
The Intersection of GRC and Policy Management

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.

So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But, I find that most organizations do not even know what policies they have in place. 

Why policies are critical to GRC

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Workiva site, follow the link below to read more]


Enabling the 1st Line of Defense with Policy, Training & Issue Reporting

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].”[1] Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  1. Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  2. GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  3. Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations.

Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management; they are also about front office engagement and education of employees on what is acceptable and unacceptable and how to report issues.

GRC 20/20 is presenting on a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and how to report issues and incidents in the organization.

Attendees will learn:

  • GRC in the context of the Three Lines of Defence Model
  • How the second and third line of defense depend on the first line to protect the organization
  • How to effectively communicate and train the first line of defence on policies
  • Methods for first line employees to identify and report issues and incidents
  • How technology can automate and enable the first line of defense
  • Driving efficiency, effectiveness and agility into all three lines of defense

Register: https://www.brighttalk.com/webcast/11811/333341?utm_campaign=user_webcast_register&utm_medium=email&utm_source=brighttalk-transact&utm_content=title

[1] This is the official definition of GRC found in the OCEG GRC Capability Model (www.OCEG.org).


3 Key Findings from the Policy Management by Design Workshop

Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures.

At GRC 20/20’s recent workshop, Policy Management by Design (hosted by Workiva), attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs.

Here are three of the top takeaways from the Policy Management by Design Workshop.

1. Policy management affects organizations of all sizes

The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:

  • Updating policies is a reactive process rather than proactive, meaning policies are often outdated
  • Searching for policies is difficult without a cross-organizational master index
  • Ownership and enforcement is insufficient
  • Version control is not available and understanding what changed in the event of an audit is problematic
  • Visibility into how policies link to other internal control frameworks is limited
  • Measurement of policy effectiveness is inadequate or unavailable

2. Policy management can be like a “choose your own adventure”

A key part of the discussion revolved around how the creation, review, and update of policies is like a “choose your own adventure,” as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.

3. Consistency, consistency, consistency

Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:

  • Consistent user experience (UX): The number one criterion attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
  • Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weaken buy-in and generate mistrust across the organization.
  • Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.

What should you look for in a policy management technology?

Evaluating policy management options can be daunting. Rasmussen suggested looking for solutions that are proven to streamline the process of policy drafting, document management, and distribution across the team.

Rasmussen recommended comparing the following criteria when selecting a policy management solution:

  1. Ease of use and intuitiveness
  2. Defensible system of record with a precise, electronic record of who changed what policy, how, and when
  3. Access to a master index of all policies
  4. Ability to cross-reference linking to other policies
  5. Ability to link policy information across documents, spreadsheets, and presentations
  6. Tools for policy review and attestation workflow and tasking
  7. Survey capabilities

Continuing the conversation on governance, risk, and compliance

The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces.

This post was originally published by Workiva.

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies


Improving Policies Through Metrics

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization.

Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review.

A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization.

Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:

  • Violations. Information from hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.
  • Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change.

When a policy does change, it is critical that the organization be able to keep a history of the versions of the policy, when they were effective, and the audit trail of interactions around the policy. The audit trail is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.
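The review cycle, effectiveness metrics and version history described above (and the “defensible system of record” criterion in the workshop post earlier on this page) can be made concrete in a small system of record. The following is an added example written for this page, not code from the author or from any policy management product; the policy names, actors, thresholds and dates are constructed sample data, and the risk-level-to-cycle mapping simply encodes the annual / every-other-year / every-three-years cycles the post mentions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Risk-ranked review cycles from the post: annual, every other year, every three years.
REVIEW_CYCLE_YEARS = {"high": 1, "medium": 2, "low": 3}


def _add_years(d: date, n: int) -> date:
    """Date arithmetic that tolerates a 29 February baseline in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass(frozen=True)
class PolicyVersion:
    number: int
    text: str
    effective_from: date
    effective_to: Optional[date] = None  # None: this version is still in effect


@dataclass(frozen=True)
class AuditEvent:
    when: date
    actor: str
    action: str  # "created", "revised", "attested", "trained", "exception", "violation", "question"
    detail: str = ""


@dataclass
class Policy:
    name: str
    owner: str
    risk_level: str  # "high" | "medium" | "low"
    versions: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)
    last_reviewed: Optional[date] = None

    @classmethod
    def create(cls, name: str, owner: str, risk_level: str, text: str, effective_from: date) -> "Policy":
        p = cls(name, owner, risk_level)
        p.versions.append(PolicyVersion(1, text, effective_from))
        p.log(effective_from, owner, "created", "version 1")
        return p

    def log(self, when: date, actor: str, action: str, detail: str = "") -> None:
        """Every interaction is appended, never edited: who did what, to which policy, and when."""
        self.audit_trail.append(AuditEvent(when, actor, action, detail))

    def revise(self, actor: str, new_text: str, on: date) -> PolicyVersion:
        """Close the current version, open the next one and record the change in the trail."""
        old = self.versions[-1]
        self.versions[-1] = PolicyVersion(old.number, old.text, old.effective_from, effective_to=on)
        new = PolicyVersion(old.number + 1, new_text, on)
        self.versions.append(new)
        self.log(on, actor, "revised", f"version {old.number} -> {new.number}")
        self.last_reviewed = on
        return new

    def version_in_effect(self, on: date) -> Optional[PolicyVersion]:
        """Answers the audit question 'which version was in effect on this date?'."""
        for v in self.versions:
            if v.effective_from <= on and (v.effective_to is None or on < v.effective_to):
                return v
        return None

    def review_due(self, today: date) -> bool:
        """Due once the risk-ranked cycle has elapsed since the last review (or since version 1)."""
        baseline = self.last_reviewed or self.versions[0].effective_from
        return today >= _add_years(baseline, REVIEW_CYCLE_YEARS[self.risk_level])

    def metrics(self, since: date) -> dict:
        """Counts of the effectiveness signals the post lists, over the review window."""
        counts = {"violation": 0, "exception": 0, "attested": 0, "trained": 0, "question": 0}
        for e in self.audit_trail:
            if e.when >= since and e.action in counts:
                counts[e.action] += 1
        return counts

    def review_recommendation(self, since: date, max_exceptions: int = 3, max_questions: int = 3):
        """Flags 'revise' on the two signals the post ties to revision; retirement stays a human call."""
        m = self.metrics(since)
        reasons = []
        if m["exception"] > max_exceptions:
            reasons.append(f"{m['exception']} exceptions granted; policy may be unenforceable")
        if m["question"] > max_questions:
            reasons.append(f"{m['question']} helpdesk questions; policy wording may be ambiguous")
        return ("revise" if reasons else "keep", reasons)


def build_sample_policy() -> Policy:
    """Constructed sample data (hypothetical policy, actors and dates) for the example."""
    p = Policy.create("Acceptable Use", "it-security", "high", "v1 text", date(2016, 1, 15))
    p.log(date(2016, 2, 1), "alice", "attested")
    p.log(date(2016, 2, 1), "bob", "attested")
    p.log(date(2016, 3, 10), "hotline", "violation", "lack of awareness")
    for day in range(1, 5):
        p.log(date(2016, 4, day), "it-security", "exception", "legacy lab system")
    p.revise("it-security", "v2 text", date(2016, 6, 1))
    return p


if __name__ == "__main__":
    pol = build_sample_policy()
    print(pol.version_in_effect(date(2016, 3, 10)).number, pol.review_due(date(2017, 6, 1)))
    print(pol.metrics(date(2016, 1, 1)), pol.review_recommendation(date(2016, 1, 1)))
```

The trail is append-only by design: a revision closes the old version rather than overwriting it, so the question a regulator or court asks, which wording was in force on a given date and who had attested to it, can be answered from the record rather than reconstructed from memory.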

I am presenting in detail on this specific topic in the following webinar . . .



Policy Management Requires Attention

Policies: A Foundation in GRC Strategies

Policies are critical to organizations as they establish boundaries of behavior for individuals, processes, relationships, and transactions. An organization must establish policy it is willing to enforce – but it also must clearly train and communicate the policy to ensure that individuals understand what is expected of them.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” [note: this definition is from the GRC Capability Model at www.OCEG.org] Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies accomplish the following:

  • Provide a framework of governance. Policy defines the organization’s governance culture and structure. Without good policy as a guide, corporate culture and control morphs, changes, and takes unintended paths.
  • Identify and treat risk. Policy articulates a culture of risk. Policy addresses risk and establishes risk responsibility, communication, appetites, tolerance, and risk ownership. Without clearly written policy, risk governance is ineffective.
  • Define compliance. Policy establishes a culture of compliance. Policy details how an organization meets its obligations and commitments and how it will stay within legal, regulatory, and contractual boundaries to avoid exposure to liabilities.

Hordes of Policies Scattered Across the Organization

Policies matter. However, the way the typical organization manages policies would leave the impression they are irrelevant and considered a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files are dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles – thus, limiting defense of legal liability.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability with any misaligned, mismanaged, and unauthorized rogue policies.
  • Out-of-date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g. active voice, concise language, and reading level).
  • Policies without lifecycle management. Many organizations maintain an ad-hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations. The organization has no information about where policy is breaking down or how it can be addressed.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.

Inevitable Failure of Policy Management Exposes the Organization to Significant Liability

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital. It enables an organization to effectively develop and maintain the wide scope of policy it needs to govern with integrity and limit corporate liability.

The Bottom Line: The haphazard department and document-centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and implement a centralized strategy and approach to authoring, approving, maintaining, and communicating policies across the organization.


GRC 20/20 Policy Management Resources . . .

Upcoming Policy Management Workshop

Upcoming Policy Management Webinars



Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

I get a lot of inquiries from organizations looking for policy management platforms. Some for a department focused need (e.g., IT security, health and safety, Human Resources), others for a regulatory need (e.g., GDPR, FCPA), but most for an enterprise policy management strategy spanning the organization as it attempts to gain control of a Wild West of policies in disarray and confusion.

Policy & Training Management platforms manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy. Elements of gamification, eLearning, learning management, and document/content management are part of this segment. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

With over 100 solutions for policy and training management in the market, it can be difficult to navigate, which is why GRC 20/20 gets engaged for our policy management RFP question library. The most common requirement organizations are looking for is an engaging and intuitive user experience. The growing request, one that comes in every month, is the integration of policy and training management into a single platform and user experience. Every month organizations state that their employees go out to Facebook and can watch a YouTube video inside Facebook without bouncing out to YouTube, and they want to know why their employees cannot watch the training in the policy portal.

This is part of what I call Next Generation Policy & Training Management, a growing need in the market and one of the most active inquiry areas in which I advise organizations looking for solutions. Other needs are mobility, such as tablet devices that can act as policy and training kiosks for employees who do not have computers. Employee engagement is critical. Another need is the ability to plan and calendar a range of policy communication tasks and activities to build campaigns.

These and more are covered in the newly published and reworked on-demand Research Briefing, How to Purchase Policy & Training Management Platforms. This is further supported in the GRC 20/20 written research paper, Policy Management by Design and corresponding workshop.

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

One of the hottest segments of the GRC market is for solutions to manage, maintain, and communicate policies. Organizations are scrambling to get a grip on the identification, approval, management, and awareness of policies amidst a growing environment of legal and compliance exposures to policy mismanagement and growing regulations.

Whether for a department policy portal or to manage the range of policies across the enterprise, policy management solutions are in demand. Historically the demand has been more on the backend management and maintenance of policies. However, recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for the front-end employee portal and engagement on policies, often with integrated training and learning management.

Where there used to be just a few solutions to choose from, there are now over eighty with varying capabilities and approaches. They offer varying breadth and depth of capabilities, and certainly no one offers a one-size-fits-all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that is the perfect fit for your organization.

In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering policy management solutions.

Agenda

  1. Defining & Understanding Policy Management
    Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Policy Management Platform
    What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Policy Management Platform
    Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Policy Management
    Trajectory of Value in Effectiveness, Efficiency & Agility

Learn more: http://grc2020.com/product/how-to-purchase-policy-training-management-platforms/

Objectives

The GRC Pundit helps organizations . . .

  • Define and scope the policy & training management market
  • Understand policy & training management drivers, trends, and best practices
  • Relate the components of what makes a policy management platform
  • Identify core features/functionality of basic, common, and advanced policy management platforms
  • Map critical capabilities needed in a policy management platform
  • Predict future directions and capabilities for policy & training management
  • Scope how to purchase policy management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate policy management solutions

Who Should Attend

This Research Briefing is aimed to assist . . .

  • GRC professionals with the responsibilities to identify, author, review, evaluate, approve, communicate, and maintain policies and related documents and training
  • GRC solution providers offering policy & training management solutions
  • GRC professional service firms advising organizations on policy management
  • GRC content & intelligence providers that provide policy and training content and templates

Instructor

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.


How to Purchase Policy & Training Management Platforms

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

The haphazard department and document centric approaches for policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.  The policy and training management strategy and policy is supported and made operational through the policy and training management technology.  The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology is structured to make policy and training management effective, efficient, and agile across the organization.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management. It is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems can often integrate with other systems to provide the broader context of GRC and business intelligence.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, the risks which policies govern, the obligations such as regulations that mandate policies, and the controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage than dedicated policy solutions.

The right policy and training technology choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.

Some of the core capabilities organizations should consider in a policy and training management platform will be considered in this week's live Research Briefing (which will be recorded and available on-demand):

GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies:

This same topic will be explored deeply in an interactive workshop in Houston on May 30th:


GRC Archetypes: Policy Management

Policy management is the capability to establish, manage, monitor, and enforce policies to reliably achieve objectives, while addressing uncertainty, and act with integrity across the organization (adapted from the OCEG GRC definition).

Policies are critical to the organization to establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes. Policy paints a picture of the behavior, values, and ethics that define the culture and expected conduct of the organization; without policy there are no consistent rules and the organization goes in every direction. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details the controls to manage that risk. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments. Without policy, there is no written standard for acceptable and unacceptable conduct; an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability. An organization must establish policy it is willing to enforce, but it also must clearly train on and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve a strong and established culture without good policy and training on that policy.

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed. With today’s complex business operations, global expansion, and ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

THE QUESTION: How is your organization approaching policy management? Can you map yourself to one of the following GRC archetypes of policy management?

  • Fire Fighter. Your organization approaches policy management in an ad hoc, fly-by-the-seat-of-your-pants manner. Policy management is not structured, and policies are written or reviewed only when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue in front of you rather than thinking strategically about policy management. Policy management is handled through manual processes with file shares, documents, spreadsheets, and emails. The organization does not have a master index of all official policies across departments, and conflicting versions of policies (e.g., out-of-date copies) remain in existence.
  • Department Islander. In this archetype, your organization has a more structured approach to policy management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in policy management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for policy management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of policies in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for policy management to provide consistent processes and structure for policy management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage policies to meet requirements. Most often there is a broader policy management platform deployed to manage policies, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Policy management is more than meeting requirements; it is about encoding and communicating boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Policies are mapped to risks and objectives and are actively understood and managed as critical governance documents of the organization. Policies are consistent in a defined template and language style, and the organization has a current index of all its official policies. Policy management is tightly integrated with training to help communicate policies and ensure that they are understood.

The haphazard department and document centric approaches for policy and training management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

GRC 20/20’s Policy Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:



Benefits of a Policy & Training Management Strategy and Architecture

The organization requires a policy and training management architecture that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy and training management architecture enables better performance, less expense, and more flexibility. Core technology capabilities to consider in a policy management program are the ability to:

  • Provide a consistent policy management framework for the entire enterprise instead of each department implementing its own policy management system.
  • Manage the policy lifecycle throughout creation, communication, assessment, monitoring, tracking, maintenance, revision, archiving, and record keeping.
  • Train individuals on what is required of them through links to learning systems, modules, quizzing, and attestation.
  • Provide easy access to policy and communicate policy in the language of the reader, as well as to the differently abled.
  • Gather and track edits and comments to policies as they are developed or revised.
  • Map policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of GRC.
  • Provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
  • Provide a user-friendly portal for policies in the environment with workflow, content management, and integration requirements necessary for policy management.
  • Provide a calendar view to see the policies being communicated to various areas of the business, and ensure policy communications do not burden the business with too many tasks in any given month.
  • Provide links to hotlines for reporting policy violations.
  • Publish access to additional resources such as helplines and FAQs.
  • Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what they need to understand.
  • Create categories of metadata to store within policies and display documents by category so policies are easily catalogued and accessed.
  • Restrict access and rights to policy documents so (a) readers cannot change them, and (b) sensitive documents are not accessible to those who do not need to see them.
  • Keep a record of all the versions and histories of each policy so the organization can refer to them when there is an incident or issue they must defend themselves against or provide evidence for.
  • Maintain accountable workflows to allow certain people to approve policy documents and move tasks to others with full audit trails.
  • Deliver comprehensive reporting with an extensive depth and breadth of reports.

GRC 20/20’s Final Perspective . . .

Effective policy and training management is about delivering value, integration, and alignment of strategy, process, information, and technology throughout the organization in the context of GRC. Organizations need to deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into policies and training that are interactive, engaging, and social. Policy and training solutions need to instruct, inform, and be easy to use at all levels. Such a solution engages employees in policies and training without leaving them overwhelmed and confused. It is an integration of policy and training information, processes, and systems to engage employees and agents at all levels of the organization.

  • Getting questions answered. Employees need to be able to ask questions and get them answered. This means that policy and training management processes and architecture should provide contextually relevant information as well as pathways to get questions answered.
  • Providing two-way communication. Employees not only need to be able to ask questions and get them answered; they also come up with ideas and ways to improve policies and training. Perhaps it is an idea for a new initiative related to corporate values, a report of a new risk, or a way to make a control more efficient.
  • Sharing information. Getting employees engaged is about sharing information, like the ability to like a training initiative and share it with others in the organization. This allows the organization to see what works and keeps employees engaged. It allows a way for employees to share information they find relevant and interesting. It provides feedback into what does not work.
  • Connecting the dots through collaboration. Often elements of policies and training are done in ways that are not ultimately effective. A common problem is that individuals modify their responses based on what they think people want to hear. This cognitive and behavioral bias affects the accuracy of the results. Policy and training processes and architecture should bypass stakeholder interests by using technology to engage individuals in an environment in which they can express their true opinion without fear of consequences. Social and collaborative technologies provide a way for individuals in a workshop to anonymously enter thoughts and opinions, capturing unbiased information that builds toward stronger discussions and deeper analysis.

In the end, effective policy and training management is about delivering policy and training that minimizes the perception of getting in the way of business and instead becomes a part of the business and the culture of the organization. There is an element of policies that will always be inhibitive, but the right approach overcomes this by delivering engaging user experiences that align with the needs of employees, integrate with the organization’s architecture and systems, and deliver relevant content when and wherever it is needed.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

  • Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Policy Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
  • Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.



Policy Management Information & Technology Architecture

Policy & Training Management Information Architecture

The policy and training management information architecture supports the process architecture and overall policy and training management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy and training processes.

The policy and training management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy and training management information to support policy and training management processes. Categories of policy and training management information that organizations often collect and process include:

  • Master data records. This includes data on individuals and their role and history of interaction and communication with policies and training.
  • Compliance requirements. Listing of compliance/regulatory requirements that are mapped to policies.
  • Policy and training libraries. The indexing and versions of policies and training.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for the policy and training program.
  • Exceptions/exemptions. Documentation of exceptions and exemptions that have been requested, granted, and/or denied.
  • Forms. The design and layout of information needed for specific policies and related processes.
  • Incidents & issues. Record of policy violations and details.

Policy and training management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. A successful policy and training management information architecture is able to integrate information across the organization, and it requires a robust and adaptable design. Policies and training come together into a unified employee experience where policies are displayed along with training. Training is more than just playing a video; it is interactive, confirming that employees are at their desks engaged in the activity and not off getting a coffee. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

Policy & Training Management Technology Architecture

The policy and training management technology architecture enables and operationalizes the information and process architecture to support the overall policy and training management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right policy and training management architecture enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules.  However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform. This can be an enterprise implementation of a point solution dedicated to policy and training management, or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management. It is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training technology architecture choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.  Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. It often requires information from human resources, vendor management systems, and other sources to automatically maintain a single record, so the application must integrate well with the technologies and competencies that already exist in the organization, such as ERP and GRC systems. The ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be taggable so it can be properly routed to the right subject matter expert, establishing workflow and tasks for review and analysis, with standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policy and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, support analysis, and provide holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management uses leading concepts in interface design to make the user experience of applications simpler, easier to navigate, and aesthetically appealing while minimizing complexity.
  • Socialization and collaboration. Collaboration and socialization are used to conduct risk workshops, understand compliance in the context of the business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making, getting employees involved through video, comedy, and games that educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage with policies and training to gain points, complete levels, earn badges, and receive recognition for skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies, and has taken a quiz to validate understanding. As a result, they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity, as well as to broader corporate HR and collaboration technologies.
  • Mobility. Many employees do not have computers, and some who did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments, where a tablet can be deployed as the policy and training kiosk for employees. Effective policy and training embraces mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.
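
The capability lists in this post (integration, accessibility, notifications, audit trail, training reassignment on revision) and in the earlier post "Benefits of a Policy & Training Management Strategy and Architecture" (version history, restricted edit rights, attestation records, approval workflows), together with the information categories above (master data, policy library, incidents), describe a system of record without showing its shape. The following is an added example, not GRC 20/20's code or any vendor's product: a minimal Python model in which every policy revision is an immutable version, only users holding a constructed "author" role may publish, attestations are recorded against the version in force and go stale when the policy is revised so re-attestation is required, every action including a refused edit lands in an append-only who/what/where/when audit trail, and assignees without a current attestation are bucketed into reminder, overdue, and escalation notices. All users, roles, policy identifiers, and dates are constructed sample data.

```python
"""Minimal policy system of record: versioned policies, role-restricted edits,
per-version attestations, an append-only audit trail, and overdue escalation.

Added example. Users, roles, policy ids and dates are constructed sample data;
these classes are not GRC 20/20's code or any vendor's product."""
from dataclasses import dataclass, field
from datetime import date, timedelta

WRITER_ROLES = {"author"}  # every other role may read and attest but not change text


@dataclass(frozen=True)
class PolicyVersion:
    """One immutable revision; the policy's version list is its full history."""
    number: int
    text: str
    published_by: str
    effective: date


@dataclass
class Policy:
    policy_id: str
    versions: list = field(default_factory=list)  # appended to, never rewritten

    @property
    def current(self) -> PolicyVersion:
        return self.versions[-1]


class PolicyRegistry:
    def __init__(self):
        self.policies = {}       # policy_id -> Policy (the policy library)
        self.roles = {}          # user -> role (master data, constructed)
        self.attestations = []   # (user, policy_id, version_number, date)
        self.audit = []          # append-only who/what/where/when records

    def _log(self, who, what, where, when):
        self.audit.append({"who": who, "what": what, "where": where, "when": when})

    def publish(self, actor, policy_id, text, when):
        """Add a new version; readers are refused and the refusal is itself logged."""
        if self.roles.get(actor) not in WRITER_ROLES:
            self._log(actor, "denied:publish", policy_id, when)
            raise PermissionError(f"{actor} may read but not change {policy_id}")
        pol = self.policies.setdefault(policy_id, Policy(policy_id))
        ver = PolicyVersion(len(pol.versions) + 1, text, actor, when)
        pol.versions.append(ver)
        self._log(actor, f"publish:v{ver.number}", policy_id, when)
        return ver.number

    def read(self, actor, policy_id, when):
        ver = self.policies[policy_id].current
        self._log(actor, f"read:v{ver.number}", policy_id, when)
        return ver.text

    def attest(self, actor, policy_id, when):
        """Record read-and-understood against the version in force at that moment."""
        ver = self.policies[policy_id].current
        self.attestations.append((actor, policy_id, ver.number, when))
        self._log(actor, f"attest:v{ver.number}", policy_id, when)

    def has_attested_current(self, user, policy_id):
        cur = self.policies[policy_id].current.number
        return any(u == user and p == policy_id and v == cur
                   for u, p, v, _ in self.attestations)

    def outstanding(self, policy_id, assigned, due, today, escalate_after=7):
        """Bucket assignees lacking a current-version attestation for notifications:
        reminder up to the due date, overdue after it, escalate to management
        once it is more than escalate_after days late."""
        buckets = {"reminder": [], "overdue": [], "escalate": []}
        for user in assigned:
            if self.has_attested_current(user, policy_id):
                continue
            if today > due + timedelta(days=escalate_after):
                buckets["escalate"].append(user)
            elif today > due:
                buckets["overdue"].append(user)
            else:
                buckets["reminder"].append(user)
        return buckets


def demo():
    """Walk one policy through publish, read, attest, refused edit, and revision."""
    reg = PolicyRegistry()
    reg.roles.update({"ann": "author", "bob": "reader", "cy": "reader"})  # constructed
    reg.publish("ann", "code-of-conduct", "v1: report conflicts of interest", date(2024, 1, 2))
    reg.read("bob", "code-of-conduct", date(2024, 1, 3))
    reg.attest("bob", "code-of-conduct", date(2024, 1, 3))
    try:
        reg.publish("bob", "code-of-conduct", "tampered text", date(2024, 1, 4))
    except PermissionError:
        pass  # the refused attempt stays in the audit trail
    # A revision makes bob's earlier attestation stale: re-attestation is required.
    reg.publish("ann", "code-of-conduct", "v2: also report gifts over a threshold", date(2024, 2, 1))
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.outstanding("code-of-conduct", ["bob", "cy"], date(2024, 2, 15), date(2024, 3, 1)))
```

Running the file prints the notification buckets for the revised policy as of 1 March 2024. The point to take from it is that attestation is keyed to a version number rather than to the policy name, and that a published version is never mutated, so the detailed history the earlier post calls for (what policy was in effect, who read it, who attested to it, and what was refused) can be replayed from the version list and the audit trail rather than reconstructed from e-mail.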

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management
