
Wednesday, June 12, 2013

What Features Ensure Compliance?

I hear the word ‘compliance’ tossed around all the time but I suspect that many of those using the word only have a very vague idea about what it means. Compliance usually refers to the adherence to the rules that have been imposed upon you by the law or some type of regulatory body. But what technical capabilities are required to actually comply with such legal and regulatory requirements?

First, let’s be clear. You don’t use the word compliance when you are referring to something that you really want to do. Compliance usually means an inconvenience that you are required to do. It rarely saves you time or money. However, compliance is designed to protect you from failure, from disruption, from poor quality, from wrong decisions, from danger, from injury, and - if you live in America you’ve probably guessed it - from lawsuits. Various parties may be interested in protecting you from all of those risks. It could be a consumer safety regulator (e.g. the FDA in the pharma industry), your government (federal, state, or local), or your employer. But how does that actually work?

To begin with, compliance often means assuring that proper authorization is in place for important decision-making. That starts with access control - making sure that the right people have access to the pertinent information at the right time. It usually involves a dose of security as well - preventing any unauthorized actor from manipulating the information or the decisions.

The decisions themselves often have to be documented in a non-repudiable way. This is where electronic signatures come in. Unlike digital signatures, which deal with mimicking the paper-based ‘wet signature’ in digital form, e-signatures are all about capturing who, when, what and why. An electronic signature is simply a data object with a name, a date, and a brief justification that becomes attached to a specific version of a document. When someone changes the document version, the e-signature is invalidated. “I didn’t sign off on this version of the medication packaging” is what e-signatures are all about under the FDA’s 21 CFR Part 11 regulation in the pharma industry.
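To make the “attached to a version” point concrete, here is an added example (mine, not code from the post or from any product): the document version is identified by a content hash, the e-signature record carries who/when/why plus that version id, and verification fails as soon as the document bytes change. The HMAC tag over the record is an assumption of this example, added so that a signature record edited in storage is detected too; the key, names and packaging text are constructed.

```python
"""E-signature bound to a document version: added example, not code from the post.

The signature is a small record (who, when, why) attached to *what*: the
version of the document it approves, identified by a content hash.  Editing
the document yields a new version, so the old signature no longer verifies.
The HMAC tag over the record is this example's addition so that a record
altered in the database is detected as well.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed demo key. A real system keeps this in a KMS/HSM, not in source.
RECORD_KEY = b"constructed-demo-key-not-for-production"


def document_version_id(content: bytes) -> str:
    """Identify a document version by the SHA-256 of its bytes."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ESignature:
    signer: str       # who
    signed_at: str    # when (ISO 8601, UTC)
    meaning: str      # why: the brief justification, e.g. "Approved for release"
    version_id: str   # what: the document version this signature is attached to
    tag: str          # HMAC over the four fields above


def _record_tag(signer: str, signed_at: str, meaning: str, version_id: str) -> str:
    payload = json.dumps([signer, signed_at, meaning, version_id]).encode()
    return hmac.new(RECORD_KEY, payload, hashlib.sha256).hexdigest()


def sign_document(content: bytes, signer: str, meaning: str,
                  signed_at: datetime | None = None) -> ESignature:
    """Create an e-signature over the current version of `content`."""
    when = (signed_at or datetime.now(timezone.utc)).isoformat()
    version_id = document_version_id(content)
    return ESignature(signer, when, meaning, version_id,
                      _record_tag(signer, when, meaning, version_id))


def verify_signature(sig: ESignature, current_content: bytes) -> tuple[bool, str]:
    """Check that the record is unaltered and still refers to the current version."""
    expected = _record_tag(sig.signer, sig.signed_at, sig.meaning, sig.version_id)
    if not hmac.compare_digest(expected, sig.tag):
        return False, "signature record altered"
    if document_version_id(current_content) != sig.version_id:
        return False, "document changed since signing"
    return True, "valid"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: approve packaging text, then change it."""
    v1 = b"Take one tablet daily with water."
    v2 = b"Take two tablets daily with water."   # a later edit to the document
    sig = sign_document(v1, "J. Doe (QA)", "Approved packaging text",
                        datetime(2013, 6, 12, 9, 30, tzinfo=timezone.utc))
    # Someone edits the stored justification without re-signing.
    forged = replace(sig, meaning="Rejected")
    return {
        "original version": verify_signature(sig, v1),
        "edited version": verify_signature(sig, v2),
        "altered record": verify_signature(forged, v1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17s} -> {result}")
```

Run it and the signature verifies only against the exact bytes that were approved; the second edit of the packaging text is exactly the “I didn’t sign off on this version” case, and the forged record fails before the document is even looked at.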

Other compliance requirements, such as Six Sigma and the various ISO customer service quality standards, require ensuring that certain mandatory process steps are completed before the process can advance to the next stage. This is where technologies such as workflow and BPM come in - workflow for processes where all steps occur within a single system, and BPM for processes that cross multiple systems.

At the end of any process, many regulations require that all the artifacts are stored as proof in case of a potential audit or lawsuit. That’s the role of archiving and of course also records management. Records management not only stores the required information for a prescribed period of time, it also classifies the records to assign them a retention policy that specifies how long the record is to be kept and what should happen with it when the retention expires. Records management also deals with requirements such as legal holds (pausing of any record shredding during a lawsuit) and secure records disposal to prevent forensic recovery.

Finally, many regulations require the ability to trace back every step for the purposes of an audit or the investigation of an incident. This is where auditing comes in: recording a timestamped entry for every event in an audit trail, together with the ability to easily review and analyze that trail.
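An added example of such an audit trail (my code, not the post’s or any product’s): every event carries a UTC timestamp, and each entry also hashes the previous one so that a rewritten or deleted event shows up on review. The hash chaining is this example’s choice of how to make the trail tamper-evident; the post names no mechanism. The actors, actions and targets are constructed.

```python
"""Timestamped, tamper-evident audit trail: added example, not code from the post.

Every event gets a UTC timestamp and a SHA-256 over its own fields plus the
hash of the previous event.  Verification walks the chain; reviewing is a
matter of filtering events by object.  Hash chaining is this example's choice
of mechanism, not something the post describes.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str    # ISO 8601, UTC
    actor: str
    action: str
    target: str
    prev_hash: str    # entry_hash of the preceding event (GENESIS_HASH for the first)
    entry_hash: str   # SHA-256 over all fields above


def _entry_hash(seq, timestamp, actor, action, target, prev_hash) -> str:
    payload = json.dumps([seq, timestamp, actor, action, target, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    def record(self, actor: str, action: str, target: str,
               at: datetime | None = None) -> AuditEvent:
        """Append one timestamped event, linked to the previous entry."""
        ts = (at or datetime.now(timezone.utc)).isoformat()
        seq = len(self.events)
        prev = self.events[-1].entry_hash if self.events else GENESIS_HASH
        ev = AuditEvent(seq, ts, actor, action, target, prev,
                        _entry_hash(seq, ts, actor, action, target, prev))
        self.events.append(ev)
        return ev

    def first_broken_link(self) -> int:
        """Index of the first event whose hash or back-link fails, or -1 if intact."""
        prev = GENESIS_HASH
        for i, ev in enumerate(self.events):
            recomputed = _entry_hash(ev.seq, ev.timestamp, ev.actor, ev.action,
                                     ev.target, ev.prev_hash)
            if ev.prev_hash != prev or ev.entry_hash != recomputed:
                return i
            prev = ev.entry_hash
        return -1

    def history(self, target: str) -> list[AuditEvent]:
        """Review: every event touching one object, in order."""
        return [e for e in self.events if e.target == target]


def demo() -> dict[str, int | list[str]]:
    """Constructed events for a label document, then two kinds of tampering."""
    t0 = datetime(2013, 6, 12, 8, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    for minute, actor, action, target in [
        (0, "alice", "create", "label-v1"),
        (5, "bob", "review", "label-v1"),
        (9, "carol", "approve", "label-v1"),
        (30, "alice", "create", "label-v2"),
    ]:
        trail.record(actor, action, target, at=t0.replace(minute=minute))
    reviewed = [f"{e.timestamp} {e.actor} {e.action}" for e in trail.history("label-v1")]

    # Tampering 1: change who approved, without touching the hashes.
    crude = AuditTrail()
    crude.events = list(trail.events)
    crude.events[2] = replace(crude.events[2], actor="mallory")

    # Tampering 2: change the same event and recompute its own hash.
    careful = AuditTrail()
    careful.events = list(trail.events)
    e = replace(careful.events[2], actor="mallory")
    careful.events[2] = replace(e, entry_hash=_entry_hash(
        e.seq, e.timestamp, e.actor, e.action, e.target, e.prev_hash))

    return {
        "intact": trail.first_broken_link(),          # -1
        "crude_tamper": careful.first_broken_link() and crude.first_broken_link(),
        "careful_tamper": careful.first_broken_link(),
        "label_v1_history": reviewed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The crude edit is caught at the edited entry itself; the careful edit passes its own check but breaks the back-link of the next entry. The one case a chain alone cannot catch is a careful rewrite of the most recent entry, which is why a production trail also anchors its latest hash somewhere the writer cannot change (write-once storage or a periodically signed checkpoint).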

There are many other capabilities that may be part of a compliance solution. The specific regulations drive the requirements. Beyond access control, e-signatures, workflow/BPM, archiving, records management, and auditing, compliance requirements may include search, publishing, secure communication, collaboration, and many other capabilities. Records management has been receiving plenty of attention lately; so much that many equate compliance to records management. Yet there is much more to compliance than records, which is what I wanted to show in this post.

Sunday, April 7, 2013

How Come Fax Isn't Dead?

When was the last time you sent a fax? I bet your answer is probably going to suggest that you don’t use fax machines much anymore. Yet the statistics are surprising. According to the industry analysts Davidson Consulting, almost 100 billion faxes are sent each year worldwide. CouponChilli estimates a smaller number - 17 billion faxes annually - but either way, it is still a lot. The market for fax services is growing at an impressive 15.2% CAGR as new technologies such as Fax over IP and cloud-based fax dramatically reduce the cost of faxing.

But let’s face it - fax? In the age of email, interactive web sites, and omnipresent mobile devices? There are so many alternatives - from email, FTP, managed file transfer, to interactive web sites, sophisticated BPM solutions and most recently even the easy-to-use cloud-based shared folders. How come we are still using faxes so much?

One of the arguments is usually the legality of the “wet signature”. Supposedly, our legal system is perfectly satisfied with an illegible scribble transmitted at 204×98 dpi, but an electronic or digital signature on an electronic document is not good enough. I’d argue that’s a bogus argument - after all, a digital signature can use a much stronger authentication of the signatory, which should make the digital signature much more legally binding. Only when notarized do wet signatures come close in terms of security and legal admissibility.

Another argument is the confirmation that you get when you send a fax. That fax confirmation page (sometimes called the Transmission Verification Report) can act as legal proof that the recipient actually received the fax. That might come in handy, for instance, when you fax an invoice. However, it also assumes that the right person has actually picked up the received fax and that it didn’t end up in the waste bin by accident.

This argument is also not very convincing. Electronic transmissions via email, FTP, managed file transfer, or shared folder usually all come with an audit trail. There is also no reason why an email system could not be set up to automatically send a confirmation - most e-commerce and customer service solutions do it today. A secure audit trail should be a much better proof of delivery than the easily falsifiable fax transmission report.

Then there is the cultural argument. We are all used to faxing, right? The New York Times reported recently that this is a big issue in Japan. Japan has by far the highest number of fax machines per capita. But give me a break. Japan is a country with thousands of years of tradition - from Zen gardens to calligraphy to the sword-swinging samurai. And all of a sudden, they are culturally attached to a fax? To a technology that was adopted at the end of the 1980s? Ah, come on!

Maybe it is the ease of use - everybody knows how to use a fax, right? Right. To sign a document, I have to print it, sign it by hand, and stand next to a fax machine waiting to see if the transmission was successful. If the line is busy, I have to try again later. Yeah, right... that’s really easy and convenient...

I suspect that the reason is complacency. Complacency of organizations in banking, insurance, healthcare, government and other sectors. The Customer Service group would probably like to replace faxes, but they are scared of Legal. The Legal group is scared of technology. And IT does what Customer Service asks them to do after checking with Legal. In a way, this is actually about culture. But not in a good way.

Picture from the 1999 cult movie Office Space. I'm sure it's copyrighted but it fits so well here.
You have to see it, by the way! (That should get me off the hook with 20th Century Fox).

The result is that you can hardly open a bank account, refinance a mortgage, buy a car, or submit an insurance claim without having to send a fax. In some countries like Canada and Germany, it gets even harder as they require signed documents for stock trades, change of address, and other relatively mundane tasks. No, you can’t just call them. They need it in writing and signed...


But don’t despair, if you need a fax solution, you don’t need a fax machine on every floor anymore. There are some pretty cool network and cloud-based fax systems out there and OpenText (my employer) happens to be the market leader in this space. Just check out that Davidson Consulting page.

As a consumer, though, I hope that the fax will soon die. It ought to be replaced by the interactive web or mobile BPM solutions. In any case, OpenText has a solution for you here ;-)