Most organizations are waking up to find their policies in complete disarray. Over the years, policy portals have sprung up across the organization. HR has its portal, IT has one, Finance/Accounting has another, Legal/Compliance still another, and it goes on through other departments. Policies look different on each portal, and sometimes they conflict with each other. Policies are stored on different shared drives and now mobile devices. There are out-of-date policies scattered across the organization.

The majority of organizations do not even know what policies they have. At a conference I keynoted, there were 200 attendees in the room. I asked the audience who in the room has a master index of all of their policies across departments and knows what is an official policy . . . only 2 people raised their hands. I was talking to a global bank the other day and they are doing a policy discovery process and found over 1,200 policies in North America alone and have not even finished the discovery in this geography, and they still have to do discovery in other geographies. A large hospital chain that has acquired nearly 30 hospitals over the past two decades panicked when they realized they now have over 18,000 policy and procedure documents across these hospitals.

Policies are critical governance documents. In fact, several organizations I work with call their policy management program their Governance Documents program. They are also risk documents; the very fact an organization has a policy means somebody has identified a risk. They are certainly compliance and control documents. They need to be managed and communicated with care.

Policies also establish a legal duty of care for the organization. A policy can be used against an organization in a lawsuit, legal action, and such. There is a major retailer I have been interacting with that is concerned about this as any store manager (across 1,000s of stores) can open up a word processor and write a document and call it a policy . . . putting a legal duty of care on the retailer. They are working to identify all the official policies of the organization and put them in one policy management system and portal. Anything that is referred to as a policy that is not in the system should be reported. Policy management and communication/awareness records also provide a strong defense for an organization when it should find itself in the boiling waters of legal and regulatory inquiries.

I can go on and on with these stories, and cover many of them in detail in my Policy Management by Design workshops. I am finding many organizations are building enterprise policy management strategies that span departments to manage, communicate, and monitor policies consistently across the organization. Most often this is led by Corporate Compliance & Ethics (sometimes under legal), and at times it is led by Human Resources. These organizations are finding that they need a solution designed and built for managing the lifecycle and communication of policies. I am interacting with five global banks on this topic right now. But it does not stop there: there are interactions/inquiries this past month from insurance, healthcare, retail, manufacturing, life sciences, hospitality, and more looking for policy management solutions. It is not just large organizations; two inquiries this past week have been from organizations with under 1,000 employees.

However, the needs and requirements for a policy management solution vary with these organizations. The needs of a large global organization managing policies across different lines of business and in different languages are not the same as those of a small organization in one geography. The needs of a financial services firm trying to keep policies current with regulatory change (there are 220 regulatory change events in financial services every business day around the world) are different from those of a manufacturer or hospitality firm.

GRC 20/20 has identified just over 100 solutions available in the market that do policy management. Some of these are very narrow and specific (e.g., they just do IT policies, or EH&S policies, or policies in a healthcare environment), some are broad platforms that manage policies as well as other GRC related activities (e.g., risk, incidents, controls), and some are very deep and advanced solutions for policy management.

NOTE: organizations looking for policy management solutions in the market can submit an inquiry to GRC 20/20 to get their questions answered.

GRC 20/20 separates policy management solutions into basic and competitive solutions, but then also distinguishes advanced capabilities that separate solutions in the market.

  • Basic policy management solutions. These are solutions, and there are many of them, that address the workflow and task management of policy management with some basic reporting capabilities. Policies are typically authored outside of the solution in a word processor and attached as a file.
  • Competitive policy management solutions. These are the solutions that come up regularly in RFPs and have stronger capabilities to author policies within the solution itself (e.g., through a built-in editor, or integration with a word processor). They have more advanced reporting capabilities and provide a stronger portal for the publication of policies.

However, what really separates policy management solutions in the market are the advanced capabilities. These include:

  • Collaborative policy authoring and editing. This is coming up frequently with global organizations. They find that the document check-in and check-out slows them down and want that modern collaborative experience that allows multiple people to be authoring, editing, and commenting on the same policy at the same time and to see in real-time the policy changes and edits as they are made by others.
  • Advanced workflow and task management. This is often the ability to define workflow and tasks down to a section/paragraph level to an individual and not just at a document level.
  • Regulatory change management. The ability to map regulations to policies and manage changes to policies as regulations change. The more advanced solutions with this capability will be able to map a section, paragraph, or even ‘clause’ in a regulation to the same in a policy.
  • Global policy management. This is the need to manage policies across different languages. The master policy may be written in one language, but then it has to be written (or updated when being maintained) in several different languages. I worked on an RFP for one global firm managing policies in 8 languages to 160,000 employees. There are other organizations I am working with that manage policies in over 20 languages. This all involves organizational mapping of policies and detailed workflow and task management capabilities.
  • Engaging policy portal. I am finding more and more organizations looking for that next generation policy portal that brings policy and training management together in a unified experience. Organizations are telling me every week that employees can go out to Facebook and watch a YouTube video in Facebook. They do not have to go out to YouTube to watch the video. They want that integrated portal that provides a single point of access to policies and related training. This is particularly important for the millennial generation. They also want mobile policy portals that can be used on phones and tablets, particularly where a tablet can become a policy and training kiosk for employees that do not have computers/laptops.
  • Awareness and communication campaigns. Organizations are looking for the ability to manage communication and awareness campaigns for a policy (or groups of policies), and to define tasks, workflow, and such. A new policy, such as a Code of Conduct, may have been written. In the first month all employees need to read and acknowledge. The second month they have to complete training. The third month the CEO is going to talk about the new policy at the company meeting. The fourth month managers are to bring it up in their staff meetings and document any questions or discussion on it. The fifth month a funny video or some reminder is going to go out. Then we are going to put up posters by the elevators reminding employees of the policy . . . you get the picture. Each of these involves defining the campaign activities and assigning workflow and tasks to individuals.
  • Integration with business systems. This is where organizations want to be able to integrate their policy management system with their HR systems, so new employees or those that change job roles/departments can be automatically sent the new policies and related training for their new role/function. I have worked with one life sciences company whose master employee record list came from their policy management system and not their HR systems, as they had seven different HR systems and it was the policy management system that connected to each one every night to gather the employee lists and identify changes to communicate policies and training. Another global high-tech firm integrated their policy and training platform with their login and access systems. If an employee was behind on critical policy training they would go to log in to their computer and find that all they could access was the training. The same thing applies for physical access in an oil refinery and in a chemical manufacturer in a health and safety context.
  • Geo-location monitoring. I have had this asked for a few times, in which an employee's smartphone will pick up a location change and communicate to an employee policies and other things they need to know when entering a facility (perhaps in a different country) that they had not been to before.

These are some of the advanced capabilities that I am encountering regularly. If you are looking for or evaluating policy management solutions, feel free to ask an inquiry of GRC 20/20.

Here are some policy management resources and events you should be aware of:

Policy Management by Design Workshops



Published/Recorded GRC 20/20 Research
