3. Training and Communications
A key component of a well-designed compliance program is the training of employees and the communications used to integrate the policies within the company. Training and communication messages should be tailored for specific audiences. High-risk areas may require more training and/or more detailed examples during training. The training should take into consideration the form and language(s) that are used. Training should be an ongoing activity and incorporate lessons learned from past noncompliance events. Communications should include the leadership’s position on misconduct or non-compliance (i.e., warning, termination, discipline). Training and communications should provide guidance for employees to identify when they should seek assistance and where they can get that assistance.
Information management programs should have an annual required training program, and periodic communications should be sent out from senior leadership reminding the organization of the value of information and the potential risk of non-compliance with policies and procedures. Furthermore, training and communications should be targeted for specific audiences such as application owners, Google Workspace users, network/fileshare users, email users, third-party contract business owners, etc. The messages and training must be specific to the actions that are required. For example, if the company’s policy is to purge email after one year, define the specific action that must be taken in the rare event that an email would rise to the level of a record requiring longer retention.
4. Confidential Reporting Structures and Investigation Processes
Confidential reporting structures and investigation processes are essential in compliance programs. Employees must be able to report non-compliance and misconduct anonymously and confidentially. The company’s culture and processes should promote and measure the workplace environment to ensure that fear of retaliation doesn’t exist. Processes need to route issues quickly to a few appropriate people so they may be dealt with in a timely manner. Employees must be made aware of how to report non-compliance and what happens once they report it. There should be a robust process, including metrics, to investigate, manage, and discipline non-compliance.
The information gathered during non-compliance investigations should be tracked, analyzed, and used for lessons learned. Information governance non-compliance can have serious consequences for the organization. The over-retention of private information can cause reputational damage and financial consequences. Destruction of potentially relevant information that has been placed on a legal hold may not only cause fines and penalties but may also impact the outcome of litigation or a regulatory investigation.
5. Management of Third-Party Relationships
Third-party relationships should include a strong risk-based diligence process. The diligence should be appropriately aligned with the level of risk. As part of the risk assessment, sub-contractors to the third party should be assessed, and contract terms and conditions should be reviewed. Ongoing monitoring of the third-party relationship should be documented, audited, and tracked. Specifically related to information governance, any third party storing, managing, or accessing information on behalf of your company should have a risk assessment completed. Third parties with personal information, highly confidential information, or IP should have additional scrutiny and corresponding controls established.
Real actions and consequences need to take place when non-compliance exists. Follow-up on non-compliance is required to ensure that the third party has addressed the issues. As it relates to information governance, all contracts should clearly identify the third party’s roles and responsibilities as they relate to retention, disposal, and preservation of information, including the redaction or anonymization of personal information.
6. Mergers and Acquisitions
Mergers and acquisitions need to be included in a well-designed compliance program to ensure timely and orderly integration of any acquired entity into the company’s compliance regime. Divestitures need to be evaluated to ensure the appropriate compliance activities are moved to the acquiring company in a timely manner. There should be a due diligence process, integration process, and implementation plan prepared prior to the actual transaction taking place. Information governance responsibilities need to be clearly outlined so the segregation of information can take place, claw-back clauses can be incorporated into contracts as necessary, and information related to open litigation, audits, or investigations can be addressed. Identification of all the information that is impacted by an acquisition or divestiture is becoming more complex as it relates to big data projects, privacy laws, and the expanding number of third parties storing the information.
7. Adequate Resources and Empowerment
Companies must adequately resource and empower their compliance programs. Issuing policies is no longer good enough. Compliance programs must have implementation plans to ensure appropriate staffing is in place to audit, document, analyze, and continuously improve compliance programs. This key component can be time-consuming when it comes to information governance compliance programs.
A few examples of areas requiring automated or manual plans for managing information are: applications, third parties managing information on the company’s behalf, end user information storage locations, communication systems, and off-site storage boxes. You should automate as much as you can, but there are realities where rules cannot be automated and will require manual intervention. Implementation cannot start until the company develops and enacts a documented retention schedule that outlines the rules for retaining specific categories of data. The retention schedule needs to be based on up-to-date legal research for each jurisdiction where the company conducts business. It must also address the business value of the information.
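The retention schedule described above has to drive a concrete disposition decision for each item, and two cases in this article deserve explicit handling: an item under legal hold must never be disposed of regardless of its retention period, and an email that has been declared a record must follow the record category’s retention, not the default email rule. The following is an added example, not code from the article or from any vendor product; the categories, jurisdictions and retention periods are constructed placeholders, not legal research, and a real schedule would be populated from counsel’s research for each jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample retention schedule (placeholder values, not legal advice):
# category -> jurisdiction -> retention period in days. "default" applies when
# no jurisdiction-specific rule exists.
RETENTION_SCHEDULE = {
    "email":    {"default": 365},
    "contract": {"default": 7 * 365, "EU": 10 * 365},
    "invoice":  {"default": 7 * 365},
}


@dataclass
class InfoItem:
    item_id: str
    category: str               # storage category, e.g. "email"
    jurisdiction: str           # where the business conducted was located
    created: date
    legal_hold: bool = False
    # Set when an email (or any item) was declared a record of another category.
    declared_record_category: Optional[str] = None


def retention_days(category: str, jurisdiction: str) -> int:
    """Look up the retention period, falling back to the category default."""
    rules = RETENTION_SCHEDULE[category]       # KeyError if the category is unknown
    return rules.get(jurisdiction, rules["default"])


def disposition(item: InfoItem, today: date) -> str:
    """Decide what to do with one item as of `today`.

    Returns one of:
      PRESERVE_LEGAL_HOLD  - hold overrides every retention rule
      REVIEW_UNCLASSIFIED  - category not in the schedule; a person must classify it
      DISPOSE              - retention period has expired
      RETAIN               - still inside its retention period
    """
    if item.legal_hold:
        return "PRESERVE_LEGAL_HOLD"
    effective_category = item.declared_record_category or item.category
    try:
        days = retention_days(effective_category, item.jurisdiction)
    except KeyError:
        return "REVIEW_UNCLASSIFIED"
    expiry = item.created + timedelta(days=days)
    return "DISPOSE" if today >= expiry else "RETAIN"


def run_schedule(items, today: date) -> dict:
    """Evaluate an inventory and return {item_id: decision}."""
    return {item.item_id: disposition(item, today) for item in items}


# Constructed sample inventory exercising each branch of the decision.
SAMPLE_ITEMS = [
    InfoItem("mail-1", "email", "US", date(2023, 1, 15)),
    InfoItem("mail-2", "email", "US", date(2023, 1, 15),
             declared_record_category="contract"),
    InfoItem("mail-3", "email", "US", date(2022, 6, 1), legal_hold=True),
    InfoItem("ctr-eu", "contract", "EU", date(2015, 3, 1)),
    InfoItem("ctr-us", "contract", "US", date(2015, 3, 1)),
    InfoItem("blob-9", "scan-export", "US", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for item_id, decision in run_schedule(SAMPLE_ITEMS, date(2024, 6, 1)).items():
        print(f"{item_id:8s} {decision}")
```

The evaluator answers the article’s own example directly: `mail-1` is ordinary email past one year and is disposed of, `mail-2` is the rare email that became a contract record and is retained under the contract rule, and `mail-3` is preserved because of the hold. The `REVIEW_UNCLASSIFIED` branch is the manual-intervention case the paragraph mentions: an unknown category is routed to a person rather than silently retained or deleted.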
8. Commitment from Senior and Middle Management
For a compliance program to be successful, senior and middle management commitment and messaging are a necessity to foster a culture of compliance within the company. The C-suite and the board set the tone for the rest of the organization by messaging the importance of compliance and by demonstrating adherence. All leaders in the company need to take ownership of and accountability for their employees when it comes to monitoring and checking for compliance with policies. When management finds non-compliance, management needs to address the matter and perhaps use it as a teaching moment for the rest of the staff.
9. Autonomy and Effective Resources
Program autonomy and effective resources are essential in a well-designed compliance program. Compliance programs need to have day-to-day oversight, and those responsible for that oversight must have adequate autonomy, authority, seniority, and access to the Board of Directors. Team members should have the appropriate experience to address non-compliance issues. Internal audits should also be conducted to ensure that compliance personnel are in fact empowered and positioned to detect and prevent non-compliance. As for information governance programs, there should be a governance board with representation from Legal, IT, Security, Privacy, Compliance, Audit, and select business units.
10. Incentives for Compliance and Disincentives for Non-Compliance
Implementation of a compliance program should consist of incentives for compliance and disincentives for non-compliance. Clear disciplinary procedures should be in place, consistently enforced across the organization, and commensurate with the violations. Communications from senior leadership should inform employees that unethical conduct and policy violations will not be tolerated and will have consequences. A company can consider implementing an incentive system that rewards compliance and ethical behavior. Information governance programs should be treated as equally important as other compliance programs.
11. Proof that the Compliance Program Works in Place
A compliance program should have the ability to prove that it is working, and more importantly, that it was working when a violation occurred. Documentation and evidence of actions taken is important—always document how misconduct was detected, how the investigation was conducted, what resources participated in the investigation, and the remediation efforts. The compliance program should also document how the program has evolved over time and maintain an audit trail of changing risks and continuous improvements to the program to address new risks or non-compliance issues. The following should be part of a well-designed compliance program to prove that the program was working at the time of a non-compliance event:
- Continuous Improvement, Periodic Testing, and Review: An effective compliance program must have the ability to improve and evolve.
- Internal Audit: Internal audits must have a rigorous process that is followed and routinely conducted.
- Control Testing: Control tests should be established, compliance data must be routinely collected and analyzed, and necessary actions taken.
- Evolving Updates: Risk assessments, policies, procedures, and practices should routinely be improved to reflect the current risk profile and lessons learned.
- Culture of Compliance: Companies should routinely measure their culture of compliance through all levels of the organization.
12. Investigations of Misconduct
All examinations of allegations and suspicions of misconduct by the company, its employees, or third-party agents must work effectively and be appropriately funded to ensure a timely and thorough investigation that includes a documented response of its findings, disciplinary actions, and remediation measures. Investigations must be conducted by an objective party. For information governance compliance, automated monitoring for non-compliance should be considered. As an example, monitoring the volume of data leaving your organization can be an indication of an employee transferring data to a private account outside of the company. You can use tools such as MS 365 to both automate compliance and detect non-compliance. Once evidence indicates a questionable act, people, process, and technology should be in place to assess the alleged infraction and take necessary action.
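The egress-volume indicator mentioned above is simple to implement as a per-user baseline check, and writing it out shows what the monitoring actually needs: a per-user daily history, a baseline that is not dragged upward by the anomalous day itself, and an absolute floor so that small-volume users are not flagged for trivial fluctuations. The following is an added example, not code from the article and not a Microsoft 365 feature; the log format and the log lines are constructed, and the thresholds (5× the median of prior days, minimum 100 MB) are assumed starting points to be tuned against real traffic.

```python
import statistics
from collections import defaultdict

# Constructed sample egress log: "<date> <user> <bytes_out> <destination>".
# Volumes are fabricated; alice uploads ~10 MB/day and then 900 MB to an
# external service on the last day, bob is steady at ~20 MB/day.
SAMPLE_LOG = """\
2024-05-01 alice 10485760 drive.internal.example
2024-05-01 bob 20971520 drive.internal.example
2024-05-02 alice 9437184 drive.internal.example
2024-05-02 bob 22020096 drive.internal.example
2024-05-03 alice 11534336 drive.internal.example
2024-05-03 bob 19922944 drive.internal.example
2024-05-04 alice 10485760 drive.internal.example
2024-05-04 bob 20971520 drive.internal.example
2024-05-05 alice 943718400 personal-cloud.example
2024-05-05 bob 20971520 drive.internal.example
"""


def parse_log(text):
    """Parse the constructed log format into (day, user, bytes, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, nbytes, dest = line.split()
        events.append((day, user, int(nbytes), dest))
    return events


def aggregate(events):
    """Return per-user daily byte totals and the destinations seen each day."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, user, nbytes, dest in events:
        totals[user][day] += nbytes
        dests[user][day].add(dest)
    return totals, dests


def find_egress_anomalies(events, ratio=5.0, min_bytes=100 * 1024 * 1024,
                          min_history=3):
    """Flag user-days whose egress exceeds `ratio` times the median of that
    user's earlier days and also exceeds `min_bytes`.

    The baseline is built only from days before the one being scored, so a
    single large day cannot mask itself by inflating its own baseline. Users
    with fewer than `min_history` prior days are skipped rather than scored
    against an unreliable baseline.
    """
    totals, dests = aggregate(events)
    alerts = []
    for user, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            today = per_day[day]
            if today >= min_bytes and today > ratio * baseline:
                alerts.append({
                    "user": user,
                    "day": day,
                    "bytes": today,
                    "baseline": baseline,
                    "ratio": round(today / baseline, 1),
                    "destinations": sorted(dests[user][day]),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{alert['day']} {alert['user']}: {alert['bytes']} bytes, "
              f"{alert['ratio']}x baseline, to {', '.join(alert['destinations'])}")
```

An alert from this check is an indicator, not a finding: the destinations carried in the alert are what lets the objective investigating party distinguish a large but sanctioned transfer to an approved system from a transfer to a personal account, which is the assessment step the paragraph calls for before any action is taken.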
13. Analysis and Remediation of Any Underlying Misconduct
Lastly, a well-designed compliance program that is working in practice must have a thoughtful root cause analysis of misconduct, and the company must take timely and appropriate action to remediate the root cause. Root cause analysis should consider what control failed (policy, procedure, training, etc.), the amount of funding provided, what vendors were involved, any prior indications of failure, what prior remediation efforts were taken to address a similar compliance issue, and any failures in supervision of employees. Information governance compliance often finds failures in generalized “off-the-shelf” training programs. Training programs must be 100% aligned with policy directives, practices, and procedures. Employees need to clearly understand where they are allowed to store certain types of information and how disposal of the information will happen in accordance with policy and business unit or IT practices and procedures.
Summary
Now more than ever, companies need to make an honest effort to do the right thing and comply with laws and regulations. However, in the event that employees or third parties managing data on your company’s behalf inadvertently (or intentionally) violate a law or regulation, a well-designed information governance compliance program can be used to demonstrate “reasonableness” and the company’s good faith efforts to comply with laws and regulations, which ultimately may be the difference between winning and losing.