Strengthening Your Policy Management Framework

[button link=”http://info.metricstream.com/policy-management-framework.html?Channel=Webinar_MR”]REGISTER[/button]

[tabs style=”default”] [tab title=”Summary”]

With increasing regulatory oversight and legal obligations, global expansion and the spike in employee lawsuits, a well-defined policy management and awareness program is vital to enable an organization to effectively develop, communicate, and maintain policies. Since policies are a dynamic body of shared knowledge which can strengthen the corporate culture, the need of the hour is to adopt a more streamlined and standardized approach to policy management and its implementation.

Join this webinar, where our experts share insights on:

  • Strategy and architecture to manage the ecosystem of policies
  • Why policy is an integral part of an organization’s GRC initiative
  • How a solid technology platform can help in managing policies effectively

[/tab] [tab title=”GRC 20/20 Presenter”]

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

[/tab] [tab title=”Webinar Sponsor”]

MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Our market-leading enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance.

The MetricStream GRC Journey methodology integrates GRC technologies and programs across business, IT, and security functions as we enable organizations to realize the vision of Pervasive GRC. Rich content from GRCIntelligence.com and thriving communities like ComplianceOnline.com, as well as MetricStream Special Interest Groups (mSIGs) support the ongoing success of our customers through real-time content feeds and best practices embedded in our Apps.

Leading companies across industry verticals are benefiting from MetricStream’s simple and modular approach to GRC that is transforming risk management in a business environment that is increasingly mobile, social, global, and virtual. We have been consistently rated as a market leader by leading analysts, and have received several awards and recognitions for product innovation and customer success.

[/tab][/tabs]

Policy Management by Design Workshop, Dallas

Blueprint for an Effective, Efficient & Agile Policy Management Program

[button link=”https://www.eventbrite.com/e/policy-management-by-design-workshop-tickets-27415920757″]REGISTER[/button]

[tabs style=”default”] [tab title=”Overview”]

In order to achieve effectiveness, efficiency, and agility in policy management, organizations need to define a structured governance framework and process. Designing a mature policy management program and processes that align with the organization requires an understanding of what the organization is about, how it operates and how it should be monitored and controlled. Policy management by design requires a structured approach in context of how the organization operates. This is done through defining the right process, information and technology architecture for policy management.
 
Policies must be in place so the organization can:
  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters
However, effectively managing policies is easier said than done. Ad hoc or passive approaches mean that policies are outdated, scattered across the organization, and inconsistent, resulting in confusion for recipients and a nightmare to manage. Organizations often lack a complete inventory of policies because so many departments have gone in different policy directions. Further, there is significant concern about rogue policies: anyone can create a document and call it a policy, which may put a legal duty of care upon the organization.
 
The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management. It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation, and understanding of policies across the organization. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to govern policies and implement an effective policy management lifecycle.
 
This workshop aims to provide a blueprint for attendees on effective policy management in a dynamic business, regulatory, and risk environment. Attendees will learn policy management governance and process that can be applied across the organization at either an enterprise or a department level.

[/tab] [tab title=”Agenda”]

PART 1 – Policy by Design: Why Policies Matter
  • Policies in Disarray: how organizations mismanage policies
  • Policy Exposure: how mismanaged policies expose the organization to risk
  • What Effective Policy Management Achieves: policy management’s role in governance, risk management, and compliance
  • Case Study in Effective Policy Management: a look at Morgan Stanley
  • Interactive Group Discussions
PART 2 – Policy Governance: Blueprint for Effective Policy Management
  • Policy Committee & Collaboration: bringing together the range of policy roles and responsibilities in the organization
  • Policy Management Charter: defining a structure to govern policies
  • Meta Policy: the policy on writing policies
  • Style Guide: ensuring policies are written consistently to the organization’s voice
  • Interactive Group Exercise
PART 3 – Policy Management Lifecycle: Managing Policies from Creation to Dissolution
  • When to Write a Policy: Framework to Determine Need for a Policy
  • Policy Development and Approval: Policy Authoring, Review, Editing, and Approval
  • Policy Communication: Policy Awareness, Communication, Training and Attestation
  • Policy Monitoring: Managing Exemptions, Exceptions, and Conformance to Policies
  • Policy Metrics & Maintenance: Measuring Policy Effectiveness and Keeping Policies Current
  • Interactive Group Exercise
PART 4 – Policy Management Architecture: Enabling Information & Technology Management of Policies
  • Policy Management Information Architecture: Blueprint for Managing Policy Content and Related Data
  • Policy Management Technology Architecture: Blueprint for Enabling Policy Processes with Technology
  • Policy Management Business Case: Articulating the Value of Effective Policy Management
  • Interactive Group Discussion

[/tab] [tab title=”Objectives & Benefits”]

Attendees will take back to their organization approaches to address:

  • Define a process lifecycle for managing policies
  • Establish policy ownership and accountability
  • Provide policy consistency in style and language
  • Communicate policies across extended business relationships
  • Track policy attestation
  • Deliver effective training
  • Monitor metrics to establish effectiveness
  • Identify issues with policies
  • Map policies to objectives, risks, controls, issues, and other GRC areas

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to internal control management
  • Implement internal control management in the context of business strategy, process, and operations
  • Explore internal control management architecture models and how they apply to your organization
  • Discover various internal control assessment and monitoring techniques and how they apply to your business
  • Develop an internal control information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on internal controls across your organizations

[/tab] [tab title=”Who Should Attend”]

Who should attend?

  • Chief Compliance Officers
  • Chief Risk Officers
  • Senior Managers in Compliance/Ethics
  • Legal
  • Policy Managers/Administrators
  • Individuals with policy management, approval or oversight responsibilities

[/tab] [tab title=”Instructor”]

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

[/tab] [tab title=”Workshop Sponsor”]

LockPath® was created by GRC experts who recognized the need for intuitive GRC software that was flexible and scalable to serve ever-changing and expanding organizations.
In addition to the company’s founders, LockPath’s executive team comprises top industry professionals in the fields of software development, accounting and consulting, cybersecurity, financial services, market development and other industries. LockPath employs dozens of talented professionals and has several open positions.
LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises across industries. Along with their ecosystem of technology and channel partners, LockPath provides unparalleled customer satisfaction from initial project discovery discussions to ongoing customer support.

[/tab] [/tabs]

Policy Management by Design, Boston

Blueprint for an Effective, Efficient & Agile Policy Management Program

[button link=”http://join.reged.com/policy-management-by-design-boston-7-13-2016″]REGISTER[/button]

[tabs style=”default”] [tab title=”Overview”]

In order to achieve effectiveness, efficiency, and agility in policy management, organizations need to define a structured governance framework and process. Designing a mature policy management program and processes that align with the organization requires an understanding of what the organization is about, how it operates and how it should be monitored and controlled. Policy management by design requires a structured approach in context of how the organization operates. This is done through defining the right process, information and technology architecture for policy management.
 
Policies must be in place so the organization can:
  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters
However, effectively managing policies is easier said than done. Ad hoc or passive approaches mean that policies are outdated, scattered across the organization, and inconsistent, resulting in confusion for recipients and a nightmare to manage. Organizations often lack a complete inventory of policies because so many departments have gone in different policy directions. Further, there is significant concern about rogue policies: anyone can create a document and call it a policy, which may put a legal duty of care upon the organization.
 
The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management. It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation, and understanding of policies across the organization. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to govern policies and implement an effective policy management lifecycle.
 
This workshop aims to provide a blueprint for attendees on effective policy management in a dynamic business, regulatory, and risk environment. Attendees will learn policy management governance and process that can be applied across the organization at either an enterprise or a department level.

[/tab] [tab title=”Agenda”]

PART 1 – Policy by Design: Why Policies Matter
  • Policies in Disarray: how organizations mismanage policies
  • Policy Exposure: how mismanaged policies expose the organization to risk
  • What Effective Policy Management Achieves: policy management’s role in governance, risk management, and compliance
  • Case Study in Effective Policy Management: a look at Morgan Stanley
  • Interactive Group Discussions
PART 2 – Policy Governance: Blueprint for Effective Policy Management
  • Policy Committee & Collaboration: bringing together the range of policy roles and responsibilities in the organization
  • Policy Management Charter: defining a structure to govern policies
  • Meta Policy: the policy on writing policies
  • Style Guide: ensuring policies are written consistently to the organization’s voice
  • Interactive Group Exercise
PART 3 – Policy Management Lifecycle: Managing Policies from Creation to Dissolution
  • When to Write a Policy: Framework to Determine Need for a Policy
  • Policy Development and Approval: Policy Authoring, Review, Editing, and Approval
  • Policy Communication: Policy Awareness, Communication, Training and Attestation
  • Policy Monitoring: Managing Exemptions, Exceptions, and Conformance to Policies
  • Policy Metrics & Maintenance: Measuring Policy Effectiveness and Keeping Policies Current
  • Interactive Group Exercise
PART 4 – Policy Management Architecture: Enabling Information & Technology Management of Policies
  • Policy Management Information Architecture: Blueprint for Managing Policy Content and Related Data
  • Policy Management Technology Architecture: Blueprint for Enabling Policy Processes with Technology
  • Policy Management Business Case: Articulating the Value of Effective Policy Management
  • Interactive Group Discussion

[/tab] [tab title=”Objectives & Benefits”]

Attendees will take back to their organization approaches to address:

  • Define a process lifecycle for managing policies
  • Establish policy ownership and accountability
  • Provide policy consistency in style and language
  • Communicate policies across extended business relationships
  • Track policy attestation
  • Deliver effective training
  • Monitor metrics to establish effectiveness
  • Identify issues with policies
  • Map policies to objectives, risks, controls, issues, and other GRC areas

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to internal control management
  • Implement internal control management in the context of business strategy, process, and operations
  • Explore internal control management architecture models and how they apply to your organization
  • Discover various internal control assessment and monitoring techniques and how they apply to your business
  • Develop an internal control information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on internal controls across your organizations

[/tab] [tab title=”Who Should Attend”]

Who should attend?

  • Chief Compliance Officers
  • Chief Risk Officers
  • Senior Managers in Compliance/Ethics
  • Legal
  • Policy Managers/Administrators
  • Individuals with policy management, approval or oversight responsibilities

[/tab] [tab title=”Instructor”]

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

[/tab] [tab title=”Workshop Sponsor”]

RegEd is a leading provider of compliance technology solutions with relationships with more than 400 enterprise clients, including 80% of the top 25 broker-dealers and top 25 insurance companies. Established in 1994 by former regulators, the company is a recognized industry authority and has created the standard of excellence for rule-based and content-driven compliance automation for insurance companies, investment advisors and broker-dealers. RegEd solutions drive new levels of operational efficiency and enable firms to cost-effectively comply with regulations and mitigate risk. For more information, visit www.reged.com.

[/tab] [/tabs]

Keeping Policies Relevant in the Midst of Business Changes

[button link=”http://info.metricstream.com/policy-management-dynamic-organization.html”]Register[/button]

[tabs style=”default”] [tab title=”Summary”]

Businesses are dynamic and in a constant state of flux. Strategy, processes, technology, and employees transform faster than the speed of light. In this context, if not managed properly, organizational policies quickly become forgotten, irrelevant, or outdated. Policies, which are critical governance documents of an organization that establish a legal duty of care, are often haphazardly managed. These challenges grow in the midst of continuous organizational change and evolution. Significant events such as mergers and acquisitions bring in completely redundant or conflicting policies that remain indefinitely in the new organization. Unceasing change in employees with new ones entering the organization while existing employees shift and change roles and departments creates a significant challenge to keep employees fully aware of the policies in the context of their new role.

This webinar educates attendees on how to keep policies relevant and understood in the context of the continuously evolving organization. Attendees will learn processes and the role of a supporting information and technology architecture that enables the organization to keep policies current and relevant as well as understood across their dynamic organization.

[/tab] [tab title=”Objectives”]

Objectives of this webinar include:

  • Get a grip on business change and how it relates to policies
  • Develop a master policy index
  • Define processes that trigger policy review in context of change
  • Understand how to harmonize policies in the midst of mergers and acquisitions
  • Implement an information and technology architecture to support policy management in a dynamic environment

[/tab] [tab title=”GRC 20/20 Presenter”]

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

[/tab] [tab title=”Webinar Sponsor”]

MetricStream

MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Our market-leading enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance.

[/tab][/tabs]

How to Purchase Policy Management Solutions

The policy and training management technology enables and operationalizes effective, efficient and agile policy management and awareness. The goal of this technology is to operationalize the policy management processes and communication. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There should be an enterprise platform for policy and training management that connects the fabric of the policy management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements.

Organizations have the following policy management choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions.  Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organizations end up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms.  Many of the leading enterprise GRC platforms have policy and training management modules.  However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform.  This can be an enterprise implementation of a point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management.  This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training solution choice for an organization often involves integration with ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple departments, or just one department as appropriate. Organizations need a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy management platform approach enables better performance, less expense and more flexibility.  Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. It often requires information from human resources, vendor management systems and other sources to automatically maintain a single record, so the platform must integrate with the technologies and competencies that already exist in the organization, particularly ERP and GRC systems. The ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert, establishing workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policies and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, to support analysis, and to maintain holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management is adopting leading concepts in interface design to make the user experience of applications simpler, easier to navigate, aesthetically appealing, and less complex.
  • Socialization and collaboration. Collaboration and socialization is used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making: getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage with policies and training to gain points, accomplish levels, earn badges, and receive recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding; as a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity, as well as to broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.
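
The organization-management, training-management, notification and audit-trail capabilities above describe one mechanism from several angles: policies are mapped to the parts of the organization they apply to, attestations are recorded against a specific policy version, a revised policy or a role change produces new assignments, overdue assignments escalate, and every step is logged. The following is an added example illustrating that mechanism in a small Python model; it is not code from MetricStream, LockPath, RegEd or GRC 20/20, and every policy, role, employee and date in it is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    policy_id: str
    title: str
    version: int
    roles: frozenset  # roles within the organization the policy applies to


@dataclass
class Employee:
    employee_id: str
    roles: set


class PolicyRegistry:
    """System of record: current policies, who they apply to, per-version
    attestations, assignment dates, and a who/what/when audit trail."""

    def __init__(self):
        self.policies = {}      # policy_id -> current Policy
        self.employees = {}     # employee_id -> Employee
        self.attested = set()   # (employee_id, policy_id, version)
        self.assigned = {}      # (employee_id, policy_id, version) -> date assigned
        self.audit_trail = []   # (when, who, what, target)

    def _log(self, when, who, what, target):
        self.audit_trail.append((when, who, what, target))

    def publish(self, policy, actor, today):
        # A new version never touches old attestation records; they simply
        # stop counting because outstanding() compares against the current version.
        self.policies[policy.policy_id] = policy
        self._log(today, actor, "publish v%d" % policy.version, policy.policy_id)
        self.refresh_assignments(today)

    def revise(self, policy_id, actor, today):
        old = self.policies[policy_id]
        new = Policy(old.policy_id, old.title, old.version + 1, old.roles)
        self.publish(new, actor, today)
        return new

    def add_employee(self, employee, actor, today):
        self.employees[employee.employee_id] = employee
        self._log(today, actor, "add employee", employee.employee_id)
        self.refresh_assignments(today)

    def change_roles(self, employee_id, new_roles, actor, today):
        # A promotion or transfer re-evaluates which policies apply.
        self.employees[employee_id].roles = set(new_roles)
        self._log(today, actor, "roles -> %s" % sorted(new_roles), employee_id)
        self.refresh_assignments(today)

    def applicable(self, employee_id):
        roles = self.employees[employee_id].roles
        return [p for p in self.policies.values() if p.roles & roles]

    def refresh_assignments(self, today):
        # Record when each (employee, policy, version) first became due;
        # setdefault keeps the original date for assignments already open.
        for emp_id in self.employees:
            for p in self.applicable(emp_id):
                self.assigned.setdefault((emp_id, p.policy_id, p.version), today)

    def attest(self, employee_id, policy_id, today):
        p = self.policies[policy_id]
        if p not in self.applicable(employee_id):
            raise ValueError("%s does not apply to %s" % (policy_id, employee_id))
        self.attested.add((employee_id, policy_id, p.version))
        self._log(today, employee_id, "attest v%d" % p.version, policy_id)

    def outstanding(self, employee_id):
        """Policy ids the employee still has to attest to at the current version."""
        return sorted(p.policy_id for p in self.applicable(employee_id)
                      if (employee_id, p.policy_id, p.version) not in self.attested)

    def escalations(self, today, grace_days):
        """Open assignments older than the grace period, i.e. what a reminder
        and manager-escalation notification would be generated for."""
        late = []
        for (emp_id, pid, ver), assigned_on in self.assigned.items():
            current = self.policies[pid]
            if ver != current.version or (emp_id, pid, ver) in self.attested:
                continue
            if current not in self.applicable(emp_id):
                continue  # role changed away; no longer due
            if (today - assigned_on).days > grace_days:
                late.append((emp_id, pid))
        return sorted(late)


def demo():
    # Constructed scenario: one staff member attests, is moved into IT, then a policy is revised.
    reg = PolicyRegistry()
    d0 = date(2016, 6, 1)
    reg.publish(Policy("POL-IT-001", "Acceptable Use", 1, frozenset({"staff", "it"})), "policy-admin", d0)
    reg.publish(Policy("POL-IT-002", "Privileged Access", 1, frozenset({"it"})), "policy-admin", d0)
    reg.add_employee(Employee("e100", {"staff"}), "hr", d0)
    reg.attest("e100", "POL-IT-001", d0 + timedelta(days=3))
    after_attest = reg.outstanding("e100")
    reg.change_roles("e100", {"it"}, "hr", d0 + timedelta(days=10))
    after_promotion = reg.outstanding("e100")
    reg.revise("POL-IT-001", "policy-admin", d0 + timedelta(days=20))
    after_revision = reg.outstanding("e100")
    late = reg.escalations(d0 + timedelta(days=30), grace_days=14)
    return {"after_attest": after_attest, "after_promotion": after_promotion,
            "after_revision": after_revision, "escalations": late,
            "audit_events": len(reg.audit_trail)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Keying attestations on the policy version rather than the policy id is what makes "reschedule training if a policy is updated" fall out naturally: nothing is deleted, the old attestation simply no longer satisfies the current version, and the audit trail still shows exactly who attested to what and when.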

More on this topic will be presented in next week’s Research Briefing: How to Purchase Policy Management Solutions

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop, maintain, communicate, and train on policies. This is why organizations are aggressively looking at policy management platforms to address this challenge, and is apparent in the number of RFPs and inquiries GRC 20/20 is involved in with organizations looking for policy management platforms.

In this Research Briefing, 2015 How to Purchase Policy Management Solutions, GRC 20/20 will provide a synthesis of what organizations should consider when purchasing policy management solutions. Attendees will learn what a policy management system does and what are basic, common, and advanced features of a policy management platform. This will be supported by a framework (decision-tree) of considerations to guide an organization when purchasing policy management solutions.

[button link=”http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-policy-management-solutions/” color=”default”]REGISTER[/button]


GRC Architecture to Manage Regulatory Change

This is part 4 on the topic of regulatory change management.  In the previous posts we explored:

In this post I detail the information and technology architecture needed to support an efficient, effective, and agile regulatory change management process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change


Effectively managing regulatory change is done with a GRC information and technology architecture to improve processes and transform manual document and email-centric processes. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.


Regulatory Change Management Architecture Goals

A GRC information and technology architecture helps the organization to manage regulatory change to:

  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick off workflows and tasks to the right SME when a change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.

The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.

Regulatory Change Management Architecture Considerations

In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following three questions:

  1. How adaptable is the regulatory taxonomy?  The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
  2. How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feeds that the solution offers. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
  3. How strong is the technology? As stated, a lot of solutions can do workflow and task management for regulatory change, so the evaluation of the technology itself needs to go deeper into the system’s ability to integrate regulatory intelligence feeds, conduct business impact analysis, and connect and understand the relationships of regulatory impact to policies, processes, and risks. Of particular importance is the user experience. SMEs across the enterprise may or may not be technical gurus; the overall user experience should be intuitive and natural.
    • Deficient technology involves documents and spreadsheets, with email used as the workflow and task management tool. The organization struggles with things getting missed and not having a structured system of accountability.
    • Moderate technology provides a system of accountability with basic workflow and task management, but the integration of regulatory developments/updates is a manual entry system that is time-consuming and taxing on resources.
    • Strong technology for regulatory change management has enterprise content, workflow and task management capabilities with integration to actionable regulatory content.  It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements.

Regulatory Change Management Architecture Capabilities

All of these elements are critical, which is why they come together in a GRC architecture or platform for regulatory change management. Some solutions in the GRC space are delivering across these three elements and are being used to gather regulatory information, weed out irrelevant information, and route critical information to the SMEs responsible for making a decision on a particular topic. At a minimum this requires workflow and task management capabilities, but mature systems provide direct integration with regulatory content aggregators. These aggregators manage regulatory profiles and provide data about relevant new developments that can be routed to the individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process.

Specific capabilities to be evaluated in a GRC solution for regulatory change management include:

  • Regulatory intelligence content.  At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide the interface to content to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria, within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods, and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact, and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed or deactivated, the solution assesses the impact of the change, and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted and if notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
  • Reporting capabilities. The solution should provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned which tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the other aspects of the platform, including risks, policies, controls, and more, the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Defining a Regulatory Change Management Process

This is part 3 on the topic of regulatory change management. In the previous posts we explored the pressure organizations are under in the context of regulatory change; in this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.


Organizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment.

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas, with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates. To achieve this, financial services organizations must develop a process for collaboration, accountability, and integration between regulatory intelligence content providers within a GRC information and technology architecture. A well-defined regulatory change management process includes:

  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud).  Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository maps into the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability—making sure the right information gets to the right person, who has the knowledge of the regulation and its impact on the organization. This requires the identification of SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes to address change requirements.
  • Regulatory content feeds. To support the process of regulatory change management, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as from law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, a summary of the change, the impact on typical financial services organizations, and recommendations with suggested actions for response. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability to intake regulatory changes from content feeds and route them to the right subject matter expert for review and analysis. This is extended by getting others involved in review and response and requires some standardized workflow and task management with escalation capabilities when items are past due. The process needs to track accountability on who is assigned what tasks; establish priorities; and determine appropriate course of action.
  • Metrics, dashboarding & reporting. To govern and report on the regulatory change management process the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.
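The taxonomy, repository, SME ownership, routing, impact analysis and audit trail described in the process elements above (and in the architecture capabilities of part 4) can be sketched as one small data model. The following is an added illustration, not GRC 20/20’s or any vendor’s code; the regulation identifiers, SME names, SLA days and sample mappings are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review deadline in days, derived from the initial criticality ranking of a change
# (constructed SLA values; the text names the idea, not the numbers).
SLA_DAYS = {"high": 2, "medium": 10, "low": 30}
INTAKE_OWNER = "compliance-intake"   # fallback queue when a taxonomy area has no SME


@dataclass(frozen=True)
class Regulation:
    reg_id: str
    title: str
    regulator: str
    jurisdiction: str
    categories: tuple        # taxonomy areas; one regulation may link into several


@dataclass
class Repository:
    """Regulatory taxonomy and repository with links to other GRC objects."""
    regulations: dict = field(default_factory=dict)
    sme_by_category: dict = field(default_factory=dict)   # taxonomy area -> accountable SME
    links: list = field(default_factory=list)             # (reg_id, object_type, object_id)
    audit_trail: list = field(default_factory=list)       # (action, reg_id, owner)

    def add_regulation(self, reg):
        self.regulations[reg.reg_id] = reg
        self.audit_trail.append(("catalogued", reg.reg_id, None))

    def link(self, reg_id, object_type, object_id):
        # Map a regulation to an internal policy, control, training item, process, ...
        self.links.append((reg_id, object_type, object_id))

    def impact_analysis(self, reg_id):
        """Return every internal object mapped to the regulation, grouped by type."""
        impact = {}
        for rid, object_type, object_id in self.links:
            if rid == reg_id:
                impact.setdefault(object_type, set()).add(object_id)
        return {k: sorted(v) for k, v in sorted(impact.items())}

    def route_change(self, event):
        """Turn one regulatory-intelligence event into SME tasks with deadlines.

        event: {"reg_id", "change": "new"|"amended"|"repealed", "criticality", "received": date}
        One task is created per taxonomy area the regulation is indexed under, so each
        accountable SME sees the change together with the objects it touches.
        """
        reg = self.regulations.get(event["reg_id"])
        if reg is None:
            # Unknown regulation: park it for manual triage rather than dropping it.
            due = event["received"] + timedelta(days=SLA_DAYS["high"])
            self.audit_trail.append(("triage", event["reg_id"], INTAKE_OWNER))
            return [{"owner": INTAKE_OWNER, "reg_id": event["reg_id"],
                     "needs_reroute": True, "due": due, "impact": {}}]
        due = event["received"] + timedelta(days=SLA_DAYS[event["criticality"]])
        impact = self.impact_analysis(reg.reg_id)   # repeals are assessed the same way
        tasks = []
        for category in reg.categories:
            owner = self.sme_by_category.get(category, INTAKE_OWNER)
            tasks.append({"owner": owner, "reg_id": reg.reg_id, "category": category,
                          "change": event["change"], "due": due, "impact": impact,
                          "needs_reroute": owner == INTAKE_OWNER})
            self.audit_trail.append(("assigned", reg.reg_id, owner))
        return tasks


def build_sample_repository():
    """Constructed sample data: two regulations, two SMEs, one unowned taxonomy area."""
    repo = Repository()
    repo.sme_by_category.update({"aml": "sme.aml", "privacy": "sme.privacy"})
    repo.add_regulation(Regulation("REG-1", "Customer due diligence rule",
                                   "Regulator A", "EU", ("aml",)))
    repo.add_regulation(Regulation("REG-2", "Record retention rule",
                                   "Regulator B", "US", ("aml", "privacy", "fraud")))
    repo.link("REG-1", "policy", "POL-KYC")
    repo.link("REG-2", "policy", "POL-RETENTION")
    repo.link("REG-2", "control", "CTL-ARCHIVE")
    repo.link("REG-2", "training", "TRN-RECORDS")
    return repo


def demo():
    """Route one amendment and one unknown regulation through the sample repository."""
    repo = build_sample_repository()
    received = date(2015, 3, 2)
    tasks = repo.route_change({"reg_id": "REG-2", "change": "amended",
                               "criticality": "high", "received": received})
    unknown = repo.route_change({"reg_id": "REG-9", "change": "new",
                                 "criticality": "low", "received": received})
    return {"repo": repo, "tasks": tasks, "unknown": unknown}


if __name__ == "__main__":
    for task in demo()["tasks"]:
        print(task["owner"], task["category"], task["due"], task["impact"])
```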

Figure: Types of Metrics & Examples

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process they expect to be:

  • Effective. They seek to have a greater understanding of changing regulatory requirements and their impact on the organization. This enables the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing, and monitoring regulatory change, and allows it to demonstrate evidence of good compliance practices.
  • Efficient. They seek to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
  • Agile. They seek to turn a dynamic and changing environment into a competitive advantage over competitors that are handicapped by the same change. This requires the organization to understand how the regulatory environment affects the organization and its strategy, and how to adapt quickly and be responsive to new developments before competitors are.

The full paper on this topic in the context of financial services can be found here.


2014 GRC Technology Innovation Award: ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

ngCompliance’s innovation is the ability to automate the analysis of regulatory changes against the organization’s policies and procedures. The solution is called Sherlock, and it makes regulatory change management and mapping elementary and deductive. Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand and the organization’s policies, processes, and procedures on the other. This mapping can be used to demonstrate whether the organization operates in line with regulatory requirements, and it can disclose gaps. Whenever there is a regulatory change, it can be used to quickly identify the impact on business areas, policies, and procedures and initiate a change management process to realign in a timely manner. Remarkably, the system does so cross-lingually, allowing organizations to map and analyze policies written in other languages (for example, Chinese) against regulations written in English.

This automates what has historically been a manual process of cross-referencing policies to regulations within GRC solutions or within documents and spreadsheets to prove to regulators that all policies and procedures are in line with rules and regulations. ngCompliance’s innovation significantly reduces the manual work as initial mapping is generated by their Sherlock system. The mapping should be reviewed by subject matter experts, but it significantly reduces the work of building mappings manually.

Organizations that adopt this innovation no longer need to allocate this task to a large workforce. This allows for reduced cost and time spent in the administrative activities of compliance, regulatory change, and policy maintenance. Once Sherlock creates a mapping, it allows the user to evaluate the mapping and confirm its correctness or make adjustments. Any time there is a regulatory change, the system presents the user with an impact analysis of which policies or steps in procedures are impacted. Because the user sees both the policy text and the related legislation or regulation change, the user can immediately give the appropriate advice on the required changes and start the necessary change management workflows.

As the regulatory mapping functionality can also be used to verify norms against contracts, the system can also identify the highest-risk contracts and pull them up. In combination with analytics on the risk in third-party relationships, it alerts on high-risk third parties that need review and facilitates mitigating controls on the relationship (e.g., change management on the contract).

The system reads the regulation and analyzes the text. Based on text analytics, definitions of financial and legal terms are extracted from the article and converted into a tree representation. The same is done for paragraphs of policies and steps of procedures. Because both sides are converted to a common definitions structure, the comparison takes synonyms and differences between languages into account. A mapping engine compares the definition trees and builds appropriate connections between legislation/regulation text and policy/procedure text. When employees look at policies, they are also able to see the related regulations. The context that is built during analysis of the texts is used to make sure the connections match their contexts; e.g., articles applicable to organizations with a banking license are only shown once the process is within the organization of a bank.

Sherlock keeps track of all history, which can be used to look back in time and verify the alignment of organizational procedures with applicable legislation and regulation. In this way it is easy to demonstrate the level of compliance of the organization at any given moment in the past. Sherlock comes with a unique feature that can create the initial mapping from rules to internal policies and procedures, regardless of the number of jurisdictions it has to take into account or the number of languages it has to deal with. In this way Sherlock contributes to a significant decrease in the organization’s administrative burden.

The Sherlock solution allows for adding web locations used by regulators or other organizations that publish regulatory information, in addition to your normal regulatory feeds. The synchronization functionality ensures that the regulatory information stored in the database is always accurate without the need to maintain it manually. In addition, a historical trail of regulatory developments is maintained. Any information found on the web that seems relevant to Compliance can be included in the legal framework, either by means of the synchronization functionality or the quick-browse-and-add feature of Sherlock. When a regulatory change enters the legal framework in Sherlock, or when the legal framework detects a change on a regulator’s site it is monitoring, the solution notifies the user according to specified needs: on the dashboard, in the task inbox, by email, or via the compliance wiki. The solution can filter and sort on relevance, and can even distribute to different users based on jurisdiction, language, topic, or expertise.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients


2014 GRC Technology Innovation Award: True Office Engages Employees Through Interactive GRC Learning Experience

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

True Office Engages Employees Through Interactive GRC Learning Experiences

Impacting and driving true learning among the employees, consultants, and partners of major firms around compliance and risk management is the “last mile” of GRC. The missing link in organizational training is two-fold: (1) are people truly learning, and (2) how do you measure not only the learning but the potential risk to the organization if complex policies are not understood? After considerable investment is made in managing risks and controls, it is important that an organization’s workforce — the front line of the business — is able to learn the policy and its effect on the company’s business outcomes in order to ‘walk the walk’ on a daily basis.

True Office is demonstrating innovation in impactful, gamified training solutions applied to compliance and risk management, professional development, and customer proficiency. True Office, with its ability to bring dry policy to life, engage learners, and measure their efficacy through rich, comprehensive analytics, is paving the way for a new era of Policy and Training Management.

True Office’s current focus enlarges their overall scope to bring greater satisfaction through “content transformation” of existing client content based on four interactive learning frameworks. A customer engagement may consist of training on topics such as Anti-corruption, Workplace Harassment and Data Privacy. However, clients also possess their own unique policies and processes which True Office is able to bring to life, through an impactful experience, in which employees that must execute these policies can truly learn.

The solution offers proof that improved efficacy is actually happening, as well as highlighting the “hot spots” requiring additional learning and development.

The True Office solution has already seen “real-world” application spanning over 90,000 users, 12 languages, and multiple industries. Modules are designed to take 10-20 minutes across True Office’s 4 Interactive Learning Frameworks. Based on the learning framework and corresponding business outcome, the learner is placed in different situations where “they” take an active role in the learning—through dialogue, trend analysis, making decisions, or answering questions. By interacting with the module, the underlying analytics indicate their level of understanding of the policy.

True Office is a cloud-based software solution, compatible with a client’s own Learning Management System (LMS) interfacing with the True Office Analytics server. Individual users are presented a web-based login either on their desktop/laptop computer or through HTML5 via an iOS device (e.g., mobile or tablet).

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients