Information Governance: Records, Risk, Responsibility

What is involved in a compliance audit, such as for ISO certification or a review by the SEC or CMS?

This is what to expect.  An auditor will want to see policies, procedures and process documentation. He or she will question employees about their understanding of these documents and may request an employee show them how they do a particular task and compare what is actually done against the procedures and processes documents.  Reports on training received, error tracking and remediation often accompany an auditor’s list of requests.  “Findings” are then provided which have to be addressed before the next audit, which will usually be scheduled from three to six months from the initial audit.

In order to be compliant and to report on the compliance, organizations need to develop a comprehensive, enterprise-wide records and information management (RIM) program that supports client services, governance, audit response and litigation support and litigation preparedness, for the organization as a business.  Such a program provides a structure to address the business concerns listed below. Additionally, these programs help to avoid the risk of non-responsiveness during legal discovery.  Think of these types of engagements as a “twofer” of both structure and responsiveness needed to be compliant.  Further, ignorance of “Say It, Do It, Prove It” in managing records and data in today’s business environment isn’t a sufficient defense any longer.

More benefits of a RIM audit ready program include litigation readiness, awareness of communication and education, cost controls, improved customer service and even “Safe Harbor” coverage.  Here’s more detail:

• Litigation readiness – Organizations need to maintain business records that support business decisions, operations and treatment of individuals for the length of time required by agencies regulating the organization’s offered services and as dictated by the statutes of limitations to bring a claim. A RIM program communicates these requirements in a clear, concise manner.
• Awareness of communication and education
  • How to “write for the record”: no jargon, abbreviations or slang
  • How to write a business email: to the point, one subject per email
  • How and when to dispose of drafts: once the final document is approved, delete the drafts
  • How to consistently classify and label documents: no jargon, abbreviations or slang
  • How to dispose of records and non-records: shred paper, delete and empty the recycle bin
• Built-in Cost Control
  • Keeping records beyond the requirement leaves your business open to discovery
  • Paying for storage of records beyond the obligation impacts the bottom line, whether the storage is electronic or hardcopy
  • Disposing of duplicates and convenience copies reduces the questions as to which is the “real” record (a favorite question of an auditor)
  • Retrieving the right record at the right time reduces the time the auditor will be on site
• Improved Customer Service – When you keep only the most current records in active storage, retrieval time takes seconds or minutes instead of hours and even days.
• Legal Case Law requires it – leveraging Safe Harbor
• • The “safe harbor” regulations describe various payment and business practices that, although they potentially implicate the Federal anti-kickback statute, are not treated as offenses under the statute. The safe harbor regulations, in their entirety, can be found here: Safe Harbor Regulations.
  • But – Safe Harbor is not available to you if you do not have a program in place.

“Failure to adopt a compliant records retention and destruction protocol that permits cost effective access to relevant records and creates an audit trail subjects the non-compliant litigant to sanctions and constitutes spoliation”

Starbucks Corp. v. ADT Security Services, Inc. 2009

A Records and Information Procedure Manual is a living document, not a “one and done” binder filler to be stuck on a shelf or in a word document saved in a shared drive that no one can find.

If your retention schedule was last updated more than two years ago, it’s time to review and edit it so that it is relevant to how you do business now, and, incorporate the business logic in the manual into a records management application.