Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | jade-patterson |
View: | 217 times |
Download: | 0 times |
Agenda
• Compliance Programs• Monitoring Plans• Process Monitoring and
Auditing• Asset Monitoring• Asset Audits
What is Compliance?
Conforming to the controls and procedures imposed on
your organization by appropriate laws or rulings
Compliance ElementsSeven Elements of Effective Compliance Programs
1. Policies, Procedures and Controls
2. Compliance and Ethics Oversight
3. Exercise Due Diligence
4. Educate Employees
5. Monitor and Audit Compliance
6. Consistent Enforcement and Discipline
7. Respond Appropriately
Conceptual Framework
Accessibility program maturity is measured along ten key dimensions:•Governance, Risk Management, and Compliance•Communications•Policy and Standards•Legal•Fiscal Management•Development Lifecycle•Testing and Validation•Support and Documentation•Procurement•Training
Risk Prioritization
• Not all technology is warrants the same level of scrutiny
• Worry more about technology that:
– Is necessary for completion of core functionality
– Pertains specifically to users with disabilities
– Receives the highest amount of traffic
– Concerns job postings / applications
– Utilizes third party vendors
– Contains maps or other extensive graphics
• Higher Risk = Higher Priority
Risk Management
Prioritization Levels•Enterprise•Asset•Best Practice
Risk Model•Identify core factors for each level•Weight core factors•Rank
Legal Research
• Legal research is a continuous compliance process
• Must be executed at many levels:– Federal
– State
– Local
• New laws/regulations should be immediately analyzed for impact and tracked
• Know your rulemaking process• Know your OIRA
Compliance Cross-Pollination
• Compliance processes can be executed the “hard” way or the “easy” way
• Integrating accessibility into the existing compliance program gets you on the path to the “easy way”
Reporting, Metrics, Trends
• Center of the feedback loop
• Risk Management, Risk Assessment, Legal Research and Compliance Cross-Pollination feed the data
• Produce actionable summaries which can be turned into compliance process improvement programs
It All Starts with a Monitoring Plan
• Who is involved?
• What is being monitored?
• What resources are required?
• When is plan to be executed?
• Which compliance plan is monitoring associated with?
• What types of test methods are being utilized?
Monitoring Plan Goals
• Ensure that the program policies are being followed
• Periodically evaluate the effectiveness of the program
• Have and publicize a system to report violations
Monitoring Plan – Ad Hoc or Formal?
Issues with Ad-hoc plans•Sample size not consistent or risk-assessed •Testing staff lacks knowledge to identify key work flow structures •False negatives or positives if not utilizing users with disabilities•Doesn’t leverage automatic testing•Doesn’t provide metrics
Monitoring Types
• Process monitoring – operations are conforming to the accessibility policy in practice
• Asset monitoring – ICT being produced or utilized is accessible– Monitoring = High level ongoing tests
– Auditing = Detailed point in time tests
• Some concepts apply to both types– Monitoring Plan Creation
– Risk Prioritization
– Risk Management
Process Monitoring Approach
Roughly:•Define•Train•Measure, Manage, Coach•Report
Bulletproofing•Automate that which can be automated•Use software•Setup notifications•Define process variance tolerances
Process Auditing Methodology
• Process Walkthrough• Artifact Review• Operations Review• Analysis
• Draft Findings Review• Primary Draft Development• Primary Draft Review• Secondary Changes• Delivery
Accessibility Monitoring Test Types
• Automated Tests
• Global Tests
• Manual Tests
• Manual Tests with AT
Accessibility Compliance Levels - Minimum
• Automated ICT scan only
• Pages are rendered in a browser and tested directly against the DOM
• Results in roughly 25% testing coverage
Accessibility Compliance Levels - Baseline
• Extends minimum level to include manual tests of sample portions of the site
• Sample tests are extrapolated to remainder of the site
• Results in roughly 85% testing coverage
Accessibility Compliance Levels - Complete
• Extends base level to include functional use case testing by individuals with disabilities using assistive technology
• Focuses on key transaction paths in the system
• Increases compliance coverage to as close to 100% as possible
Is My ICT Accessible?
Three components need to be reviewed to answer this question:•Technical Compliance•Functional Compliance•Support Compliance
Technical Requirements
Does the technology conform to the coding requirements in the relevant standards? •Requires up-to-date standards•Requires the ICT be substantially conformant with standards•Requirements are assessed for risk and divided between those that can be tested:
˗ Automatically (24.8%)
˗ Manually (48.3%)
˗ Globally (26.9%)
Functional Requirements
Can people with disabilities use the application to complete its core tasks?•Requires system be usable to people with disabilities using current AT•Technical requirements focus on the trees – functional requirements on the forest
Support Requirements
Is the deployment context of the ICT accessible?•Is the ICT documentation accessible?•Can the organization provide accessible support for the ICT to its employees and the public? (TTY/TDD, accessible online chat)•Is the ICT training accessible?•Does the organization have a periodic audit program which assesses the compliance and ethics program?
Thank You
Contact Us
Tammy [email protected]
Download Slide DeckInfo.ssbbartgroup.com/CSUN2015
Follow Us
@SSBBARTGroup
linkedin.com/company/SSB-BART-Group
facebook.com/SSBBARTGroup
SSBBARTGroup.com/blog
About SSB BART Group
• Unmatched Experience• Focus on Accessibility• Solutions That Manage Risk• Real-World Strategy• Organizational Strength and
Continuity• Dynamic, Forward-Thinking
Intelligence
• Fourteen hundred organizations (1445)
• Fifteen hundred individual accessibility best practices (1595)
• Twenty-two core technology platforms (22)
• Fifty-five thousand audits (55,930)
• One hundred fifty million accessibility violations (152,351,725)
• Three hundred sixty-six thousand human validated accessibility violations (366,096)
Policies, Procedures and Controls
• Publish an accessibility statement• Modify existing policies (HR, Customer Support) • Set internal controls
– Protect resources
– Ensure accuracy and reliability
– Secure compliance with policies
– Evaluate performance
Oversight
• Visibility, knowledge, and oversight • High-level sponsorship • Roles and responsibilities clearly identified • Clearly assigned responsibilities • Day-to-day operations have resources, authority and access
to governing authority– Resources == budgets
– Authority == compliance can tell other departments what to do• In accessibility? Really?
– Direct access to the governing authority == if compliance thinks there is a problem, but their leadership is stonewalling them, they can do an end run straight to the BoD
Educate Employees on Programs
• Communicate policies, standards and procedures of compliance and ethics program
• Conduct effective training programs • Disseminate information appropriate to respective roles
Consistent Enforcement and Discipline
• Policies, Procedures, and Controls need to include disciplinary steps for all levels of employees/agents
• If retraining is an option:– Maintain metrics on improvement after retraining
– Document all training
• If termination is potential outcome, update contracts to define penalties
Respond to/Prevent Future Incidents
Two elements must be implemented: •Accessibility Issue Resolution Policy / Procedures
– Reasonable Accommodation must be provided
– Why did the accessibility violation get overlooked?
•Root Cause Analysis– Why did the accessibility violation get overlooked?
– What improvements can be made to procedures?