Governance & Risk Services

17a-4 has been assisting institutions with cost-effective implementation of e-Discovery services since 2001. We have worked with many clients on developing, implementing and testing in-house e-Discovery production procedures and policies. E-Discovery costs for most of our clients are, on average, half of those using outside legal service vendors. We have found that the reason for the high cost is, in part, the lack of a formal Information Governance plan. As such, e-Dis.co provides Information Governance and Risk Mitigation services to help institutions prepare for legal productions while still controlling expenditures.

Information Governance & Risk Mitigation Services:

  • Regulatory Compliance Risk Management and Advisory Services: Information governance functions have graduated from the role of a support function to that of a strategic area within compliant, efficient organizations. Even so, organizations must follow rigorous compliance and governance principles to maximize the value of their records and document management investments. Improper methodologies can lead to content clutter as new tools and applications, rather than processes, proliferate in organizations. A Regulatory Compliance Risk Management Program can pay for itself. Records and documents are managed effectively throughout their life cycle, thus reducing potential liabilities and penalties to the organization.
  • Regulatory Compliance Documentation including legally compliant, fully cited Records Retention Schedules and Policy and Procedures documents with associated forms: Our project approach for delivering this documentation is three-pronged: Research, Deliverables and Rollout. In Phase I, Research, we interview knowledgeable staff of each functional area to ascertain all physical and electronic document types so we can identify record classes, operational needs, workflow, vital records and security needs, et al. We then complete our legal research and follow up with preliminary reports of findings to the Client. Once Client approval is achieved, we go on to Phase II, Deliverables, in which we provide the Client with an enterprise-wide Records Retention Schedule and File Plan and a Records Policy and Procedures Manual. We then await approval of our deliverables by the Client’s internal or external counsel and/or Compliance department. Please note that our deliverables include a strategy for electronic records, email and vmail integration and a structured records plan and taxonomy. Once the approval process is finalized, we move to Phase III, Rollout, which includes all implementation (e.g. record clean outs, legally sufficient document destructions, etc.), staff training, follow-up support for any EDMS, document management or electronic document scanning requirements, and any relocation support, since many of our engagements revolve around Client moves.
  • Development of Vital Record Programs:  Vital Records, or records needed to recreate and re-establish business after a disaster, are 5% to 10% of an institution’s active documents. Vital Records Programs, delineated as part of the Records Retention Schedule, enable businesses to quickly return to their core business elements from a record keeping perspective.
  • Interpretation of Industry Specific Regulations: Compliance and Information Governance services have become more critical than ever due to the changed business landscape. For example, the ability to manage records for legally mandated retention times is a crucial component of Sarbanes-Oxley (SOX) compliance, and expertise in managing corporate records can be a competitive advantage. It is estimated that firms with poor records management are likely to spend at least three times as much on compliance per year as those with comprehensive Information Governance Programs.
  • Development of Information Governance Disaster Recovery and Business Continuity Programs: Information Governance is also a key constituent of organizational initiatives such as Business Continuity and Disaster Recovery Planning. Accordingly, building a strong Information Governance Program, inclusive of Vital Records identification and protection, shields firms against unforeseen events and enables the efficient reestablishment of an organization’s financial and operating position.
  • Regulatory Compliance Audits: Many firms base their Information Governance Programs on superseded research and methodologies. Third party auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. A complete audit program and plan is established in advance, before the audit of all of the firm’s functional areas begins. During the audit preparation, an audit calendar, checklist and question sheet are created. Approximately 15% of the staff within each functional area are audited. After the audit, a draft report is created for discussion with management. A final audit report is then disseminated for signature. A corrective action spreadsheet is then prepared to correspond to each functional area’s audit report. The spreadsheet clearly details each item and outlines the steps to be undertaken to correct the audit deficiency. Milestone dates are decided with management and each corrective action spreadsheet is approved again by management. Many firms consider these audits a dynamic, value added tool to assess the company’s position related to business, legal and regulatory Information Governance requirements.
  • Project Management Processes and Process Excellence Tools: Prior to the implementation of a successful application (e.g. Custom Records Retention Schedule Application, Metadata Repository or Electronic Document and Records Management System (EDRMS)), a firm may need third party assistance to embark upon a comprehensive Self Assessment. The Self Assessment tools focus on requirements gathering for a future Program and evaluate existing records and document management practices. User, functional and technical requirements are necessary to support the correct development or purchase of an application which specifically meets the Client’s needs. Tools include document analysis, requirements workshops, prototyping, use cases, interfaces analysis, modeling, etc.
  • Design and Establishment of Comprehensive Regulatory Compliance Programs: The impact of a compliant Program is felt in several areas of an organization. Some areas affected by recent regulatory requirements are Human Resources, where HIPAA compliance is mandatory, and Finance functions, where Sarbanes-Oxley and tax code compliance must ensure that internal controls are in place and monitored so that the necessary transparency to regulatory agencies and stockholders ensues. Key elements of such Programs include: Records Retention Schedules, Regulatory Compliance Policy and Procedures, Annual Record Cleanouts, Periodic Records Management Audits, Comprehensive Training and Monitoring Program, etc.
  • Regulatory Compliance Training:  Once deliverables are approved by Client, Counsel and Compliance executives, staff is trained on the full complement of Policy and Procedures, developed with the firm’s corporate culture in mind. Train the trainer or train the user sessions are taught to support and enforce adherence to the current approved Records Retention Schedules, for example. Components of the training also include: Vital Records identification and protection, offsite box storage control and destruction, management of human resource and “orphan files”, litigation support procedures, management of records in third party relationships, business continuity planning, records responsibilities with transferring/terminating employees, onsite paper/electronic records cleanouts, process specifications for the long term management of electronic records, et al.
  • Regulatory Compliance Monitoring:  Information Governance Programs are developed to be the foundation of a Client’s compliance architecture. As such, it is a component of the company’s control structure. That control structure must be subjected to periodic examinations to ensure that it is operating as intended. This examination typically is conducted as a third party audit (see above). An audit is an independent, objective assurance and consulting activity designed to add value by evaluating the control structure of the compliance program. It usually occurs periodically, after the Information Governance Program has been implemented.
  • Development of Remediation Strategies:  When areas of non-compliance are detected during regulatory compliance monitoring, a monitoring plan is developed, tailored to the Client, that clearly demonstrates staff understanding and implementation of the Program. The monitoring plan is designed to be part of the control structure of the firm. The plan contains the following controls: execution/operating controls: policy and procedures, data integrity; supervisory/monitoring controls: supervisory reviews of operating controls; oversight controls: exception reports, status reports; audit controls: independent party with no involvement in the operations, periodic internal/external audits of high risk area or compliance program (may include peer reviews).
  • Automation of Information Governance processes with software solutions: Most Document Management applications are designed to be used by records and document management professionals. As a result, most are tremendously complex. In most systems, filing a document presents the user with a huge dialog box with dozens of drop down lists, buttons and options. While the design of these systems has served the records and document management community well, the systems do neglect the needs of many users, i.e., general staff throughout organizations. General staff is not always well versed in records and document management concepts, and using a records management application can appear daunting. The difficulties inherent in using some of these systems are some of the greatest barriers to success. Thus, a simple interface is required. Document Management solutions should ensure the following: centralizing the creation of new files, limiting the areas of the software that most users have to interact with, and providing training, “cheat sheets” and other support tools. Users will use the solution which is easiest and most effective for them. We make every effort to reduce barriers which make it difficult for users to file records, and to provide successful implementations. For example, in order to protect the investment in a technical solution, the effective design of the software is imperative. Product selection and training must appeal to the “what’s in it for me” factor. The system must be quick and easy to use and the classification (indexing) scheme must be designed so that all users can file and retrieve documents. These critical success factors will lead to sustained system use.
  • Transferring/Terminating Staff: Records Responsibilities: As previously mentioned, HIPAA compliance is mandatory for all employee record keeping best practices. A separate section in the Information Governance Policy and Procedures manual must address all of these regulatory requirements including: Records Retention requirements, how employee files must be set up, filed and maintained, employee privacy laws, etc. Special considerations must also be allowed for all states and countries in which a firm conducts business.
  • Onsite Paper/Electronic Records Clean Out: An annual Records Clean Out provides a firm with the opportunity to set aside a specific block of time to devote to the review and destruction of records which have met their mandated retention periods and are not required for litigation holds. It further provides an opportunity for employee training and awareness and ensures that records are not being held longer than required, which would create an unnecessary liability for the company. Comprehensive records clean out materials should be created, including training and marketing materials, to ensure this endeavor’s success. For example, we have acted as liaisons with Facilities departments to coordinate trash and recycling. Resultant statistics used as metrics have shown demonstrable results. We have acted as personal assistants during the clean out to ensure that all staff understood the importance of clean out participation.
  • Process Specifications for the Long Term Management of Electronic Records:  Projects of this nature are usually broken down into Phases: Phase I: User and Functional Requirements; Phase II: Technical Requirements and Phase III: Development. Typical deliverables for Phase I are: Project vision/Scope document, Project Glossary and Final User and Functional Requirements Specification document. Typical deliverables for Phase II are: Final Technical Specifications (e.g. TR1: The system shall be available 99.99% of the time; TR2: A search will occur within less than three seconds 95% of the time, etc.). Typical deliverables for Phase III are: Classification Scheme; Meeting User Needs; Workflow Integration with existing systems, etc.  Based upon Client meetings of every functional area, we use specific requirements ascertained to establish a preliminary baseline for the long term management of electronic records. The scoring levels are roughly: exemplary (highest score), advanced, basic and commitment (lowest score). The lowest score indicates commitment to establish an Information Governance Program and exposes gaps which must be addressed. The highest indicates tight, secure compliance to all aspects of the Program.  Building on the results gathered, a Gap Analysis is completed. The Gap Analysis is instrumental, in conjunction with the functional and technical requirements documents, for the evaluation and selection of the appropriate technology solution for the Client.
  • Work Instructions for the Short Term Archival of Electronic Records:  These instructions are developed in conjunction with the above captioned Long Term Management of Electronic Records Engagement.
  • Additional Regulatory Requirements Consulting Offerings include, but are not limited to, the following: The Sarbanes-Oxley (SOX) Act and Tax Code Compliance, HIPAA Compliance, PCI Compliance, The Red Flags Rule Compliance, General Security/Privacy requirements including the Gramm-Leach-Bliley Act and the Financial Data Protection Act, Information Technology/Information Management functions such as ISO 15489 requirements and the National Fire Protection Association requirements (NFPA 232, 75 and 909), etc.
  • Outsourcing Solutions for Onsite/Offsite Record Centers and Records Management Departments: Typical outsourced engagements include, but are not limited to, the following: Management of both Client Records Management departments and file rooms; records relocation internally or for a move; file mapping with electronic indicators; record inventories and indexing; file audits; record clean outs; projects for records stored at commercial record centers; file conversions and labeling for a new filing system, etc. All work is performed by bonded paralegals and records management professionals.
  • Imaging Services: Many Clients look to scan their physical records to save valuable office space, when they are embarking on a new Document Management software solution, etc. Before documents are scanned, it is essential to confirm, by following the Records Retention Schedule for every records series and record type maintained in each functional area, that they have more records retention life and should not be purged. We recommend that in advance of any ongoing or “back file” scanning project, a record clean out is first performed toward this end. Once accomplished, records can be scanned in your offices (additional equipment can be brought in as needed), or at an audited and bonded scanning facility, with all documents indexed as per your Records Retention Schedule for perfect naming convention continuity and Records and Document Management best practice.

For more information please contact sales@17a-4.com or call 212-949-1724