycle, from the time of creation or receipt to its eventual disposition. This includes identifying, classifying, storing, securing, retrieving, tracking and destroying or permanently preserving records. The ISO 15489-1:2001 standard ("ISO 15489-1:2001") defines records management as "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".
An organization's records preserve aspects of institutional memory. In determining how long to retain records, their capacity for re-use is important. Many are kept as evidence of activities, transactions, and decisions. Others document what happened and why. The purpose of records management is part of an organization's broader function of governance, risk management, and compliance and is primarily concerned with managing
A backup site. A hot site is fully equipped to resume operations while a cold site does not have that capability. A warm site has the capability to resume some, but not all operations. A cost-benefit analysis is needed. Data backup: An audit of backup processes determines if (a) they are effective, and (b) if they are actually being implemented by the involved personnel. The disaster recovery plan also includes information on how best to recover any data that has not been copied. Controls and protections are put in place to ensure that data
A "lessons learned" brainstorming session. To maximize their effectiveness, DRPs are most effective when updated frequently, and should: Adequate records need to be retained by the organization. The auditor examines records, billings, and contracts to verify that records are being kept. One such record is a current list of the organization's hardware and software vendors. Such a list is made and periodically updated to reflect changing business practices and as part of an IT asset management system. Copies of it are stored on and off site and are made available or accessible to those who require them. An auditor tests
A badly planned transport system, every individual route will operate, but the network will lack the qualities that allow them to work together effectively. If not integrated, if tackled in a traditional "silo" approach, most organizations must sustain unmanageable numbers of GRC-related requirements due to changes in technology, increasing data storage, market globalization and increased regulation. A GRC program can be instituted to focus on any individual area within
A control log to track access. Digital records systems may include role-based access controls, allowing permissions (to view, change and/or delete) to be allocated to staff depending on their role in the organization. An audit trail showing all access and changes can be maintained to ensure the integrity of the records. Just as the records of the organization come in a variety of formats, the storage of records can vary throughout
A correlation between higher spending on auditing fees and lower rates of incidents. According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a Disaster Recovery Plan consists of 10 steps: Initial testing is done in sections and after normal business hours to minimize disruptions. Subsequent tests occur during normal business hours. Due to high cost, various plans are not without critics. Dell has identified five "common mistakes" organizations often make related to BCP/DR planning: Site designation: choice of
A disaster". The disaster could be natural, environmental or man-made. Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam or even "fat fingers" - or errant commands entered - on a computer system). Although there is no one-size-fits-all plan, there are three basic strategies: The latter may include securing proper insurance policies, and holding
A domain specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors. Domain specific GRC vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. For example, within financial processing — that
A need for close working relations between records managers and IT managers, particularly including the legal aspects, focused on compliance and risk management. Privacy, data protection, and identity theft have become issues of increasing interest. The role of the records manager in the protection of an organization's records has grown as a result. The need to ensure personal information is not retained unnecessarily has brought greater focus to retention schedules and records disposal. The increased importance of transparency and accountability in public administration, marked by
A need for effective management of such records. Implementing required changes to organisational culture is a major challenge, since records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. Reputational damage caused by poor records management has demonstrated that records management is the responsibility of all individuals within an organization. An issue that has been very controversial among records managers has been
A record so they can be managed. Once declared, a record cannot be changed and can only be disposed of within the rules of the system. Records may be covered by access controls to regulate who can access them and under what circumstances. Physical controls may be used to keep confidential records secure – personnel files, for instance, which hold sensitive personal data, may be held in a locked cabinet with
A record, modification of a record, movement of a record through its different states while in existence, and destruction of a record. Throughout the records life cycle, issues such as security, privacy, disaster recovery, emerging technologies, and mergers are addressed by the records and information management professional responsible for organizational programs. Records and information management professionals are instrumental in controlling and safeguarding
A review of existing MOA and contracts to ensure that the organization's legal liability for lack of performance in the event of disaster or any other unusual circumstance is minimized. Agreements pertaining to establishing support and assisting with recovery for the entity are also outlined. Techniques used for evaluating this area include an examination of the reasonableness of the plan, a determination of whether or not
A review of the ratings assigned by independent rating agencies, that the insurance company or companies providing the coverage have the financial viability to cover the losses in the event of a disaster. Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster. A good DR audit will include
A rift in a corporate environment. However, there are vendors in the marketplace that, while remaining domain-specific, have begun marketing their product to end users and departments that, while either tangential or overlapping, have expanded to include the corporate internal audit (CIA) and external audit teams (tier 1 big four AND tier two and below), information security and operations/production as
A risk will either relate to the absence of a control (need to update governance) and/or the lack of adherence to (or poor quality of) an existing control. An initial goal of splitting out GRC into a separate market has left some vendors confused about the lack of movement. It is thought that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in general causes
A round-the-clock disaster recovery effort are included in any good disaster recovery plan. Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies are clearly written and tested. This can generally be accomplished by the company through good training programs and a clear definition of job responsibilities. A review of the readiness capacity of
A separate, non-degreed, professional certification for practitioners, the Certified Records Manager designation or CRM. Governance, risk management, and compliance Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance. The first scholarly research on GRC
A size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information. Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC matrices. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from providing real-time GRC executive reports. GRC supposes that this approach, like
A specific industry or set of industries. Examples include but are not limited to medical industry records (e.g., the Health Insurance Portability and Accountability Act), pharmaceutical industry records, and food industry records. Legal hold records are those records that are mandated, usually by legal counsel or compliance personnel, to be held for a period of time, either by a government or by an enterprise, and for
A system may be paper-based (such as index cards as used in a library), or may involve a computer system, such as an electronic records-management application. A defensible solution is one that can be supported with clearly documented policies, processes and procedures that drive how and why work is performed, as well as one that has clearly documented proof of behavior patterns, proving that an organization follows such documented constraints to
A variety of forms of expertise. Commercially available products can manage records through all processes: active, inactive, archival, retention scheduling and disposal. Some also utilize RFID technology for the tracking of physical files. The general principles of records management apply to records in any format. Digital records, however, raise specific issues. It is more difficult to ensure that
A viable purpose. However, because they tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for GRC management are incorporated at the design stage, as part of a coherent framework. GRC vendors with an integrated data framework are now able to offer custom built GRC data warehouse and business intelligence solutions. This allows high value data from any number of existing GRC applications to be collated and analysed. The aggregation of GRC data using this approach adds significant benefit in
Is a record needed to perform current operations, subject to frequent use, and usually located near the user. In the past, 'records management' was sometimes used to refer only to the management of records which were no longer in everyday use but still needed to be kept – "semi-current" or "inactive" records, often stored in basements or offsite. More modern usage tends to refer to the entire "lifecycle" of records – from
Is a record that is no longer needed to conduct current business but is being preserved until it meets the end of its retention period, such as when a project ends, a product line is retired, or the end of a fiscal reporting period is reached. These records may hold business, legal, fiscal, or historical value for the entity in the future and, therefore, are required to be maintained for a short or permanent duration. Records are managed according to
Is achieved through the design, maintenance, and application of taxonomies, which allow records managers to perform functions such as the categorization, tagging, segmenting, or grouping of records according to various traits. Enterprise records represent those records that are common to most enterprises, regardless of their function, purpose, or sector. Such records often revolve around the day-to-day operations of an enterprise and cover areas such as, but not limited to, litigation, employee management, consultant or contractor management, customer engagements, purchases, sales, and contracts. The types of enterprises that produce and work with such records include but are not limited to for-profit companies, non-profit companies, and government agencies. Industry records represent those records that are common and apply only to
Is not damaged, altered, or destroyed during this process. Drills: Practice drills conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor's primary concern here is verifying that these drills are being conducted properly and that problems uncovered during these drills are addressed. Backup of key personnel - including periodic training, cross-training, and personnel redundancy. The auditor determines
Is predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty. Compliance refers to adhering to the mandated boundaries (laws and regulations) and voluntary boundaries (company's policies, procedures, etc.). GRC is a discipline that aims to synchronize information and activity across governance, and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations. Organizations reach
Is someone who is responsible for records management in an organization. Section 4 of the ISO 15489-1:2001 states that records management includes: Thus, the practice of records management may involve: Records-management principles and automated records-management systems aid in the capture, classification, and ongoing management of records throughout their lifecycle. ARMA International defines records management as "the field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organization's records and information". Such
Is tied to the tracking of records through their entire information life cycle so that it's clear, at all times, where a record exists or if it still exists at all. The tracking of records through their life cycles allows records management staff to understand when and how to apply records related rules, such as rules for legal hold or destruction. As the world becomes more digital in nature, an ever-growing issue for
Is typically measured in terms of two key concepts: An auditor examines and assesses A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after
Records management - Misplaced Pages Continue
Is unclear if an IRS auditor would accept a JPEG, PNG, or PDF format scanned copy of a purchase receipt for a deducted expense item. While public administration, healthcare and the legal profession have a long history of records management, the corporate sector has generally shown less interest. This has changed in recent years due to new compliance requirements, driven in part by scandals such as
The Enron/Andersen affair and more recent problems at Morgan Stanley. Corporate records compliance issues including retention period requirements and the need to disclose information as a result of litigation have come to be seen as important. Statutes such as the US Sarbanes–Oxley Act have resulted in greater standardization of records management practices. Since the 1990s the shift towards electronic records has seen
The School of Library, Archival and Information Studies at the University of British Columbia, in Vancouver, British Columbia, Canada, the InterPARES Project is a collaborative project between researchers all across the world committed to developing theories and methodologies to ensure the reliability, accuracy, and authenticity of digital records. Functional requirements for computer systems to manage digital records have been produced by
The US Department of Defense, The United Kingdom's National Archives and the European Commission, whose MoReq (Model Requirements for the Management of Electronic Records) specification has been translated into at least twelve languages funded by the European Commission. Particular concerns exist about the ability to access and read digital records over time, since the rapid pace of change in technology can make
The (business) operations that are managed and supported through GRC. In applying this approach, organisations long to achieve the objectives: ethically correct behaviour, and improved efficiency and effectiveness of any of the elements involved. Disaster recovery plan Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning (and its subset IT service continuity planning) covers
The DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur. Therefore, BCP consists of five component plans: The first three components (business resumption, occupant emergency, and continuity of operations plans) do not deal with the IT infrastructure. The incident management plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization's IT systems, it generally does not represent an agent for activating
The DRP; thus DRP is the only BCP component of active interest to IT. The overall categorization of tests is functional- and discussion-based. Types of tests include: tabletop exercises, checklists, simulations, parallel processing (testing recovery site while primary site is in operation), and full interruption (fail over) tests. These apply to both BC and DR. Like every insurance plan, there are benefits that can be obtained from proper business continuity planning, including: Studies have shown
The IT GRC management market into these key capabilities. The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts do not fully agree on the market segmentation, vendor positioning can increase the confusion. Owing to
The ability of a business to continue critical functions and business processes after the occurrence of a disaster, whereas DR refers specifically to the IT functions of the business, albeit a subset of BC. The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable. Minimizing downtime and data loss during disaster recovery
The adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research. Among the items that the auditor needs to verify are: the scope of the policy (including any stated exclusions), that the amount of coverage is sufficient to cover the organization's needs, and that the policy is current and in force. The auditor also ascertains, through
The best of their ability. While defensibility applies to all aspects of records life cycle, it is considered most important in the context of records destruction, where it is known as "defensible disposition" or "defensible destruction", and helps an organization explicitly justify and prove things like who destroys records, why they destroy them, how they destroy them, when they destroy them, and where they destroy them. Records managers use classification or categorization of record types to logically organize records created and maintained by an institution. Such classifications assist in functions such as creation, organization, storage, retrieval, movement, and destruction of records. At
The board itself. Governance, risk management, and compliance are three related facets that aim to assure an organization reliably achieves objectives, addresses uncertainty and acts with integrity. Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organization's structure and how it is managed and led toward achieving goals. Risk management
The business of the organization. Correspondence regarding a product failure is written for internal leadership, financial statements and reports are generated for public and regulatory scrutiny, the old corporate logo is retired, and a new one – including color scheme and approved corporate font – takes its place in the organization's history. Examples of records phases include those for creation of
The content, context and structure of records is preserved and protected when the records do not have a physical existence. This has important implications for the authenticity, reliability, and trustworthiness of records. Much research is being conducted on the management of digital records. The International Research on Permanent Authentic Records in Electronic Systems (InterPARES) Project is one example of such an initiative. Based at
The core disciplines – Governance, Risk Management and Compliance – consists of the four basic components: strategy, processes, technology and people. The organisation's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and rules are now to be merged in an integrated, holistic and organisation-wide (the three main characteristics of GRC) manner – aligned with
The dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication. Broadly, the vendor market can be considered to exist in three segments: Integrated GRC solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in
The early identification of risk and business process (and business control) improvement. Further benefits to this approach include (i) it allows existing, specialist and high value applications to continue without impact (ii) organizations can manage an easier transition into an integrated GRC approach because the initial change is only adding to the reporting layer and (iii) it provides a real-time ability to compare and contrast data value across systems that previously had no common data scheme. Each of
The early theorization of archives as organic aggregations of records, that is "the written documents, drawings and printed matter, officially received or produced by an administrative body or one of its officials". Not all documents are records. A record is a document consciously retained as evidence of an action. Records management systems generally distinguish between records and non-records (convenience copies, rough drafts, duplicates), which do not need formal management. Many systems, especially for electronic records, require documents to be formally declared as
The enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework. A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions. When reviewed as individual GRC areas,
The entire organization, while disaster recovery focuses on IT. Auditing documents covering an organization's business continuity and disaster recovery (BCDR) plans provides a third-party validation to stakeholders that the documentation is complete and does not contain material misrepresentations. Often used together, the terms business continuity (BC) and disaster recovery (DR) are very different. BC refers to
The evidence of an organization's activities as well as the reduction or mitigation of risk associated with it. Recent research shows linkages between records management and accountability in governance. The concept of record is variously defined. The ISO 15489-1:2016 defines records as "information created, received, and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in
The general public to access permanent records. Archives New Zealand is also setting up a digital archive. Electronic Tax Records are computer-based/non-paper versions of records required by tax agencies like the Internal Revenue Service. There is substantial confusion about what constitutes acceptable digital records for the IRS, as the concept is relatively new. The subject is discussed in Publication 583 and Bulletin 1997-13, but not in specific detail. Businesses and individuals wishing to convert their paper records into scanned copies may be at risk if they do so. For example, it
The highest level of classification are physical versus electronic records. (This is disputable; records are defined as such regardless of media. ISO 15489 and other best practices promulgate a functions based, rather than media based classification, because the law defines records as certain kinds of information regardless of media.) Physical records are those records, such as paper, that can be touched and which take up physical space. Electronic records, also often referred to as digital records, are those records that are generated with and used by information technology devices. Classification of records
The hold location. A records retention schedule is a document, often developed using archival appraisal concepts and analysis of business and legal contexts within the intended jurisdictions, that outlines how long certain types of records need to be retained for before they can be destroyed. For the retention schedule to be utilized a number of guidelines need to be put in place so as to be considered for implementation. Managing physical records involves different disciplines or capabilities and may draw on
The importance of context and process in the determination and meaning of records. In contrast, previous definitions have emphasized the evidential and informational properties of records. In organizational contexts, records are materials created or received by an organization in the transaction of business, or in pursuit of or in compliance with legal obligations. This organizational definition of record stems from
The information assets of the entity. They understand how to manage the creation, access, distribution, storage, and disposition of records and information in an efficient and cost-effective manner using records and information management methodology, principles, and best practices in compliance with records and information laws and regulations. The records continuum theory is an abstract conceptual model that helps to understand and explore recordkeeping activities in relation to multiple contexts over space and time. A records manager
The life cycle of information, including creation, maintenance (use, storage, retrieval), and disposal, regardless of media". The records life-cycle consists of discrete phases covering the life span of a record from its creation to its final disposition. In the creation phase, records growth is expounded by modern electronic systems. Records will continue to be created and captured by the organization at an explosive rate as it conducts
The most common individual headings are considered to be Financial GRC, Operational GRC, WHS GRC, IT GRC, and Legal GRC. The AICD (Australian Institute of Company Directors) however splits risk into three super groups Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas: They further divide
The organization. File maintenance may be carried out by the owner, designee, a records repository, or clerk. Records may be managed in a centralized location, such as a records center or repository, or the control of records may be decentralized across various departments and locations within the entity. Records may be formally and discretely identified by coding and housed in folders specifically designed for optimum protection and storage capacity, or they may be casually identified and filed with no apparent indexing. Organizations that manage records casually find it difficult to access and retrieve information when needed. The inefficiency of filing maintenance and storage systems can prove to be costly in terms of wasted space and resources expended searching for records. An inactive record
The plan takes all factors into account, and a verification of the contracts and agreements reasonableness through documentation and outside research. The auditor must verify that planning ensures that both management and the recovery team have effective communication hardware, contact information for both internal communication and external issues, such as business partners and key customers. Audit techniques include Procedures to sustain staff during
The point of creation right through until their eventual disposal. The format and media of records is generally irrelevant for the purposes of records management from the perspective that records must be identified and managed, regardless of their form. The ISO considers management of both physical and electronic records. Also, section DL1.105 of the United States Department of Defense standard DoD 5015.02-STD (2007) defines Records Management as "the planning, controlling, directing, organizing, training, promoting, and other managerial activities involving
4536-446: The procedures used to meet this objective and determine their effectiveness. Disaster recovery is a subset of business continuity. Where DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, BCP involves keeping all aspects of a business functioning regardless of potential disruptive events. As such, a business continuity plan is a comprehensive organizational strategy that includes
4608-514: The purposes of addressing potential issues associated with compliance audits and litigation. Such records are assigned Legal Hold traits in addition to the classifications that result from enterprise or industry classifications. Legal hold data traits may include but are not limited to things such as legal hold flags (e.g. Legal Hold = True or False), the organization driving the legal hold, descriptions of why records must be legally held, what period of time records must be held for, and
4680-607: The records management community is the conversion of existing or incoming paper records to electronic form. Such conversions are most often performed with the intent of saving storage costs, storage space, and in hopes of reducing records retrieval time. Tools such as document scanners, optical character recognition software, and electronic document management systems are used to facilitate such conversions. Many colleges and universities offer degree programs in library and information sciences which cover records management. Furthermore, there are professional organizations which provide
4752-496: The retention schedule. Once the life of a record has been satisfied according to its predetermined period and there are no legal holds pending, it is authorized for final disposition, which may include destruction, transfer, or permanent preservation. A disaster recovery plan is a written and approved course of action to take after a disaster strikes that details how an organization will restore critical business functions and reclaim damaged or threatened records. An active record
4824-727: The software used to create the records obsolete, leaving the records unreadable. A considerable amount of research is being undertaken to address this, under the heading of digital preservation. The Public Record Office Victoria (PROV), located in Melbourne, Australia, published the Victorian Electronic Records Strategy (VERS), which includes a standard for the preservation, long-term storage and access to permanent electronic records. The VERS standard has been adopted by all Victorian Government departments. A digital archive has been established by PROV to enable
4896-594: The target audience. This approach provides a more 'open book' approach into the process. Having the production team audited by CIA using an application that production also has access to is thought to reduce risk more quickly, as the end goal is not to be 'compliant' but to be 'secure,' or as secure as possible. Various automation-based GRC tools available on the market can also reduce the workload. Point solutions to GRC are marked by their focus on addressing only one of its areas. In some cases of limited requirements, these solutions can serve
4968-464: The transaction of business". While there are many purposes of and benefits to records management, as this definition highlights, a key feature of records is their ability to serve as evidence of an event. Proper records management can help preserve this feature of records. Recent and comprehensive studies have defined records as "persistent representations of activities" as recorded or created by participants or observers. This transactional view emphasizes
5040-502: The uncritical adoption of electronic document and records management systems. Another issue of great interest to records managers is the impact of the internet and related social media, such as wikis, blogs, forums, and companies such as Facebook and Twitter, on traditional records management practices, principles, and concepts, since many of these tools allow rapid creation and dissemination of records and, often, even in anonymous form. A difficult challenge for many enterprises
5112-618: The widespread adoption of freedom of information laws, has led to a focus on the need to manage records so that they can be easily accessed by the public. For instance, in the United Kingdom, Section 46 of the Freedom of Information Act 2000 required the government to publish a Code of Practice on Records Management for public authorities. Similarly, European Union legislation on Data Protection and Environmental Information, requiring organisations to disclose information on request, create
5184-419: Was published in 2007 where GRC was formally defined as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." The research referred to common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and