Daniel Chalef is CEO of KnowledgeTree Inc., a leading commercial open source document management software vendor. KnowledgeTree’s free open source document management community edition has been downloaded over 650,000 times. The company's commercial offering includes product support and features that assist companies in achieving regulatory compliance. Follow Daniel on Twitter at @danielchalef or on the KnowledgeTree blog at http://www.knowledgetree.com/blog/.
This is part of a broader guest columnist series I have been running on ECM topics. Check out the other titles. For details on how the whole guest columnist thing works, go to the "Twitter and business" post.
Some other titles in my "8 things" series --
- 8 steps you can take to better manage your inbox
- 8 things you need to know about Twitter and business
- 8 things vendors need to know about selling document management to small businesses
- 8 things you need to know to build an ECM strategy
- 8 things you need to know about SharePoint governance
8 Things You Need to Know About Using Enterprise Content Management (ECM) for Regulatory Compliance
1. Regulations are complex and can’t be ignored.
One of the challenges of being regulated is understanding exactly which regulations apply to your business. You may face “horizontal” reporting regulations, such as those contained in Sarbanes-Oxley, that apply to all publicly-held companies. Or you may be subject to vertical, market-specific regulations such as HIPAA in health care or the FDA’s 21 CFR 11 rules. Or you may face a raft of regulations from different governments and agencies. One thing is for sure: you can’t pretend these regulations don’t exist or hope they go away. Non-compliance may present a very real legal and financial risk to your organization.
2. While enterprise content management (ECM) systems can help, they are only one part of the compliance solution.
Any good ECM application can help you track and control document revisions, but keep in mind that it is only as effective as your underlying business processes. Don’t implement ECM software with the expectation that it will magically solve your compliance problems; you have some hard work to do around standardizing and codifying your processes for document management.
3. ECM system vendors can’t certify their products for regulatory compliance.
A product itself is not compliant; rather, it is the entire operating environment that must be compliant. This takes into account the unique contributions and actions of the people, processes and technology present at your location. Again, your ECM software is only one piece of the compliance solution, which will also include scrutiny of your business processes, training programs, standard operating procedures, etc.
4. Proper records management policies, retention schedules and document classes will keep the system from getting bogged down.
Even in a regulated industry, not every document in your ECM repository is subject to regulation and compliance. There are plenty of document types that would not be examined in an audit and that could be excluded from compliance-oriented processes. Examining types of documents and structuring classes, hierarchies and policies accordingly at the outset will save you a lot of extra work and system burden down the road. Adhering to stated retention schedules for archiving documents will also keep the system running smoothly.
5. Understand the requirements behind electronic signatures.
Many people confuse electronic signatures with encrypted signatures. Although documents can be cryptographically signed for security purposes, this is not required in most compliance scenarios, whereas electronic signatures are. An electronic signature assigns a clear identity to someone who has altered a document along with a timestamp and recorded reason for the alteration. This can occur in the form of authentication at the time the document is changed so that the action can be clearly recorded in an audit trail.
6. Audit trails must be…auditable.
Your ECM must provide not only the ability to create an audit trail but an easy way to access it! If you are ever the subject of an audit, you may need to produce reports on hundreds or thousands of document transactions. Make sure you can easily access and produce the document history and that it clearly shows the information needed during an audit.
7. Consistency and automation are your friends.
One of the very purposes of regulation is to ensure consistent and repeatable activities that conform to a set of standards. And there’s no better way to achieve consistency than through automation. Your ECM system can aid you via workflow automation, especially around review and approval processes. Automated workflow reduces the risk of error by ensuring each step of the process occurs in order and receives the appropriate oversight. This ties back to point 2: once you’ve identified and standardized your business processes, you can carve them in stone with automated workflow.
8. Don’t think higher cost means better compliance.
Because of the way compliance is determined, a more expensive solution isn’t necessarily going to be better than a less expensive one. It’s all about functionality and how the system supports your individual circumstances. Especially for smaller businesses, a large expensive system is not an option and may in fact be more of a hindrance to compliance than a solution that is more affordable and more easily implemented. Don’t be afraid to look at open source products in addition to proprietary systems. You may find you can achieve compliance with far less cost and headache than you thought.
It is also important to check how e-signatures are compliant with the law and other rules and regulations. There are some guidelines that e-signatures need to follow. Make sure that your vendor's services comply with these laws to protect you and your business from unintentionally committing a felony.
Posted by: Esignature | January 03, 2011 at 02:06 AM