Compliance mandates have evolved in recent years as regulators increasingly examine companies' internal processes that ensure data integrity and accuracy. This regulatory shift has also made company leaders realize that effective GRC processes could go beyond just keeping operations compliant, according to frequent SearchCompliance contributor Jeffrey Ritter.
In a recent webcast, Ritter explained how companies can best align data governance and compliance processes to realize new sources of digital business gain. In part two of the webcast, Ritter discusses how company leaders have come to recognize that proper records management and compliance business processes can be a revenue driver for their companies.
Editor's note: The following is a transcript of the second of four excerpts of Ritter's webcast presentation on the relationship between information governance design and compliance business functions. It has been edited for clarity and length.
Jeffrey Ritter: We notice that the regulators' goals when authoring rules for how business records are to be preserved sound a lot like information governance objectives and best practices: Strong, rules-based information governance design drives reliability, the ability to trust the business records. But as the Deloitte survey confirmed, compliance as a business function struggles to be properly funded. Most corporate executives view that the only economic incentive for achieving proper compliance is to avoid fines and sanctions imposed by government. The economic disincentive is lost profits.
Records management and compliance historically have always been viewed as an administrative expense that doesn't actually help produce goods and services. They're just costs of doing business, and so the only way that they can be funded is out of net profits. That puts the business function, particularly for compliance, in conflict with the economic incentives of the shareholders. When this conflict exists between funding compliance business processes properly and achieving greater profits, many corporate execs respond to information governance and compliance business processes with a sneer, and the projects don't get funded.
There's one further complexity that's making this even a little bit more challenging: The integrity and accuracy of compliance records are no longer presumed. Even into the early years of the 21st century, we would see companies submit records and the public sector would accept their validity and accept their authenticity. But increasingly, agencies had to devote resources to testing the accuracy, the integrity and the authenticity. This is because regulations evolved to help assure that the records that were in companies' custody retained their integrity and were preserved as records of historical fact.
With that in mind, we look at the various rules and realize that what's needed is not just a matter of creating records of our processes but also working to make sure the rules preserve the authenticity and integrity of those records. Compliance is not just a matter of retaining the records but an obligation to do more to assure their integrity throughout their lifecycle.
There was an anecdote I learned back in the late 1990s as the FDA was developing rules for the authenticity of records. Nearly 70% of their budget in evaluating new drug applications for food and drug admin in the United States was devoted to testing the accuracy and authenticity of the records submitted by pharmaceutical companies to support their application for approval of the drug. This, to me, is very striking when chief compliance officers are reporting that record management is so low on their assigned responsibilities. If the records don't hold up to the public sector's rules, then the records may not satisfy government mandates to demonstrate the corporate practices are authentic and have been accurately documented.
Now let's shift to the other subject: information governance. This is a definition of information governance that I've been using for the last few years: Information governance is the rules-based management of digital information to advance the wealth-creation and wealth-preservation goals of an organization. There are several moving parts here. First of all, virtually all business data of value for evidential purposes or for compliance is going to be digital. Second, it must be rules-based. And third is that it has to be connected to how we make money.
That definition represents an essential truth that is important, and I want to emphasize it: It's that information governance only achieves C-level support when it's shown to create new wealth or preserve existing wealth. That concept is changing the way information governance design, records management and compliance are succeeding in acquiring executive-level support. They are demonstrating that data that is authentic, that is secure, that is accessible and that is factual actually helps companies make better decisions, faster decisions. It also obviously enables these companies, particularly in the distributed, cloud-based ecosystem and environments in which companies do business by sharing information.