RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Angie Fares <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Tue, 1 Nov 2011 21:25:42 +0000
I've always been terribly interested in measuring how well my third parties are performing because, at times, their performance determines whether or not my own programs are compliant.  In some cases, the consequences can be devastating when a third party is not performing well and there is little or no scrutiny taking place.  For example, you may find out too late that a third party doing your imaging has not met quality requirements AFTER a record has been destroyed.  Or that copies of a medical record were sent to the wrong location AFTER a HIPAA complaint has been filed by the patient in question.

One area that has surprised me most in terms of NOT measuring itself is the shred industry.  I measure my vendor based on their performance to the schedule and, if the schedule is not met, how quickly the site is contacted and service completed.  If I have a complaint or adverse event, I also monitor how quickly it was resolved and how satisfied we were with the result.  I also measure how well my vendor maintains proof of service by either producing a signed service ticket or a bar code swipe that shows that the vendor was actually at the assigned location.  Failure to maintain proof of service means I don't pay.  I also measure whether or not service took place within my service level agreement.  Some organizations require very tight scheduling whereas others can accommodate a schedule shift of a week or two.

I am constantly surprised at the fact that measuring performance to a schedule is a manual procedure for most shred vendors because, for the most part, they either do not measure themselves on that particular metric or their logistics scheduling systems do not allow them to measure that metric (Iron Mountain is the only one that I know that was moving in that direction...if there are others, let me know).  Most shred vendors also never seem to have a customer profile where a customer can consistently block out days where service is not permitted (holidays, weekends, etc.).  All of that has to be done manually after the wrong schedule has been sent to the customer unless you have a very attentive account manager checking that for you.  You almost never see online portals where customers can pull shred schedules (Iron Mountain has one), create customer service tickets (nobody has that), or chat online with their service provider (some have email).  Many shred providers guarantee to meet their schedule with 30 days of publication, but not many of them can actually measure it (ask your vendor for a record of the scheduled date vs. the actual date of service to test that fact).  Few vendors will voluntarily contact your customer sites by phone in the event of a schedule change unless required to do so by contract.  I have yet to see anyone with the capability to set up automated reminders for scheduled shred visits via email addresses in a customer profile.  I have only seen one vendor offer to comp visits that are not performed within a service level agreement, but I have yet to see a vendor that automates a definition of what the acceptable "window" of service is to the customer when the actual service date is not met.  In fact, when I recently started looking at who was in my local market, many shred providers readily admitted that they did not check or reconcile the manual service tickets each day because they were too numerous to manage.  Unless the customer complained, it was assumed that service was provided if it was on the schedule.  For large corporations, this could represent large amounts of money for services not performed.

In my days at a large retail network where there were 7,000+ stores with very tiny back rooms that could barely accommodate a small console, I had to build control processes to tell my stores when the shred event was scheduled so that they could fill their shred consoles and stage additional boxes from storage, then make sure that the vendor showed up on time (because we could not leave excess material blocking the fire exit, bathroom, or sitting on shelves where revenue generating product was meant to be stored...nor could we leave it on the retail floor), verify that service took place, chase the vendor down if they didn't show up, reschedule any store that was missed if the vendor had not already done so, and then monitor the content levels of each store to ensure that the store was not shirking any responsibilities to shred consistently (an empty container report was required from my third party to ensure that every store was disposing of material properly and, if not, Loss Prevention was dispatched to audit the store).  All of this was designed to manage risk and ensure compliance to various state, federal, and PCI rules.  If a vendor didn't show up on the scheduled date or at the scheduled location, the onus always seemed to be on me to prove that service was or wasn't provided.  My only defense was withholding payment unless proof of that service was provided and I had to dispute each individual event.  Many shred vendors stepped up to the plate to be part of my service program and were shocked at their performance to their schedules after their salespeople had guaranteed service.  Failure rates hovered as high as 38% for some vendors, no matter how hard they tried to resolve the issues (and believe me, they tried).  It was hard to carve out a risk management program with so little automation in the shred industry.

Fortunately, I am not in the dynamic environment that I once managed, but risk management is still an issue.  Having a shred program is part of my risk management program.  I still require all of the service controls in my program that I required in previous organizations and all of it is still manual on the part of my provider.  A single breach can bring a lot of grief to your organization and the fines are excessively devastating, not to mention the negative publicity if the event is publicized.  A vendor who doesn't show up or who delays for a day or two and hasn't called to reschedule can make a frustrated worker bee take crazy chances with a dumpster instead of doing the right thing, particularly if that worker bee is at a remote site and doesn't understand the implications of inappropriate records disposal.  But, if there is proof of a consistent program with appropriate controls, and an adverse event occurs, there is some leverage in having that information to demonstrate that the organization exerts itself to comply with all state and federal requirements and that the event was singular in nature and not an overall lack of organization control.  I've had personal experiences where having this information reduced liability or protected my organization from a lawsuit.

I am curious to know...are other records managers out there measuring your third party shred provider?  If so, what metrics out there are being used to measure shred vendors?  If not, how do you know that your program is compliant?  If you have multiple sites to manage, how do you know that your vendor is showing up regularly to provide service on a timely basis?

Do you think it is time for ARMA or NAID to develop customer service ratings that measure more specific statistics so that potential customers can assess their shred providers in various markets in terms of performance, complaint resolution, adverse events, etc., like they do with health care?  How do you know how your vendor stacks up BEFORE you sign on the dotted line?





