I’m here to talk some more about that fun little acronym I know you all are so fond of: ECM. Enterprise Content Management can be a great tool to meet the compliance requirements of your business, but like all things, you need to understand it to do it right. I’m here to save you from plummeting head-first into some common pitfalls when it comes to ECM and regulation.
Thanks to AIIM, you can be eight steps ahead! This list will give you the lowdown on what you need to know before using ECM for regulatory compliance in your business:
- Regulations are complex and can’t be ignored. One of the challenges of being regulated is understanding exactly which regulations apply to your business. You may face “horizontal” reporting regulations, such as those contained in Sarbanes-Oxley that apply to all publicly held companies. Or, you may be subject to “vertical,” market-specific regulations such as HIPAA in health care or the FDA’s 21 CFR 11 rules. Or, you may face a raft of regulations from different governments and agencies. One thing is for sure: you can’t pretend these regulations don’t exist or hope they go away. Non-compliance may present a very real legal and financial risk to your organization.
- While enterprise content management (ECM) systems can help, they are only one part of the compliance solution. Any good ECM application can help you track and control document revisions, but keep in mind that it is only as effective as your underlying business processes. Don’t implement ECM software with the expectation that it will magically solve your compliance problems; you have some hard work to do around standardizing and codifying your processes for document management.
- ECM system vendors can’t certify their products for regulatory compliance. A product itself is not compliant; rather, it is the entire operating environment that must be compliant. This takes into account the unique contributions and actions of people, processes and technology present at your location. Again, your ECM software is only one piece of the compliance solution, which will also include scrutiny of your business processes, training programs, standard operating procedures, etc.
- Proper records management policies, retention schedules and document classes will keep the system from getting bogged down. Even in a regulated industry, not every document in your ECM repository is subject to regulation and compliance. There are plenty of document types that would not be examined in an audit and that could be excluded from compliance-oriented processes. Examining types of documents and structuring classes, hierarchies and policies accordingly at the outset will save you a lot of extra work and system burden down the road. Adhering to stated retention schedules for archiving documents will also keep the system running smoothly.
- Understand the requirements behind electronic signatures. Many people confuse electronic signatures with encrypted signatures. Although documents can be cryptographically signed for security purposes, this is not required in most compliance scenarios, whereas electronic signatures are. An electronic signature assigns a clear identity to someone who has altered a document along with a timestamp and recorded reason for the alteration. This can occur in the form of authentication at the time the document is changed so that the action can be clearly recorded in an audit trail.
- Audit trails must be…auditable. Your ECM must provide not only the ability to create an audit trail but an easy way to access it! If you are ever the subject of an audit, you may need to produce reports on hundreds or thousands of document transactions. Make sure you can easily access and produce the document history and that it clearly shows the information needed during an audit.
- Consistency and automation are your friends. One of the very purposes of regulation is to ensure consistent and repeatable activities that conform to a set of standards. And there’s no better way to achieve consistency than through automation. Your ECM system can aid you via workflow automation, especially around review and approval processes. Automated workflow reduces the risk of error by ensuring each step of the process occurs in order and receives the appropriate oversight. This ties back to point 2: once you’ve identified and standardized your business processes, you can carve them in stone with automated workflow.
- Don’t think higher cost means better compliance. Because of the way compliance is determined, a more expensive solution isn’t necessarily going to be better than a less expensive one. It’s all about functionality and how the system supports your individual circumstances. Especially for smaller businesses, a large, expensive system is not an option and may in fact be more of a hindrance to compliance than a solution that is more affordable and more easily implemented. Don’t be afraid to look at open source products in addition to proprietary systems. You may find you can achieve compliance with far less cost and headache than you thought.
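
To make the electronic-signature and audit-trail points concrete, here is a small sketch added to this article (it is not code from AIIM or from any ECM product). It records a change only after the user re-authenticates and gives a reason, then produces the per-document history an auditor would ask for. The user store, class names and document IDs are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed credential store (assumption: a real ECM would ask its identity provider).
_SALT = b"example-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

_USERS = {"jdoe": _hash("correct horse")}

@dataclass(frozen=True)  # frozen: a recorded entry cannot be edited afterwards
class SignedEvent:
    doc_id: str
    version: int
    user: str
    reason: str
    timestamp: str  # UTC, ISO 8601

class AuditTrail:
    def __init__(self):
        self._events = []  # append-only within this example

    def sign_change(self, doc_id, user, password, reason, now=None):
        """Electronic signature: identity + timestamp + reason, captured at change time."""
        expected = _USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, _hash(password)):
            raise PermissionError("re-authentication failed; change not recorded")
        if not reason.strip():
            raise ValueError("a reason for the alteration is required")
        version = 1 + sum(e.doc_id == doc_id for e in self._events)
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        event = SignedEvent(doc_id, version, user, reason.strip(), stamp)
        self._events.append(event)
        return event

    def history(self, doc_id):
        """Every recorded change to one document, oldest first."""
        return [e for e in self._events if e.doc_id == doc_id]

    def report(self, doc_id):
        """Plain-text document history: when, which version, who, why."""
        return "\n".join(
            f"{e.timestamp}  {e.doc_id} v{e.version}  {e.user}  {e.reason}"
            for e in self.history(doc_id)
        )
```

Note that nothing here is cryptographically signed; the entry's value in an audit comes from the authenticated identity, timestamp and reason being captured together at the moment of change.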