This principle is about being able to prove lawful operation of the business: that the recordkeeping program meets and adheres to legislation, regulation and the laws of the land, and that records are retained for the legally required periods of time.
Compliance is the one word that I hear the most in corporate North America, and it seems to mean different things to different people. In fact, if I ask C-level people at a boardroom table what compliance means to them, I regularly get different answers from almost everyone at the table.
Number 1 in the Maturity Model basically says that we don't know what to keep based on regulation and legislation, we don't manage what we have now, we let everyone do their own thing, and if there were litigation we would be in a world of trouble. Ridiculous, you say. I see almost exactly this scenario often. The redeeming factor is that most of the organizations I see this in actually know it is bad and would like to do something about it. Budget and the sheer size of the project sometimes get in the way.
Number 2 says that we have drafted some policies (but not all we need) and have identified some of the rules and legislation that we need to adhere to. That would be something like the Canada Revenue Agency (IRS in the US) rule that we must keep financial records for 6 years plus the current year (basically 7 years). We also have a legal hold process, so that if there is litigation we can place legal holds on the information required by that litigation. It goes on to say, though, that we as a corporation are not sure we actually have this nailed down and that we would still have lots of trouble if we actually tried to place the legal holds. Unspoken here as well is that, at this level, we likely can't find all the information to put on hold in the first place. I'm just saying that would likely be very hard as well.
Number 3 in this Principle (the level we need to be at) indicates that we have figured out which laws apply to us, that we create and capture information in a rational way across the corporation, and that our employees are following a plan and our policies. We value compliance (unspoken is that we must have a person in charge of this process in order to be at this level), we trust our legal hold process, we have compliance goals going forward, and we can pretty much deal with legal, legislative and regulatory matters.
Number 4 speaks to our need for a correctly implemented electronic solution, employee training and regular information management audits to make sure we have adherence across the corporation. It also states that we have good, repeatable processes and that there are penalties if folks don't do what we have trained them to do. To make this work we would have to train existing employees as well as all new hires, so you would have to get HR to buy in so that there is an information management training process. This is just like the safety training many of us get today when we start a new job in market segments such as mining, manufacturing and construction, among others.
Number 5 indicates that the highest people in the organization are on board with this and that we audit and improve as we go forward. Everyone knows what to do and does it, and our processes are tied into that. I am not sure that I know anyone who has reached this level, but it would certainly be a comforting place to be, compliance-wise.
Availability is next, and I hope that everyone has a good plan to get to at least Number 3 in the maturity model for compliance.