Information Governance Insights: Records Compliance Can Cost You

Robin Woolen, MBA, IGP has worked in the field of information lifecycle management since 1994 with a specialty in strategic consulting focused on enterprise-scale information management.

There’s a lot of discussion around realizing value from an organization’s data. Business Intelligence is all the rage nowadays and everyone is busy building data warehouses and that is a good thing. However, if you are in a regulated industry, it is extremely important to be vigilant on your compliance program so that you do not inadvertently cost your organization serious money in terms of fines and sanctions.

Despite what anyone says, regulations will never completely go away and most of those regulations involve some form of documentation. Managing documentation is what the Information Governance Professional lives for! When the Auditor comes knocking it will not be the people in the Executive Suite that greets them, it will be someone in the Information governance department.

An audit can be one of the most intimidating things that can happen to any organization in the course of a normal work day. In many cases they are unannounced, and the auditor expects your complete attention and acceptance of whatever protocols they deem necessary to accomplish their agenda. I have been involved in many of these exercises over the years and have found most auditors to be real, caring individuals that just want to do their jobs – as long as you do things their way. Take my advice and do exactly what they say, it will go smoother for everyone.

Regulatory compliance is not as intimidating as many people think. If you ensure your organization has a process, trains on that process and verifies the process is followed you will do just fine.

ROBIN WOOLEN

The key to surviving an audit is to remember that the auditor is there to ensure your organization is following the rules for whatever process they are looking into. You have nothing to worry about as long as your organization is following the process. Some of the best tools that an organization can have for this is a fully documented process that is verifiably trained across all affected personnel and, last but not least, a retention schedule with a properly documented disposition process.

This is one of those instances where it is absolutely essential to properly dispose of any outdated material in a timely manner. It is hard enough to keep track of the current stores of documentation without the additional time and expense of maintaining old material to the mix. Do yourself and the entire organization a favor and get rid of whatever you can per your retention schedule.

A key element in any regulatory audit is to demonstrate your organization has a methodology in place to comply with the targeted process. A “good faith effort” is more important in terms of mitigation in the assessment of any penalties than anything else. You must show that you have a documented process, you train all affected personnel on the process and you have an internal system to verify the process is followed. For the most part, if you follow these simple guidelines you should survive an audit with a minimum of outstanding issues. To put a finer point on this, it is important to note that the most important word in this entire paragraph is “documented”.

Have a fully documented process that ensures regulatory compliance so that you can demonstrate that everyone that needs to use the process is trained on it (have those training attendance sheets available if requested). Have a fully documented internal auditing procedure along with all logs and paperwork involved to demonstrate you periodically review the process to ensure compliance as well. Finally, have a copy of your organization’s retention schedule along with a fully documented disposition procedure along with all logs and paperwork involved to demonstrate you have properly disposed of any outdated process documentation.

Regulatory compliance is not as intimidating as many people think. If you ensure your organization has a process, trains on that process and verifies the process is followed you will do just fine. With these things in place, you will go a long way to making the auditor’s job as easy as it can be, which in turn makes for a better experience for everyone.

Want new articles before they get published? Subscribe to our Awesome Newsletter.