Ensure Records are Assets with Focused Compliance.

Regulatory compliance starts where it ends: records. A business that is required to meet any kind of regulatory standard (every business) must have a good records management policy and process in place, preferably embedded within its Enterprise Content Management (ECM) system.

Regulatory compliance is often narrated in terms of quick documentation discovery, agency deadlines, and/or archival preservation, but those are all goals to be achieved. The means to these ends lie in end user adoption, internal ISO records standards policy, and a proper ECM governance system, all operating smoothly well before any compliance audit or government inspector requires documentation.

User Adoption:

The first area of focus for regulatory compliance should be on user adoption. A system is only as strong as those who use it. This is a topic large enough for its own post, or even an entire dissertation, so let us simply say that users must feel they are stakeholders in the process and that training is not just a class on system operational knowledge.

Focus on informing users how and why the processes will ultimately benefit them in their jobs. This is especially important in compliance as the benefit is often one of delayed gratification in avoidance of penalties and legal action, rather than an instant reduction of user workload. In fact, many times proper compliance requires additional steps to a user’s daily routine, and that must be accounted for with effective management strategies.

The solutions must be structured in a way the end user will immediately relate to. They must show how the process will be implemented within current business cases, with special attention to any habits or operations that will need to be significantly adjusted. Finally, don’t implement everything all at once. All your users will appreciate a step-by-step approach.

ISO 15489 & 16175:

Have standards for your records standards.

“ISO 15489 Information and documentation records management is an international standard for the management of business records, consisting of two (2) parts: Part 1: Concepts and principles and Part 2: Guidelines. ISO 15489 is the first standard devoted specifically to records management; providing an outline for comprehensive assessment of full and partial records management programs.”- www.iso.org

Some regulatory compliance is mandatory, a legal obligation related to your industry, but some regulatory compliance is optional in terms of legal compliance. Just because it is an option doesn’t mean your organization can disregard it. The inherent implementation and application of ISO 15489 and 16175 will help you meet many of the numerous ISO compliance standards for security, reliability, and quality of Records Management that no organization should be without. Specifically:

  •  ISO 15489 is devoted specifically to records management; the principles, guidelines, and records control policies
  •  ISO 15489 allows for comprehensive assessment of records management systems
  •  ISO 16175 is devoted to the principles and guidelines of functional requirements for digital records management systems
  •  ISO 16175 allows for standardization of records in business systems across electronic office environments

ECM Governance:

Every Enterprise Content Management system must include a governance program to define what information can be used, by whom, and in what context. This is as large a topic as user adoption, but we will limit it to the access, permissions, and monitoring components of records. We are almost entirely concerned with data security and data privacy in organizational records, which are the two biggest risks to records becoming an enterprise liability.

To reduce risks, implement ECM security and privacy governance actions and policies as listed below:

  • Rule setting should be straightforward and metadata should direct which record declarations are sent to the file plan
  • File plans are configurable to give effortless control over retention schedules for review, hold, transfer, archive, disposition and destruction of records as needed
  • Administrative functions individualized for report generation and rules definition with digital signature, encryption, and authentication features
  • Create as many classification guides as required with automatic redaction of sensitive information, data encryption, and certified authentication
  • Mandatory permissions-based access for records file plans, transfer requests, and borrow requests

Beyond protection of access, the secured storage of records in accordance with archival regulations is a tremendous factor of risk reduction in compliance governance. Your ECM should provide granular access controls with intelligent security permissions to specific archives, as well as traceable audit tracking for records being stored, borrowed, and hopefully, returned on time. Also, notifications should be sent automatically to overdue borrowers of records, and if those are ignored, it is acceptable to remind via blog post… looking at you John. Lastly, connectors allowing manage in place, migrate on-demand, or migrate with manage in place options significantly reduce audit liabilities.

Regulatory compliance relies on strong ECM records management, and that in turn relies on good people, but the people must also rely on a strong ECM records management platform. If the platform is too difficult to use, or not integrated well enough, then users will simply choose not to use it. That is why you should rely on a proven provider of services with verified experience and accomplishment, like Skytizens. Learn more about Regulatory Compliance, General Governance, Security and Controlled Access, or Contact Us to get a detailed consultation.
