The GRC Pundit

Policy engagement: There is a lot to be said for how technology can make policies easier to find, social, and interactive. In fact, I have been on my soapbox proclaiming next-generation policy and training management for the past decade in which organizations deploy a portal that brings together policies, training, and related resources in one integrated interface that is intuitive and engaging for employees to use. 

Policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorizes other policies to govern the entire organization. These filter down into specific policies for business units, departments, and individual business processes. 

To deliver engaging policy requires a firm foundation. We might be quick to think this foundation is technology itself. No. Technology is important, but the foundation for good policy is a well-written policy. A policy that is clear, void of cluttered language, written in the active voice, and delivers the message. 

The typical organization is a mess when it comes to policies. Policies are scattered across the organization, reside in a variety of formats ranging from printed documents to internal portals and fileshares, are out of date and poorly written. Policy writing that is wordy and confusing is damaging to the corporate image and leads to confusion and misunderstanding, which then costs time and money. Organizations are not positioned to drive desired behaviors or enforce accountability if policies are not clearly written and consistent. 

Well-written and presented policies aid in improving performance, producing predicable outcomes, mitigating compliance risk, and avoiding incidents and loss. Good policy writing and layout: 

• Articulates corporate culture 
• Shows that the organization cares about policy 
• Demonstrates professionalism 
• Avoids expensive misunderstandings 
• Aids those that struggle with reading or do not speak the language natively 
• Provides consistency across policies 

Consider a supply chain code of conduct I was asked to review for a global brand with thousands of suppliers. This code of conduct had long paragraphs that were written in the passive voice and not active voice. It was cluttered with unnecessary and complex language. The audience for this code of conduct is an international audience of whom many did not speak the language of the code of conduct as their native tongue. Further, the first sentence of the first paragraph stated “Company believes …” and the next paragraph began, “Company strongly believes …” Do we have different levels of belief in the code of conduct? 

We are working against ourselves when we deliver such rubbish. As a native English speaker this might be quick to glance over, but for someone that has English as a second language, they will analyze every word and come to the erroneous conclusion that the second paragraph is more important than the first. Organizations are full of individuals who are not native speakers (or in this case readers) of the language policies are written in. We do them a disservice when we write policy that is not clear and to the point. 

Good policy writing is not just about clear and concise language but also about layout and design. How we structure paragraphs and present them in print or digital form matters. 

I have three sons; two are now adults and the third is in his last year of high school. The oldest and youngest do well academically. My middle son is very reliable and can be counted on to get things done but has struggled academically. He is brilliant but has been plagued with a learning disability—dyslexia—his whole life. In educating him, my wife and I tried a variety of options. I remember giving him something to read that was a page of nearly solid text in just a few paragraphs. He struggled to get through it. I then gave him the same text broken out into many paragraphs with plenty of white space between them. His comprehension of the text skyrocketed with the revised version. The text itself did not change, simply the presentation of it. 

When we break policies out into shorter paragraphs and utilize white space it aids in the comprehension of the policy. White space, and in that context design and layout of the policy, is just as important as the actual written words of the policy. 

Critical to the success of policy engagement is a policy style guide. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance to writing policies. It expresses how to use active over passive voice, avoid complicated language and “legalese,” how to write for impact and clarity, use of common terms, how to approach gender in writing, and even internationalization considerations. 

Corporate policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorize other policies to govern the entire organization. Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended. Policy attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must closely manage and monitor policy in place. Policy is a necessary means to clearly define, articulate, and communicate boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy.

Organizations often lack an auditable means of policy maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved supporting the business, including internal employees and third parties.

If policy documentation doesn’t conform to an orderly style and structure, uses more than one set of vocabulary, is located in different places, and don’t offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

GRC 20/20’s Effective Policy Management Benchmark provides a framework for an organization’s approach to policy management to be measured against its peers within industry as well as organizations of similar size and structure across industries. The purpose is to identify whether an organization is Below Parity, at Parity, or Above Parity relative to its peers in the context of policy management.  Where an organization is significantly lacking ability it is ranked Inferior, while an organization that demonstrates outstanding ability is referenced as Best in Class.

The Effective Policy Management Benchmark can be used at a department or enterprise level. The Benchmark comparison is based on GRC 20/20 research and interactions. These interactions include projects, surveys, inquiries, and advisory engagements. The rankings are a guideline and represent GRC 20/20’s opinion and professional experience working with a variety of organizations across industries.

There is not a one-size fits all approach to policy management.  One organization’s approach to policy management will vary from another depending on size, nature of the business, scope of policies, resources, and executive sponsorship of a policy management program.  Care must be given when measuring an organization as many facets need to be taken into consideration.

GRC 20/20’s Effective Policy Management Benchmark synthesizes GRC 20/20 research and analysis of the following six key Policy Management Program components:

1. Governance of Policy Management Program. Policy management program governance comprises the program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
2. MetaPolicy.  The MetaPolicy, often referred to as the “policy on policies,” is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
3. Supporting Policy Management Resources.  Supporting the MetaPolicy, is an array of other resources to build out the policy governance process within an organization.  
4. Policy Management Lifecycle.  The policy management lifecycle is the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced. 
5. Operational Effectiveness of Policy Management Program.  The Operational Effectiveness component of the Effective Policy Management Benchmark addresses how effectively the GPM and policy management lifecycle are implemented and managed across the organization. 
6. Technology Enablement of Policy Management Program. A well-conceived technology strategy for policy management can enable a common policy framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a governance, risk management, and compliance (GRC) technology approach to policy management enables better performance, less expense and more flexibility. 

GRC 20/20 does a number of benchmark projects for organizations.  The Effective Policy Management Benchmark is one among several, others include Effective GRC Management, Effective Risk Management, and Effective Compliance Management Benchmarks.

The latest GRC 20/20 research paper that provides more detail on the Effective Policy Management Benchmark has recently been published and can be accessed at the link below. It is free to access but requires registration on the GRC 20/20 Research website.

ACCESS BENCHMARK RESEARCH

There are also a variety of upcoming webinars GRC 20/20 is presenting on on the topic of Policy Management in August. These include:

• Policy Management, Part 1: When and How to Write a Policy; August 07, 2014 3:00 pm to August 07, 2014 4:00 pm
• Enabling GRC at All Levels of the Organization; August 13, 2014 1:00 pm to August 13, 2014 2:00 pm
• Policy Management, Part 2: Employee Engagement; August 14, 2014 3:00 pm to August 14, 2014 4:00 pm 
• The Next Generation Approach to Policy Management – Enhancing Employee Engagement; August 21, 2014 10:00 am to August 21, 2014 11:00 am
•  Policy Management, Part 3: Stewardship and Maintenance; August 21, 2014 3:00 pm to August 21, 2014 4:00 pm

Risk management is a huge topic these days with organizations looking for solutions to help them manage enterprise and operational risk across the departments and functions. However, there are many risk management technology projects that have failed to meet expectations, have gone over budget, and well past project deadlines.

Why? . . . there are many reasons. 

One is simply that the organization is trying to do too much too fast. They are overly ambitious on what can be achieved in a given time frame. This is particularly true when risk management has been an ad hoc “fly by the seat of our pants” operation (Urban Dictionary: to pilot a plane by feel and instinct rather than by instruments, to proceed or work by feel or instinct without formal guidelines or experience). Many areas of the organization have not thought through risk management and then it is pushed upon them.

Another reason is a failure to align risk with business strategy, objectives, and performance. The ISO 31000:2009 definition of risk is “risk is the effect of uncertainty on objectives.” This might be done well at a project or operational process, but as you rollout enterprise and operational risk technology the organization fails to provide the alignment of risk to business strategy and objectives.

The primary and disastrous failure of risk technology implementations I want to focus on in this post is risk normalization and aggregation. This is something that the major analyst firms leave out of their reviews and ranking of GRC solutions (note: GRC is a broad market and includes the range of risk management technology solutions available).

Risk normalization is simply the ability to compare apples to apples. If one department’s high risk is another department’s low risk this should be evident in risk reporting. Risk aggregation is the ability to take risks from different areas of the business and roll them up into an enterprise view of risk that makes sense. Risk normalization and risk aggregation work hand and hand. To aggregate risks properly requires that the technology have the logic to do risk normalization.

CASE IN POINT: I will never forget a panel I hosted at a GRC conference. On this panel was the Corporate Secretary/Assistant General Counsel for a major financial services brand. This role was responsible for the overall risk and GRC reporting that went to the Board of Directors. He stated to all in attendance that his Board never wants to see a risk report from their __________ GRC platform again (consistently a leader in major analyst reports).  Explaining this further he stated the risk reports were broken and meaningless as one departments high risk was discovered to be another departments low risk and everything globulated to the center on heat maps and made no sense (my view of risk heat maps is that they are often very broken and misused).

If Department A’s risk exposure is $10 million and ranked a high risk and Department B’s risk exposure is $100 million and ranked a medium risk, the overall risk report needs to reflect this accurately.  Organizations run the ‘risk’ that Department A’s risk will be focused on while Department B’s may be overlooked. This is oversimplification, there are many other variables such as frequency, probability/likelihood, velocity, and more to consider as well.

The challenge is that many risk management solutions (including some leading GRC platforms) were developed as a department level solution for risk.  They have a fairly flat view of the world. This leads to two points of risk technology failure in solutions that do not have native approaches for dealing with risk normalization and aggregation:

1. Force everyone into one flat view of risk. This essentially pushes every department and function into the lowest common denominator. All have to manage risk to a common set of criteria and scoring and individual departments lose out in depth and detail they need within their specific context. It limits the ability to get a true department perspective of risk for the sake of enterprise risk reporting that is in turn degraded and can no longer be trusted as departments lose their granularity needed to accurately measure and manage risk to their specific needs. There is a need to measure, model, and analyze risk in different ways in different departments/functions of the organization. The way an organization measures models market risk will be different than how it models health & safety risk.
2. Expensive services engagement to built out. Solutions that do not have risk normalization and aggregation as native features inherent in their technology will address this issue through implementation projects that are expensive and take a lot of time. GRC 20/20 has seen risk/GRC implementation projects that typically span from six months to over two years to rollout. The most common reason is customizing the platform to do risk normalization and aggregation. Then the platform breaks during the next upgrade process because of the behind the scenes customization of logic and rules done to support risk normalization and aggregation. 

BOTTOM LINE: when buying risk/GRC technology solutions that are to do risk reporting across risk areas, make sure that the solution has been designed from the ground up to measure and model risk in the variety of ways different areas need and that the solution supports risk normalization and aggregation without the need for expensive customization and implementation projects. Further, do not assume that a ‘Leader’ in analyst reports actually has addressed risk normalization and aggregation because many of them have not. Failure to consider this may mean expensive implementation projects that take more time than expected, result in broken upgrades, and outright scrapping the platform to move to a different solution. GRC 20/20 has seen it all happen.

I encourage you to share your experience and insight into this issue below.  It is one that GRC 20/20 has encountered several times in the market. Be bold; help other organizations understand this issue and its impact if not considered up front.

If you are considering risk technology to use within your environment, click on the Ask Inquiry button to the right.  GRC 20/20 offers complimentary inquiries to organizations evaluating GRC technology, solutions, and services. We are here to provide you insight into the market to make intelligent choices. GRC 20/20 can give you specific insight into what solutions do what aspects of risk management and GRC well and which do not.