Record-Keeping: Don’t let it land you in hot water with regulators


According to Deloitte (2015), comprehensive corporate records management, with processes that are consistent, repeatable and auditable, is a crucial component of the overall success of any business. Compliance officers are often tasked with maintaining compliant record systems and reporting information to their relevant regulatory bodies in line with the legislation that governs their industry. Should an event arise that requires audit or investigation, the regulatory body will use business records (or the lack of them) to determine whether any wrongdoing or non-compliance with the law has taken place. An audit trail of the activities and decisions made along the way offers evidence of legal and regulatory compliance and mitigates the possibility of financial and/or criminal penalties.

Best Practices and ISO Standards


Primarily developed for the management of business records, ISO 15489-1:2016 is the global standard for records management, establishing the core concepts and principles for the creation, capture and management of records. It describes records as both evidence of business activity and information assets; they are distinguished from other information assets by their role as evidence of business transactions and by their reliance on metadata, an essential component that indicates and preserves their context, content and structure, as well as their management over time. Approaches to records management based on the concepts and principles of the standard ensure that “authoritative evidence of business is created, captured, managed and made accessible to those who need it, for as long as it is required”. Additionally, ISO 23081-1:2017 sets out the framework for creating, managing and using records management metadata within the framework of ISO 15489.

To be authoritative, a record must be:

1. Authentic

  • It is what it purports to be
  • It was created or sent by the agent purported to have created or sent it
  • It was created or sent at the time purported

2. Reliable

  • Its content can be trusted as a full and accurate representation of the transactions, activities or facts to which it attests
  • It can be depended upon in the course of subsequent transactions or activities
  • It should be created at the time of the event to which it relates, or soon afterwards, by individuals who have direct knowledge of the facts, or by systems routinely used to conduct the transaction

3. Has integrity

  • It is complete and unaltered
  • It is protected against unauthorised alteration

4. Usable

  • It can be located, retrieved, presented and interpreted within a timeframe deemed reasonable by stakeholders
  • It is connected to the business process or transaction that produced it
  • Its metadata supports usability by providing the information needed to retrieve and present it, such as identifiers, format or storage information

Cited benefits when using the standard are multiple, but of particular interest are “improved transparency and accountability”,  “informed decision-making”, “compliance with legislation and regulations”, and “improved ability to demonstrate corporate responsibility”.

Essentially, the ISO standard provides the knowledge required by organisations to create robust and compliant record management systems. 
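To make the four properties above concrete, here is an added example (my own code, not from the original post and not prescribed by ISO 15489): an append-only record log in which every entry carries the metadata the standard relies on (identifier, agent, creation time, originating business process, format and storage location) and is linked to its predecessor by a SHA-256 hash. Recomputing the chain detects an edited or deleted entry, which is one common way of meeting "complete and unaltered" and "protected against unauthorised alteration". The hash chain, the field names and the sample records (`REC-0001` and so on) are all constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first entry in a log (constructed convention)


@dataclass(frozen=True)
class Record:
    """One record plus the metadata ISO 15489 expects to travel with it (field names are assumptions)."""
    record_id: str         # identifier, so the record can be located and retrieved (usable)
    agent: str             # who created or sent it (authentic)
    created_at: str        # when it was created, ISO 8601 UTC (authentic, reliable)
    business_process: str  # the process or transaction that produced it (usable)
    content_type: str      # format metadata needed to present it
    storage: str           # storage-location metadata
    content: str           # the record content itself
    prev_hash: str         # hash of the preceding entry: links the chain (integrity)
    entry_hash: str        # SHA-256 over all the fields above


def _canonical(fields: dict) -> bytes:
    """Deterministic serialisation so identical records always hash identically."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_entry_hash(fields: dict) -> str:
    return hashlib.sha256(_canonical(fields)).hexdigest()


class RecordLog:
    """Append-only log: entries are never edited in place, only appended."""

    def __init__(self) -> None:
        self._entries: List[Record] = []

    def append(self, record_id: str, agent: str, business_process: str, content: str,
               content_type: str = "text/plain", storage: str = "records-store-01",
               created_at: Optional[str] = None) -> Record:
        body = {
            "record_id": record_id,
            "agent": agent,
            "created_at": created_at or datetime.now(timezone.utc).isoformat(),
            "business_process": business_process,
            "content_type": content_type,
            "storage": storage,
            "content": content,
            "prev_hash": self._entries[-1].entry_hash if self._entries else GENESIS_HASH,
        }
        rec = Record(**body, entry_hash=compute_entry_hash(body))
        self._entries.append(rec)
        return rec

    def get(self, record_id: str) -> Optional[Record]:
        """Retrieval by identifier: the 'usable' property."""
        return next((r for r in self._entries if r.record_id == record_id), None)

    def verify(self) -> Tuple[bool, str]:
        """Recompute every hash and re-check the chain; an edit or a deletion surfaces here."""
        expected_prev = GENESIS_HASH
        for index, rec in enumerate(self._entries):
            body = asdict(rec)
            stored_hash = body.pop("entry_hash")
            if rec.prev_hash != expected_prev:
                return False, f"chain broken before entry {index} ({rec.record_id})"
            if compute_entry_hash(body) != stored_hash:
                return False, f"entry {index} ({rec.record_id}) has been altered"
            expected_prev = stored_hash
        return True, "ok"


def build_sample_log() -> RecordLog:
    """Three constructed sample records: a board vote, a policy circulation and an attestation."""
    log = RecordLog()
    log.append("REC-0001", "a.smith@example.test", "board-vote-2024-03",
               "Motion to approve Q2 budget: carried, 5 for / 2 against",
               created_at="2024-03-04T10:15:00+00:00")
    log.append("REC-0002", "policy-bot@example.test", "policy-update-AML-v3",
               "AML policy v3 circulated to all staff for attestation",
               created_at="2024-03-05T09:00:00+00:00")
    log.append("REC-0003", "j.doe@example.test", "policy-update-AML-v3",
               "Attestation received: read and understood AML policy v3",
               created_at="2024-03-05T11:42:00+00:00")
    return log


def demonstrate() -> dict:
    """Verify a clean log, then show that an after-the-fact edit and a deletion are both detected."""
    results = {"clean": build_sample_log().verify()}

    # Simulated unauthorised alteration: the vote count is rewritten, bypassing append().
    edited = build_sample_log()
    edited._entries[0] = replace(edited._entries[0],
                                 content="Motion to approve Q2 budget: carried, 7 for / 0 against")
    results["after_edit"] = edited.verify()

    # Simulated deletion of a middle entry: the next entry's prev_hash no longer matches.
    truncated = build_sample_log()
    del truncated._entries[1]
    results["after_deletion"] = truncated.verify()
    return results


if __name__ == "__main__":
    for scenario, outcome in demonstrate().items():
        print(f"{scenario}: {outcome}")
```

Two caveats a practitioner should keep in mind. The chain only proves consistency of what is still in the log: removing the most recent entry leaves a valid shorter chain, so the latest `entry_hash` (or a signature over it) needs to be recorded somewhere the log's administrators cannot silently change, such as a separate system or a periodic export to the regulator. And `created_at` is whatever the writing system supplies, so "created at the time of the event" still depends on trusted clocks and on records being written by the system that conducted the transaction, exactly as the reliability criterion above requires.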

Legal Obligations


Some legislation is generally applicable to most organisations. For example, the Health and Safety at Work etc. Act 1974, regulated by the Health and Safety Executive, requires organisations with more than four employees to have a health and safety policy, conduct risk assessments, and keep an accident book (Health and Safety Executive, 2014). The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 also both came into force on the same day in May 2018, and relate specifically to personal data held in records by organisations.

Others are more sector-specific. For example, the Freedom of Information Act 2000 applies only to some public authorities/organisations and requires them to publish certain information about their activities and allows members of the public to request recorded information. Even more specific are laws relating to very narrow settings, such as schools (e.g. The Education (Pupil Information) (England) Regulations 2005).

Many laws which contain record-keeping requirements for different sectors/settings are monitored, evaluated, and enforced by their respective regulatory bodies. As of 2017, there were 90 regulators operating in the UK, covering a wide range of sectors (National Audit Office, 2017). Additionally, the UK Regulators Network (UKRN) was established in 2014 and was formed by 13 of the UK’s sectoral regulators. 

Record-Keeping in Decision-Making


“Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provided and policies developed and communicated.”

These are the words of the Lord Chancellor in the foreword of the Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 (Ministry of Justice, 2009). They go on to cite poor decision-making based on inaccurate or incomplete information as a risk created by poor record and information management. 

In further guidance released by The National Archives (2010) (produced to support the good practice recommendations in the Code of Practice) it is stated that records are not created just for the sake of it, but to provide information about what happened, what was decided, and how to do things in the future.

Individuals within an organisation cannot be relied upon to accurately remember or report past policies, discussions, actions and decisions, so keeping records ensures that they, and their successors, have something to refer back to in the future. Taking this systematic approach to records management makes information readily available, enabling better and more informed decision-making.

Record-Keeping in Compliance Communications


A robust compliance programme is nothing without internal policies and procedures that are written in line with legislation/regulation, recorded and easily accessed, clearly and frequently communicated, and both agreed (attested) to and understood by employees. 

Attestations create a way to confirm that both internal and external stakeholders have received up-to-date and correct information or training on company policies that they are obligated to abide by. By recording and measuring them, organisations can potentially understand where communication gaps might have occurred, if the content was unclear, and who may pose a risk due to lack of policy knowledge. Creating this detailed audit trail and record of activity can help reduce liability and protect businesses against the risks of non-compliance (OneTrust, 2021). 

However, 41% of organisations surveyed in NAVEX’s report on policy and procedure management indicated that their ability to develop policies and track attestations was average, or worse, and 65% were only operating at a basic or reactive level. These policies and procedures, in theory, ensure employees understand how to implement critical tasks and meet behaviour expectations, but regulators have made it clear that it is not sufficient to merely document their existence, and that organisations must be able to demonstrate that employees know and understand them (NAVEX Global, 2018), which a simple attestation does not. 

Purposeful Has Your Back 


Purposeful, by design, acts as a source of irrefutable truth and a secure repository of transferred information that can be referred back to at any point in the future. Such authoritative records could become crucial as evidence of good governance and legally compliant operations within your organisation.

When Purposeful messages are used to hold votes surrounding business decisions, it creates a permanent record of the outcome and who was involved. As previously covered in our decision-making blog, having a dedicated channel to share information and vote on decisions makes it easy to revisit them.

Looking back at what was discussed, what alternatives were explored, and how committed people were to the outcome enables an organisation to assess what went wrong and contributed to a negative outcome, or what worked well and contributed to a positive one.

It additionally demonstrates transparency to regulators and shows that informed choices were made on the basis of the information available at the time. Properly documenting how decisions were reached, who was involved, and what information was considered is stressed as more than just a best practice: it acts as evidence of compliance and ethical conduct in the event of audit or investigation.

If Purposeful is used to send internal compliance communications within an organisation, such as policy updates and subsequent attestations, it not only creates a record of this activity but avoids using the strong-arm method of compliance which offers only one option: I understand and agree. By failing to offer a chance to gauge policy comprehension, firms open themselves up to regulatory and financial risk.

Using Purposeful in this way allows for compliance functions to measure and manage policy creation and comprehension by identifying which policies may be difficult to understand due to complicated language or concepts and enables them to take appropriate action.

Contact our team today to see how we can elevate your record-keeping to the next level and stay on the good side of your regulators.