Models for Monitoring Digital Accessibility Compliance Tim Springer Tammy Cosseboom.


Models for Monitoring Digital Accessibility Compliance

Tim Springer

Tammy Cosseboom

Agenda

• Compliance Programs

• Monitoring Plans

• Process Monitoring and Auditing

• Asset Monitoring

• Asset Audits

Compliance Programs

What is Compliance?

Conforming to the controls and procedures imposed on your organization by appropriate laws or rulings

Compliance Elements

Seven Elements of Effective Compliance Programs

1. Policies, Procedures and Controls

2. Compliance and Ethics Oversight

3. Exercise Due Diligence

4. Educate Employees

5. Monitor and Audit Compliance

6. Consistent Enforcement and Discipline

7. Respond Appropriately

Conceptual Framework

Accessibility program maturity is measured along ten key dimensions:

• Governance, Risk Management, and Compliance

• Communications

• Policy and Standards

• Legal

• Fiscal Management

• Development Lifecycle

• Testing and Validation

• Support and Documentation

• Procurement

• Training

Risk Prioritization

• Not all technology warrants the same level of scrutiny

• Worry more about technology that:

– Is necessary for completion of core functionality

– Pertains specifically to users with disabilities

– Receives the highest amount of traffic

– Concerns job postings / applications

– Utilizes third party vendors

– Contains maps or other extensive graphics

• Higher Risk = Higher Priority

Risk Management

Prioritization Levels

• Enterprise

• Asset

• Best Practice

Risk Model

• Identify core factors for each level

• Weight core factors

• Rank

Legal Research

• Legal research is a continuous compliance process

• Must be executed at many levels:

– Federal

– State

– Local

• New laws/regulations should be immediately analyzed for impact and tracked

• Know your rulemaking process

• Know your OIRA

Compliance Cross-Pollination

• Compliance processes can be executed the “hard” way or the “easy” way

• Integrating accessibility into the existing compliance program gets you on the path to the “easy way”

Reporting, Metrics, Trends

• Center of the feedback loop

• Risk Management, Risk Assessment, Legal Research and Compliance Cross-Pollination feed the data

• Produce actionable summaries which can be turned into compliance process improvement programs

Monitoring Plans

It All Starts with a Monitoring Plan

• Who is involved?

• What is being monitored?

• What resources are required?

• When is the plan to be executed?

• Which compliance plan is monitoring associated with?

• What types of test methods are being utilized?

Monitoring Plan Goals

• Ensure that the program policies are being followed

• Periodically evaluate the effectiveness of the program

• Have and publicize a system to report violations

Monitoring Plan – Ad Hoc or Formal?

Issues with Ad-hoc plans

• Sample size not consistent or risk-assessed

• Testing staff lacks knowledge to identify key work flow structures

• False negatives or positives if not utilizing users with disabilities

• Doesn’t leverage automatic testing

• Doesn’t provide metrics

Monitoring Types

• Process monitoring – operations are conforming to the accessibility policy in practice

• Asset monitoring – ICT being produced or utilized is accessible

– Monitoring = High level ongoing tests

– Auditing = Detailed point in time tests

• Some concepts apply to both types

– Monitoring Plan Creation

– Risk Prioritization

– Risk Management

Process Monitoring and Auditing

Process Monitoring Approach

Roughly:

• Define

• Train

• Measure, Manage, Coach

• Report

Bulletproofing

• Automate that which can be automated

• Use software

• Setup notifications

• Define process variance tolerances

Process Auditing Methodology

• Process Walkthrough

• Artifact Review

• Operations Review

• Analysis

• Draft Findings Review

• Primary Draft Development

• Primary Draft Review

• Secondary Changes

• Delivery

Asset Monitoring

Accessibility Monitoring Test Types

• Automated Tests

• Global Tests

• Manual Tests

• Manual Tests with AT

Accessibility Compliance Levels - Minimum

• Automated ICT scan only

• Pages are rendered in a browser and tested directly against the DOM

• Results in roughly 25% testing coverage

Accessibility Compliance Levels - Baseline

• Extends minimum level to include manual tests of sample portions of the site

• Sample tests are extrapolated to remainder of the site

• Results in roughly 85% testing coverage

Accessibility Compliance Levels - Complete

• Extends base level to include functional use case testing by individuals with disabilities using assistive technology

• Focuses on key transaction paths in the system

• Increases compliance coverage to as close to 100% as possible

Asset Audits

Is My ICT Accessible?

Three components need to be reviewed to answer this question:

• Technical Compliance

• Functional Compliance

• Support Compliance

Technical Requirements

Does the technology conform to the coding requirements in the relevant standards?

• Requires up-to-date standards

• Requires the ICT be substantially conformant with standards

• Requirements are assessed for risk and divided between those that can be tested:

– Automatically (24.8%)

– Manually (48.3%)

– Globally (26.9%)

Functional Requirements

Can people with disabilities use the application to complete its core tasks?

• Requires system be usable to people with disabilities using current AT

• Technical requirements focus on the trees – functional requirements on the forest

Support Requirements

Is the deployment context of the ICT accessible?

• Is the ICT documentation accessible?

• Can the organization provide accessible support for the ICT to its employees and the public? (TTY/TDD, accessible online chat)

• Is the ICT training accessible?

• Does the organization have a periodic audit program which assesses the compliance and ethics program?

Questions?

Thank You

Contact Us

Tim [email protected]

Tammy [email protected]

Download Slide Deck

Info.ssbbartgroup.com/CSUN2015

Follow Us

@SSBBARTGroup

linkedin.com/company/SSB-BART-Group

facebook.com/SSBBARTGroup

SSBBARTGroup.com/blog

About SSB BART Group

• Unmatched Experience

• Focus on Accessibility

• Solutions That Manage Risk

• Real-World Strategy

• Organizational Strength and Continuity

• Dynamic, Forward-Thinking Intelligence

• Fourteen hundred organizations (1445)

• Fifteen hundred individual accessibility best practices (1595)

• Twenty-two core technology platforms (22)

• Fifty-five thousand audits (55,930)

• One hundred fifty million accessibility violations (152,351,725)

• Three hundred sixty-six thousand human validated accessibility violations (366,096)

Appendix A – Compliance Programs

Policies, Procedures and Controls

• Publish an accessibility statement

• Modify existing policies (HR, Customer Support)

• Set internal controls

– Protect resources

– Ensure accuracy and reliability

– Secure compliance with policies

– Evaluate performance

Oversight

• Visibility, knowledge, and oversight

• High-level sponsorship

• Roles and responsibilities clearly identified

• Clearly assigned responsibilities

• Day-to-day operations have resources, authority and access to governing authority

– Resources == budgets

– Authority == compliance can tell other departments what to do

• In accessibility? Really?

– Direct access to the governing authority == if compliance thinks there is a problem, but their leadership is stonewalling them, they can do an end run straight to the BoD

RACI Matrix

Educate Employees on Programs

• Communicate policies, standards and procedures of compliance and ethics program

• Conduct effective training programs

• Disseminate information appropriate to respective roles

Consistent Enforcement and Discipline

• Policies, Procedures, and Controls need to include disciplinary steps for all levels of employees/agents

• If retraining is an option:

– Maintain metrics on improvement after retraining

– Document all training

• If termination is a potential outcome, update contracts to define penalties

Respond to/Prevent Future Incidents

Two elements must be implemented:

• Accessibility Issue Resolution Policy / Procedures

– Reasonable Accommodation must be provided

– Why did the accessibility violation get overlooked?

• Root Cause Analysis

– Why did the accessibility violation get overlooked?

– What improvements can be made to procedures?