This is a guest post by Dana Simberkoff, AvePoint Vice President of Risk Management & Compliance.
(Note: This is part of our series “Collaborate with Confidence”. Previous posts: SharePoint Governance: Putting Your Plan into Action)
According to Merriam-Webster, the dictionary definition of compliance is as follows:
1. The act or process of complying to a desire, demand, proposal, or regimen, or to coercion
2. Conformity in fulfilling official requirements
3. A disposition to yield to others
4. The ability of an object to yield elastically when a force is applied
While regulatory compliance for businesses around the world most clearly falls under the second definition, there are many records managers, general counsels, and policy officers who would nod their heads in agreement at any of the other definitions as well. So, what really is compliance?
Whether an organization is subject to external regulatory compliance from a government agency, by statute or law, or seeks to comply with its own organization-specific mandates and policies, compliance in “real life” means conforming to requirements and, in most situations, being able to prove that your organization has done so. This is typically achieved through the development of organizational policies that map out the expected behaviors.
From a policy perspective, there are many factors that go into the determination of an organization’s policies, including statutory and regulatory requirements, company or organizational best practices, and market demands. If we look at the following groups - government/public sector agencies, financial service businesses, and healthcare providers - we find that they are regulated and must develop internal policies in order to ensure compliance with the law. On the other hand, retailers and public companies have more flexibility but still may be regulated by government agencies.
The real challenge comes from the intersection of policy and practice. It is important to understand that regardless of the source of the mandate, one challenge faces all of these organizations - once they have created their policies, they must decide how to enforce those policies and measure their effectiveness. On the surface this may seem like a simple task. In practice, though, the dilemma is that creating a policy – without any mechanism (automated, manual, or third-party) to measure and monitor compliance with that policy – is somewhat like setting a curfew for a teenager and then going away for the weekend. How do we know if people will live up to our expectations? How do we know if those expectations are even reasonable? In order to build effective policies, we must not only understand the legal and statutory requirements that will shape the policy within our organizations, but also understand how these policies relate to the business practices, people, and technologies within our organizations.
Regardless of the requirements to which an organization must adhere, an effective model will be one that integrates policy with its people, processes, and technology. This includes education, monitoring, and enforcement. A best practices approach to compliance incorporates not only understanding requirements and conforming to them, but also being able to prove that you have done so. As part of this methodology, organizations should look to use technologies and to create policies that make it easier to do the right thing than it is to do the wrong thing or to simply disregard the policy altogether.
The organization should actively review, monitor, enforce, and/or adapt the policies as necessary to ensure that they effectively and accurately measure and report on conformance. This will not only ensure the highest degree of compliance, but also provide the data that is necessary for the organization to react quickly should policy or processes require adaptation in the rapidly evolving business environment.