Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed.
The haphazard department- and document-centric approaches to policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.
Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization, backed by real-time information about policy conformance and how it impacts the organization. The policy and training management strategy and policy are supported and made operational through the policy and training management technology. The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third-party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.
Policy and training management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.
There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active policy communication and training.
- Department-specific point solutions. This is the implementation of a number of point solutions that are deployed and purpose-built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
- Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems often can integrate with other systems to provide broader context of GRC and business intelligence.
- Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, risks which policies govern, obligations such as regulations that mandate policies, and controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage than dedicated policy solutions.
The right policy and training technology choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which business operates.
A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.
Some of the core capabilities organizations should consider in a policy and training management platform will be covered in this week's live Research Briefing (which will be recorded and available on-demand):
GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies:
This same topic will be explored deeply in an interactive workshop in Houston on May 30th: