



risk assessments, supplier due diligence, policy-signing, e-learning content distribution) and that also have built in repositories for associated records.Ī second key design consideration, for organizations of all sizes, is SCALABILITY. The best of these offerings are workflow tools for compliance that help manage key compliance tasks (e.g. Even better, let that person spend far less time on Records Control management tasks by using a SaaS (software as a service)-based compliance management system that has all compliance materials in an automated ‘system of record’. What is needed, if the system is to remain manual, is a smart, organized and motivated individual to manage what emerges from the design phase. The CCO’s time is well spent on helping to design the approach and making it fit the organization’s present and foreseeable needs the day to day management can and should be delegated to others. The system should be designed in a way that minimizes the involvement of the CCO or others at senior levels in the day to day administration of the system. One of the primary design and operational considerations that should come to mind is DELEGATION. Step 2: DesignĪs the Chief Compliance Officer (CCO) (and any task force member, if you choose to involve others in this form) step back to consider what the end product should look like based on the answers. The answers to the above types of questions help inform the “Design” (step 2) in the new Records Control system process. How long does it take to retrieve each such record, and what persons or systems are required to retrieve that record?.Where are these records located, and in what form?.The compliance program currently consists of, or is supported by (directly and indirectly) what types of records?.How likely is it that the organization’s risk appetite, existing operations and/or strategic plans will place increasing demands on the compliance program, and therefore on any Records Control system?.Lao Tzu had it right: “the longest journey begins with a single step.”Īs daunting as the overall task may seem, breaking it down into smaller pieces helps, and assessing certain current and foreseeable matters that apply to your organization, its compliance program and the current state of Records Control is a good first step. This article provides the latter, a non-technical four step path for taking a collection of compliance records spread throughout an organization and placing them into a Records Control system, and in so doing, turning a potential program liability into an objectively recognizable program asset. What is required is discipline, a system that makes sense to those who use it, and a roadmap to get there. It all sounds so logical and straight-forward – and therein lies the danger. Phrased differently, Records Control works well if the system’s contents are easily accessible, current and actually used by the appropriate persons for overall compliance program management. In simple terms, Records Control is basic organization: placing a draft or completed compliance record or file in a “place” or “places” where it can readily be identified and retrieved – and then applied, changed, linked and so forth. But with the compliance records quantity and variety generated by organizations of any reasonable size, there needs to be a systematic “method to the madness”, and the art performed by administrative assistants (with good memories) in the past has now evolved into more of a science. The unexciting element is a function of the essence of the task: paper (or electronic equivalent) shuffling. (And where the latter case exists, it is often because regulators have applied the adage “if it doesn’t exist in writing, it doesn’t exist” to conclude that an insufficiently documented program meant that a real program was not in place.) The importance stems from compliance records’ primary roles: memorializing, educating, informing and evidencing the existence of a genuine program, or not. (Want to get articles like this one by email? Here is the sign-up!)įew topics are so important, yet so unexciting to most, as compliance records management and control (Records Control).
