What's your e-Signature Policy?
It's 2017 and your department is still overrun with paper. Your customers, employees and vendors are becoming more and more frustrated with you. Going digital is "on the road map" but doesn't seem to be getting any closer to reality. Why?
From conversations with transformation leaders around the country, the seemingly simple concept of electronic signatures often gets intractably complicated soon after it's introduced to the organization. Internal resistance to change rears its head in many familiar ways, including dire predictions of unenforceability and loss of control, unsubstantiated conclusions about increased compliance risk or external adoption, and general concerns that the path forward is not clear enough to take such a significant step.
This is particularly true with mature organizations, where you must not only automate your current processes, but also investigate what they were intended to accomplish in the first place, appreciating the high likelihood that they are only in place as a result of the limitations of technology at the time they were put there. This can be extremely disruptive and, understandably, of great concern to those whose daily lives rely on keeping these processes in motion.
"The lack of [a policy] is the #1 reason for delaying critical digital transformation initiatives."
Many, if not all, of these fears can be addressed by an early look at how the organization is actually going to use technology -- and why -- with a documented set of principles that will guide the organization throughout. The the lack of these clear and broadly distributed principles is the number one reason for delaying critical transformation initiatives, and it's the primary contributor to failed projects.
Who needs a digital policy?
It's easy to get an eye-roll or two when we suggest yet another policy. But here's the reality: whether you're converting a single paper process or are fundamentally transforming your organization, you will need to guide your employees, customers, constituents and relying parties in adapting to your new business channel. The process of implementing any electronic solution will require answers to many questions that have never come up before, such as:
What documents will we sign electronically?
What documents will we accept electronically?
How do we authenticate electronically signed and stored records?
Whose workflow will we acknowledge in a multi-party transaction?
How do we control when and how we create a digital workflow?
How will we retain and preserve electronic records?
The three e-signature policy types below -- I call the trio a Digital Policy for short -- are essential to addressing risks and uncertainties that come with any major shift in operating dynamics. The lack of such policies--and the sense of certainty they provide-- is the number 1 reason for delaying critical digital transformation initiatives.
e-Signature Policy type I - internal workflows
Often the first step in digital transformation is the conversion of internal workflows to electronic processes. Considered by many as merely "paving the cow path", the process of implementing any electronic solution will require policy decisions that will shape your approach across the organization.
To develop an effective internal policy, you should ideally:
Get the "big picture" of the affected organization in order to take full advantage of the digital workflow -- why do we do the things we do?
Tackle any new compliance issues that arise when going digital
Evaluate barriers and risks, with a view toward designing mitigation strategies
Identify hot spots within the organization that will maximize opportunities for success.
These preliminary steps will help you set the right tone for your internal workflow policy, leaving your employees and auditors with a clear view of their new procedures and an appreciation for the improvement they bring to the organization.
e-Signature policy type II - digital transactions
Engaging with outside parties involves a different set of opportunities and risks. To maximize the benefits of going digital, organizations need to identify and confront issues that are likely to arise when transactions are challenged.
The SPeRS manual is a veritable world atlas of things to consider before implementing a mission-critical digital transaction management system. The manual specifies an approach that can be summarized as:
Agreements, notices and disclosures
Record retention and access
Distilling these concepts into actionable project plans is essential, and doing it poorly can mean the difference between implementing on time and derailing the project entirely.
e-Signature policy type III - accepting e-signed documents
Your organization now has a well-documented policy for creating electronic documents and managing your digital transactions. But what happens when you receive an electronic document from someone else? What is your standard for accepting that digital document or relying on an electronic signature?
You'll want to look to industry best practices if you haven't already. It's normally a better bet to have your own internal policy set before imposing one on third parties.
Design transaction profiles that reflect your organization's own risk mitigation standards
Develop customized assessment tools to apply your criteria to incoming transactions
Provide policy communication tools to cultivate professional levels of trust and expectations with transaction partners and regulators
The end result should be that your organization has the tools necessary to readily recognize and evaluate any externally-generated electronic record for compliance with your standards, without having to run to Legal first.
Who drafts digital policies?
There's no short cut here. Your legal and compliance departments will be the best places to start, but don't expect there to be a simple template or sample policy to cut-and-paste from. The only way to get an actionable digital policy is to custom-design it to your organization's specific set of circumstances. Outside help is available, but you must be ready to commit internal resources to get it right the first time.