The organization requires a policy and training management architecture that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy and training management architecture enables better performance, less expense, and more flexibility. Core technology capabilities to consider a policy management program are the ability to:
- Provide a consistent policy management framework for the entire enterprise instead of each department implementing its own policy management system.
- Manage the policy lifecycle throughout creation, communication, assessment, monitoring, tracking, maintenance, revision, archiving, and record keeping.
- Train individuals on what is required of them through links to learning systems, modules, quizzing, and attestation.
- Provide easy access to policy and communicate policy in the language of the reader, as well as to the differently abled.
- Gather and track edits and comments to policies as they are developed or revised.
- Map policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of GRC.
- Provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
- Provide a user-friendly portal for policies in the environment with workflow, content management, and integration requirements necessary for policy management.
- Provide a calendar view to see the policies being communicated to various areas of the business, and ensure policy communications do not burden the business with too many tasks in any given month.
- Provide links to hotlines for reporting policy violations.
- Publish access to additional resources such as helplines and FAQs.
- Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what they need to understand.
- Create categories of metadata to store within policies and display documents by category so policies are easily catalogued and accessed.
- Restrict access and rights to policy documents so (a) readers cannot change them, and (b) sensitive documents are not accessible to those who do not need to see them.
- Keep a record of all the versions and histories of each policy so the organization can refer to them when there is an incident or issue they must defend themselves against or provide evidence for.
- Maintain accountable workflows to allow certain people to approve policy documents and move tasks to others with full audit trails.
- Deliver comprehensive reporting with an extensive depth and breadth of reports.
GRC 20/20’s Final Perspective . . .
Effective policy and training management is about delivering value, integration, and alignment of strategy, process, information, and technology throughout the organization in the context of GRC. Organizations need to deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into policies and training that are interactive, engaging, and social. Policy and training solutions need to instruct, inform, and be easy to use at all levels. It engages employees in policies and training without leaving them overwhelmed and confused. It is an integration of policy and training information, processes, and systems to engage employees and agents at all levels of the organization.
- Getting questions answered. Employees need to be able to ask questions and get them answered. This means that policy and training management processes and architecture should provide contextually relevant information as well as pathways to get questions answered.
- Provide two-way communication. Employees not only need to be able to ask questions and get them answered, they also come up with ideas and ways to improve policies and training. Perhaps it is an idea on a new initiative related to corporate values, to report a new risk, or make a control more efficient.
- Sharing information. Getting employees engaged is about sharing information, like the ability to like a training initiative and share it with others in the organization. This allows the organization to see what works and keeps employees engaged. It allows a way for employees to share information they find relevant and interesting. It provides feedback into what does not work.
- Connecting the dots through collaboration. Often elements of policies and training are done in ways that are not ultimately effective. A common problem is individuals often modify responses based on what they think people want to hear. This cognitive and behavioral bias has an impact on the accuracy of the results. Policy and training processes and architecture should bypass stakeholder interests by using technology to engage individuals in an environment in which to express true opinion, without fear of consequences. Social and collaborative technologies provide a way for individuals in a workshop to anonymously enter thoughts and opinions to captures unbiased information that builds toward stronger discussions and deeper analysis.
In the end, effective policy and training management is about delivering policy and training that minimizes the perception of getting in the way of business and instead becoming a part of business and the culture of the organization. There is an element to policies that will always be inhibitive, but the right approach overcomes this by delivering engaging user experiences that align with the needs of employees, integrates with organization architecture and systems, and delivers relevant content when needed wherever it is needed.
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management
- Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
- Policy Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
- Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.
GRC 20/20’s Policy & Training Management Research includes . . .
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
Strategy Perspectives (written best practice research papers):
- Policy Management by Design: A Blueprint for Enterprise Policy & Training Management
- Regulatory Change Management: Effectively Managing Regulatory Change in Financial Services
- Benchmarking Your Policy Management Program
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Solution Perspectives (written evaluations of solutions in the market):
- RegEd CODE™: Enabling an Integrated Compliance Lifecycle
- NAVEX Global’s Agile Code of Conduct
- MetaCompliance: Effectively Managing & Communicating Policies
- HITEC’S PolicyHub: Streamlining Policy Management
Case Studies (written evaluations of specific strategies and implementations within organizations):