Compliance and Information Management – Venturing Beyond Hide and Seek

By Edan Puritt

As an IM specialist, or records manager, I generally work with records managers on a client site, but I have to make the case for my services to a business manager more interested in value than compliance. Still, the pitch usually ends up in one of two places:

  1.   Being compliant with a rule or regulation will not save the business from a penalty, a fine or an embarrassment—only DEMONSTRATING compliance can do that.
  2.   How much time and effort (read: cost) will it take to gather the information necessary to defend an action (eDiscovery) or demonstrate compliance?

Although that is too much for one blog post, the two are obviously connected. Today the focus will simply be the notion that being compliant and demonstrating compliance are not at all the same thing.

Nuance of Compliance: Having is NOT Presenting.

The nuance of the difference between being compliant and demonstrating compliance always seems to shock my clients, and each time this distinction requires extra time and discussion. As an aside, the shock runs especially deep if the client is represented by an engineer.

In a nutshell, an organization will be fined for its inability to demonstrate compliance with a regulation, regardless of whether or not it is, in fact, compliant.

And that is really the essence of the issue.

In most organizations, being compliant with a regulation is a completely separate activity from demonstrating compliance. In fact, not only is it a separate business process, there are usually very different stakeholders, and almost always very different software.

Pity the poor compliance officers. They are the bridge between two very different worlds that traditionally don’t play well together.

Regulations and the Frontline

Frontline troops – be they doctors, engineers, bankers – all have a job to do. More importantly, the efficiency and effectiveness of that job is ALL about the bottom line of the organization. Whatever industry they operate in, new regulations emerge on a fairly regular basis. Why so many regulations? They are designed for many reasons, including:

  1. to keep the staff themselves safe in their workplace,
  2. to ensure the safety of the consumers who use their services or products,
  3. to ensure the reliability of the service, and
  4. to provide some defence against the greed that permeates much of our corporate world.

These frontline women and men deliver, every day, the business value of their organization. They produce the medicines, keep the lights on, or keep our money safe, all while operating under more, and more onerous, regulations.

Now don’t get me wrong: although libertarian in my political leanings, I’m not arguing here that we need less regulation (a topic for a different blog). But these people are not generally trained lawyers, and they generally have neither the time nor the inclination to keep up with all of the compliance reporting requirements. So someone has to. Because, let’s face it, the doctors, engineers, and bankers all see these regulations as administrative overhead that just gets in the way of their real jobs: delivering on the mandate of their organization.

Where does Information Management Come into the Picture?

And sitting in the trenches of demonstrating compliance are the records managers. They too are rarely lawyers, or even up to date on all of the regulatory requirements of their industry. They are also rarely doctors, engineers, or bankers, so their knowledge of the mandate of their respective organizations tends to be anecdotal at best. However, they do know how to sort and safely store the information that is entrusted to them.

They (we) have become the stewards of the information artefacts (paper documents, electronic documents, email, and databases) that have been deemed important enough to be handed over for storage.

Ready, Set, Action!

With the opening scene cast of characters laid out, it’s time to examine the plot and introduce the remaining cast. The regulator arrives at the door. For those of you old enough, imagine Snidely Whiplash standing there—and that door may be electronic or real. Moreover, the arrival may be expected, or not.

The regulator might be here for an inspection to audit compliance, or here to receive the regularly scheduled report that describes compliance.

With that first rap on the door, the movie begins. It isn’t a mystery, as everything that will be required has been laid out in advance, in black and white, and in great detail. But it is still a suspense movie.

With that rap, the clock starts to tick. There is now a finite time for the records managers to provide all, yes all, that is required.

But we never have it all.

Or if we have it, we don’t know where it is. Or we don’t know what it’s called. Or we don’t know which database it’s hidden in. And it is hidden.

Not hidden by someone who didn’t want us to see it or have it; rather, it has not been shared with us, so we only know, or surmise, its existence, but not its location.

It’s now a game of frontline workers who have hidden something, and records managers who seek it.

Compliance Hide and Seek

And here comes the compliance officer.

For most large organizations there really is a compliance officer, but even if there weren’t, the role is always present. This is the person who manages the great game of hide and seek every time the regulatory beast must be fed.

Good compliance officers have a calendar with all the required filings marked, and have pre-populated those calendars (paper or electronic) with the dates on which they must start gathering material in order to file on time. They have established a network of knowledgeable contacts throughout the business that they can turn to each time compliance must be demonstrated.

Great compliance officers? What makes them great? It’s almost as if they were watching as the game began. In a sense, they peeked and saw it all, as everyone ran off to hide on their various desktops, network drives, email systems, document management repositories, personal emails, smart phones and USB drives.

Hiding?? Make Storing and Accessing Information Assets Part of the Business Process

I used to work with an electrical engineer whose focus was on cyber security for the North American electrical grid. The secret, he told me, was to build the security right into the process.

Much like any good leader, he brought me to his understanding and then enabled me to keep going. The secret to compliance is to build it right into the process.

The great compliance officers do exactly that. They build compliance with a regulation into the very process of getting the job done.

Sure, that means change, and suffice it to say, we all know that we don’t like change. And yet this really is good change. It’s re-writing the way we play hide and seek: all the frontline workers and all the records managers have a map revealing where everything is hiding.

In the end, it’s going to take a little more metadata than we had, a little more agreement on taxonomies than we had, and probably even a little more workflow in our systems. Best of all, it means that when we do our jobs, we do them in compliance with all the regulations.

The bonus? When we produce an information asset that demonstrates we did that task in compliance with the regulation, it is quickly and easily available to hand over to the regulator.