Many of you have closely followed my commentary over the past few years on Effective Policy Management and its role in a broader GRC architecture. It is apparent that I am an advocate for technology to manage policies. Document-centric approaches fail: when we manage policies in word processors and distribute them by email or on intranet sites, we quickly lose control.
The fact is that organizations struggle with out-of-date policies. As soon as I make a policy revision and distribute it, there are still perhaps hundreds (depending on organization size) of copies of the old policy scattered across file shares, email inboxes, local hard drives, mobile/tablet devices, SharePoint sites, etc.
What is worse is that any employee (or worse yet, a business partner such as a contractor) can create a document and call it a policy. This puts the organization at risk. Policies can establish a duty of care to the organization. Rogue policies that are not officially approved/authorized may throw the doors of liability and legal exposure wide open to the organization.
Organizations need better technology to effectively manage the development, distribution, communication, and maintenance of policies throughout the enterprise. Technology is enhanced when the organization has standard templates and a standard development/lifecycle process for policy management. Any employee should be able to open a policy and validate that it is an official policy by comparing it to the current official version on the centralized policy management portal. They should be able to tell that it is an official policy by the template it is in and by the fact that it is properly catalogued.
Further, to defend the organization we need audit trails on who interacted with any specific policy. Organizations need audit trails around interactions with policy – who read/accessed it, when they accessed it, where they accessed it, how often they accessed it – to defend themselves in the current legal/regulatory climate. Want proof? Consider the Morgan Stanley FCPA case in 2012, when it was the first company in 35 years of FCPA history to not be prosecuted. If you read the DoJ/SEC press release you will find that Morgan Stanley maintained its policies (kept them current) and could defend its compliance program by showing how many times Mr. Peterson in its Asian real-estate business was communicated a policy, reminded of one, trained on it, etc.
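As an added illustration (not code from GRC 20/20 or from any policy management vendor), the following Python sketch covers the two capabilities just described: a hash-based check that a document in circulation matches the current official version rather than a stale or edited copy, and an append-only audit trail that can answer who was communicated a policy, when, where, and how often. The policy text, user identifiers, and access events are constructed for the example.

```python
"""Constructed policy registry: version verification plus an access audit trail.
Added illustration; this is not code from GRC 20/20 or any policy management vendor."""

import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field


def canonical_digest(text: str) -> str:
    """SHA-256 of the policy text after collapsing whitespace, so a copy saved with
    different line endings or trailing spaces still matches the official version."""
    normalised = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass
class PolicyRegistry:
    """The 'centralized policy management portal': the only place approved versions live."""

    # policy_id -> [(version, digest), ...]; the last entry is the current official version
    versions: dict = field(default_factory=dict)
    # append-only audit trail of who interacted with which policy, when, where and how
    audit_log: list = field(default_factory=list)

    def publish(self, policy_id: str, version: str, text: str) -> str:
        """Approve a new version of a policy; returns its digest."""
        digest = canonical_digest(text)
        self.versions.setdefault(policy_id, []).append((version, digest))
        return digest

    def verify_copy(self, policy_id: str, text: str) -> str:
        """Classify a document someone presents as policy `policy_id`:
        'current'    - identical to the official current version
        'superseded' - matches an older approved version (stale copy still in circulation)
        'unapproved' - matches no approved version (edited copy, or a rogue 'policy')"""
        history = self.versions.get(policy_id, [])
        if not history:
            return "unapproved"
        digest = canonical_digest(text)
        if digest == history[-1][1]:
            return "current"
        if any(d == digest for _, d in history[:-1]):
            return "superseded"
        return "unapproved"

    def record(self, user: str, policy_id: str, action: str, when: str, where: str) -> None:
        """Append one interaction (`when` as an ISO-8601 date so string order is time order)."""
        self.audit_log.append(
            {"user": user, "policy_id": policy_id, "action": action, "when": when, "where": where}
        )

    def interactions(self, user: str, policy_id: str) -> dict:
        """Summarise one person's history with one policy: the evidence needed to show
        how many times they were communicated, reminded of, or trained on it."""
        events = [e for e in self.audit_log if e["user"] == user and e["policy_id"] == policy_id]
        return {
            "count": len(events),
            "by_action": dict(Counter(e["action"] for e in events)),
            "first": min((e["when"] for e in events), default=None),
            "last": max((e["when"] for e in events), default=None),
            "channels": sorted({e["where"] for e in events}),
        }


# Constructed sample data (not real policy text, not real people).
POLICY_V1 = "Gifts and entertainment for government officials require pre-approval."
POLICY_V2 = "Gifts and entertainment for government officials require written pre-approval from Compliance."


def build_demo_registry() -> PolicyRegistry:
    """Two approved versions of one policy plus a handful of constructed interactions."""
    reg = PolicyRegistry()
    reg.publish("anti-corruption", "1.0", POLICY_V1)
    reg.publish("anti-corruption", "2.0", POLICY_V2)
    reg.record("user123", "anti-corruption", "communicated", "2011-03-01", "email")
    reg.record("user123", "anti-corruption", "attested", "2011-03-04", "portal")
    reg.record("user123", "anti-corruption", "trained", "2011-09-15", "lms")
    reg.record("user123", "anti-corruption", "reminded", "2012-01-10", "portal")
    reg.record("user456", "anti-corruption", "communicated", "2011-03-01", "email")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    for label, copy in [("portal copy", POLICY_V2), ("old file-share copy", POLICY_V1),
                        ("edited copy", POLICY_V2.replace("written ", ""))]:
        print(f"{label}: {reg.verify_copy('anti-corruption', copy)}")
    print(reg.interactions("user123", "anti-corruption"))
```

The whitespace normalisation in `canonical_digest` is deliberate: a copy that differs only in line endings should still verify as official, while any change to the wording, however small, drops it to "unapproved". In a real deployment the registry and the audit log would live in the portal's database with their own access controls, since the audit trail is only worth something in a dispute if it cannot be edited after the fact.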
How does an organization go about selecting a policy management solution? Should they build one in house on tools such as SharePoint? Should they purchase a policy management solution built on SharePoint? What about stand-alone policy management software? What value do these offerings bring that a SharePoint implementation cannot achieve? When does an enterprise GRC platform make sense that can cross-reference policies to issues, investigations, risks, controls, and even regulatory change management to manage policies when regulations change?
GRC 20/20 Research tracks approximately sixty different solution providers in the policy management space. These are among the more than 500 solution providers in the broad GRC market and its various market segments. Some of these solutions are what is understood as an enterprise GRC platform, where policy management is one module/app integrated with a series of others to provide insight and intelligence across policies and broader GRC. Other solutions are policy management pure-plays that focus exclusively (or nearly so) on policy management. Still others are solutions built upon content management systems such as SharePoint.
How does an organization make sense of all this? It can be challenging.
GRC 20/20 Research is happy to interact with any organization looking for solutions in the GRC space – and in this context, policy management solutions. For organizations evaluating or implementing solutions, this ranges from half-hour email or phone inquiries to discuss the market, the players in it, and what differentiates them, up to deeper engagements. GRC 20/20 provides open access to our research analysts to any organization looking to purchase GRC technologies. If deeper help is needed, GRC 20/20 can be engaged on projects to help you develop or customize your organization’s RFP and select the right vendors to evaluate based on your organization’s size, locations, industry, and other demographics. Every solution provider has its strengths and weaknesses – you need to end up with the one that best fits your business.
Some additional things to consider:
- Later in February, GRC 20/20 Research will be releasing two market research reports. One will be a GRC 20/20 Market Landscape: Policy Management Solutions that defines the market, its size, growth/direction, drivers, trends, and key players. The other will be a GRC 20/20 Buyer Perspective: Selection Criteria for Policy Management Solutions, focused on helping organizations develop RFPs for policy management solutions.
- My Effective Policy Management Lifecycle and workshops have been very popular – and I continue to deliver them in public and private formats. The eBook combining my commentary and work with OCEG, Compliance Week, and several solution providers is also available for download. The OCEG GRC Policy Management Illustrated series is contained in the eBook.
- GRC 20/20 is proud to announce that Lisa Hill is now a contributing analyst of GRC 20/20 Research. Lisa is the former policy manager at VISA – and has built one of the most mature approaches to policy management process and lifecycle that I have encountered. She has her own consulting business, PolicyScape, that works directly with organizations to help them define and build their policy management process. As a contributing analyst, she works through GRC 20/20 Research as an analyst in the GRC technology market to assist with GRC/policy technology RFPs, deliver GRC 20/20 policy training, and assist solution providers in their strategies.
- I chair the OCEG Policy Management Group. While some collaboration started in 2012, the group (comprised of policy managers and others interested in policy management) is ready to fully launch with activities later in February. OCEG has established a collaboration management platform that we will be utilizing to develop the OCEG policy management guide; to provide templates for a style guide and a policy on writing policies; and to build a library of policies contributed by members. Further, we will be working on a Policy Manager certification to help establish this critical role in organizations. If you are interested in this group, please contact me.
GRC 20/20 is providing the following (paid) research webinar on this topic: Policy Management Market Landscape & Selection Criteria. This is a one-hour webinar to lay out the policy management market size, players, differentiators, and direction. We will also explore the core selection criteria organizations should consider when purchasing a policy management solution. While the webinar does not go into specific comparisons of individual vendors, we will present a model that characterizes the market into basic, mature, and advanced offerings.