Using Tech to Streamline Compliance Efforts
Data collection and monitoring tools now make it easier to access information quickly, but only if your company has the right content management and e-communications system in place. Rather than leaving the decision as to what system would work best solely up to the IT department, compliance officers should have a say in the functionality of such systems, given the time and resources involved in following compliance protocols and e-discovery searches arising from compliance audits, internal investigations and regulatory investigations.
When the alarm goes off, your general counsel and regulatory compliance team put the IT department on high alert: find all institutional content related to a specific issue or event, and find it fast.
Perhaps the request is in response to a claim alleging a product defect, with all documents related to product design and testing needing to be collected, including blueprints, design specs, patent applications, emails and texts between designers and outside contractors and subcontractors, as well as beta testing results. Or the request relates to alleged insider trading, employee harassment, illegal payments to a foreign partner or leaking of clinical trial results.
When these requests come to an IT department, resources must be pulled from other projects and the team has to search the company’s cloud or network of files, and in some cases, depending on where information was saved, obtain laptops from their users so individual hard drives can be reviewed. The team also might need to recall where deleted emails are stored, identify the search parameters to gather the relevant ones and determine what to do with data from users who have left the firm or work from overseas offices, which may have conflicting privacy and e-discovery rules governing the accessing and downloading of information. And perhaps more challenging is that IT staff may suddenly be exposed to sensitive, confidential information, if only to capture and manage it.
Thankfully, technology has evolved to streamline the entire process, so this information can be gathered with just a few keystrokes, assuming of course senior leadership is committed to proactively preserving, managing and tracking all content. Compliance officers play a crucial role in convincing their organization’s C-suite to invest in the right tools and personnel to make that commitment a reality by highlighting how an integrated information management program reduces chaos, saves money long-term and reduces the stress of an internal or external investigation.
De4 Methodology
To facilitate the transition to an integrated corporate information architecture, smart organizations may wish to consider deploying the De4 methodology, which is segmented into four steps: Decide, Define, Design and Deploy. This article focuses solely on the first two segments as they benefit any entity looking to develop an integrated data information and monitoring program, regardless of what system is ultimately implemented.
Decide
This may appear as a simple first step, but it isn’t. Implementing new systems makes many employees, regardless of their department or seniority, uncomfortable and wary about whether they can learn the new tools and protocols and, if they do, whether they will be more effective. The HR department may use a locked file cabinet to store employee information, while a sales person produces customer proposals on her laptop. These systems work well for the individual, but are high hurdles to a project that transitions this content. Convincing these groups and most of the rest of the organization to change sometimes feels like trench warfare and takes a significant toll on project managers. Few individuals want to be the person who tells someone he has to change his work process, especially when the compliance, legal and other departments are the primary beneficiaries of the project. Most departments have systems that work well for them but not for the entire institution. Finding a solution that everyone can buy into is not easy.
Nonetheless, to determine if transitioning to an integrated data gathering, data sharing and data distribution system is right for your organization, in the “Decide” phase, ask:
- Which departments/divisions will be affected?
- How much legacy data will need to be converted to the new system?
- What regulations and retention practices will need to be incorporated? For instance, HIPAA, HR, ERISA, SOX.
- What types of messages will need to be captured? For instance, instant messaging, voice messaging and fax.
- What e-discovery/review capabilities will we want our legal department to be able to perform?
The deliverable of the “Decide” phase is a five- to 10-page outline of corporate policies and priorities and, in turn, its presentation to senior management for sign-off.
Define
The “Define” phase translates the general policies above into a detailed departmental system specification and, eventually, a request for proposal to determine in the “Design” stage the archival technologies that will support the requirements.
In the “Define” phase, IT personnel:
- Meet with each department to discuss how to implement the corporate policies into new requirements and procedures.
- Define special archive folders for differentiated retention.
- Define user access to archives, the size of the email information store, short-cutting parameters, the back-up plan, etc.
- Determine how to manage current local archives.
- Write up archive and technical specifications and present them to senior management.
Preventing a “Fire”
The real benefit in implementing an institutional information management program lies not with the remediation after the fire, but in preventing the fire in the first place. In retrospect, wouldn’t Volkswagen’s compliance team want to know about the “diesel dupe” before it was discovered by the State of California? Wouldn’t Wells Fargo want to know that thousands of its employees felt the only way to meet their marketing targets was to secretly create millions of unauthorized bank and credit card accounts? Settlements from these matters, not to mention the reputational damage done to a company’s brand, are often in the billions of dollars and dwarf the costs of implementing the technologies to prevent them.
In the verbal world of the past, communications and transgressions were more difficult to discover. With the advent and widespread use of digital communications, institutions today are slowly and painfully realizing just how sticky and problematic textual communication can be. Institutional deniability is now far harder to use as cover.
Improved forms of data analytics now also make it possible to respond to issues before they turn into problems. For example, some software can now analyze the sentiment of an email or text message and determine if a customer was satisfied with the exchange or upset. When this software is integrated with another e-communications collection tool, not only will someone in the compliance department be alerted when a customer expresses dissatisfaction online, but so will customer services, enabling a manager to directly contact the customer and, potentially, turn a negative situation into a positive one.
Compliance’s Proactive Role
Compliance officers face real challenges. Rather than sitting in the fire station waiting for the alarm to go off, undoubtedly, most would rather be proactive with tools to see what situations may be starting to emerge in order to act on them quickly and ideally prevent a full-blown crisis. For instance, if the sales people use inappropriate language, then a culture builds that may end up in a harassment claim. Or if software or pharmaceutical test results are being leaked, then action can be taken before your intellectual property loses its value.
The SEC and many other government organizations look to the institutions they monitor to build a “culture of compliance.” This means employees understand that the compliance department has the tools to find and address inappropriate behavior. This, in turn, cleans up language and potentially questionable practices. Undertaking a knowledge-management initiative has, in the end, the benefits of reducing costs, instilling efficiencies and building just such a compliance culture.
A well-instituted information management and governance program can deliver a significant return on investment, both in savings and proactive prevention. More importantly, it can enable compliance and other knowledge workers to mine or leverage institutional knowledge to identify potential problems and potential opportunities. An institution can now “know” what it knows.