
Models for Monitoring Digital Accessibility Compliance
Tim Springer
Tammy Cosseboom
Agenda
• Compliance Programs
• Monitoring Plans
• Process Monitoring and Auditing
• Asset Monitoring
• Asset Audits
Compliance Programs
What is Compliance?
Conforming to the controls and procedures imposed on your organization by appropriate laws or rulings
Compliance Elements
Seven Elements of Effective Compliance Programs
1. Policies, Procedures and Controls
2. Compliance and Ethics Oversight
3. Exercise Due Diligence
4. Educate Employees
5. Monitor and Audit Compliance
6. Consistent Enforcement and Discipline
7. Respond Appropriately
Conceptual Framework
Accessibility program maturity is measured along ten key dimensions:
• Governance, Risk Management, and Compliance
• Communications
• Policy and Standards
• Legal
• Fiscal Management
• Development Lifecycle
• Testing and Validation
• Support and Documentation
• Procurement
• Training
Risk Prioritization
• Not all technology warrants the same level of scrutiny
• Worry more about technology that:
– Is necessary for completion of core functionality
– Pertains specifically to users with disabilities
– Receives the highest amount of traffic
– Concerns job postings / applications
– Utilizes third party vendors
– Contains maps or other extensive graphics
• Higher Risk = Higher Priority
Risk Management
Prioritization Levels
• Enterprise
• Asset
• Best Practice
Risk Model
• Identify core factors for each level
• Weight core factors
• Rank
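The three Risk Model steps (identify core factors, weight them, rank) carried through in code for the six factors on the Risk Prioritization slide, as an added example that is not part of the deck. It also goes one step further than the slides and turns the ranking into a risk-assessed manual-test sample size; the factor weights and the sample assets are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Core factors from the Risk Prioritization slide. The weights (relative
# importance on a 1-5 scale) are constructed assumptions, not values from the deck.
FACTOR_WEIGHTS = {
    "core_functionality": 5,   # necessary for completion of core functionality
    "disability_specific": 5,  # pertains specifically to users with disabilities
    "high_traffic": 4,         # receives the highest amount of traffic
    "job_applications": 4,     # concerns job postings / applications
    "third_party": 3,          # utilizes third-party vendors
    "extensive_graphics": 2,   # contains maps or other extensive graphics
}

@dataclass
class Asset:
    name: str
    factors: dict = field(default_factory=dict)  # factor -> score in 0.0..1.0

def risk_score(asset, weights=FACTOR_WEIGHTS):
    """Step 2: weighted sum of factor scores, normalised to 0..100."""
    raw = sum(w * min(max(asset.factors.get(f, 0.0), 0.0), 1.0) for f, w in weights.items())
    return round(100.0 * raw / sum(weights.values()), 1)

def rank_assets(assets, weights=FACTOR_WEIGHTS):
    """Step 3: highest risk = highest priority (name breaks ties)."""
    return sorted(assets, key=lambda a: (-risk_score(a, weights), a.name))

def sample_allocation(assets, budget, weights=FACTOR_WEIGHTS, minimum=1):
    """Spread a manual-test budget (pages to sample) in proportion to risk so the
    sample size is risk-assessed instead of ad hoc; every asset keeps a minimum."""
    if budget < minimum * len(assets):
        raise ValueError("budget cannot cover the per-asset minimum")
    scores = {a.name: risk_score(a, weights) for a in assets}
    spare = budget - minimum * len(assets)
    total = sum(scores.values()) or 1.0
    shares = {n: spare * s / total for n, s in scores.items()}
    alloc = {n: minimum + int(shares[n]) for n in scores}
    # largest-remainder rounding so the allocation sums exactly to the budget
    leftover = spare - sum(int(s) for s in shares.values())
    for n in sorted(scores, key=lambda n: shares[n] % 1, reverse=True)[:leftover]:
        alloc[n] += 1
    return alloc

# Constructed sample assets (illustrative, not from the deck).
SAMPLE_ASSETS = [
    Asset("Online job application", {"core_functionality": 1.0, "job_applications": 1.0,
                                     "high_traffic": 0.6, "third_party": 1.0}),
    Asset("Accessibility help center", {"disability_specific": 1.0, "core_functionality": 0.5}),
    Asset("Campus map", {"extensive_graphics": 1.0, "third_party": 0.5, "high_traffic": 0.3}),
    Asset("Press releases", {"high_traffic": 0.2}),
]
```

Running `rank_assets(SAMPLE_ASSETS)` orders the job application first and the press releases last; `sample_allocation(SAMPLE_ASSETS, 20)` then gives the job application nine of the twenty sampled pages and the press releases two.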
Legal Research
• Legal research is a continuous compliance process
• Must be executed at many levels:
– Federal
– State
– Local
• New laws/regulations should be immediately analyzed for impact and tracked
• Know your rulemaking process
• Know your OIRA
Compliance Cross-Pollination
• Compliance processes can be executed the “hard” way or the “easy” way
• Integrating accessibility into the existing compliance program gets you on the path to the “easy way”
Reporting, Metrics, Trends
• Center of the feedback loop
• Risk Management, Risk Assessment, Legal Research and Compliance Cross-Pollination feed the data
• Produce actionable summaries which can be turned into compliance process improvement programs
Monitoring Plans
It All Starts with a Monitoring Plan
• Who is involved?
• What is being monitored?
• What resources are required?
• When is the plan to be executed?
• Which compliance plan is the monitoring associated with?
• What types of test methods are being utilized?
Monitoring Plan Goals
• Ensure that the program policies are being followed
• Periodically evaluate the effectiveness of the program
• Have and publicize a system to report violations
Monitoring Plan – Ad Hoc or Formal?
Issues with Ad-hoc plans
• Sample size not consistent or risk-assessed
• Testing staff lacks knowledge to identify key workflow structures
• False negatives or positives if not utilizing users with disabilities
• Doesn’t leverage automatic testing
• Doesn’t provide metrics
Monitoring Types
• Process monitoring – operations are conforming to the accessibility policy in practice
• Asset monitoring – ICT being produced or utilized is accessible
– Monitoring = High level ongoing tests
– Auditing = Detailed point in time tests
• Some concepts apply to both types
– Monitoring Plan Creation
– Risk Prioritization
– Risk Management
Process Monitoring and Auditing
Process Monitoring Approach
Roughly:
• Define
• Train
• Measure, Manage, Coach
• Report
Bulletproofing
• Automate that which can be automated
• Use software
• Set up notifications
• Define process variance tolerances
Process Auditing Methodology
• Process Walkthrough
• Artifact Review
• Operations Review
• Analysis
• Draft Findings Review
• Primary Draft Development
• Primary Draft Review
• Secondary Changes
• Delivery
Asset Monitoring
Accessibility Monitoring Test Types
• Automated Tests
• Global Tests
• Manual Tests
• Manual Tests with AT
Accessibility Compliance Levels - Minimum
• Automated ICT scan only
• Pages are rendered in a browser and tested directly against the DOM
• Results in roughly 25% testing coverage
Accessibility Compliance Levels - Baseline
• Extends minimum level to include manual tests of sample portions of the site
• Sample tests are extrapolated to remainder of the site
• Results in roughly 85% testing coverage
Accessibility Compliance Levels - Complete
• Extends base level to include functional use case testing by individuals with disabilities using assistive technology
• Focuses on key transaction paths in the system
• Increases compliance coverage to as close to 100% as possible
Asset Audits
Is My ICT Accessible?
Three components need to be reviewed to answer this question:
• Technical Compliance
• Functional Compliance
• Support Compliance
Technical Requirements
Does the technology conform to the coding requirements in the relevant standards?
• Requires up-to-date standards
• Requires the ICT be substantially conformant with standards
• Requirements are assessed for risk and divided between those that can be tested:
– Automatically (24.8%)
– Manually (48.3%)
– Globally (26.9%)
Functional Requirements
Can people with disabilities use the application to complete its core tasks?
• Requires system be usable to people with disabilities using current AT
• Technical requirements focus on the trees – functional requirements on the forest
Support Requirements
Is the deployment context of the ICT accessible?
• Is the ICT documentation accessible?
• Can the organization provide accessible support for the ICT to its employees and the public? (TTY/TDD, accessible online chat)
• Is the ICT training accessible?
• Does the organization have a periodic audit program which assesses the compliance and ethics program?
Questions?
Thank You
Contact Us
Tim Springer
[email protected]
Tammy Cosseboom
[email protected]
Follow Us
@SSBBARTGroup
linkedin.com/company/SSB-BART-Group
facebook.com/SSBBARTGroup
SSBBARTGroup.com/blog
Download Slide Deck
Info.ssbbartgroup.com/CSUN2015
About SSB BART Group
• Unmatched Experience
• Focus on Accessibility
• Solutions That Manage Risk
• Real-World Strategy
• Organizational Strength and Continuity
• Dynamic, Forward-Thinking Intelligence
• Fourteen hundred organizations (1445)
• Fifteen hundred individual accessibility best practices (1595)
• Twenty-two core technology platforms (22)
• Fifty-five thousand audits (55,930)
• One hundred fifty million accessibility violations (152,351,725)
• Three hundred sixty-six thousand human validated accessibility violations (366,096)
Appendix A – Compliance Programs
Policies, Procedures and Controls
• Publish an accessibility statement
• Modify existing policies (HR, Customer Support)
• Set internal controls
– Protect resources
– Ensure accuracy and reliability
– Secure compliance with policies
– Evaluate performance
Oversight
• Visibility, knowledge, and oversight
• High-level sponsorship
• Roles and responsibilities clearly identified
• Clearly assigned responsibilities
• Day-to-day operations have resources, authority and access to governing authority
– Resources == budgets
– Authority == compliance can tell other departments what to do
• In accessibility? Really?
– Direct access to the governing authority == if compliance thinks there is a problem, but their leadership is stonewalling them, they can do an end run straight to the BoD
RACI Matrix
Educate Employees on Programs
• Communicate policies, standards and procedures of
compliance and ethics program
• Conduct effective training programs
• Disseminate information appropriate to respective roles
Consistent Enforcement and Discipline
• Policies, Procedures, and Controls need to include disciplinary steps for all levels of employees/agents
• If retraining is an option:
– Maintain metrics on improvement after retraining
– Document all training
• If termination is a potential outcome, update contracts to define penalties
Respond to/Prevent Future Incidents
Two elements must be implemented:
• Accessibility Issue Resolution Policy / Procedures
– Reasonable Accommodation must be provided
– Why did the accessibility violation get overlooked?
• Root Cause Analysis
– Why did the accessibility violation get overlooked?
– What improvements can be made to procedures?