Enterprise content management (ECM) creates great opportunities for compliance functions, but it can also come with great risk. Naive compliance officers everywhere are being blind-sided by ostensible upgrades in ECM functionality, only to be left with compromised systems and very little recourse.
You must take proper actions to prevent this from happening to your department.
The setup starts with the fanfare surrounding executive management’s new panacea: enterprise content management. To be fair, an ECM strategy, in and of itself, is not a bad thing. Done right, ECM can improve your operation at zero cost to your department. That’s the beauty of this great new direction companies are taking -- it’s an enterprise concern, so it’s funded with enterprise dollars.
The downside of ECM strategy is that although your compliance functions are theoretically subsumed by the new miracle software, the inherent purpose of the software suite has a new orientation: complete and total management of all unstructured data. Given too many liberties to support this new orientation, your ECM solution can actually compromise your core operation. To avoid this, take heed and secure three key agreements with executive management.
First, get agreement up front that the compliance function cannot be even slightly compromised. Certain subfunctions of ECM, like Web content management and document-centric collaboration, are very seductive. These are the shiny baubles that probably caught executive management's attention at the start. At first mention of an ECM solution, you should establish objectives with the executive management team. This includes getting some fundamental agreements for what the solution must do, and what you want it to have. Of course, maintaining the current performance levels of compliance functions like document and records management should be included in the category of “musts.” Be sure to have your business case for compliance readily available, in case you’re met with resistance.
Secondly, remind the executive team that some things aren’t as they seem. Flashy marketing brochures for enterprise-class software are notorious for being misleading, and ECM is no exception. The second agreement to establish with the executive team is for a thorough proof of concept demonstrated before any commitment is made, and testing before the implementation is accepted. Ensure that your compliance functions and current levels of performance are baselined for these acceptance tests.
Your third and final agreement with the executive team is for a parallel execution of the new ECM solution and your existing one, for at least one year. Yes, one full year. Compliance has a seasonal component, and you must be sure your new ECM solution can handle the compliance demand all year long, not just in the month of its deployment (which might carry a relatively light compliance demand). This type of implementation is expensive, but it’s even more expensive to undo an inadequate implementation under the realization several months later that it cannot handle the load.
The next step in an ECM strategy
Now that the basic agreements are place, it’s time to start considering how ECM can take your operation to the next level. It would be a shame to put all these implementation hooks in place without ever taking advantage of ECM’s real supplemental benefits.
Your second agreement, a thorough proof of concept and acceptance testing, can be leveraged to include additional compliance function points that can elevate your department’s effectiveness. Workflow is a great place to start, especially if all your compliance and audit processes are currently manual. Use one of your key manual compliance processes as a use case, and install test cases to understand how the workflow function of your proposed ECM solution can make your life not only easier, but also more effective.
Like the Sirens of Capri, ECM is alluring, seductive and sometimes fatal to the compliance function.
Another place to look is document-centric collaboration. Tools to collaborate on document creation, like policies or audit documents, can greatly increase inclusion and feedback from all the right people. Cross-functional stakeholder concerns around compliance can be addressed in near-real time while legal, process experts, IT and all other compliance support team members can model the compliance architecture properly the first time. This avoids unnecessary delays and rework.
Finally, Web content management can be a great addition to your compliance function. For instance, when building the functional requirements for your ECM strategy, build in e-discovery use cases that involve litigation holds. Write into your acceptance tests the ability for the ECM solution to effectively tag a subject area of concern with proper metatags, and prevent the destruction of any Web pages with the identified metatags once a litigation hold is put in place.
These are just some examples of how the newer features of ECM can boost your compliance efficiency and effectiveness. With very little effort and possibly a short brainstorming session with your team, you can come up with many more use cases like this to include in your proof of concept and/or acceptance tests.
Like the Sirens of Capri, ECM is alluring, seductive and sometimes fatal to the compliance function. To avoid this fate, secure three key agreements with executive management at the mere mention of ECM: to protect the current compliance function, to test the compliance functions thoroughly, and to run the solutions in parallel for at least one year. Without them, your fate could be rocky.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy that helps companies improve efficiency and avoid penalties and fines. His clients include Fortune 100 firms such as Sun Microsystems, Cisco Systems Inc. and eBay Inc. For more information, visit www.excellentmanagementsystems.com.