Trends - Document Management

Smart documentation

How to get out of the compliance trap while future-proofing the digital transformation of business processes

Ralf Kaspras, managing director at InnoData Tech and Alexander Daniel Balzer, senior IT consultant at Consultec Dr. Ernst GmbH. Published in: DiALOG - THE MAGAZINE FOR DIGITAL CHANGE | 2021

Introduction Do you sometimes have the impression that we are bureaucratizing ourselves to death? Then you are not alone. Understandably, we cannot do without laws and rules, certainly not in a culture for which freedom and democracy are core values. But the more complex our challenges become, the more complex the necessary set of rules also becomes. Digitalization clearly demonstrates this to us. Under these circumstances, one can equally talk oneself to death and spontaneously fall into resistance against everything because it affects one's own comfort zone. But change is a necessary development process that involves leaving this comfort zone.

What would it be like to look at the opportunities of this process before we start offering blanket resistance?

Responsive Image

To this end, we have taken on the topic of "documenting in the context of digitization". It is about nothing less than turning a duty into a freestyle, securing one's own digital future viability and creating new business potential and competitive advantages.

The foundation for transparency and traceability is documentation. This was also true before the age of digitization.

Whether in paper or digital form, documentation was and is a resource-intensive task and an economic factor, the latter even in several respects:

  1. As an administrative act that needs to be optimized
  2. As a basis for control and verification
  3. As a repository of knowledge and information, the immediate availability of which in terms of access and content development is a prerequisite for value creation.

The digital transformation has further increased the need for documentation because we are also dealing with a virtualized world in which all functionalities per se are first and foremost a volatile structure of zeros and ones.

Do you sometimes have the impression that we are bureaucratizing ourselves to death? Then you are not alone.

Yet the starting position has changed significantly in terms of type, scope and usage options. And this is precisely where a problem begins, because digitization has serious implications for the admissibility of evidence and the protection of content. The variety of data-producing and data-processing end devices involved is increasing faster than adequate standards for proper and legally compliant integration are available.

In addition, the use of external IT services and service providers increases the problem if their processes are not sufficiently transparent and influence is not directly guaranteed. And then there is another problem: The necessary (compliance) measures in the scope with IT were often not sufficiently implemented for the sake of the quick advantage. As a result, companies are now under pressure to make up for this in the short term. Unfortunately, this cannot be accomplished in an ad hoc manner by means of a project.

Responsive Image

Challenges for documentation and verification
We will show you how to get out of this (compliance) trap with smart documentation and how this results in further synergy effects using the graphic Fig. 1 as an example.

First of all, we have an exemplary company structure with some classical business, support processes and the corresponding business and ECM systems. This is complemented by the integration of internal (blue) and external (orange) mobile devices as well as cloud resources and services. As soon as you have to document such or similar use cases with the goal of providing evidence, it quickly becomes complex and complicated to adequately map the situation and capture all compliance requirements.

In order to fulfill documentation requirements of this kind effectively and efficiently, a modular documentation approach should be selected due to the distributed and complex structure, which makes flexible and context-appropriate documentation of the processes and systems possible.

In order to fulfill documentation requirements of this kind effectively and efficiently, a modular documentation approach must be selected due to the distributed and complex structure, which makes flexible and context-appropriate documentation of the processes and systems possible. A first principle that is of central importance is that you always document your business logic processes detached from the corresponding technical solutions and operations. In terms of mobile work with internal and external devices, this means that in addition to the underlying business processes, they must describe the business logic integration, the technical / organizational protection of the connections, and the management of their own and external ("bring your own device") end devices. In addition, the general aspects of information security, outsourcing, cloud management and the affected IT infrastructure must be explicitly described in the scenario.

What do we gain from this approach?

  1. A clean and transparent separation of the technical issues that need to be differentiated from one another.
  2. Topics such as the location, the type of operation or the responsibilities do not initially need to be recorded when documenting the processes and technical systems. With the complete recording of the processes and systems, these aspects can then be assigned in a conclusive and controlled manner.
  3. Changes can be adjusted flexibly and precisely in the context of effects without jeopardizing the consistency of the content of the process documentation.

Responsive Image
Responsive Image

The synergy effects of "sm@rt documentation" beyond verification Fig. 2 shows the additional benefits if you consistently follow this approach:

  • The processes as well as technical and organizational fundamentals are documented transparently and comprehensibly.
  • The requirements for compliance and information security can be precisely assigned on a subject-specific basis, monitored and any deficiencies eliminated.
  • The coherent and holistic documentation makes it easier for you to identify optimization potential and can serve as the basis for more extensive TARGET concepts.
  • The procedural documentation becomes a management tool for reacting quickly and strategically to changes.

These and other benefits of the system presented by us improve your decision-making basis in order to be able to react adequately to the typical conflict situation - as shown in the tension triangle.

Solution by means of a sm@rt documentation approach.
For this purpose, we recommend a structure as shown in Fig. 4. The idea behind this is to have as transparent a presentation of the facts as possible, so that the specific controls for compliance mesh neatly.

Responsive Image

To build up this process and in parallel to get out of the compliance trap immediately, the 3-step procedure described in Fig. 5 helps.

The procedure model is structured in such a way that you can start immediately with your own resources and get the foundation for your procedural documentation with the first step. In the second step, the practical expansion follows, which is aligned with your current needs and establishes the basis for audit-proof management and design of the evidence. The third step is the sustainable implementation of the new process.

A best practice standard that helps
A suitable best practice standard - with whose approach and structure the recommended procedure can be completely mapped - is available: The VOI PK-DML "Audit Criteria for Digital Document Management Processes and Associated IT Solutions" of the IT trade association VOI e.V. (Bonn). This standard has been under further development for more than 20 years and is based on two pillars:
  • A holistic and coordinated coverage of the required documentation fields (Fig. 4) based on core and audit criteria.
  • A focus on matching with other regulations, such as ISO 27001 and others, with the aim of avoiding redundancies in documentation management, harmonizing interaction and reducing the effort required for audit preparations.

All of this is based on the experience that the fulfillment of compliance requirements in - in particular increasingly heterogeneous - IT landscapes is a process that can only be implemented step by step and generically due to the complexity and dynamics involved. In addition, it is possible to be certified in various ways on the basis of this standard.

Responsive Image

Conclusion
Chasing new laws and regulations is like buying a piece of clothing without reference to the size and then trying to make it fit. When you “document sm@rt,” you create your tailor-made suit and follow the Pareto principle: 80 percent of the requirements can be covered with 20 percent of the total effort. In addition to the goal of establishing the greatest common denominator for all verification requirements in the use of IT, “sm@rt documenting” enables you to react to changes - safely, practically and individually. This ensures you the best possible economic benefit and saves costs.

Responsive Image

Ralf Kaspras has a degree in computer science and has been working intensively with IT compliance and information security since 1996. He is, among other things, the initiator, co-author and editorial director of the VOI PK-DML framework (which includes, among other things, the “Audit criteria for document management processes and associated IT solutions”), on the basis of which TÜViT GmbH (TÜV Nord group of companies) and VOI Service GmbH certifies companies and organizations. For VOI Service GmbH, he is responsible for the establishment, development and operation of the “VOI CERT” certification area. He is managing director of InnoData Tech GmbH and member of the board of VOI e.V. www. innodatatech.de
Alexander Daniel Balzer is a senior IT consultant at Consultec Dr. Ernst GmbH and VOI Certified Expert. www.consultec.de