Knowledge Trumps Fear: Four Steps to E2.0 Compliance

By Joe Shepley posted 02-24-2011 20:22


My last post was all about fear: I looked in detail at how the growth in discoverable content types, the increasing complexity in the technology landscape, and the lack of regulatory guidance have all come together to make embracing E2.0 a risky proposition for many organizations.

But as I said at the end of that post, despite very real fears about E2.0, there’s no feasible way for organizations to avoid it forever. The market is changing and fast, so every organization in the not-so-distant-future will need to chart its own course to E2.0, one that fits its culture, keeps it compliant, and helps it realize the benefits E2.0 has to offer.

And while this course will be quite different for each organization, there are some basic things any organization can do, no matter how risk averse, to begin this journey.

1. Determine what laws and regulations you are actually required to follow

At many organizations, the fear of non-compliance surrounding the use of E2.0 tools and techniques is out of proportion with the reality of in force laws and regulations. Like those folks who once upon a time ran around invoking “Sox compliance!” to everything they didn’t agree with, I come across lots of people inside and outside corporate compliance functions who use the specter of unspecified “legal and compliance risks” to halt the advance of E2.0.

And while I don’t want to downplay the importance of compliance for E2.0, I think it’s critical to be absolutely clear about what is and is not stipulated in actual laws and regulation. Otherwise, you’re acting on fear and speculation—not a good place to build an effective enterprise strategy from.

So step one for every organization is to figure out precisely what laws and regulations are in force for them and their use of E2.0 tools and techniques. Start by researching the key documents that govern how you do business:

  • Determine whether they address E2.0 in the first place. Many regulators are just now getting around to email and IMs, so there’s a good chance that most E2.0 tools and techniques aren’t specifically called out in the regulations you have to adhere to.
  • If they do, begin collecting what’s said about E2.0. This will form the foundation for a reasoned, fact-based approach to E2.0 compliance.
  • If they don’t, look for places where it’s reasonable to extrapolate specifics to E2.0 tools and technologies. For example, if a regulator stipulates that a customer should be able to opt out of receiving email correspondence, it’s a good bet they would stipulate the same for messages delivered via SMS through community membership.

The goal is to build a database of all known, relevant compliance rulings on E2.0 for your organization. This can be an actual database or simply a list or spreadsheet. Either way, you’ll have the data points needed to facilitate a rational consideration of how to pursue compliant E2.0 at your organization.

2. Determine the split between regulated and unregulated E2.0 activity at your organization

Now that you have a better idea of what is and isn’t actually addressed by regulators, you can begin to analyze the impact for your organization.

The first analysis you need to do is to determine what E2.0 tools and techniques fall into regulated versus unregulated activities.

For example, at a financial services organization, the main split would be between product recommendations to investors and everything else; whereas at a health care provider, the split would be between personal health information (PHI) and non-PHI.

By doing this, you get a high-level idea of how pervasive the applicable regulation is for your organization (and therefore how challenging E2.0 will be). If only a small portion of your business falls under regulation, that leaves you with more E2.0 to enable outside the scope of compliance. And if the reverse is true, then you’re likely faced with more stringent compliance requirements for your E2.0 implementation.

3. Determine the value of the unregulated activities to the organization

Once you understand what is and isn’t regulated and what activities are and aren’t covered by that regulation, you need to determine the value these activities have to the organization, because ultimately this will determine if it’s worthwhile to enable them with E2.0 tools and techniques regardless of whether or not they’re regulated.

In my opinion, it’s best to begin with unregulated activities. After all, if we can deliver value without having to jump through compliance hoops, we definitely want to do so wherever possible. For example, at a financial services organization or health care provider, there might be great value in applying E2.0 tools and techniques to expertise management—a domain virtually free from regulation in these verticals.

4. Determine the value of the regulated activities to the organization

Just because an activity is regulated, however, doesn’t mean it won’t be valuable to apply E2.0 tools and techniques to it; it just means that the value needs to be significant enough to offset the resources required to be compliant.

So for financial services organizations or health providers, the value to be derived, for example, from using E2.0 to strengthen the broker/investor relationship or to enable communities to help patients manage chronic illness might (far) outweigh the cost and difficulty of doing so in a compliant way.

The final word

With these four activities complete, you’re in a much better place to have a realistic, fact-based conversation about how your organization can embrace E2.0 in a compliant way. The result? Undifferentiated fear and analysis paralysis can give way to effective risk management and incremental execution.

#E20 #compliance #regulation