I find that ineffective and unenforced policies are rampant within organizations, and are a thorn in the side of compliance and policy managers.
Mismanagement of policy has grown exponentially with the proliferation of documents, collaboration software, file shares, and websites. Organizations end up with policies scattered across dozens of sites with no defined understanding of what policies exist and how they are enforced. An ad hoc approach to policy management allows anyone to create a document and call it a policy—exposing the organization to unnecessary liability. Policies end up poorly written, out of sync, and out of date; exceptions go undocumented; and the organization has no evidence that the policy is enforced.
Document-centric approaches to policies—ones that lack technology to manage communication and enforcement—are a recipe for disaster. While it appears easy and cheap to just use documents and send them out via e-mail, or post them on a file share or website, the reality is that the cost to the organization is significant, given the exposure that ineffective policy management creates.
The following is a checklist you can use to understand if your policy management system enables effective policy implementation and enforcement across the policy lifecycle:
- Provide a consistent policy management framework for the entire enterprise.
- Manage the policy lifecycle of creation, communication, implementation, monitoring, maintenance, revision, and archiving.
- Deliver a system to document, approve, monitor, and review exceptions to policies.
- Provide a consistent format for policy assessments and surveys to gauge compliance and understanding.
- Integrate eLearning, training quizzes, and attestation.
- Provide easy access to policies in the right language and format for the audience.
- Gather and track comments to policies.
- Map policies to obligations, risks, controls, and investigations so there is a holistic view of policies and metrics.
- Provide a robust system of records to track who accessed a policy as well as dates of attestation, training, and read-and-understood acknowledgments.
- Provide a user-friendly portal for policies with workflow, content management, and integration to other systems.
- Provide a calendar view to see policies being communicated to various areas of the business, and ensure policy communications do not burden employees with too many tasks in any given time period.
- Provide links to hotlines for reporting policy violations.
- Publish access to additional resources such as helplines, FAQs, and forms.
- Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what is needed.
- Create categories of metadata to store within policies, and display documents by category so policies are easily catalogued and accessed.
- Restrict access to policy documents so readers cannot change them, and sensitive documents are not accessible to those who do not need them.
- Keep a record of the versions and interactions of each policy so the organization can refer to them when an incident or issue arises, whether to defend the organization or to provide evidence.
- Maintain accountable workflows to allow certain people to approve policy documents, and move tasks to others with full audit trails.
- Deliver comprehensive metrics and reporting on the status, implementation, understanding, and enforcement of policies.
Although you may be able to implement a few of these features using a build-your-own or document-centric approach, the cost in training, maintenance, and management time, let alone the legal ramifications of lacking audit trails, makes it a risky venture for policy management.
I look forward to hearing your thoughts on the role of technology in policy management . . .