Benefits of a Policy & Training Management Strategy and Architecture

The organization requires a policy and training management architecture that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy and training management architecture enables better performance, less expense, and more flexibility. Core technology capabilities to consider for a policy management program include the ability to:

  • Provide a consistent policy management framework for the entire enterprise instead of each department implementing its own policy management system.
  • Manage the policy lifecycle throughout creation, communication, assessment, monitoring, tracking, maintenance, revision, archiving, and record keeping.
  • Train individuals on what is required of them through links to learning systems, modules, quizzing, and attestation.
  • Provide easy access to policy and communicate policy in the language of the reader, as well as to the differently abled.
  • Gather and track edits and comments to policies as they are developed or revised.
  • Map policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of GRC.
  • Provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
  • Provide a user-friendly portal for policies in the environment with workflow, content management, and integration requirements necessary for policy management.
  • Provide a calendar view to see the policies being communicated to various areas of the business, and ensure policy communications do not burden the business with too many tasks in any given month.
  • Provide links to hotlines for reporting policy violations.
  • Publish access to additional resources such as helplines and FAQs.
  • Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what they need to understand.
  • Create categories of metadata to store within policies and display documents by category so policies are easily catalogued and accessed.
  • Restrict access and rights to policy documents so (a) readers cannot change them, and (b) sensitive documents are not accessible to those who do not need to see them.
  • Keep a record of all the versions and histories of each policy so the organization can refer to them when there is an incident or issue they must defend themselves against or provide evidence for.
  • Maintain accountable workflows to allow certain people to approve policy documents and move tasks to others with full audit trails.
  • Deliver comprehensive reporting with an extensive depth and breadth of reports.

GRC 20/20’s Final Perspective . . .

Effective policy and training management is about delivering value, integration, and alignment of strategy, process, information, and technology throughout the organization in the context of GRC. Organizations need to deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into policies and training that are interactive, engaging, and social. Policy and training solutions need to instruct, inform, and be easy to use at all levels. Such a solution engages employees in policies and training without leaving them overwhelmed and confused. It integrates policy and training information, processes, and systems to engage employees and agents at all levels of the organization.

  • Getting questions answered. Employees need to be able to ask questions and get them answered. This means that policy and training management processes and architecture should provide contextually relevant information as well as pathways to get questions answered.
  • Providing two-way communication. Employees not only need to be able to ask questions and get them answered, they also come up with ideas and ways to improve policies and training. Perhaps it is an idea on a new initiative related to corporate values, a way to report a new risk, or a way to make a control more efficient.
  • Sharing information. Getting employees engaged is about sharing information, like the ability to like a training initiative and share it with others in the organization. This allows the organization to see what works and keeps employees engaged. It allows a way for employees to share information they find relevant and interesting. It provides feedback into what does not work.
  • Connecting the dots through collaboration. Often elements of policies and training are done in ways that are not ultimately effective. A common problem is that individuals modify responses based on what they think people want to hear. This cognitive and behavioral bias has an impact on the accuracy of the results. Policy and training processes and architecture should bypass stakeholder interests by using technology to engage individuals in an environment in which they can express true opinions without fear of consequences. Social and collaborative technologies provide a way for individuals in a workshop to anonymously enter thoughts and opinions, capturing unbiased information that builds toward stronger discussions and deeper analysis.

In the end, effective policy and training management is about delivering policy and training that minimizes the perception of getting in the way of business and instead becomes a part of the business and the culture of the organization. There is an element to policies that will always be inhibitive, but the right approach overcomes this by delivering engaging user experiences that align with the needs of employees, integrate with organization architecture and systems, and deliver relevant content when needed wherever it is needed.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

  • Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Policy Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
  • Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.

GRC 20/20’s Policy & Training Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Policy Management Information & Technology Architecture

Policy & Training Management Information Architecture

The policy and training management information architecture supports the process architecture and overall policy and training management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy and training processes.

The policy and training management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy and training management information to support policy and training management processes. Categories of policy and training management information that organizations often collect and process include:

  • Master data records. This includes data on individuals and their role and history of interaction and communication with policies and training.
  • Compliance requirements. Listing of compliance/regulatory requirements that are mapped to policies.
  • Policy and training libraries. The indexing and versions of policies and training.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for the policy and training program.
  • Exceptions/exemptions. Documentation of exceptions and exemptions that have been requested, granted, and/or denied.
  • Forms. The design and layout of information needed for specific policies and related processes.
  • Incidents & issues. Record of policy violations and details.

Policy and training management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. A successful policy and training management information architecture will be able to integrate information across the organization. Successful policy and training management requires a robust and adaptable information architecture. Policies and training come together into a unified employee experience where policies are displayed along with training. Training is more than just playing a video: it is interactive, confirming that employees are at their desks engaged in the activity and not off getting a coffee. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

Policy & Training Management Technology Architecture

The policy and training management technology architecture enables and operationalizes the information and process architecture to support the overall policy and training management strategy. The right policy and training management architecture enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active policy communication and training.
  • Department-specific point solutions. Implementation of a number of point solutions that are deployed and purpose-built for department-specific or risk- and regulation-specific policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform. This can be an enterprise implementation of a point solution dedicated to policy and training management, or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs, with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training technology architecture choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility. Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. Policy and training management often requires information from human resources, vendor management systems, and other sources to automatically maintain a single record. These applications must integrate with other systems. The platform needs to integrate well with other technologies and competencies that already exist in the organization – ERP and GRC. So the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policies and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, and to provide analysis and holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management uses leading concepts in interface design to make the user experience of applications simpler, easy to navigate, and aesthetically appealing, while minimizing complexity.
  • Socialization and collaboration. Collaboration and socialization are used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. It gets employees involved through video, comedy, and games that educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage with policies and training to gain points, accomplish levels, earn badges, and gain recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies, and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity, as well as to broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments, where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training embraces mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.


GRC 20/20’s Effective Policy Management Process Lifecycle

The policy and training management strategy and policy is supported and made operational through the policy and training management architecture. The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to policy and training management architecture. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.

There are three areas of the policy and training management architecture:

  • Policy and training management process lifecycle architecture
  • Policy and training management information architecture
  • Policy and training management technology architecture

It is critical that these architecture areas be initially defined in this order. It is the process architecture that determines the types of policy and training structures and information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that defines the organization's requirements for the technology architecture. Too many organizations put the cart before the horse and start by selecting technology for policy and training management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for policy and training management instead of finding the technology that best fits their process and information needs.

Policy & Training Management Process Architecture

Policy and training management architecture starts with the process architecture. Processes are used to manage and monitor the ever-changing business, third party relationship, risk, and regulatory environments in the context of policy and training programs.

The policy and training management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy and training management processes, each process’s components and interactions, and how processes work together as well as with other enterprise and GRC processes.

The core elements of the process architecture are understood as the organization’s policy management lifecycle. This represents the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced.

The stages of the Effective Policy Management Process Lifecycle are:

  • Determine Need for New Policies or Updates. Policy should be created only when necessary, such as to establish the values and ethics of the organization, meet regulatory obligations, and manage potential risk or liability. Without some requirement for or exposure of the organization, there is no need for a policy. Too many policies burden the organization and cannot be complied with. Too few policies introduce significant risk and legal exposure. Organizations need a defined change management process to monitor changes that impact policy across the following areas:
    • Corporate environment. Policies change in response to new strategies, objectives, mergers, and acquisitions. Changes in corporate commitments, contracts, values, ethics, risk appetite, and social responsibility statements also drive policy.
    • Risk environment. Ongoing risk intelligence processes are required to monitor geopolitical, environmental, economic, strategic, relationship, and operational risk.
    • Regulatory environment. New laws, changing regulations, litigation, and court rulings (case law) impact organizations and drive policy changes. Organizations need regulatory change management processes in place to monitor the changing legal and regulatory environment in jurisdictions where business is conducted.
  • Policy development and approval. When an organization identifies a change in the corporate, risk, or regulatory environments and determines a new policy is needed, or an existing policy must be updated, it enters the policy development phase. In this stage, policies are drafted, reviewed, and approved. While the Policy Owner is responsible for managing development and works with the policy author and stakeholders, the policy manager champions this process to make sure the policy conforms to corporate style and template requirements and has referential integrity with the other policies in the Policy Portfolio. The policy steering committee, another governing committee, or a designated executive approves policy changes once they go through the development workflow and review process. The policy development steps include:
    • Policy ownership. Every policy in the organization should be assigned to an individual or business role that owns the policy. The owner ensures that the policy remains accurate, is appropriately communicated, and continues to serve the purpose for which it was established. Even if the policy is applied across the entire organization, such as with a code of conduct, the owner must oversee its implementation and monitoring.
    • Policy writing. Once an owner is established, the next step is to write the policy. All policies across the organization should be written in a consistent style, format, and language while following a defined style guide. Policies must be clear and easily understood. They must articulate who the policy applies to, standards, rules, regulations or laws it intends to address, and what, if any, larger program it is associated with.
    • Policy review and approval. Once the initial draft of the policy is written, the owner sends the draft policy to identified stakeholders for review and approval before publication. This phase is iterative, as the stakeholders may send the policy back with changes before it is approved. Leading practice includes reviews by the organization’s policy management office, legal department, and ethics and compliance committee (for policies mandated by law or regulation).
  • Policy publication and awareness. In this stage, individuals become aware of the new or changed policy by clear articulation of individual responsibility to comply with the policy. This includes:
    • Policy publication. After approval, the policy must be published. This is most effectively done with a centralized policy management and communication platform. Unfortunately, many organizations have scattered systems for publishing policies and procedures. This complicates policy management, as multiple publication methods mean more policies will become outdated and scattered across the organization. A best practice is to have a single policy system that allows any individual within the environment to log in, see all of the policies that apply to a specific role in the organization, and receive automated notification of a changed or new policy.
    • Policy communication and training. Written policy is necessary, but not good enough on its own. Organizations must actively ensure individuals are aware of and understand the policy and what is required of them — appropriate communication and training should be used to facilitate understanding, such as video, LMS courses, surveys, and testing. It is important that training and other resources are linked to policies and are easily accessible. It is also important to preserve records of each individual’s training completion for critical policies so that they are easily accessible by oversight personnel.
    • Policy attestation. It is necessary for individuals to attest that they have read, understood, and will adhere to critical policies. Policies such as a code of conduct require specific attestation on a regular basis (e.g., annually). Attestations should be dated and time stamped, preserved with the version of the policy, and easily accessible by oversight personnel.
  • Policy adherence and compliance. In this stage, policies are regularly monitored to ensure compliance and that exceptions are documented and managed. This phase involves:
    • Implement procedures and controls. The MetaPolicy states who is responsible for implementing the appropriate procedures and controls to ensure effective implementation, usually the Policy Owner. The procedures and controls should be written using approved templates and embedded within the business operations and processes.
    • Monitor, test, and assess. Carefully monitor, test, and assess activities to ensure that the policy, procedures, and controls are being enforced, are operating as intended, and the business runs efficiently and smoothly while in compliance. Findings of noncompliance and violations provide metrics for policy review and improvement. An enforcement policy is critical to define levels of infractions and associated actions.
    • Manage exception requests. While policies must be complied with, there are justifiable business situations in which the organization accepts noncompliance. These exceptions must be documented and managed. An exception may be appropriate for a given time period or until a certain event occurs.
  • Policy metrics and maintenance. Policies should not change frequently, but they should go through periodic review. A best practice is to follow an annual review cycle to make sure policies are still appropriate and do not bring unnecessary exposure or liability upon the organization. Unneeded policies should be retired. The major activities of this stage include:
    • Review, update, or retirement. Every policy should have a regular review cycle (ideally annually). During this review, the Policy Owner and stakeholders assess changes to the internal business and external regulatory and business environments, look at incidents of policy noncompliance and approved exceptions, and consider the continued need for the policy. After this analysis the Policy Owner requests the policy approver(s) to reauthorize the policy as-is for another management cycle, to retire it, or to send it back into the Development and Update stage to revise the policy.
    • Policy archives. Every policy and its associated versions must be archived for reference at a later time. The retention period for superseded versions and retired policies should be managed in accordance with the organization’s document and records-retention policies. When an organization becomes aware of an incident, or a regulator has a question, it is necessary to have a full view of the accountability history of a policy: the owner, who read it, who was trained, and who attested and on what version of the policy at a particular date. This level of detail is necessary to defend the organization in a situation involving a rogue employee, where the organization itself is not culpable.
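The system-of-record requirements stated in several places above (versions and histories of each policy, attestations dated and preserved with the policy version, an audit trail of who, what, where, and when, and a full accountability history when an incident or regulator inquiry arrives) can be demonstrated in a small data model. The following is an added example written for this page, not GRC 20/20's code or any vendor's product. It assumes a hash-chained audit log (each event carries the hash of the previous one, so an edited or deleted event is detectable on verification), binds every read/training/attestation record to a SHA-256 digest of the exact policy wording rather than to a title, and uses a fixed clock plus constructed names ("COC", "alice", "ethics-office") for a reproducible walk-through.

```python
"""Added example (not GRC 20/20's code): a minimal system of record that binds
read/training/attestation records to an exact policy version and keeps a
hash-chained, tamper-evident audit trail of who did what, where and when."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed convention: prev_hash of the first audit event

def digest(obj) -> str:
    """Canonical SHA-256 over JSON so equal records always hash the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: int
    owner: str
    text: str
    content_hash: str  # acknowledgements bind to this digest, not to a title

@dataclass(frozen=True)
class Acknowledgement:
    user: str
    kind: str          # "read", "trained" or "attested"
    policy_id: str
    version: int
    content_hash: str  # the exact wording the user acknowledged
    when: str

class PolicyRegistry:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.versions = {}  # policy_id -> [PolicyVersion, ...], oldest first
        self.acks = []
        self.audit = []     # dicts: seq, who, what, where, when, prev_hash, event_hash

    def _log(self, who, what, where):
        prev = self.audit[-1]["event_hash"] if self.audit else GENESIS
        body = {"seq": len(self.audit), "who": who, "what": what,
                "where": where, "when": self.clock(), "prev_hash": prev}
        self.audit.append({**body, "event_hash": digest(body)})

    def publish(self, policy_id, owner, text, approver):
        """Approval publishes a new immutable version; older ones stay archived."""
        history = self.versions.setdefault(policy_id, [])
        pv = PolicyVersion(policy_id, len(history) + 1, owner, text, digest(text))
        history.append(pv)
        self._log(approver, "publish", f"{policy_id}/v{pv.version}")
        return pv

    def current(self, policy_id):
        return self.versions[policy_id][-1]

    def acknowledge(self, user, kind, policy_id):
        pv = self.current(policy_id)
        self.acks.append(Acknowledgement(user, kind, policy_id, pv.version,
                                         pv.content_hash, self.clock()))
        self._log(user, kind, f"{policy_id}/v{pv.version}")

    def is_current(self, user, kind, policy_id):
        """True only if the record matches the wording now in force."""
        h = self.current(policy_id).content_hash
        return any(a.user == user and a.kind == kind and a.policy_id == policy_id
                   and a.content_hash == h for a in self.acks)

    def needs_action(self, kind, policy_id, users):
        """Reminder/escalation list: who still lacks a current record."""
        return sorted(u for u in users if not self.is_current(u, kind, policy_id))

    def verify_audit_trail(self):
        """Recompute the chain; an edited or deleted event breaks it."""
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "event_hash"}
            if e["prev_hash"] != prev or digest(body) != e["event_hash"]:
                return False
            prev = e["event_hash"]
        return True

def demo():
    """Constructed scenario: a code of conduct is revised after attestation."""
    reg = PolicyRegistry(clock=lambda: "2024-01-15T09:00:00+00:00")
    reg.publish("COC", "ethics-office", "Code of Conduct, revision 1", "steering-committee")
    reg.acknowledge("alice", "attested", "COC")
    reg.acknowledge("bob", "attested", "COC")
    reg.publish("COC", "ethics-office", "Code of Conduct, revision 2", "steering-committee")
    reg.acknowledge("alice", "attested", "COC")  # only alice re-attests to v2
    pending = reg.needs_action("attested", "COC", ["alice", "bob", "carol"])
    intact_before = reg.verify_audit_trail()
    reg.audit[1]["who"] = "mallory"  # simulate an in-place edit of a historic event
    return {"pending": pending, "intact_before": intact_before,
            "intact_after": reg.verify_audit_trail(),
            "versions": len(reg.versions["COC"]),
            "bob_versions": [a.version for a in reg.acks if a.user == "bob"]}
```

Two design choices carry the page's points. Binding an acknowledgement to the content digest means that when revision 2 is approved, bob's revision 1 attestation stays in the archive as evidence of what he acknowledged and when, while `needs_action` immediately puts him on the reminder list; no record is ever overwritten. Chaining the audit events means the registry can show that its who/what/where/when history has not been altered since it was written, which is the property an investigator or regulator will test.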

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .

Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.

Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.

GRC 20/20’s Policy & Training Management Research includes:

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Developing a Policy Management Strategy

Organizations need a coordinated cross-department strategy for managing policies and training programs across the enterprise.  The goal is to develop a common framework and approach so that policies and training are understood and managed as an integrated whole rather than a dissociated collection of parts.

Policies and training programs that are managed as dissociated documents, data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of policy and training across the enterprise and how it supports the organization’s governance, risk management, and compliance (GRC) responsibilities. The organization needs to have holistic visibility and situational awareness into policy and training across the enterprise. Complexity of business and intricacy and interconnectedness of policies and obligations requires that the organization implement a policy and training management strategy.

Contrasting Policy & Training Management Approaches

The primary directive of a mature policy and training management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of GRC.  This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies and training needs across the extended enterprise.

Organizations have three policy & training management strategies to choose from:

  1. Anarchy – ad hoc department silos. This is when you have different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed policy and training initiatives never see the big picture and fail to put policy and training in the context of the rest of the organization. The result: complexity, redundancy, and failure. The organization is not thinking big picture about how policy and training management processes can be designed to meet a range of needs. An ad hoc approach to policy and training management results in poor visibility into the organization’s obligations and values, as there is no framework for managing policies and training consistently. When the organization approaches policies and training in scattered silos that do not collaborate with each other, there is no possibility to be intelligent and align policies and training initiatives to achieve efficiency, effectiveness, and agility.
  2. Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one platform and framework. However, this has its issues as well. Organizations run the risk of having one department be in charge of policy and training management that does not fully understand the breadth and scope of the needs across departments. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing policies and training programs to the lowest common denominator.
  3. Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance between common governance and local autonomy in policy and training management. It allows for some level of department/business function autonomy where needed but focuses on a common governance model and architecture in which the various groups involved in policy and training management participate. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of GRC, as it allows different business functions to focus on their areas while reporting into a common governance framework and architecture. Different functions participate in policy and training management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

A federated model for policy and training management provides central coordination of the policy management lifecycle to ensure consistency in policies across the organization, while ownership and management of non-enterprise-wide policies sit in distributed areas of the organization that align with the central governance. The federated model is ideal for large global organizations. It allows policy and training management to be centrally coordinated, but allows for distributed management and oversight of policies to address divisional, legal entity, business unit, and regional needs. These entities must adhere to all mandated enterprise-wide policies and will often design their own procedures in a way that makes the policy fit their operations and supports their compliance with the policy. They may create their own policies and procedures relating to their specific operations, which may be imposed based on federal, state, or local laws. These policies and procedures must be written so that they do not conflict with the overall mission and values of the organization. A federated model often has layers of policy governance in which a policy steering committee is established centrally to define the policy process and templates, while “entity” policy committees oversee the governance of policies within their respective areas.

Policy & Training Management Strategic Plan

Designing a federated policy and training management program starts with defining the strategy.  The strategy connects key business functions with a common policy and training governance framework.  The strategic plan is the foundation that enables policy and training transparency, discipline, and control across the ecosystem of the enterprise.

The core elements of the policy and training strategic plan include:

  • Policy & training governance team. Effective policy management and communication requires policy governance and oversight. The first piece of the strategic plan is building the cross-organization policy and training governance team (e.g., committee, group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested interest in policy and training management and get them collaborating and working together on a regular basis. Roles typically involved in the policy and training governance team are: compliance, ethics, legal, human resources, finance, information technology, security, audit, quality, health & safety, and business operations. One of the first items to determine is who chairs and leads the policy and training governance team. This committee provides the structure and connective tissue to coordinate and drive consistent policy management. Its members represent the best interests and expertise of the different parts of the organization. They leverage the knowledge, charter, and authority of the committee to benefit their business areas and the whole organization. A large distributed organization may have layers of policy and training committees for different geographies or business units. If a layered approach is in place, the organization still needs a central policy and training governance committee to which the rest roll up, to enforce consistency and structure.
  • Policy and training management charter.  With the initial collaboration and interaction of the policy and training management team in place, the next step in the strategic plan is to formalize this with a policy and training management charter.  The charter defines the key elements of the policy and training management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of policy and training management, the members of the policy and training governance team, and define the overall goals, objectives, resources, and expectations of enterprise policy and training management.  The key goal of the charter is to establish alignment of policy and training management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on policy and training management. The charter should specifically address:
    • An organized policy & training management committee to govern the oversight and guidance of policies, and ensure policy collaboration across the enterprise.
    • An individual assigned to the role of policy & training manager to assure accountability to the standards, style, and process defined by the policy management committee. The policy manager does not write policy, but is the champion of the policy management process, responsible for ensuring that the creation and revision of policies conforms to the policy management lifecycle defined by the organization.
    • The authorization and allocation of resources for program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
  • Policy management policy (e.g., MetaPolicy, Policy on Policies).  The next critical item to establish in the policy and training management strategic plan is the writing and approval of the organization’s MetaPolicy (or policies on writing policies).  This sets the policy management structure in place.  The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The MetaPolicy is the foundation on which to build an effective policy and training management program. It defines the critical elements of the organization’s policy management program. The major components of an effective MetaPolicy are:
    • Roles and responsibilities. Key organizational roles, responsibilities, and accountabilities for policy governance and the policy lifecycle, and specifically the scope of governance and influence of the MetaPolicy itself.
    • Scope of MetaPolicy. Scope of what is and is not under the remit of the MetaPolicy (e.g., internal-facing policies, client-facing policies, and policies of subsidiaries and joint ventures).
    • Definition of terms. Definitions of what, for the given organization, a policy is, as well as a procedure, standard, and guideline, in addition to other applicable governance documents and resources.
    • Format and structure guidance. Common structure and content of a policy with specific reference to what topics are required (e.g., purpose, scope, accountability, and policy statement) and what is optional (definitions of key terms/acronyms/abbreviations, authoritative sources/obligations, and cross-references to other documents) to establish a policy.
    • Policy writing and layout. Writing style for policies and other documents as well as the layout of policy documents.  Also included by reference are policy template(s), which are absolutely critical for driving consistency across policies.
    • Central repository and indexing of policies. Requirements for central repository as the system of record for policies and related governance documents. This repository must be accessible to all of the organization’s employees and contingent workers.
    • Policy approval. Policy governance rules for approving policy creation/update/retirement, general requirements for exception approval, and definition of maintenance and review cycles with appropriate accountability of roles and responsibilities for policy development and maintenance.
    • Policy assurance and compliance monitoring. Assurance methodologies to ensure that compliance with the MetaPolicy is in place, that exceptions to the MetaPolicy are documented and managed appropriately, and violations are identified and remediated.
    • Style guide. Policy writing that is wordy and confusing damages the corporate image and costs time and money. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance for writing policies. It covers using the active rather than the passive voice, avoiding complicated language and “legalese”, writing for impact and clarity, using common terms, how to approach gender in writing, and even internationalization considerations.
    • Templates. These are standard templates that the organization can utilize to write policies and supporting documents/resources that are already in the standard format and structure conforming to the MetaPolicy.
    • Exception/exemption request. Provides a standard template for documenting an exception/exemption request to a policy or procedure and how to seek approval for the request.

Policy & Training Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition (www.OCEG.org), is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policy and training matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices.  The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy.  As policies establish a legal duty of care, organizations face misaligned policies, exposure and liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations related to policy. The organization has no information about where policy is breaking down and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy & Training Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies and training programs don’t conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department and document centric approaches for policy and training management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management.  Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

Policy Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices.  The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy.  As policies establish a legal duty of care, organizations face misaligned policies, exposure, liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations related to policy. The organization has no information about where policy is breaking down and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department- and document-centric approaches to policy management of the past compound the problem and do not solve it. It is time for organizations to step back and approach policy management by design, with a strategy and architecture to manage the ecosystem of policies throughout the organization with real-time information about policy conformance and how it impacts the organization.

Check out GRC 20/20’s additional policy management resources . . .

Workshop: Policy Management by Design Workshop in Dallas, October 11th

  • This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.

Research Briefing: How to Purchase Policy Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on Policy Management

  • The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: Policy Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email [email protected] and we can scope your needs for an RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Written Research on Policy Management

Considerations When Purchasing Policy Management Solutions

This is the second in a series of posts on buying considerations when purchasing GRC solutions.  The GRC Pundit first looked at overall considerations when purchasing GRC solutions, and in this post he turns his focus to Policy Management Solutions.

Policy management is one of the hottest segments in the GRC market. This is apparent in the number of RFPs and inquiries GRC 20/20 is involved in from organizations looking for policy management platforms.

Consider that policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of the behavior, values, and ethics that define the culture and expected conduct of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details the controls to manage that risk.
  • Define compliance. Policies document compliance by recording how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Policies attach a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policies can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal and regulatory proceedings to place culpability. In this context, organizations are struggling with the following issues:

  • Policies haphazardly managed in documents, fileshares, and poorly implemented portals
  • Different departments going in different policy directions
  • Lack of centralized inventory of all organization policies
  • Need to have a defensible audit trail of all interactions with a policy and training
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style, template, format
  • Rogue policies that put liability and exposure on the organization
  • Out of date and inconsistent policies
  • No tracking of policy exceptions

Many organizations lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An organization must establish policy it is willing to enforce — but also must clearly train and communicate policy to make sure that individuals understand what is expected of them.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the policies needed to reliably achieve objectives while addressing uncertainty and act with integrity. This is why organizations are aggressively looking at policy management platforms to address this challenge.

Basic, Common & Advanced Policy Management Solutions

GRC 20/20 has developed an extensive framework of RFP requirements for policy management platforms and advises organizations on RFP development and on the solutions the organization should be considering. GRC 20/20 covers 144 solutions in the Policy & Training Management Segment of the GRC market. Eighty-eight of these solutions do policy management, and forty-four do training management (solutions that appear in both counts do both). Every organization has unique requirements and expectations for policy management. GRC 20/20 has detailed over 200 requirements specific to policy and training management solutions in the GRC market. Overall, policy management solutions can be mapped into the following areas:

  • Basic Policy Management Capabilities. These solutions tend to focus on the back-end of policy management, the development, approval, maintenance of policies. Policies are typically managed as documents and imported into the system as documents or PDFs. Solutions in this area are focused on managing workflow and tasks for managing and maintaining policies. They often have some basic employee portal capabilities aimed at completing tasks such as reading policies and attestation (e.g., certification, read and understood).
  • Common Policy Management Capabilities. These solutions are more built out in feature sets that offer a broader range of capabilities. This includes a stronger user portal and experience to navigate policies, the ability to build forms related to policies and manage workflow and tasks around forms, map policies to regulations and other obligations, and move beyond treating policies as documents to import into the system and have integrated word processing capabilities. These solutions also have capabilities to manage policy exemptions/exceptions, and measure policy compliance. While the employee experience is stronger than those offering basic capabilities, it is still the back-end management of policies that is central to these solutions.
  • Advanced Policy Management Capabilities. Advanced policy management solutions have all the common attributes, but take on more advanced capabilities (note, advanced capabilities extend common capabilities and not all policy management solutions support the range of advanced capabilities). Advanced capabilities tend to put a stronger focus on the employee experience – the front-end of policy management – and not just the back-end experience. Advanced capabilities include:
    • Employee portal experience is clearly stronger offering an intuitive, interactive, personal, and social policy experience for employees. Policies are most often treated as HTML and not PDFs or word processing documents, and the display of policies allows for hyperlink pop-ups for clarification and resources as well as embedding training and other policy tools.
    • Embedded training in which the solution has a full LMS capability to deliver training within the policy portal for employees and they do not have to bounce around through hyperlinks.
    • Social features and gamification, in which, as part of the employee portal, the solution picks up on the social aspects of employees being able to share policies with other employees, provide feedback and interaction on policies, and implement employee avatars with badges for policy and training tasks.
    • Mobility, in which there are dedicated tablet and phone apps offering policies to employees. In fact, GRC 20/20 has been involved in several interactions with organizations looking to use tablets as policy and training kiosks for employees in retail, food and beverage, manufacturing, and logistics/transportation.
    • Integration with HR management systems to push policy to new employees or to those that have changed roles in the organization.
    • Integration with other GRC modules and solutions, such as incident management to map incidents to violations of policy, or risk management to map risks to policies.
    • Advanced policy authoring and editing capabilities in which policy authoring is done in a browser interface with full redlining, commenting, and editing capabilities.
    • Regulatory change management in which not just documents but chapter and verse of policies is mapped to chapter and verse of regulations and there are clearly defined processes to manage policies in the context of regulatory change.
    • Federated policy management that allows large distributed and diversified organizations to have layers of policy management committees and groups to govern complex policy lifecycles.

These summaries of basic, common, and advanced capabilities cover some attributes of these areas drawn from GRC 20/20’s broader RFP requirements and analysis of policy management solutions. Organizations need to select what best fits their needs. More advanced capabilities often come at a more significant cost for the policy management solution.

The most significant trend GRC 20/20 has seen in policy management RFPs and organizational needs is the shift of focus to the front-end of policy management.  Historically, the requirements for policy management have been largely on the back-end management and maintenance of policies with only very basic requirements in the front-end communication and attestation of policies.

Over the past three years there has been a growing trend to put equal or more importance on the front-end communication and access of policies. This is in response to organizations desiring to create a single portal for all organization policies, engage employees, and provide defensible audit trails and compliance records. One organization even requested that the policy portal have a capability to show a green light in a corner if the policy subject matter expert is at their desk and pop up a box to ask them a question (they used a direct analogy to online shopping with a ‘can we help you’). The overall trend is that organizations desire an engaging policy portal for employees as much as they do the back-end development of policies.

CASE IN POINT: I did the design and layout of the OCEG GRC Illustration: Engaging Employees With Interactive Policies. I have had several organizations specifically reference this illustration and state “this is what we want, who does this.”


Questions & Considerations to Ponder on Policy Management Solutions

Organizations considering policy management solutions should ask themselves the following questions to help guide them in developing requirements and engaging solution providers:

  • What are my back-end policy lifecycle management requirements?
  • What are my front-end policy portal and employee experience requirements?
  • Is the front-end portal as important as the back-end?
  • Do we want to develop policies in standard word processors and import them as documents/PDFs into the solution to manage?
  • Do we want to develop policies within the solution/browser interface?
  • Do we need to map policies to hotline reports, issues/incidents, controls, or risks?
  • What are our requirements for regulatory change management in context of keeping policies current?
  • What are our requirements for having a full audit and compliance trail of all interactions between policies and employees?
  • Do we desire an integrated LMS capability to manage policies and training as a collective whole in an integrated portal?
  • Do we need the capability to manage policy related forms and manage those forms through workflow and tasks for review and approval/disapproval (e.g., gifts and entertainment, conflict of interest, medical leave, political contributions)?
  • What are our mobility requirements for policy and training on tablets and smartphones?
  • Do we need to integrate with HR management systems to automate the communication of policies to new employees and those that have changed roles?
  • Do we need features of socialization and gamification on the policy portal?
  • What are our internationalization and language requirements for both the back-end management of policies and the front-end policy portal?
  • What are our requirements to track and manage policy exceptions and exemptions?
  • Do we need a solution that can support federated policy management to address the need for multiple layers of policy committees and a complex policy lifecycle?

These are a subset of a broader set of questions that will be categorized and mapped in the forthcoming Buyers Guide: Policy Management Solutions, and are further detailed in GRC 20/20’s RFP requirements for policy management solutions. GRC 20/20 will be releasing the following research in the next several weeks:

  • Buyer’s Guide: Policy Management Solutions. The Buyer’s Guide goes into a detailed framework in how to approach purchasing policy management platforms.
  • Strategy Perspective: Policy Management by Design. The Strategy Perspective focuses on best practices in defining a policy governance committee, framework, lifecycle, and architecture (written from context of GRC 20/20’s Policy Management by Design Workshops).
  • Online directory of Policy & Training Management Solutions. The directory lists policy and training management solutions that GRC 20/20 covers in the market and is the first part of the broader GRC Directory being rolled out in stages.
  • Market Perspective: Policy & Training Management Solutions. This details the overall drivers, trends, market size, growth, and forecasting of the Policy & Training Management Market.

I have shared my thoughts on some buying considerations of policy management solutions. I would love to hear your thoughts and reaction to this as I work on publishing this series of GRC 20/20 research.

Regulatory Change Management Maturity Model: From Ad Hoc to Agile

This is part 5, the final post in the series on regulatory change management, which is part of the broader series of posts on the Greatest GRC Challenges companies are facing today. Next we will look at changing risk environments. In the previous posts we explored:

In this post I detail GRC 20/20’s maturity model to measure regulatory change management programs to support an efficient, effective, and agile process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change.

Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.

GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes as well as information and technology architecture.

The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few if any resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:

  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within respective functions—but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information and technology architecture. Positively, there is some structure to regulatory change responsibilities—but the management of regulatory change lacks accountability as it is done largely in documents and email that lack structures of accountability and automation. Characteristics of this stage are:

  • Varied approaches to regulatory change
  • Lack of consistent structure
  • Lack of integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management and an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. There is, however, no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:

  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated into regulatory and legal content feeds. Characteristics of this stage are:

  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content automated by technology. The organization has enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts and tasks. Characteristics of this stage are:

  • Regulatory intelligence achieved through integration of analyzed content and enterprise technology
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.