I hear the word ‘compliance’ tossed around all the time, but I suspect that many of those using the word have only a vague idea of what it means. Compliance usually refers to adherence to rules imposed on you by law or by some type of regulatory body. But what technical capabilities are actually required to comply with such legal and regulatory requirements?
Let’s be clear. You don’t use the word compliance when you are referring to something you really want to do. Compliance usually means an inconvenience that you are required to put up with. It rarely saves you time or money. However, compliance is designed to protect you from failure, from disruption, from poor quality, from wrong decisions, from danger, from injury, and - if you live in America you’ve probably guessed it - from lawsuits. Various parties may be interested in protecting you from those risks: a consumer safety regulator (e.g. the FDA in the pharma industry), your government (federal, state, or local), or your employer. But how does that actually work?
First, compliance often means ensuring that proper authorization is in place for important decisions. That starts with access control - making sure that the right people, and only those people, have access to the pertinent information at the right time. That usually involves a dose of security - preventing any unauthorized actor from manipulating the information or the decisions.
The decisions themselves often have to be documented in a non-repudiable way. This is where electronic signatures come in. The two terms are easy to confuse: a digital signature is a cryptographic mechanism (a value computed with a private key over the content, verifiable by anyone holding the matching public key), whereas an electronic signature is the legal and regulatory construct, and it is all about capturing who, when, what and why. In the pharma industry’s 21 CFR Part 11 regulation, an e-signature is manifested as the signer’s printed name, the date and time, and the meaning of the signature (approval, review, authorship), attached to one specific version of a record, and the regulation requires that signature and record be linked so that the signature cannot be excised, copied or transferred to another record. In practice that means binding the signature to a digest of the exact document version: when someone changes the document, the existing signature no longer applies and the new version has to be signed again. “I didn’t sign off on this version of the medication packaging” is the dispute these requirements exist to settle. A digital signature over that who/when/why record is one sound way to implement the binding; a bare name-and-date field that any database administrator can edit is not, however compliant the form looks.
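As an added example (not code from the original post, and not any vendor’s Part 11 implementation), here is the binding described above in Go: the who/when/why record carries the SHA-256 digest of the exact document version and is signed with an Ed25519 key. The `Signature` field names, the JSON canonicalization, the sample label text and the `qa.reviewer` identity are all this example’s own assumptions. It only shows the linkage requirement; a real deployment also has to authenticate the signer before the key is used (Part 11 requires at least two identification components for non-biometric e-signatures) and control custody of the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Signature is the Part 11 style manifestation of an e-signature: who signed,
// when, and with what meaning, bound to one exact document version by the
// SHA-256 digest of its content. The field set and JSON names are this
// example's own choices (assumed), not a prescribed format.
type Signature struct {
	Signer    string `json:"signer"`
	SignedAt  string `json:"signed_at"` // RFC 3339, UTC
	Meaning   string `json:"meaning"`   // e.g. "approved", "reviewed", "authored"
	DocID     string `json:"doc_id"`
	DocSHA256 string `json:"doc_sha256"`
	Sig       []byte `json:"sig"` // Ed25519 signature over the other fields
}

// signedBytes is the canonical byte string the signature covers: the record
// with Sig cleared, JSON-encoded. encoding/json emits struct fields in
// declaration order, so the encoding is deterministic.
func signedBytes(s Signature) []byte {
	s.Sig = nil
	b, _ := json.Marshal(s) // cannot fail for a struct of strings and []byte
	return b
}

func docDigest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Sign produces the e-signature record for one document version.
func Sign(priv ed25519.PrivateKey, signer, meaning, docID string, doc []byte, at time.Time) Signature {
	s := Signature{
		Signer:    signer,
		SignedAt:  at.UTC().Format(time.RFC3339),
		Meaning:   meaning,
		DocID:     docID,
		DocSHA256: docDigest(doc),
	}
	s.Sig = ed25519.Sign(priv, signedBytes(s))
	return s
}

// Verify answers two questions: was this record signed by the holder of the
// private key matching pub, and is doc (identified by docID) the exact
// version the signer saw?
func Verify(pub ed25519.PublicKey, s Signature, docID string, doc []byte) bool {
	if !ed25519.Verify(pub, signedBytes(s), s.Sig) {
		return false
	}
	return s.DocID == docID && s.DocSHA256 == docDigest(doc)
}

// Demo exercises the three cases that matter in an "I never signed that"
// dispute. The label text and identities are constructed sample data.
func Demo() (okOriginal, okEdited, okTransplanted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	v3 := []byte("Label v3: take one tablet daily")
	sig := Sign(priv, "qa.reviewer", "approved", "LBL-042", v3,
		time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC))

	okOriginal = Verify(pub, sig, "LBL-042", v3)                                       // true
	okEdited = Verify(pub, sig, "LBL-042", []byte("Label v4: take two tablets daily")) // false: content changed
	okTransplanted = Verify(pub, sig, "LBL-043", v3)                                   // false: signature moved to another record
	return okOriginal, okEdited, okTransplanted, nil
}

func main() {
	a, b, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v edited=%v transplanted=%v\n", a, b, c)
}
```

The document ID is part of the signed record on purpose: without it, two records with byte-identical content could share one signature, and a signature could be copied from one to the other, which is exactly the transfer Part 11 forbids.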
Other requirements, such as the ISO quality management standards (ISO 9001 and its industry-specific relatives) or process methodologies like Six Sigma that organizations adopt voluntarily, demand that certain mandatory process steps be completed before the process can advance to the next stage. This is where technologies such as workflow and BPM (business process management) come in - workflow for processes whose steps all occur within a single system, BPM for processes that cross multiple systems.
At the end of any process, many regulations require that all the artifacts be stored as proof in case of an audit or lawsuit. That is the role of archiving and, of course, records management. Records management not only stores the required information for a prescribed period of time; it also classifies each record to assign it a retention policy that specifies how long the record is to be kept and what should happen with it when the retention period expires. Records management also deals with requirements such as legal holds (suspending any record destruction for the duration of a lawsuit) and secure records disposal that prevents forensic recovery of expired records.
Finally, many regulations require the ability to trace back every step for the purposes of an audit or an incident investigation. This is where auditing comes in: an audit trail that records a timestamp, the actor and the action for every event, and the ability to easily review and analyze that trail. For the trail to be worth anything in a dispute it also has to be tamper-evident. 21 CFR Part 11, for instance, requires a secure, computer-generated, time-stamped audit trail in which later changes do not obscure previously recorded entries - which rules out an ordinary editable table that the same users can write to.
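As an added example (not code from the original post, and not any product’s audit implementation), here is a minimal tamper-evident audit trail in Go: each entry carries the hash of the entry before it, so editing, deleting or reordering an entry after the fact is detected when the chain is verified. The `Entry` field names, the JSON canonicalization and the sample events about a `LBL-042` label are this example’s own assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit record: when, who, what action, on which record, and the
// before/after values. PrevHash links it to the entry before it and Hash
// covers every field including PrevHash, so the trail forms a hash chain.
// Field names are this example's own choice (assumed).
type Entry struct {
	Seq      int    `json:"seq"`
	At       string `json:"at"` // RFC 3339, UTC; set by the system clock, not by the caller's data
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Record   string `json:"record"`
	OldValue string `json:"old"`
	NewValue string `json:"new"`
	PrevHash string `json:"prev_hash"` // "" for the first entry
	Hash     string `json:"hash"`
}

// hashOf hashes the JSON encoding of the entry with Hash cleared.
func hashOf(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // cannot fail for a struct of strings and ints
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Trail is an append-only audit log.
type Trail struct{ entries []Entry }

// Append records an event, chaining it to the previous entry.
func (t *Trail) Append(at time.Time, actor, action, record, oldValue, newValue string) Entry {
	prev := ""
	if n := len(t.entries); n > 0 {
		prev = t.entries[n-1].Hash
	}
	e := Entry{Seq: len(t.entries), At: at.UTC().Format(time.RFC3339), Actor: actor, Action: action,
		Record: record, OldValue: oldValue, NewValue: newValue, PrevHash: prev}
	e.Hash = hashOf(e)
	t.entries = append(t.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first inconsistent
// entry, or -1 if the trail is intact. Editing, deleting or reordering an
// entry after the fact changes its hash or breaks the link from its successor.
func (t *Trail) Verify() int {
	prev := ""
	for i, e := range t.entries {
		if e.Seq != i || e.PrevHash != prev || hashOf(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ForRecord is the "who changed this, and when" query an auditor asks.
func (t *Trail) ForRecord(record string) []Entry {
	var out []Entry
	for _, e := range t.entries {
		if e.Record == record {
			out = append(out, e)
		}
	}
	return out
}

// Demo builds a small constructed trail, then shows that an after-the-fact
// edit and a deleted entry are both detected.
func Demo() (intact, afterEdit, afterDelete int) {
	var t Trail
	base := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	t.Append(base, "qa.reviewer", "approve", "LBL-042", "draft", "approved")
	t.Append(base.Add(time.Hour), "packaging.ops", "edit", "LBL-042", "take one tablet", "take two tablets")
	t.Append(base.Add(2*time.Hour), "qa.reviewer", "approve", "LBL-042", "draft", "approved")
	intact = t.Verify() // -1

	// Someone with write access to the store rewrites entry 1 to cover their tracks.
	edited := Trail{entries: append([]Entry(nil), t.entries...)}
	edited.entries[1].NewValue = "take one tablet"
	afterEdit = edited.Verify() // 1

	// Or removes entry 1 altogether.
	deleted := Trail{entries: append(append([]Entry(nil), t.entries[:1]...), t.entries[2:]...)}
	afterDelete = deleted.Verify() // 1
	return intact, afterEdit, afterDelete
}

func main() {
	fmt.Println(Demo())
	fmt.Println(len((&Trail{}).ForRecord("LBL-042")), "entries for an empty trail")
}
```

A hash chain alone only proves internal consistency: an attacker who can rewrite the whole store can recompute every hash. It becomes real evidence when the chain head is anchored somewhere the writers cannot reach, for example a periodic checkpoint hash that is digitally signed, written to WORM storage, or shipped to a separate log system, and when the timestamps come from a system clock the acting user does not control.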
There are many other capabilities that may be part of a compliance solution; the specific regulations drive the requirements. Beyond access control, e-signatures, workflow/BPM, archiving, records management, and auditing, compliance requirements may include search, publishing, secure communication, collaboration, and many other capabilities. Records management has been receiving plenty of attention lately, so much that many equate compliance with records management. Yet there is much more to compliance than records, which is what I wanted to show in this post.