Have You Done your Policy Enforcement Push-ups?

I love teaching my By Design” Workshops! This past Monday it was Policy Management by Design, my favorite of all of them, in New York City. It is great to be back live teaching these interactive workshops, and it was a great day in New York with engaged attendees from a range of organizations.

The Policy Management by Design Workshop has a lot of new content. Including the Policy Management Capability Model that I worked hard on publishing with OCEG in our joint venture with www.PolicyManagementPro.com. It also includes my new Policy Management Maturity Model.

In discussing Policy Enforcement, one of the 5 components of the Policy Management Capability Model, one organization in attendance stated how they increased policy awareness and compliance by getting creative in policy enforcement. The example this person gave was in the context of their Background Check Policy. If an employee does not follow the background check policy then they and their manager have to do push-ups in front of others. That is one example of creatively building a culture of integrity and policy compliance.

In a previous workshop, before lockdowns, a global software firm stated they take their inclusion, diversity, equality, harassment, and discrimination policies very seriously. If an employee gets behind in their policy acknowledgment and required related training in these areas . . . they go to log in to their computer and they will find all they can access is the policy management portal with the policy acknowledgment and training they have to complete. Another example of policy enforcement.

This is what I love about these workshops. I can lecture and teach all day, but attendees learn from each other as much as they do from me.

Myself teaching on the Policy Management Capability Model in the New York Policy Management by Design Workshop this week.

Upcoming Workshops . . .

November 30

Enterprise GRC Management by Design – Minneapolis

Blueprint for an Effective, Efficient & Agile Enterprise GRC Program Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives  while addressing uncertainty  and acting with integrity .” This requires that GRC needs […]December 2021THU2

December 2

Compliance Management by Design – New York

Blueprint for an Effective, Efficient & Agile Compliance Management Program Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Complicating matters, today’s organization is dynamic and constantly changing. The modern organization adjusts by the minute. New employees come, others leave, roles change. […]March 2022THU10

March 10 

Risk Management By Design Workshop – New York

Risk is pervasive throughout business strategies, operations, and processes. Siloed approaches to risk management leave the organization not seeing the big picture of risk. The reaction is often to centralize risk management which forces different areas of the organization into a one-size-fits-all risk management model that fails to adequately manage and monitor risk. Defining strategy, […]

Next-Generation Policy Management: Collaborative Accountability

Policy management is a critical issue for organizations across industries and geographies and various sizes. In a time of chaos and change, organizations must get control of an enterprise’s perspective and control of what policies they have and how they are communicated.

In 2020, I am finding organizations have realized what a mess policies are in their environment. They are out of date, scattered on different portals, sites, and file shares. Policies are in different templates with different writing styles. Most organizations could not even produce a list of what all the official policies are in their organization. In a time of crisis and change, organizations are scrambling to provide consistent policies in a singular portal the reflect the brand and reinforce the culture of the organization. A culture that needs policies and assures individuals that the company is in control and is part of a broader organization when working from home or an office.

One of the key elements I see in RFPs and inquiries for policy management software, particularly among large global organizations, is the need for collaborative accountability in policy authoring, approvals, and maintenance. Let’s break this apart into the two components:

  1. Collaborative. Policy management needs to be collaborative. Multiple authors and subject matter experts provide input into policies and various regional/jurisdictional impacts of policies. Organizations want a collaborative policy authoring environment where multiple people can be working on the same policy at the same time. I can be writing the new conduct policy here in the USA, and someone else can be making edits, contributions, and comments in Singapore, and someone else can in London . . . all at the same time. What no longer works for organizations is document check-in and check-out where new or updated policies take 6 months to write and get approvals. In a time of continuous business, risk, and regulatory change, this needs to be brought to a few weeks to keep the organization agile, in control, and out of the hot waters of regulatory and legal actions. One business case I was recently advising on found that one recent policy went through 70 different reviewers, subject matter experts, and approvers. This took months and months to complete in a linear document check-in and check-out approach. Their business case is collapse this to weeks with a collaborative approach where everyone can access, comment, and edit the policy simultaneously.
  2. Accountability. Policy management needs accountability. There needs to be a complete system of record and audit trail on who did what and when to a policy. Not at the document level, but down to the section, paragraph, clause, or event word level. Full traceability of who authored, who edited, what was modified. This is supported by workflow and task to that same section or clause level, not just the document level. Perhaps I am the primary policy author of the new anti-money laundering policy. But I want to assign a task and action item to someone in Australia to review a specific wording and paragraph to ensure it meets local regulatory requirements there. I need to assign that task not just to the document, but to the exact portion of the policy I need them to look at and approve. There needs to full accountability and traceability of policy authoring, edits, comments, and actions.

Collaborative accountability in policy management goes hand in hand. They are a symbiotic relationship that supports each other. Greater collaboration requires greater accountability.

This is causing a lot of change in the policy management technology world. Many older legacy solutions allow you only to attach policy documents. Some allow for a policy authoring environment but limit you to a linear approach with document check-in and check-out that takes months to write or update a policy. Newer solutions enable collaborative accountability authoring environments that bring policy development from several months to less than a month. Collaborative accountability delivers greater efficiency (e.g., time), effectiveness, and agility to policy management.

However, the handful of solutions that are offering collaborative accountability are not all created equal. Some do this natively with the most robust features and value. Others are parading an integration with other platforms such as Office365 or GoogleDocs that limit the collaborative accountability benefits, particularly as they are not purpose-built for policy management.

Some important things to consider are:

  • Policy specific workflows and tasks. You want a solution that automates notifications that engage stakeholders to perform required tasks, actions, reviews, edits, comments, contributions, and approvals to the actual section, paragraph, or clause level. To point where they need to focus in the document with audit trails down to that level.
  • Full audit and versioning. You want to see all collaboration across the entire history of versions of the same document down to that section and clause level. Some jimmy-rigged solutions that integrate with Office365 do not give you full visibility into the audit trail unless you download a local copy to your locally installed software, causing issues.
  • Gap analysis. You want to ensure that the entire organization has a full view of policies and evidence of policies for compliance to provide assurances that policies are sufficient, non-contradicting, and integrate and are mapped to processes.
  • Mapping. Part of this requires that the organization can map documents and even sections/clauses of policies to other policies as well as to regulations. When one changes, it can trigger changes and review in related items.
  • Master language. You also should look for the capability to define master language elements. So if I have a clause in a policy, and I edit it, it can be reflected in other documents that reference or use that same language. Consider a Code of Conduct. You may have a statement on discrimination/racism that appears in the Code of Conduct, and if you change it you want that language changed in any associated policies that use that same language such as the discrimination policy itself, as well as procedures, manuals, and such.
  • Security. Another important consideration is the security of your environment. One global firm that I helped with their RFP left a solution leveraging Office365/Sharepoint as they found security bugs that exposed their data and users in the integration with the policy management software leveraging it.

These are some considerations among many features and requirements I am advising on in enterprise policy management RFPs. I will be talking in detail on these and other elements of policy and compliance management in these upcoming webinars:

October 6 @ 10:00 am – 11:00 am CDT  – THE FUTURE OF COMPLIANCE IS DIGITAL, CONNECTED & AUTOMATED

  • Industry experts come together online for a 30mins discussion on the future of compliance Between March and April 2020, businesses had 3,000 regulatory updates to deal with. But the compliance workload was huge even before the Covid-19 pandemic. In 2019, businesses received 200 regulatory updates a day, compared to just 10 a day in 2004. […]THU15

October 15 @ 10:00 am – 11:00 am CDT – DOJ GUIDANCE AND THE COMPELLING NEED FOR AN INTEGRATED COMPLIANCE PROGRAM

  • Compliance and ethics programs are rapidly evolving. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point in time evaluations, but one that is built on a common strategy, […]

The Intersection of GRC and Policy Management

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.

So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But, I find that most organizations do not even know what policies they have in place. 

Why policies are critical to GRC

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Workiva site, follow the link below to read more]

Enabling the 1st Line of Defense with Policy, Training & Issue Reporting

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].”[1] Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  1. Business Operations.The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  2. GRC Professionals.The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  3. Assurance Professionals.The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations.

Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management but it is about the front office engagement and education of employees on what is acceptable and unacceptable and how to report issues.  While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defence, not a lot has focused on how to effectively engage the first line of defence: the employees and managers in the front line of the organizations.

GRC 20/20 is presenting on a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and how to report issues and incidents in the organization.

Attendees will learn:

  • GRC in the context of the Three Lines of Defence Model
  • How the second and third line of defense depend on the first line to protect the organization
  • How to effectively communicate and train the first line of defence on policies
  • Methods for first line employees to identify and report issues and incidents
  • How technology can automate and enable the first line of defense
  • Driving efficiency, effectiveness and agility into all three lines of defense

[button link=”https://www.brighttalk.com/webcast/11811/333341?utm_campaign=user_webcast_register&utm_medium=email&utm_source=brighttalk-transact&utm_content=title”]REGISTER[/button]

[1]This is the official definition of GRC that is found in the OCEG GRC Capability Model. www.OCEG.org

3 Key Findings from the Policy Management by Design Workshop

Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures.

In GRC 20/20’s recent workshop Policy Management by Design (Workiva hosted). Attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs.

Here are three of the top takeaways from the Policy Management by Design Workshop.

1. Policy management affects organizations of all sizes

The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:

  • Updating policies is a reactive process rather than proactive, meaning policies are often outdated
  • Searching for policies is difficult without a cross-organizational master index
  • Ownership and enforcement is insufficient
  • Version control is not available and understanding what changed in the event of an audit is problematic
  • Visibility into how policies link to other internal control frameworks is limited
  • Measurement of policy effectiveness is inadequate or unavailable

2. Policy management can be like a “choose your own adventure”

A key part of the discussion revolved around how the creation, review, and update of policies is like a “choose your own adventure,” as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.

3. Consistency, consistency, consistency

Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:

  • Consistent user experience (UX): The number one criteria attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
  • Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weakens buy-in and generates mistrust across the organization.
  • Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.

What should you look for in a policy management technology?

Evaluating policy management options can be daunting. Rasmussen suggested looking solutions which are proven to streamline the process of policy drafting, document management, and distribution across the team.

Rasmussen recommended comparing the following criteria when selecting a policy management solution:

  1. Ease of use and intuitiveness
  2. Defensible system of record with a precise, electronic record of who changed what policy, how, and when
  3. Access to a master index of all policies
  4. Ability to cross-reference linking to other policies
  5. Ability to link policy information across documents, spreadsheets, and presentations
  6. Tools for policy review and attestation workflow and tasking
  7. Survey capabilities

Continuing the conversation on governance, risk, and compliance

The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces.

This post was originally published by Workiva.

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Improving Policies Through Metrics

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization.

Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review.

A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization.

Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:

  • Violations. Information from hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.

Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change.

When a policy does change it is critical that the organization be able to keep a history of the versions of the policy, when they were effective, and the audit trail of interactions around the policy. The audit train is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.

I am presenting in detail on this specific topic in the following webinar . . .

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Policy Management Requires Attention

Policies: A Foundation in GRC Strategies

Policies are critical to organizations as they establish boundaries of behavior for individuals, processes, relationships, and transactions. An organization must establish policy it is willing to enforce – but it also must clearly train and communicate the policy to ensure that individuals understand what is expected of them.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” [note: this definition is from the GRC Capability Model at www.OCEG.org] Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies accomplish the following:

  • Provide a framework of governance. Policy defines the organization’s governance culture and structure. Without good policy as a guide, corporate culture and control morphs, changes, and takes unintended paths.
  • Identify and treat risk. Policy articulates a culture of risk. Policy addresses risk and establishes risk responsibility, communication, appetites, tolerance, and risk ownership. Without clearly written policy, risk governance is ineffective.
  • Define compliance. Policy establishes a culture of compliance. Policy details how an organization meets its obligations and commitments and how it will stay within legal, regulatory, and contractual boundaries to avoid exposure to liabilities.

Hordes of Policies Scattered Across the Organization

Policies matter. However, the way the typical organization manages policies would leave the impression they are irrelevant and considered a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files are dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures.There is no single place where an individual can see all the policies in the organization and those that apply to specific roles – thus, limiting defense of legal liability.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability with any misaligned, mismanaged, and unauthorized rogue policies.
  • Out-of-date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g. active voice, concise language, and reading level).
  • Policies without lifecycle management. Many organizations maintain an ad-hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations. The organization has no information about where policy is breaking down or how it can be addressed.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.

Inevitable Failure of Policy ManagementExposes the Organization to Significant Liability

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital. It enables an organization to effectively develop and maintain the wide scope of policy it needs to govern with integrity and limit corporate liability.

The Bottom Line: The haphazard department and document-centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and implement a centralized strategy and approach to authoring, approving, maintaining, and communicating policies across the organization.


GRC 20/20 Policy Management Resources . . .

Upcoming Policy Management Workshop

Upcoming Policy Management Webinars

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

I get a lot of inquiries from organizations looking for policy management platforms. Some for a department focused need (e.g., IT security, health and safety, Human Resources), others for a regulatory need (e.g., GDPR, FCPA), but most for an enterprise policy management strategy spanning the organization as it attempts to gain control of a Wild West of policies in disarray and confusion.

Policy & Training Management platforms mange the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train individuals on policy to employees and extended business relationships.  Elements of gamification, eLearning, learning management, document/content management are part of this segment.  Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate and support organization policies.

With over 100 solutions for policy and training management in the market it can be difficult, which is why GRC 20/20 gets engaged for our policy management RFP question library. The most common requirement organizations are looking for is an engaging and intuitive user experience. The growing request, one that comes in every month is on the integration of policy and training management into a single platform and user experience. Every month organizations are stating that their employees go out to Facebook and can watch a YouTube video in Facebook and do not need to bounce out to YouTube. They want to know why their employees cannot watch the training in the policy portal?

This is part of what I call Next Generation Policy & Training Management and is a growing need in the market and one of the most active inquiry areas that I advise organizations looking for solutions on. Other needs are mobility, such as tablet devices that can act as policy and training kiosks for employees that do not have computers. Employee engagement is critical. The ability to plan and calendar a range of policy communication tasks and activities to build campaigns.

These and more are covered in the newly published and reworked on-demand Research Briefing, How to Purchase Policy & Training Management Platforms. This is further supported in the GRC 20/20 written research paper, Policy Management by Design and corresponding workshop.

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

One of the hottest segments of the GRC market is for solutions to manage, maintain, and communicate policies. Organizations are scrambling to get a grip on the identification, approval, management, and awareness of policies amidst a growing environment of legal and compliance exposures to policy mismanagement and growing regulations.

Whether for a department policy portal or to manage the range of policies across the enterprise, policy management solutions are in demand. Historically the demand has been more on the backend management and maintenance of policies. However, recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for the front-end employee portal and engagement on policies, often with integrated training and learning management.

Where there used to be just a few solutions to choose from there are now over eighty with vary capabilities and approaches. They offer varying breadth and depth of capabilities, and certainly no one offers a one size fits all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that is the perfect fit for your organization.

In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering policy management solutions.

Agenda

  1. Defining & Understanding Policy Management
    Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Policy Management Platform
    What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Policy Management Platform
    Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Policy Management
    Trajectory of Value in Effectiveness, Efficiency & Agility

[button link=”http://grc2020.com/product/how-to-purchase-policy-training-management-platforms/”]LEARN MORE[/button]

Objectives

The GRC Pundit helps organizations . . .

  • Define and scope the policy & training management market
  • Understand policy & training management drivers, trends, and best practices
  • Relate the components of what makes a policy management platform
  • Identify core features/functionality of basic, common, and advanced policy management platforms
  • Map critical capabilities needed in a policy management platform
  • Predict future directions and capabilities for policy & training management
  • Scope how to purchase policy management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate policy management solutions

Who Should Attend

This Research Briefing is aimed to assist . . .

  • GRC professionals with the responsibilities to identify, author, review, evaluate, approve, communicate, and maintain policies and related documents and training
  • GRC solution providers offering policy & training management solutions
  • GRC professional service firms advising organizations on policy management
  • GRC content & intelligence providers that provide policy and training content and templates

Instructor

rasmussenMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

 

How to Purchase Policy & Training Management Platforms

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

The haphazard department and document centric approaches for policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.  The policy and training management strategy and policy is supported and made operational through the policy and training management technology.  The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology is structured to make policy and training management effective, efficient, and agile across the organization.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management.  This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems often can integrate with other systems to provide broader context of GRC and business intelligence.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, risks which policies govern, obligations such as regulations that mandate policies, and controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage over dedicated policy solutions.

The right policy and training technology choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in.

A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.

Some of the core capabilities organizations should consider in a policy and training management platform will be considered in this weeks live Research Briefing (which will be recorded and available on-demand):

GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies:

This same topic will be explored deeply in an interactive workshop in Houston on May 30th:

GRC Archetypes: Policy Management

Policy management is the capability to establish, manage, monitor, and enforce policies to reliably achieve objectives, while addressing uncertainty, and act with integrity across the organization (adapted from the OCEG GRC definition).

Policies are critical to the organization to establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability. An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

THE QUESTION: How is your organization approaching policy management? Can you map yourself to one of the following GRC archetypes of policy management?

  • Fire Fighter. Your organization approaches policy management in an ad hoc fly by the seat of your pants approach. Policy management is not structured and policies are written or reviewed only when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about policy management. Policy management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have a master index of all official policies across departments and there are conflicting versions of the policy in existence (e.g., out of date).
  • Department Islander. In this archetype, your organization has a more structured approach to policy management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in policy management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for policy management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of policies in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for policy management to provide consistent processes and structure for policy management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage policies to meet requirements. Most often there is a broader policy management platform deployed to manage policies, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer  This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Policy management is more than meeting requirements but is about encoding and communicating boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Policies are mapped to risks and objectives and actively understood and managed as critical governance documents of the organization. Policies are consistent in a defined template, language style, and the organization has a current index of all official policies of the organization. Policy management is tightly integrated with training to help communicate and ensure that policies are understood.

The haphazard department and document centric approaches for policy and training management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

GRC 20/20’s Policy Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

Strategy Perspective on Policy Management

Research Briefings on Policy Management

Solution Perspectives on Policy Management

Case Studies on Policy Management