Policy & Training Management Information Architecture
The policy and training management information architecture supports the process architecture and overall policy and training management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy and training processes.
The policy and training management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy and training management information to support policy and training management processes. Categories of policy and training management information that organizations often collect and process include:
- Master data records. This includes data on individuals and their role and history of interaction and communication with policies and training.
- Compliance requirements. Listing of compliance/regulatory requirements that are mapped to policies.
- Policy and training libraries. The indexing and versions of policies and training.
- SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for the policy and training program.
- Exceptions/exemptions. Documentation of exceptions and exemptions that have been requested, granted, and/or denied.
- Forms. The design and layout of information needed for specific policies and related processes.
- Incidents & issues. Record of policy violations and details.
Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. Successful policy and training management information architecture will be able to integrate information across the organization. Successful policy and training management requires a robust and adaptable information architecture. Policies and training come together into a unified employee experience where policies are displayed along with training. Training is more than just playing a video but is interactive, showing employees are behind their desk engaged in the activity and not off to get a coffee. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.
Policy & Training Management Technology Architecture
The policy and training management technology architecture enables and operationalizes the information and process architecture to support the overall policy and training management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right policy and training management architecture enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.
There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
- Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
- Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
- Enterprise policy and training management platform. This can be an enterprise implementation of point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.
The right policy and training technology architecture choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in.
A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility. Some of the core capabilities organizations should consider in a policy and training management platform are:
- Integration. Policy and training management is not a single isolated competency or technology within a company. Policy and training management often requires information from human resources, vendor management systems and other sources to automatically maintain a single record. These applications must integrate with other systems. It needs to integrate well with other technologies and competencies that already exist in the organization – ERP and GRC. So the ability to pull and push data through integration is critical.
- Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. Standardized formats for measuring business impact, risk, and compliance.
- 360° contextual awareness. The organization should have a complete view of what is happening with policies and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals as changing risks and regulations, analysis, and holistic awareness in the context of changing and evolving business environment.
- Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
- Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
- Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
- Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
- Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
- Intuitive interface design. Policy & training management is using leading concepts in interface design to make user experience of applications simpler, easy to navigate, aesthetically appealing, and minimizing complexity.
- Socialization and collaboration. Collaboration and socialization is used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
- Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage policies and training to gain points, accomplish levels, earn badges, and recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity as well as broader corporate HR and collaboration technologies.
- Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management
Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.
GRC 20/20’s Policy & Training Management Research includes:
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
Strategy Perspectives (written best practice research papers):
- Policy Management by Design: A Blueprint for Enterprise Policy & Training Management
- Regulatory Change Management: Effectively Managing Regulatory Change in Financial Services
- Benchmarking Your Policy Management Program
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Solution Perspectives (written evaluations of solutions in the market):
- RegEd CODE™: Enabling an Integrated Compliance Lifecycle
- NAVEX Global’s Agile Code of Conduct
- MetaCompliance: Effectively Managing & Communicating Policies
- HITEC’S PolicyHub: Streamlining Policy Management
Case Studies (written evaluations of specific strategies and implementations within organizations):