Next-Generation Policy Management: Collaborative Accountability

Written by The GRC Pundit

Published on2020-10-02Updated on2020-10-02Discussion4 Comments on Next-Generation Policy Management: Collaborative Accountability

Policy management is a critical issue for organizations across industries and geographies and various sizes. In a time of chaos and change, organizations must get control of an enterprise’s perspective and control of what policies they have and how they are communicated.

In 2020, I am finding organizations have realized what a mess policies are in their environment. They are out of date, scattered on different portals, sites, and file shares. Policies are in different templates with different writing styles. Most organizations could not even produce a list of what all the official policies are in their organization. In a time of crisis and change, organizations are scrambling to provide consistent policies in a singular portal the reflect the brand and reinforce the culture of the organization. A culture that needs policies and assures individuals that the company is in control and is part of a broader organization when working from home or an office.

One of the key elements I see in RFPs and inquiries for policy management software, particularly among large global organizations, is the need for collaborative accountability in policy authoring, approvals, and maintenance. Let’s break this apart into the two components:

1. Collaborative. Policy management needs to be collaborative. Multiple authors and subject matter experts provide input into policies and various regional/jurisdictional impacts of policies. Organizations want a collaborative policy authoring environment where multiple people can be working on the same policy at the same time. I can be writing the new conduct policy here in the USA, and someone else can be making edits, contributions, and comments in Singapore, and someone else can in London . . . all at the same time. What no longer works for organizations is document check-in and check-out where new or updated policies take 6 months to write and get approvals. In a time of continuous business, risk, and regulatory change, this needs to be brought to a few weeks to keep the organization agile, in control, and out of the hot waters of regulatory and legal actions. One business case I was recently advising on found that one recent policy went through 70 different reviewers, subject matter experts, and approvers. This took months and months to complete in a linear document check-in and check-out approach. Their business case is collapse this to weeks with a collaborative approach where everyone can access, comment, and edit the policy simultaneously.
2. Accountability. Policy management needs accountability. There needs to be a complete system of record and audit trail on who did what and when to a policy. Not at the document level, but down to the section, paragraph, clause, or event word level. Full traceability of who authored, who edited, what was modified. This is supported by workflow and task to that same section or clause level, not just the document level. Perhaps I am the primary policy author of the new anti-money laundering policy. But I want to assign a task and action item to someone in Australia to review a specific wording and paragraph to ensure it meets local regulatory requirements there. I need to assign that task not just to the document, but to the exact portion of the policy I need them to look at and approve. There needs to full accountability and traceability of policy authoring, edits, comments, and actions.

Collaborative accountability in policy management goes hand in hand. They are a symbiotic relationship that supports each other. Greater collaboration requires greater accountability.

This is causing a lot of change in the policy management technology world. Many older legacy solutions allow you only to attach policy documents. Some allow for a policy authoring environment but limit you to a linear approach with document check-in and check-out that takes months to write or update a policy. Newer solutions enable collaborative accountability authoring environments that bring policy development from several months to less than a month. Collaborative accountability delivers greater efficiency (e.g., time), effectiveness, and agility to policy management.

However, the handful of solutions that are offering collaborative accountability are not all created equal. Some do this natively with the most robust features and value. Others are parading an integration with other platforms such as Office365 or GoogleDocs that limit the collaborative accountability benefits, particularly as they are not purpose-built for policy management.

Some important things to consider are:

• Policy specific workflows and tasks. You want a solution that automates notifications that engage stakeholders to perform required tasks, actions, reviews, edits, comments, contributions, and approvals to the actual section, paragraph, or clause level. To point where they need to focus in the document with audit trails down to that level.
• Full audit and versioning. You want to see all collaboration across the entire history of versions of the same document down to that section and clause level. Some jimmy-rigged solutions that integrate with Office365 do not give you full visibility into the audit trail unless you download a local copy to your locally installed software, causing issues.
• Gap analysis. You want to ensure that the entire organization has a full view of policies and evidence of policies for compliance to provide assurances that policies are sufficient, non-contradicting, and integrate and are mapped to processes.
• Mapping. Part of this requires that the organization can map documents and even sections/clauses of policies to other policies as well as to regulations. When one changes, it can trigger changes and review in related items.
• Master language. You also should look for the capability to define master language elements. So if I have a clause in a policy, and I edit it, it can be reflected in other documents that reference or use that same language. Consider a Code of Conduct. You may have a statement on discrimination/racism that appears in the Code of Conduct, and if you change it you want that language changed in any associated policies that use that same language such as the discrimination policy itself, as well as procedures, manuals, and such.
• Security. Another important consideration is the security of your environment. One global firm that I helped with their RFP left a solution leveraging Office365/Sharepoint as they found security bugs that exposed their data and users in the integration with the policy management software leveraging it.

These are some considerations among many features and requirements I am advising on in enterprise policy management RFPs. I will be talking in detail on these and other elements of policy and compliance management in these upcoming webinars:

October 6 @ 10:00 am – 11:00 am CDT  – THE FUTURE OF COMPLIANCE IS DIGITAL, CONNECTED & AUTOMATED

• Industry experts come together online for a 30mins discussion on the future of compliance Between March and April 2020, businesses had 3,000 regulatory updates to deal with. But the compliance workload was huge even before the Covid-19 pandemic. In 2019, businesses received 200 regulatory updates a day, compared to just 10 a day in 2004. […]THU15

October 15 @ 10:00 am – 11:00 am CDT – DOJ GUIDANCE AND THE COMPELLING NEED FOR AN INTEGRATED COMPLIANCE PROGRAM

• Compliance and ethics programs are rapidly evolving. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point in time evaluations, but one that is built on a common strategy, […]