Organizations in regulated industries recognize that the cost of doing business includes the time and expense of managing information. At their best, organizations successfully meet the needs of regulators while keeping their operations online and functioning efficiently.
It’s a lofty challenge. Many companies approach this by hiring extra staff to deal with the regulatory burden. These are often specialized positions that require audit support skills, ideally people who’ve been through the process before. It’s hard enough to find qualified resources, but then the business faces an additional challenge: determining what to do with this skilled workforce after their obligations have been met, and before the next round of audits occurs.
We recognize that the best way for a business to meet regulatory requirements is to have a well-designed, properly governed information management program in place. Auditors make very specific requests that need clear, unambiguous responses. If a company can’t demonstrate that its record keeping is reliable and authentic, it can face steep penalties and fines, or even a production shutdown.
Our teams provide support for information-centric audits and expert guidance when designing and executing corrective actions.
We assess existing information-centric practices and develop program roadmaps to address gaps.
We develop relevant, actionable information management and governance policies and processes.
Our professionals develop data maps to support internal and external audit requirements.
The first step after receiving a negative audit finding is to perform root cause analysis. Why did this occur? This analysis can be done internally or through an external third party. In order to create a plan for remediation, it’s important to identify the true causes as well as to review the IM program holistically. Possible causes could be related to people, process, or technology.
You will also want to engage business stakeholders to demonstrate how this audit finding can have impacts on the business in terms of reputation, costs, and most importantly, safe operations. Transparency and accountability are important during this process.
Once a plan for remediation has been set, don’t forget to establish a framework for demonstrating progress to internal and external stakeholders.
This highly regulated financial services company owns and operates more than 700 retail locations in North America and the United Kingdom. In recent years, changes to laws in many states have enabled regulators to enter a retail location, initiate an unscheduled (i.e., snap) audit, and then assess a fine when the location manager is unable to communicate and coordinate with company headquarters to respond to the audit within the statutory response time limit (typically 2-3 hours).
A global retailer with operations in multiple countries faced challenges preparing to meet data privacy rules under GDPR. With just over two months to spare and 600 applications with potentially relevant PII (personally identifiable information), they knew they needed help. Organizations in breach could be subject to costly fines – up to 20 million euros or 4 percent of annual global turnover.
For companies in regulated industries, information management is critical. It doesn’t matter how good your products or processes are: if you can’t produce the required documentation to demonstrate compliance, then you risk penalties or even closure.
Lisa is a Principal Consultant in the Information and Data Governance practice with Access Sciences Corporation. Since 2006, she has worked with clients to deliver program assessments, strategic plans and roadmaps, change management strategies, policies, retention schedules, data map development, and taxonomies. Lisa has over 30 years of business experience, with a career covering lifecycles related to manufacturing, information technology, and information management.