Few topics are so important, yet so unexciting to most, as compliance records management and control (Records Control). The importance stems from compliance records’ primary roles: memorializing, educating, informing and evidencing the existence of a genuine program, or not. (And where the latter case exists, it is often because regulators have applied the adage “if it doesn’t exist in writing, it doesn’t exist” to conclude that an insufficiently documented program meant that a real program was not in place.)
The unexciting element is a function of the essence of the task: paper (or electronic equivalent) shuffling. But with the compliance records quantity and variety generated by organizations of any reasonable size, there needs to be a systematic “method to the madness”, and the art performed by administrative assistants (with good memories) in the past has now evolved into more of a science.
In simple terms, Records Control is basic organization: placing a draft or completed compliance record or file in a “place” or “places” where it can readily be identified and retrieved – and then applied, changed, linked and so forth. Phrased differently, Records Control works well if the system’s contents are easily accessible, current and actually used by the appropriate persons for overall compliance program management.
It all sounds so logical and straight-forward – and therein lies the danger. What is required is discipline, a system that makes sense to those who use it, and a roadmap to get there.
This article provides the latter, a non-technical four step path for taking a collection of compliance records spread throughout an organization and placing them into a Records Control system, and in so doing, turning a potential program liability into an objectively recognizable program asset.
Step 1: Assess
Lao Tzu had it right: “the longest journey begins with a single step.”
As daunting as the overall task may seem, breaking it down into smaller pieces helps, and assessing certain current and foreseeable matters that apply to your organization, its compliance program and the current state of Records Control is a good first step.
Consider, for example:
- How likely is it that the organization’s risk appetite, existing operations and/or strategic plans will place increasing demands on the compliance program, and therefore on any Records Control system?
- The compliance program currently consists of, or is supported by (directly and indirectly) what types of records?
- Where are these records located, and in what form?
- How long does it take to retrieve each such record, and what persons or systems are required to retrieve that record?
- How accurate is each such record?
The answers to the above types of questions help inform the “Design” (step 2) in the new Records Control system process.
Step 2: Design
As the Chief Compliance Officer (CCO) (and any task force member, if you choose to involve others in this form) step back to consider what the end product should look like based on the answers. One of the primary design and operational considerations that should come to mind is DELEGATION.
The system should be designed in a way that minimizes the involvement of the CCO or others at senior levels in the day to day administration of the system. The CCO’s time is well spent on helping to design the approach and making it fit the organization’s present and foreseeable needs; the day to day management can and should be delegated to others.
What is needed, if the system is to remain manual, is a smart, organized and motivated individual to manage what emerges from the design phase. Even better, let that person spend far less time on Records Control management tasks by using a SaaS (software as a service)-based compliance management system that has all compliance materials in an automated ‘system of record’.
The best of these offerings are workflow tools for compliance that help manage key compliance tasks (e.g. risk assessments, supplier due diligence, policy-signing, e-learning content distribution) and that also have built in repositories for associated records.
A second key design consideration, for organizations of all sizes, is SCALABILITY. For any number of ordinary course of business and related compliance reasons, it is likely that the volume and overall quantity of compliance records that will need Records Control will increase – particularly if there is any mergers and acquisition or investigative activity. Anticipate and prepare for this certainty.
A third design consideration is USABILITY – will the intended users naturally gravitate to and use the system because of its simplicity, ease of use and/or value? If not, the exercise is that much more difficult – and the risks of non-use (e.g. incomplete, inaccurate or non-current compliance records) substantially increase, with attendant heightened risk for the overall program. Emphasize simplicity and ease of use.
The design also needs to reflect the basics of a complete records management approach, namely:
- Inventory: e.g. what exists where, in what forms, in what quantities and in what categories?
- Retention: e.g. focusing on the actual need cases associated with a given record’s lifecycle
- Usage strategy: e.g. general filing/storage, conversion, vital records classification and treatment
- Disaster prevention/recovery planning: e.g. having a separate Records Control prevention and recovery plan, as part of overall business continuity plans
- Disposition: e.g. transfer or destruction consistent with records retention plan and varying record needs
Step 3: Build
If you proceed with a manual system, now is the time to select the Records Control system administrator.
As CCO, you want that person to “own” the system and the associated tasks and responsibilities – so enhance that proprietary feeling by making him/her a full partner in the creation of the actual system by:
- Sharing the goals, anticipated management and control needs, and pro’s and con’s of the system as expressed in the design, and asking them to do a “fresh eyes” review: no pride of authorship, and no assumptions or projections are written in stone – ask him/her to give you his/her best thinking on how the Records Control system design can be improved.
- Investing in this person, and having them attend (physically or online) a records management or information governance course and/or obtain a certificate from one of the many learning providers in this space. The additional confidence gained from the combination of the positive gesture by the organization towards the individual and the subject matter expertise acquired through the course(s) may prove to be money well spent as the enormity of the task becomes apparent.
- Giving them latitude to involve other colleagues in the build (and review of design) project phases.
If you elect to use a SaaS-based system, the Build phase is largely completed. There may be various workflow components to select (e.g. the particular vendor’s training course offerings or automated connections - through “APIs” or application program interfaces - to training already used by the organization.)
The number of system users will also dictate variable system pricing. And the system administrator will still benefit from inclusionary activities along the lines described above, albeit with the workflow foundation of the SaaS system in place.
Step 4: Monitor/Audit
Regulatory investigations finding an inadequate Records Control system can carry major adverse consequences for companies and therefore having an “effective compliance program” (within the meaning of the US Sentencing Guidelines) in place is instrumental. Testing of the both the system’s design and operational aspects is also a necessity.
To help understand the nature and scope of the real-time monitoring and periodic auditing of the Records Control system, consider:
- What system capabilities are likely to get the most traffic and have the most users?
- What parts of the system are likely to be of the most interest to external threat actors (or internal parties acting on behalf of external threat actors)?
- What safeguards are in place concerning sensitive or otherwise desirable Records Control system information, and how would any attempt to circumvent these safeguards be flagged and escalated?
- What are leading practices, as found in ISO or other standards, for records management, and how is the Records Control system aligning with or inconsistent with any such standard(s)?
The compliance policy and law enforcement landscape has evolved rapidly in the last 12 months. In the Foreign Corrupt Practice Act/anti-corruption area, for example, the US Department of Justice has made policy shifts emphasizing the prosecution of individuals in bribery cases (the Yates Memo) and has introduced a pilot program to incentivize companies to self-disclose in return for reduced fines (the Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance.)
Similarly, in the UK, there has been an increase in the number of bribery-related prosecutions. And a new “by business, for business” anti-bribery standard is due to be released later this year: ISO 37001 – Anti-bribery management systems.
The need has never been greater for compliance chiefs to have organized and readily available records to demonstrate compliance program effectiveness. The above developments, and others to come, will only increase the need for a sound Records Control system. Be prepared.
(Want to get more compliance insights delivered directly to your inbox every week? Sign up here the Compliance Connection newsletter.)