According to sonaku.com, a compliance manager is a professional that keeps the legal and ethical integrity of a company intact through policy enforcement and program planning. He or she makes sure all departments of a business are complying with the rules and regulations the company upholds.
Compliance managers are responsible for keeping up-to-date with changing laws that affect the corporate world, and are responsible for preparing reports to present to their upper management detailing these laws and how the employees of the company are following them.
Compliance Managers and IG
It's pretty easy to see how a compliance manager can be integral to an organization's overall information governance strategy. By taking on the overarching strategy behind the compliance of the company, this role is responsible for directing the policies on the data that is kept and for how long in order to be in compliance with federal, state, local and industry regulations.
Although they may not be involved in the day-to-day administration of the actual information, their expertise in regulations sets the framework for a file plan and the associated retention schedule. As we have discussed before, one of the key factors in a successful information governance program is cooperation and understanding between business units. Because of their relationship with the general counsel as well as nearly every department, the compliance manager is in a unique position to positively affect information governance.
Depending on the structure of the organization, this role may sit inside of a particular department such as human resources or finance, however, they are most effective when unaffected by departmental silos. This "horizontal" framework allows for consistent policies across the enterprise.
Why Compliance Managers Need to be Involved
As mentioned above, if your organization has a compliance manager (or similar role such as a Compliance Review Manager or even a General Counsel), there is no doubt they should be involved in the creation, implementation and ongoing maintenance of your information governance program.
Having a role in the company that cuts across departments will increase "buy-in" from the necessary stakeholders needed to properly execute a complete information governance strategy.
Additionally, and more importantly, having a compliance expert allows the business to leverage knowledge that is not often known to general employees. And this knowledge is critical to ensuring your organization is not subject to compliance violations that can be extremely costly to the business. Most compliance violations are due to lack of knowledge or simple carelessness, so continued reinforcement and training through this role can mitigate these potential damages.
Beyond avoiding compliance violations, all organizations must now be aware of the financial and productivity danger of litigation. The same policies and principles that help to avoid violations can also be applied in the case of eDiscovery.
As discussed in a previous blog post, eDiscovery can be a significant burden if companies are not prepared. By having proactive information governance strategies and policies in place, this burden can be greatly reduced by saving time and money searching for the needed information. Additionally, if information has been defensibly disposed of, it is not subject to eDiscovery. Similar to compliance, being able to show an audit trail and rationale for the lifecycle this data went through proves it was handled correctly.
The threat of data breaches has steadily risen in the past few years. In fact, just in 2016, there have been 584 recorded breaches and over 20 million records exposed.
One of the ways to mitigate such risks in connection with the aforementioned data breaches is to develop an information governance program with the expertise of a compliance manager. An information governance program will clearly define access permissions and outline best practices for sharing documents with third parties. Furthermore, it will ensure only the people who absolutely need access to sensitive data (social security numbers, tax returns, etc.) have access.
Creating a Compliance-Focused IG Program
Now that we know some of the reasons a compliance manager needs to be involved, let's discuss a few key points in creating a compliance-focused information governance program.
Often, organizations have defaulted to the "keep everything" approach. We know by now this is a flawed approach as it leaves the company open to both compliance violations if they are unable to find the necessary documents and eDiscovery challenges. It is important that the compliance manager uses their expertise to inform the stakeholders of the required minimum retention timeline while also balancing the appropriate schedule for disposition to ensure a streamlined enterprise data strategy. This ensures the organization and its employees are not held back by the data, but can actually leverage it to be more successful, profitable and compliant.
Classification is a key part of an information governance program which is often the first step in automating the entire process. Here at RecordLion, we believe that effecting the end users' workflow as little as possible leads to to the highest chance of success.
The compliance manager needs to be involved in the classification process to establish the appropriate guidelines and to give their perspective on how classification can potentially affect compliance. The rules that are created based on this classification will drive your information governance program and thus must be based on input from all parties, especially the compliance manager.
This is where the "rubber meets the road" during the information governance process. The detailed work that was put into the creation of the file plan, retention schedules, rules, and triggers must now be implemented. All of this preparation is worthless if it cannot be successfully executed.
As mentioned, the goal here is to balance the needs of the compliance regulations with the everyday workflows and business processes. An information governance program should not be a hardship on an organization. In fact, it should be quite the opposite: it is a chance for the company to advance their short and long term business goals through the information they use every day.
All of these strategies are crucial for success, but one that can be overlooked because of improper structure, or more often improper technology, is including all of the records within an organization. In the past, companies relied on disparate systems that could not integrate and required duplicated efforts to achieve consistent policy application.
We've talked about how involving a compliance manager can address the structural hurdles due to their ability to include the stakeholders from every department. The next hurdle is the technology itself.
By starting with a dedicated team focused on the correct strategy and combining that with revolutionary software that governs information "in-place", any organization can execute a simple, automated, complete and compliant information governance program.