IAPP Privacy Enforcement and New Business Case Presentation


Post on 23-Jan-2022


Page 1: IAPP Privacy Enforcement and New Business Case Presentation


Privacy Policy Enforcement and the New Compliance Business Case

Craig Rhinehart
Director, Product Marketing for Records Management

Presentation Overview

Today’s question … Is having a privacy policy good enough?

• Privacy and records management.
• Some simple rules.
• How to build business value and guarantee cost-effective, enterprise-wide privacy policy enforcement.
• How privacy management reduces risk and creates a return on investment (ROI).
• A few words on Email.

Privacy and Records … Most Organizations

85% have formal records management programs, 47% do not include electronic records.

38% do not regularly follow own policy

46% do not have formal process for holds, 65% do not include electronic records

93% believe outcome of future litigation based on electronic records policy, 62% doubt they could defend own records

67% doubt own IT department understands policy

Survey data from Cohasset Associates “A Call To Action” AIIM and ARMA 2003 study

Records get lost or misfiled.

Records aren’t getting destroyed at all. High storage costs are unnecessary and avoidable.

Records are lost or destroyed too soon. Inability to produce in court. Costly to recreate.

Records are kept too long. Expensive to discover and defend.

Process information not recorded. Breaks legal chain of custody. Now required for audit and compliance.

Privacy policy not enforced. Reliance on users to make decisions. IT systems do not implement privacy policy.

Rely on Users?

Large organizations lose a document every 12 seconds

67% of data loss is directly related to user blunders

Business workers typically misfile 2-7% of all records

Law of Small Numbers: Business workers take 5-15 seconds each time they declare a record.

Actual use case ….

10 seconds × 72 records/day = 720 seconds/day = 12 minutes/day = 60 minutes/week = 1 hour/week (2.5%)

Can any company afford a 2.5% drop in office productivity solely to declare records?

Source: PRISM International, FileNet and National Archives and Records Administration

Significant loss of worker productivity. Law of small numbers … they become big numbers.

Business workers make mistakes. Large % will get misfiled and lost.

Process information not captured. Proof of process adherence (plus content) now required for compliance, audit and chain of custody.

RIM policy inconsistently applied or not enforced at all.

Creates privacy, legal and compliance liability.

Simple Rules for Risk Reduction and ROI

• Manage the actual process not just the records and people.
• Capture the process info (and data). It’s required now anyway.
• Retain what you need to, for only as long as you need to, as determined by law, regulatory statute and/or sound business policy.
• Only destroy (delete) records at the right time, for the right reason and by the right person.
• Enforce privacy policy consistently and uniformly.

Know Your Risk or Total Cost of Failure

Consider the following areas of exposure:

• Likelihood: Likelihood of experiencing a given information management failure?
• Frequency: How often would your organization experience such a failure?
• Magnitude: What would the magnitude of the failure be?
• Potential Costs: What would the impact be on legal costs, fines, company and professional reputation, investor confidence, stock price, cost of reconstruction, etc.

An extremely enlightening and possibly very scary exercise!

Sources: Information Nation by Randolph Kahn, Esq., and Barclay Blair, and Records and Information Management by William Saffady

It’s About YOUR Process

The active - inactive model has changed for records.

The line is very fuzzy and it’s the actual process that matters most.

Manage records in the line-of-business process.
Manage records in the compliance and privacy process.
Use the data you already have.

Privacy Process

• Create

• Edit

• Use

• Publish - Transact

Most Get Destroyed (~95%)

Records Process

• Retain - Store

• Migrate

• Defend

• Expunge - Archive

Compliance Process Spans the Entire Organization

[Diagram: business processes such as Payables, Compliance, Call Center, Human Resource, Statements, Asset Mgmt, Consumer Lending, Payments Systems, Letters of Credit, Funds Transfer, Lockbox, Cash Mgmt, Regulatory Reporting, Clearing/Settlement, Investment Mgmt, Electronic Payments, Underwriting, Loan Origination, Collections/Disputes, Portfolio Mgmt, Stock Transfer, Trade Order Tracking, Policy Mgmt and Claims Processing, shown across Retail Banking, Wholesale Banking, Securities, Mortgage Banking, Trust, Insurance and the Entire Enterprise.]

Privacy can enable line-of-business ROI.
Nice Bonus = Enforce your privacy policy in these processes.

Requirements

Capture records for legal compliance.

Scalable processes to manage growth through mergers / acquisitions.

Process improvement with the bank’s adoption of Total Quality Management into the culture.

Bank’s stated objective to be a top 5% performer.

Desire to be an industry leader in efficiency and quality.

Process Improvement (BPM)

ABC Bank Customer Process - BEFORE

[Flow diagram: commercial and retail loan documents are originated in the branch and mailed to Loan Services, where mailbags are opened and the loan documents are sorted and distributed. Documents are routed by type (new business loans, new retail loans, modifications/renewals, exceptions, retail loan deferrals, hazard insurance) and by state (NC, VA, SC) to loan operations, documentation review, compliance review, vault and microfilm steps in Wilson, NC, Lumberton, NC and Virginia.]

ABC Bank Customer Process - AFTER

Results

Projected Cost Benefit
– Payback - 35.8 months
– IRR - 22.41%

Results
– Cost reduced 50-60%
– $13 Million Saved Annually
– Payback every 4-6 months

Other Projects Affecting Results
– TQM Focus and Flowcharting
– Performance Matrix
– Quality Forum
– Privacy and Records Management

[Flow diagram: commercial and retail loan documents are originated in the branch and mailed to Loan Services in Whiteville. Mailbags are opened and the loan documents are sorted and prepped, then scanned, indexed, verified and committed. Original legal/lien perfection documents are stored in the vault and all other documents are destroyed. Images are stored to juke boxes, and work objects are created and sent through the imaging workflow (Loan Operations, Documentation Review, Hazard Insurance), with automated review processes built into the workflow, until the process is complete.]

Process time prior to Imaging: 1 day to 2 weeks
Process time after Imaging: 1 day to 3 days

Turn-around time for document request prior to Imaging: 2 days to 5 days
Turn-around time for document request after Imaging: 1 sec to 15 minutes

• Prior to BPM, the Process took as long as 2 weeks

• After BPM, the Process was reduced to 1 to 3 days and File Information is available in 1 sec to 15 minutes (versus 2 to 15 days)

Process Improvement (BPM)

Process enforced privacy

Records and privacy process information automatically declared and accurately classified as a record.

Process is invisible to the end-users and ensures compliance with law, regulation or business policy.

Privacy policy is enforced invisibly across the line-of-business.

BPM, Privacy and Records Management

Records and Transcripts …

Are generated at key milestones in the business process.

Enforcing policy in the business process

Arkansas BCBS Before

Arkansas BCBS After

• Created a standard optimized process to request medical records.
• All medical records are secure, organized, imaged and retained/available for future use.
• Privacy (HIPAA), security and recordkeeping policy enforced.

October 6, 2003

Susan Block
Editor, BlueCard InfoFAX

Blue Cross and Blue Shield Association
225 North Michigan Avenue
Chicago, Illinois 60601-7680
312.297.5831
Fax: [email protected]

In this issue:

Provider Relations Update – 2

Updated BlueCard PPO Provider Directory Fulfillment Center Procedures Guide on BlueWeb – 2

Arkansas Blue Cross Blue Shield Devises Innovative Medical Record Request Process

Arkansas Blue Cross Blue Shield has developed a secure, technology-driven Medical Record Request (MRR) system that has drastically improved their internal routing procedures and medical record management. The Plan designed this streamlined process to work within the Plan’s existing infrastructure and functionality and to leverage the use of four systems already in place.

The MRR system is the result of a 16-month effort to produce a centralized and automated paperless system that previously involved 15 departments that used more than 200 versions of medical record request letters. This system is currently in place for local business and

Email Capture and Policy Audit

Email and Privacy

Do you have an email privacy problem?

Aggressively adopting email for highly sensitive and valuable business processes and transactions

- 93% answer inquiries

- 84% discuss business strategy

- 71% negotiate contracts

- 69% exchange invoices, payment info

- 44% to file with official bodies

[Diagram: Electronic Records Management. Inbound and outbound email and attachments pass through an Exchange or Notes email server. A copy of each message is captured either by automatic pull (monitor and pull copy of message) or by the business user (read, send, copy, delete), and the copy is declared and classified as a record in the file plan, which triggers rules, events and metadata.]

How You Can Reduce Risk and Create ROI

Help educate about the value of privacy in all business processes.

Don’t forget records retention and all compliance issues.

Having a policy isn’t good enough. Manage and improve the process … don’t just manage the people and records.

Enforce policy consistently and uniformly. People don’t scale and make mistakes.

Know the business case for compliance.
Risk reduction = TCF (total cost of failure).
Business improvement = ROI (multiple areas).

Thank You

To learn more about FileNet Records Manager, download the whitepaper …

www.filenet.com/iapp

Craig Rhinehart
Director, Product Marketing for Records Management

[email protected]