Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures.
In GRC 20/20’s recent workshop Policy Management by Design (Workiva hosted), attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs.
Here are three of the top takeaways from the Policy Management by Design Workshop.
1. Policy management affects organizations of all sizes
The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:
- Updating policies is a reactive process rather than proactive, meaning policies are often outdated
- Searching for policies is difficult without a cross-organizational master index
- Ownership and enforcement are insufficient
- Version control is not available and understanding what changed in the event of an audit is problematic
- Visibility into how policies link to other internal control frameworks is limited
- Measurement of policy effectiveness is inadequate or unavailable
2. Policy management can be like a “choose your own adventure”
A key part of the discussion revolved around how the creation, review, and update of policies is like a “choose your own adventure,” as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.
3. Consistency, consistency, consistency
Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:
- Consistent user experience (UX): The number one criterion attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
- Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weaken buy-in and generate mistrust across the organization.
- Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.
What should you look for in a policy management technology?
Evaluating policy management options can be daunting. Rasmussen suggested looking for solutions that are proven to streamline the process of policy drafting, document management, and distribution across the team.
Rasmussen recommended comparing the following criteria when selecting a policy management solution:
- Ease of use and intuitiveness
- Defensible system of record with a precise, electronic record of who changed what policy, how, and when
- Access to a master index of all policies
- Ability to cross-reference linking to other policies
- Ability to link policy information across documents, spreadsheets, and presentations
- Tools for policy review and attestation workflow and tasking
- Survey capabilities
Continuing the conversation on governance, risk, and compliance
The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces.
This post was originally published by Workiva.