FINRA, FDA, HIPAA, SARBOX and ITAR are regarded as curse words in social media and workforce collaboration circles. People don’t want to say them. They don’t want to hear them, and they really, really don’t want the regulators to swing by for a “chat.” The outcomes created by this mentality are predictable: hesitancy when approaching new technology, over-engineered solutions that inhibit adoption and the pursuit of risky grassroots experimentation. These approaches are born out of hard-learned lessons, because let’s face it: collaborating in a regulated industry is hard. Regulations change, are enforced with different points of emphasis and are frequently incomprehensible to everyone except their authors. Our colleague Dion Hinchcliffe (@dhinchcliffe) has a great phrase for this: regulatory quicksand. Nonetheless, we can’t ignore the value that social technologies can bring to regulated industries. So, what’s the answer to regulated collaboration and social media implementation? Plan better and execute smarter. The rest of this blog post will focus on a high-level methodology for the strategic implementation of social technologies in regulated environments. The aim is to provide a framework within which regulated businesses can maximize social media and workforce collaboration tools in a compliant way*.
The goal here is to create a simple, repeatable strategic process. In a nutshell: start by building your business case, then identify your lowest compliant denominator, don’t miss the last responsible moment, and finally roll out to your workforce.
Build a Business Case
The first step is to establish a collaboration pilot in a controlled environment. Before you get antsy – this is not the same old advice to start with a ‘small pilot.’ The key difference here is the realization that even the most highly regulated business has processes that are just not that risky, but do offer high-value returns on collaboration. The implication is that by identifying an internal area where the risk of external data leakage is minimal and the fruits of collaboration would be valuable, an enterprise can initiate a much larger and more meaningful ‘pilot’ than otherwise possible. For example, a financial services firm might identify expertise location as a key challenge in their trading operations. Knowing that the regulatory expectations are the same across the whole of the ‘trader’ job role and that information would be bounded by that department’s lines, it becomes feasible to pilot ad-hoc information-seeking tools like enterprise micro-blogging to aid in expertise and knowledge location.
Find the Lowest Compliant Denominator
The second step is to synthesize all the data captured from the pilot (you were capturing data, right?) into a collection of requirements and outcomes for broader implementation. One of the odd nuances of social software is that the best use cases are frequently only discovered once the users actually have their hands on the tools. The key insights you are scanning for are lowest common denominators for compliance, or “lowest compliant denominators.” Say to yourself: “What is the lowest barrier we can set while facilitating collaborative outcome X?” For example, the financial services firm we discussed earlier might find that their pilot revealed a mass of associate-level employees asking questions that only more senior colleagues could answer with any confidence. This manual process might be a blessing in terms of knowledge transfer, but a curse because senior employees have better things to do with their time. The answer would be to maintain the emergent Q&A culture while also instating a better system for capturing and sharing institutional knowledge – perhaps a wiki. This need and solution might never have surfaced and been synthesized if not for the advanced ‘pilot.’
The Last Responsible Moment
There’s not a bad time to begin to plan for compliance, but there is a point where it is too late not to have done so. Now that you’ve run your pilot and built a business case from metrics, survey results and anecdotes, you are no doubt postulating how the benefits of collaboration multiply across your company. With the momentum and demand you created in the pilot, if you haven’t done so yet, now is the time to partner with HR & Legal to create a compliance map. Employees and artifacts in your business have characteristics. Characteristics are things like: geographic location, security training, department, job title, or government clearance. A compliance map simply details which combinations of characteristics are off-limits. As an example, US defense industry employees have to abide by International Traffic in Arms Regulations (ITAR). Employees without ITAR training (characteristic) should not have access to ITAR-protected artifacts. So, when an employee without ITAR training uses their company’s search engine, no ITAR-protected artifacts should be returned.
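To make the compliance map concrete, here is an added sketch (not part of the original post) that expresses off-limits combinations as rules and applies them when search results are assembled. The rule set, field names and records are all constructed for illustration, and withholding unlabeled artifacts is an assumption of this sketch.

```python
# Added illustration: a compliance map as deny rules over characteristics.
# All names, rules and records below are constructed for this example.

# Each rule: artifacts carrying the first (key, value) pair are off-limits
# to employees who do not carry the second (key, value) pair.
COMPLIANCE_MAP = [
    (("regime", "ITAR"), ("training", "ITAR")),
    (("department", "trading"), ("department", "trading")),
]

def allowed(employee: dict, artifact: dict) -> bool:
    """Return True only if no off-limits combination applies."""
    # Assumption: an artifact nobody has classified is withheld (fail closed).
    if "regime" not in artifact:
        return False
    for (a_key, a_val), (e_key, e_val) in COMPLIANCE_MAP:
        if a_val in artifact.get(a_key, set()):
            # A missing employee characteristic counts as "does not have it".
            if e_val not in employee.get(e_key, set()):
                return False
    return True

def search(employee: dict, query: str, index: list) -> list:
    """Filter at query time so restricted artifacts never reach the results."""
    q = query.lower()
    return [a["id"] for a in index
            if q in a["title"].lower() and allowed(employee, a)]

INDEX = [
    {"id": "doc-1", "title": "Guidance system spec", "regime": {"ITAR"}},
    {"id": "doc-2", "title": "Expense guidance", "regime": {"none"}},
    {"id": "doc-3", "title": "Guidance draft"},  # unlabeled, so withheld
    {"id": "doc-4", "title": "Desk guidance notes",
     "regime": {"none"}, "department": {"trading"}},
]
TRAINED = {"training": {"ITAR"}, "department": {"engineering"}}
UNTRAINED = {"department": {"engineering"}}
TRADER = {"department": {"trading"}}

if __name__ == "__main__":
    for name, emp in [("trained", TRAINED), ("untrained", UNTRAINED),
                      ("trader", TRADER)]:
        print(name, search(emp, "guidance", INDEX))
```

Filtering inside the search path, rather than on document open, keeps titles and snippets of restricted artifacts out of the result list as well.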
Scale and Train
Once you have developed a compliance map, you can identify your boundaries and then roll out your solution as far as those boundaries allow. Of course, sufficient technology will be necessary to scale as well, but you’ve likely charted that course before. Linking departments together is technologically nothing new; understanding whether or not you can link them from a compliance standpoint is. Your compliance map gives you the advantage of scaling accurately and aggressively. But, just as spell check doesn’t turn you into Hemingway, having a compliance map won’t turn every employee into a compliance officer. Training employees on compliance issues is the ultimate fail-safe. Where technology fails, humans should know better.
Regulated companies can be collaborative, but they must plan better and execute smarter than others. For many companies looking to become more collaborative, FINRA, HIPAA, SARBOX and ITAR represent reality checks. However, these reality checks are not blanket cease-and-desist orders. You can remain in the good graces of your legal and HR departments AND still bring effective and beneficial collaboration to your company by following the framework outlined above. Of course, this framework will need to be customized for your company. Reach out to us if you’d like some help. For additional reading on this topic, check out Ellen Reynolds’ case study on Managing Risk in Regulated Industries.
*One caveat to keep in mind is that this methodology presupposes a strategic executive commitment to adopting social tools, and while it could work for a grassroots implementation, the entry points into the process would be quite different.