Policy Communication in a YouTube Generation

So you wrote a policy—now what? Policies are only effective if you can show that they have been communicated and understood. Having a written policy that nobody knows about is just like having no policy at all. You cannot hold people accountable to a policy until you have made them aware of it. Unfortunately, many organizations have scattered approaches to publishing and communicating policies.

I am on a mission to refocus organizations on how they approach policy management and communication. Not only are businesses failing in consistent and effective policy development and management, they are also behind the times in how they can communicate policies.

The written policy will always be critical, as it explicitly defines in writing what is allowed and disallowed. The difficulty is that the written policy document, while necessary, is no longer good enough. We work and live in a YouTube world. Video and interactive content have become critical to every function of the world around us. Much to my disappointment, people do not read as much as they used to. This is complicated by the fact that organizations have employees with varying learning levels and abilities. One of my own sons has struggled with dyslexia throughout his childhood; he is a hard worker but struggles to read.

Question to ponder: How do we ‘effectively’ communicate policies in a world where video and interactive content have become the preference of individuals? In other words, how do we communicate policies to a generation of workers that has been raised on YouTube and interactive content?

We have to make sure policies are communicated and understood. This requires that certain policies have training and interactive learning to ensure individuals understand them. Surveys and testing are an integral part of training, validating that policies are understood. Other mechanisms for communication include comedy, e-mail reminders, mentions at company meetings, policy-related learning activities, and other media. Policies do not have to be boring written documents—they can be written actively and use interactive learning to engage the audience. Even a written document itself can be engaging to read. Proof point: search for Google’s Code of Conduct; it is well written and engaging. Combine this with interactive learning to deliver the message and you have a powerful mechanism to guide behavior in the organization.

Effective policy communication requires that the organization have an easy-to-use and accessible means of communicating policies and training individuals on them. This includes the following capabilities:

  1. Any employee (across geographies and abilities) is able to log into a centralized policy system and find all of the policies that relate to their role in the organization.
  2. Policies are written clearly in a consistent template and style that reflects the culture and tone of the organization, in a way that the average reader can understand (use active voice, remove cluttered language, aim for an 8th grade reading level).
  3. Tasks for training on or acceptance of a policy are clearly communicated, and it is apparent how to ask for clarification if the individual has questions about a policy.
  4. Critical policies have a video or interactive component in which the policy is explained to the individual. The goal is to leverage interactive content to engage the employee on how to comply with the policy.

A closing comment: Effective policy communication is a critical component of a strong compliance program. In the Morgan Stanley bribery incident, the U.S. Department of Justice stated that Morgan Stanley had a strong compliance program and was not pursuing further action against the company itself. Part of what Morgan Stanley was able to demonstrate was how often policies and training were completed by employees.

My point is simple—we need the written document, but we also need to make sure people understand it. Let’s not make this a burden for employees. Write clear policies that are accessible and easy to read, and provide the relevant training and interaction to make sure they are understood.

Download the latest GRC Policy Illustration and Roundtable on this topic.

There is an upcoming webinar on this topic this week on October 25th:

This fourth installment in the Policy Management webinar series addresses best practices for distributing policies and determining when and how to provide training. We often think that once a policy has been formally issued the job is done, but that is far from the truth. Properly communicating about the availability of the policy is only the start. Join our panel of experts for a roundtable discussion of the challenges, best practices, and benefits of a well-thought-out policy communication plan.


Maintaining Policies and Keeping Them Relevant

The webinar on policy management addresses a common flaw – the failure to properly maintain policies once issued. Every policy should go into a periodic review to ensure it remains accurate and necessary. And given the number of policies in most organizations, and the numerous factors that may give rise to a need for change, this is not as simple as it sounds. Join our panel of experts for a roundtable discussion of the challenges, best practices, and benefits of a defined system for policy maintenance.

Learning Objectives:

  • Establish the key steps in policy maintenance
  • Define pathways for receipt of information
  • Determine meaningful metrics
  • Understand value of history and audit trails for defense

Measuring Policy Compliance and Metrics

This webinar looks at the critical issue of ensuring policy adherence, compliance, and metrics for managing policies. Attendees will learn the challenges, best practices, and benefits of a measurable and trackable system for policy enforcement.

Learning Objectives:

  • Understand monitoring and validation of compliance to policies
  • Define methods for compliance metrics and assessments
  • Determine how to manage exceptions

Increasing Compliance Effectiveness, Efficiency, and Agility with Technology

Compliance obligations and risk to the business are like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten the organization. Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric, siloed applications and manual processes for GRC fail to actively manage compliance in context and leave the organization blind to the intricate relationships of compliance and risk across the business. Without an integrated view of risk and compliance information, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk. In a mature GRC program, the organization has an integrated process, information, and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.

To address these issues, leading organizations have adopted a common framework, information and technology architecture with shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment. Business today requires a common GRC architecture that is context-driven and adaptable to a dynamic and changing business environment.

Effective Policy Awareness and Training

This webinar explores the best practices for distributing policies and determining when and how to provide training. We often think that once a policy has been formally issued the job is done, but that is far from the truth. Properly communicating about the availability of the policy is only the start. Attendees will learn the challenges, best practices, and benefits of a well-thought-out policy communication plan.

Learning Objectives:

  • Define the key parts of a policy communication plan
  • Identify methods for tracking and delivering training and attestations
  • Determine ways to enable employee access to policies and related materials

Rethinking GRC: Analyst Rant, Gartner's 2012 EGRC Magic Quadrant

Yes, the latest Gartner EGRC Magic Quadrant is out and I am left questioning what value it provides. My first impression is that it is best for the compost pile, to be used as fertilizer for the garden next spring, and not used in organizations that may rely on it to make misinformed GRC technology decisions.

NOTE: this rant is not a reflection on individual vendors in the EGRC Magic Quadrant. Though I have issues with how some vendors are represented and placed (good night, one in the leaders quadrant almost never comes up in RFPs), my rant is about Gartner’s flawed understanding of the market and broken process for doing Magic Quadrants. If you want my analysis of individual vendors, then send me an email or give me a call.

For historical purposes, I first defined and modeled the GRC (governance, risk management, and compliance) market back in February 2002 while at Giga Information Group, soon to be acquired by Forrester Research, Inc. I published the first two Forrester Waves on GRC. What is important to note is that the 2nd Wave had four different Wave graphics, as the market was too complex to represent in a single graphic that compared vendors with integrity. Some solutions were stronger in audit, others stronger in risk, while others were stronger in compliance. The market has only grown more distributed and complex. In fairness to Gartner, they recognize this and reference doing a MarketScope next year instead of a Magic Quadrant.

My single greatest issue with the 2012 Gartner EGRC Magic Quadrant is that the Magic Quadrant is very much as it states – MAGIC. There is no transparency or clarity on how vendors are scored. It is as if Gartner has a giant Magic Quadrant dartboard and hurls a vendor dart against it to see where it lands – yes, there is some aim involved, but it is not really precise or objective.

The current Magic Quadrant is a mile wide and an inch deep. I am left asking the question – what practical purpose does it serve? Right now the graphic itself is misleading. Those in the upper right quadrant – the leaders quadrant – are often short-listed for RFPs/RFIs, but others get very little to no attention even though some have outstanding capabilities and can compete feature for feature with the Leaders. Then there are those that are not even in the Magic Quadrant that have excellent capabilities, but perhaps they do not have the right revenue or are only operating in a single geography.

The truth is, the MQ does not really help you identify and select GRC vendors that are the right fit for your business.

  • If your need is audit – how do you get a detailed comparison of the audit management features of workpaper management, calendaring, audit planning/scheduling, and offline audit capabilities?
  • If your need is compliance – how do you get an understanding of which vendors have the best content, can manage policies and investigations, track regulations, and conduct assessments?
  • If your need is risk management – which vendors support your risk analytics needs? Some just do heat maps; others do scenario modeling, bow-tie analysis, and Monte Carlo simulations. Are the risk management features built for risk management at a department level, or can they scale because they have risk normalization and aggregation capabilities?
  • If you need policy management – which vendors support versioning of policies and content management? Which have integrated learning management systems to deliver courses, and which make you work with external systems?
  • If you need regulatory change management – which vendors integrate with content providers for regulatory content? Do they truly integrate, or do they just take in RSS feeds? What content do they have in the system itself? How can this content be effectively mapped to policies and other items in the GRC system? Is this mapping at a document level, or can you map statements or paragraphs across documents?

Even basic information such as deployment models – on-premise, hosted, software as a service – is not transparent in the MQ, at least not consistently. There are gems of insight that can be gathered from the summaries of the vendors, but what you learn about one vendor you have no way to objectively compare to another vendor, as it is not discussed or measured for the other vendor.

If your need is compliance management (or specific issues of compliance like anti-bribery and corruption), I can tell you how one of the vendors in the challengers quadrant can run circles around nearly everyone in the leaders quadrant. Though if you wanted to do offline audits, this vendor should not be in your RFP. If you want deep functionality in risk management, the same vendor will not perform, whereas others in the visionaries quadrant excel at risk management and in many cases do it better than those in the leaders quadrant.

I had one major financial services firm tell me that they never want to see a heat map again, as their GRC vendor in the leaders quadrant could not aggregate and normalize risk data properly: it was built as a departmental risk solution and was flawed (in the release they were using) at proper risk normalization and aggregation.

Friends, the Gartner EGRC Magic Quadrant does not give you the objective detail you need to make informed decisions on the vendors to engage in an RFP/RFI, let alone acquire. It gives you little quips, but not the detail to save you time and money on an RFP/RFI. In fact, several times this year I have been engaged by organizations after they went through the RFP process using vendors that performed well in last year’s EGRC MQ. Only after spending a lot of time and effort did they realize that the vendors they looked at were too expensive, did not serve their industry, or did not have the capabilities they needed.

If Gartner made public their criteria and grading scale, then users could dig into the details and see how vendors scored on individual criteria. If a vendor is not on the MQ, then the same criteria can be used to evaluate other vendors objectively. Forrester discloses their criteria. You can download an entire spreadsheet of everything Forrester evaluated, how each vendor scored on each item, and what the scale was to score the vendor. Gartner has never provided anything like this, so we are left with a lot of subjectivity instead of objectivity. The issue is that any organization’s understanding of and need for a GRC solution varies from others’. What Gartner has produced is absolutely useless in helping an organization select a vendor for an RFP, as these solutions vary greatly in depth and breadth and there are major areas of functionality that are not revealed objectively in the MQ.

Gartner has a script and gives a vendor a short time period to demo their GRC product to Gartner. They do not allow you to go off script – I have heard this from multiple vendors frustrated with the process. A vendor may have an absolutely amazing differentiator, but if it is off script you have to kick and scream to get even passing attention. In other words, Gartner has their rigid view of the GRC capabilities of EGRC vendors, and if you approach it differently then you are outside their myopic vision.

I also take issue with how Gartner defines and presents the GRC market. While they give lip service to a lot of areas of GRC throughout the document, they assume that an EGRC platform is comprised of only the four categories of risk management, audit management, compliance and policy management, and regulatory change management. I see a much broader definition of the GRC market and define it across 29 categories: 9 categories being components of enterprise GRC that span across the business and 21 categories being role/function-specific GRC areas. GRC is a broad market – a macro market – comprised of many micro markets. EGRC puts several of these micro market segments together into an integrated technology and information architecture platform. There is not a single vendor that can bring all the components of GRC to your organization.

Gartner states that there are many businesses implementing a single EGRC platform. My market research tells me that in 80% of the buying activity in GRC, the buying organization is trying to solve specific problems. Less than 20% have an EGRC strategy, but even those have multiple vendors. I would state that it is less than 5% that are truly trying to consolidate on one platform. In fact, one large retailer I spoke to a month back stated they have four GRC platforms (in this case Archer, SAP, SAS, and Enviance). A defense contractor at the same event stated they had all those platforms plus two more (Thomson Reuters and MetricStream). A financial services firm I have worked with has four different GRC vendors in their environment (Archer, SAI Global, Mitratech, and Wolters Kluwer).

What it means (a term Forrester uses in their research reports): If you are looking for an objective understanding of how vendors stack up to each other, the Forrester Wave process is much better than the Gartner MQ (though Forrester does not consistently update the GRC Wave, so organizations are often left with out-of-date comparisons). The MQ is fit for the compost pile. However, what is really needed is objective comparisons that go deeper than either the Forrester Wave or the Gartner MQ. If you need audit functionality – here is how the vendors stack up on audit features (objective and open, not hidden). If you need compliance – here is a detailed comparison of how the vendors compare on compliance features. If you want to know which vendors support which type of risk modeling – here is a comparison. That is the vision I am aiming for. Objective, open, and straightforward comparisons of feature areas of GRC so organizations do not waste time and money on the vendors they look at. If you have core requirements that are essential, you should be able to mark those requirements and find which vendors support those features.


Accountability and Consistency in Policy Development

In my experience, policy management processes are in disarray when operating autonomously, introducing risk in today’s complex, dynamic, and distributed business environment. The typical organization lacks a structured means of policy development and governance with an inconsistent maze of templates and processes. Inconsistency in policy management means processes, partners, employees, and systems that behave like leaves blowing in the wind. Organizations struggle with policies that are out-of-date, ineffective, and not aligned to business needs. Policy inconsistency opens the doors of liability, as an organization may be held accountable for policy that is not appropriate or complied with.

Organizations require a consistent governance process to develop and maintain policies and procedures. Policies articulate culture, establish a duty of care, define expectations for behavior, and establish how the organization is going to comply with obligations. Accountability in policy governance is made possible by three policy governance functions:

  1. Policy Lifecycle Management. Policy Lifecycle Management is the process of managing and maintaining policies throughout their effective use within the organization. Implementation of Policy Lifecycle Management requires process and technology that is rich in content, workflow, process, and task management with a robust audit trail.
  2. Policy Management Committee. The Policy Management Committee governs the oversight and guidance of policies to ensure policy collaboration across the enterprise and provide the structure and connective tissue to coordinate and drive consistency. It is comprised of team members that represent the best interest and expertise of the different parts of the organization.
  3. Policy Manager. An individual should be assigned to the role of Policy Manager to assure accountability across the policy lifecycle to the standards, style, and process defined by the Policy Management Committee.

Critical to the success of policy governance is a “policy on writing policies” supported by a policy style guide and templates. Organizations are not positioned to drive desired behaviors or enforce accountability if policies are not consistent. Policy writing that is wordy and confusing is damaging to the corporate image and costs time and money. Every organization should have a structure in place to provide for clear and consistent policies. A significant shortcoming in policy management is the failure to define a policy style guide. A style guide for policies defines standardized:

  • Taxonomy. Policies are to have a logical relationship to each other following a hierarchical categorization taxonomy.
  • Format. Policies are to have a consistent look and feel. Anyone should be able to see a policy and recognize that it is a corporate policy by the consistent format.
  • Structure. Related to format, policies are to have a consistent structured arrangement of the headings/sections.
  • Language. Policies are to have consistent language. Good policies are written in the active voice and easy to read.
  • Definitions. Terms used in policies are to be used consistently across the organization with a common understanding of what they mean.
  • Process. The style guide should outline roles and responsibilities for writing, editing, and approving policies.

Policy lifecycle management that addresses accountability brings integrity and value to policy management. It provides accountability to policy management processes that are often scattered across the organization. It enables policy management to work in harmony across organization functions, delivering efficiency, effectiveness, and agility. Well-governed and well-written policies aid in improving performance, producing predictable outcomes, mitigating compliance risk, and avoiding incidents and loss.

I look forward to hearing your thoughts on the policy development and approval process . . .

This post is part of a broader roundtable and GRC Policy Illustration that was published by Compliance Week and hosted by OCEG. The full piece can be accessed at: Policy Development and Approval

There is also a webinar on this topic and illustration on October 4, 2012.

Rethinking GRC

2012 marks the 10th anniversary since I first modeled a market for technology, content, and professional services and labeled it GRC. It all started with a vendor briefing with a software firm in which they demonstrated an integrated view of controls, policies, and assessments. A light bulb flashed within my head that there is a strategic approach to business combined with services, content, and technology to service it – organizations could achieve an integrated view of information to assist with Governance, Risk Management, and Compliance (GRC). That was February of 2002 and the GRC market was born.

From the beginning I always stated that GRC was about the business first and technology was a foundation for the business to build upon. It was first and foremost about understanding the business – its strategy, risks, obligations, commitments, objectives – and helping the organization manage risk and compliance in the context of business.

Over the years, GRC has grown in conception and understanding. The best thing to happen to GRC was the development of the OCEG GRC Capability Model, and with that the OCEG definition of GRC:

  • GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.

What has been a disappointment with GRC and needs us to cause some rethinking is our technology approach to GRC. It is impossible to define GRC as a package of software. There is not one vendor that can be your GRC band-aid and solve your problems. GRC is not a commodity that you buy from a technology vendor.

GRC is what is achieved in the business and its operations. To that point we need to rethink our understanding of GRC technology.

This means that we need to think of GRC in the context of business architecture. To achieve good GRC processes in our environment requires an understanding of what the business is about, how it operates, and how it should be monitored and controlled through information and technology.

Rethinking GRC is about taking an enterprise/business architecture approach to understanding the business and how it operates. This includes:

  • Strategy architecture. Understanding what the business is about, where it is going, and what the goals are. This requires that we understand GRC – and its components of governance, risk management, and compliance – in the context of business performance, strategy, and objectives, as well as its culture and values.
  • Process architecture. Flowing from strategy are the processes that define the business and how it operates. Good GRC is done in the context of the business – the rhythm of the business. GRC technology and processes should be integrated with business processes and systems. We need a firm understanding of how the business operates and how to manage risk, policies, and controls in the context of business operations. GRC requires that we be able to model the organization, its operations, and its processes to understand GRC in context of the business.
  • Information architecture. To support business operations and processes, we need a good definition of GRC-related information: standards/schemas of information for risk, policies, and controls, and how that information flows across the business. We need to know what GRC information is needed to make sure that the business is reliably achieving objectives while addressing uncertainty and acting with integrity.
  • Technology architecture. Finally, we approach technology. GRC technology needs to be kept in perspective – it is about the business. We need to make sure that the GRC technologies (and I purposely use the plural) integrate with our business operations, systems, and processes. To put GRC before the business is to put the cart before the horse.

What does all of this mean? I will write more on that in the next article. For now, it means we need to take a business approach to GRC and not lead with a technology approach. It means that we should stop thinking that GRC is about one vendor that solves all the business’ problems. It may mean that there is a technology backbone for GRC consolidated to a single vendor, but it most likely means that there will be several vendors that do different parts of GRC well that form a GRC architecture supporting the business, its operations, and its processes.

I look forward to hearing your comments and thoughts on Rethinking GRC . . .

Tracking Change that Impacts Policy

In the time it takes you to read this article your business has changed. The economic environment has changed, your employees have changed, and there are constant changes to technology, competition, and processes. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.

When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize, and make changes to policies. Information itself is not enough—organizations are overwhelmed by data through legal and regulatory newsletters, websites, e-mails, and content aggregators. In fact, the vast amount of information is part of the problem. It is not uncommon to have a myriad of subject matter experts doing ad hoc monitoring of legal and regulatory change and sending e-mails with little or no follow-up, accountability, or impact analysis.

The organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization’s policies, procedures, and controls need to be adjusted to address the change. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.

Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures impact on the business, and implements appropriate policy, training, and control updates.

Regulatory change management processes include the following components . . .


This is the second part of a six-part series (once a month) on the topic of Effective Policy Management and the Policy Management Lifecycle. To access the second installment please click on the following link: Tracking Change that Impacts Policy

There is an associated webinar with this article as well as the rest of the six articles in the series. You can access the registration for the webinars at the links below:
Archived webinars in the series:
Additionally, I am the chair of the Policy Management Council at OCEG. OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieve objectives while addressing uncertainty and acting with integrity. You can see how policy management is critical to this mission. We already have over 30 large enterprise organizations on the Policy Management Council. The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations. Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role. Other projects are to build templates for a style guide, policy documents, and other related items. The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership. Professional service firms, technology vendors, and others that offer services and content around policies can join, but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).

I look forward to hearing your comments and thoughts on Tracking Change that Impacts Policy . . .

P.S. – There are some complimentary seats available to my Effective Policy Management Workshop next week in Boston. These are ONLY available to internal managers of policies within a corporation. I typically charge $500 for this workshop – but a sponsor, HITEC, has covered the costs to allow me to offer this for free this time to those who write and manage policies for their organization. Please register.

Effective Policy Management

From time to time, to my surprise, I still hear people asking why policies matter. After all, they argue, aren’t the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their own operations and have case-by-case flexibility? Don’t policies create liability when they aren’t followed? Isn’t it just more unnecessary bureaucracy?
 
My answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths.
 
The longer answer is a bit more complex. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes— the organization states what it will and will not accept and defines the culture of integrity and compliance it expects.
 
Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct. . . .

This is the start of a six-part series (once a month) on the topic of Effective Policy Management and the Policy Management lifecycle. To access the first installment please click on the following link: Effective Policy Management

There is an associated webinar with this article as well as the rest of the six articles in the series. You can access the registration for the webinars at the links below:

Additionally, I have been appointed to chair the Policy Management Council at OCEG. OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieve objectives while addressing uncertainty and acting with integrity. You can see how policy management is critical to this mission. We already have over 30 large enterprise organizations on the Policy Management Council. The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations. Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role. Other projects are to build templates for a style guide, policy documents, and other related items. The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership. Professional service firms, technology vendors, and others that offer services and content around policies can join, but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).

I look forward to hearing your comments and thoughts on Effective Policy Management . . .