Auditing RIM Programs for Improvement Helen Streck President/CEO


Workshop Agenda


Introductions

Understanding Audits

Lifecycle and Elements of an Audit

Findings and Developing Initiatives

Introduction

Importance of Good Recordkeeping

Values for a RIM Program

Knowing Your Requirements

Strategic Review of Risks

Drivers for Continuous Improvement

Auditing’s Input

Value of RIM

If information is a key asset to an organization, then RIM:

Establishes the controls for compliance

Improves efficiency

Element of reasonableness

Removes costs when value no longer exists

Facilitates effective/efficient decision making

Improves system performance

Knowing Your Requirements

SEC 17-A, sections 3 & 4

Government Paperwork Elimination Act

NASD 3010

FACTA

USA Patriot Act

Gramm-Leach-Bliley Act

NASD 3110

Sarbanes-Oxley Act

HIPAA

NYSE 342

Check 21

Drivers for Continuous Improvement

Industry Competition

Data Storage Costs

Excessive Costs of eDiscovery – Obsolete Data

Rising Costs of Human Labor

“Personalization” of Information

Increased Regulations and Inspections

Over-Regulating

Using Audits for Improvement

This session will focus on how to plan and use an Audit (Assessment) to aid a RIM Program in building the improved services that meet the needs for continuous improvement.

Understanding Audits

Defining an Audit

A RIM audit is an independent, objective activity designed to “add value and improve” an organization’s operations for creating and managing information.

Understanding Audits

Independent Objective Evaluation Provide Assurances

Compliance Efficiencies Effectiveness

Evaluates Governance Controls Processes Risk Management

Auditing Characteristics

Holistic Approach

Consistent with Org’s Mission and Goals

Prioritized on a Risk-Based Approach

Conducted Routinely

Outside-Looking-In View

Audit’s Value Statement

Proves controls via documentation and evaluation

Checks for controls that reduce or eliminate unabated information growth

Ensures the application of rules that eliminate obsolete information that may be discoverable

Determines the effectiveness of procedures

Identifies isolated instances of duplication

Risks with Poor RIM Programs

Loss of Intellectual Property

Delayed Decision-making/Filings

Increased Technology Costs

Increased eDiscovery Costs/Penalties

Poor System/Operational Responsiveness

Decreased Competitiveness

Unmanaged Liability

Using Industry Standards

Use industry standards and best practices to benchmark

The Principles

ISO and ANSI standards

Best Practices

Sedona Principles

Elements of Compliant Programs

Generally Accepted Recordkeeping Principles (www.arma.org)

Accountability

Integrity

Information protection

Compliance

Information is available

Retention

Disposition

Transparency

Audit Lifecycle

Audit Cycle (diagram): 1. Planning, 2. Preparation, 3. Performance, 4. Reporting, 5. Follow-up

Steps in an Audit

Planning

Define purpose, scope, criteria and objectives

Prioritize based on risk

The Purpose

Start with defining the purpose of the audit – sets the tone

Looking for mistakes

Complying with requirements

Seeking opportunities to improve

Define the expected outcomes

What are the actions to follow

The Purpose

Why

To meet regulatory requirements

To verify the controls established to protect PHI

To check the processes that document the use of public funds

Outcomes

Report of evaluation and findings

Findings are prioritized as high, medium or low, the high being the most severe

Actions

Develop corrective plan (initiatives) with timelines

Audit Objectives

Relate the elements of your program to the Corporate goal

Examples of objectives include:

To determine the level of protection taken and routinely followed to protect paper records

To assess management’s commitment by assignments and participation on the Steering Committee

To measure the rate of the department’s completion of the RIM learning course

Set Criteria Ratings

Next determine what you must have:

What program elements are critical

What program elements are important to have

What program elements are preferred but you could live without

Set Criteria Ratings

Critical

Program has mission and vision statement

Program mission and vision statement endorsed by executives

Important

Mission and vision statement are published for employees to access and see

Preferred

Program mission statement is included in business unit’s goals and mission

Program Element | Documentation Available (Yes/No) | Principle | Criteria (C/I/P) | Last Revision Date | Current Rating (Un/NI/S/NA)

Policy – Sample Only | Yes | Accountability | Critical | Mar-08 | Needs Improvement

Retention Schedule

Procedures (sampling only)

Transferring Hard Copy Records to Storage

Information Disposition Procedure

Decommissioning Plan/Procedure

Exiting Employee Procedure

System Taxonomy/File Plan

Training Materials

New Hire Training Slides

Communication

Website

Glossary

Decide on Ratings

Based on risk factors and known requirements, how do the current documentation and practices measure up to the criteria?

Satisfactory

Needs Improvement

Unsatisfactory

N/A

Steps in Performing an Audit

Ask the Department to identify your contact – Records Coordinator, Management – someone who can answer questions

Send checklist (what is being covered) in advance to contact

Obtain the list of names of employees to interview in advance

Schedule meetings with interviewees

Prepare a list of documents you want the department to provide you for review

Steps in an Audit

Planning

Define scope, criteria, and objectives

Prioritize based on risk

Preparation

Create a checklist – what do you want them to produce for you to review

What is required by law to have

Submit checklist, questions and document request to the group being audited

Performance

Collect and review physical and electronic recordkeeping documentation

Conduct interview(s) with department(s) personnel as necessary

Reporting

Draft Findings Report

Discuss steps for improvement

Recommend Timelines – be realistic

Monitor the improvement steps

Using Audits for Improvement

Reviewing the risk, compliance requirements

Learning to rank initiatives

Understanding the resource requirements needed

Using a “Triage” approach

Using Findings to Create Initiatives

Triage Approach: General Description

Develops a plan that prioritizes the most pressing matters so that they receive immediate attention.

Places longer term goals on a drawing board to be reviewed with more analysis without pressure.

Postpones tasks that are of low risk and not urgent until the last phase of the project.

Triage approach prioritizes the needs and risks of the project into manageable groups.

Triage Approach: General Description

Provides a means for “building onto” a Program by ensuring the correct components are done first.

Allows the Program owner to measure success and “see” definable improvements and not wait on project completion to be successful.

Separates project components based on risk and need so that items which are most critical get the immediate attention to reduce existing or potential risks.

Prioritize Like Emergency Room

Stop the Bleeding

RIM initiatives that address the immediate findings to achieve compliance

Levels of Process Improvements

Stop the Bleeding

RIM initiatives that address the immediate findings to achieve compliance

Treat the Underlying Cause(s)

Address the root symptoms

Establish Preventive Measures

Long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems

Create Ongoing Efficiencies

As systems are operating smoothly and consistently, opportunities for streamlining arise

Immediate Implementation (<6 mo.)

Scheduled Implementation (4-12 mo.)

Delayed Implementation (8-24 mo.)

Triage

Immediate Implementation (<6 mos)

Program governance

Program assessment and strategy

Program infrastructure

Communication plan and program toolkit

Scheduled Implementation (6-15 mos)

Phase in Program Governance to employees

Create educational curriculum and course content

Data from departing employees.

Protocol for decommissioning systems

Delayed Implementation (15-24 mos)

Records Management criteria for system designs

Process to manage orphaned data

Create business case and workflow for RM S

Audit criteria

Immediate Project (<6 months)

Description | Benefit | Approach | Cost

Program governance

Description: Revised global program policy; Revise/consolidate records retention schedule; Identify global processes and draft protocols; Review and revise or create standards for archiving records and data

Benefit: Clearly defined rules and expectations; Developed center of expertise; Policy simplification and alignment; Flexible implementation

Approach: Identify all associated policies/revise and align; Review/collapse and reformat RRS; Revise/create standards for archiving paper and electronic records

Program assessment and Strategy

Description: Conduct program assessment; Realign and revise vision and mission; Create Program strategy and timeline

Benefit: Clearly articulated vision; Measurable and achievable action steps towards a mature program; Identifiable resources & dependencies

Approach: Conduct interviews with identified key employees; Assess current goals and roles and responsibilities; Identify risks and conduct gap analysis of risk and service

Program Infrastructure

Description: Complete entity appointed Records Managers; Refine roles and responsibilities; Draft Executive Sponsorship oversight role; Identify and formalize key partnerships (CCO, GC, CIO)

Benefit: Strengthen knowledge base; Distributed implementation involvement; Executive sponsorship and support

Approach: Define roles and responsibilities and support; Engage entity senior management in selection and requirements; Create Executive roles and responsibilities

Communication plan and toolkit

Description: Develop communication plan for build out; Create tools and support communication for infrastructure; Create communication templates

Benefit: Concise and consistent messaging; Increased employee awareness; Support for entity Records Mgrs

Scheduled Projects (6-15 months)

Description | Benefit | Approach | Cost

Phase in Program Governance

Description: Create employee awareness; Develop new hire orientation material; Develop web page and include links in governance documents

Benefit: Ensure global awareness and feedback; Awareness for new hires; Provides point-in-time resource

Employee Education

Description: Create educational curriculum and strategy; Identify all available modalities; Draft course content for Program components and compliance requirements

Benefit: Improved program awareness; Enable employee compliance

Exiting Employees

Description: Assess current process and situation; Partner with IT to determine employee data location and system requirements and controls; Develop process for preserving data/records of departing staff to comply with legal holds and retention requirements

Benefit: Risk avoidance of deleting litigation relevant data; Inform supervisors of responsibility at point-in-time; Ensures compliance with legal and RIM requirements

Decommissioning Systems

Description: Draft decommissioning compliance requirement needs that need to be met; Create decision tree; Draft protocol for decommissioning systems

Benefit: Ensures preservation and required data; Avoids over retention of obsolete data; Reduces expenses

Scheduled Projects (15-24 months)

Description | Benefit | Approach | Cost

Phase in Program Governance

Description: Create employee awareness; Develop new hire orientation material; Develop web page and include links in governance documents

Benefit: Ensure global awareness and feedback; Awareness for new hires; Provides point-in-time resource

Employee Education

Description: Create educational curriculum and strategy; Identify all available modalities; Draft course content for Program components and compliance requirements

Benefit: Improved program awareness; Enable employee compliance

Exiting Employees

Description: Assess current process and situation; Partner with IT to determine employee data location and system requirements and controls; Develop process for preserving data/records of departing staff to comply with legal holds and retention requirements

Benefit: Risk avoidance of deleting litigation relevant data; Inform supervisors of responsibility at point-in-time; Ensures compliance with legal and RIM requirements

Decommissioning Systems

Description: Draft decommissioning compliance requirement needs that need to be met; Create decision tree; Draft protocol for decommissioning systems

Benefit: Ensures preservation and required data; Avoids over retention of obsolete data; Reduces expenses

Make Audits Work for You!

Audits of RIM Programs should be viewed as a mechanism for healthier programs

Plan, prepare, evaluate and report

Use the findings to create initiatives and identify needed resources

Focus on continuous improvement

Thank You!

Helen Streck, President/CEO

Kaizen InfoSource