The amount of published material (including blog entries) on compliance continues to grow exponentially, which is not surprising given the pervasiveness of the issues. By pervasiveness I mean not only the applicability of at least some compliance requirements on virtually every size and sort of organization, but also that compliance cuts across the breadth of disciplines that we place under the umbrella of Content Management (CM). These disciplines include Digial Asset Management (DAM), Records Management (RM), Digital/Enterprise Rights Management (DRM/ERM), Knowledge Management (KM), et al.
Making sense of this alphabet soup of activities touching and touched by compliance is one of the primary tasks facing legal and content management professionals. It occurs to me that while compliance needs and solutions are reflected in virtually all CM activities, there are certain core concepts that can frame our thinking. Being in an alliterative mood, I offer the Five R’s of compliance. They are perhaps not as fundamental as the Three R’s of learning, but they address many of the challenges surrounding compliance.
1. Requirements: regulatory, litigation, and internal policies.
2. Roles & Responsibilities: identification of all the various participants, i.e. managers and users, in the organization’s content management process and delineation of the responsibilities of these participants.
3. Risk Management: Compliance requirements, perhaps especially in the area of litigation/discovery, but also in the seemingly structured world of SOX, HIPAA and other regulations, are not black-and-white. There is room for the application of a reasonableness test (which could probably be an “R” unto itself) to many compliance policies and activities.
4. Rights/Rules Management: Balancing requirements, roles and risks, organizations must build a compliance policy infrastructure. This policy infrastructure manifests itself in the form of rules which control ACCESS TO and USAGE OF various types of content in various settings. In essence, this is the function of Digital Rights Management or Enterprise Rights Management.
5. Records Management: In addition to rules governing ACCESS TO and USAGE OF content, the compliance policy infrastructure must also include rules for recordation and retention of various types of records. By “recordation” I mean the capture and designation of pieces of content as business records. This task is probably playing out most intensely, at least at the moment, in the area of email management policies.
In the end, compliance, in all its forms, requires a relatively sophisticated policy infrastructure enabled and enforced by equally sophisticated technology tools. To effectively apply various policy frameworks, such as the COSO recommendations for internal financial controls or the Sedona Guidelines for legal/litigation compliance, I think we must address the Five R’s.
Is this view too simplistic? Too complicated? Incomplete? Sort of on target but just a little bit off? Totally out in left field? I look forward to your comments.