This is the second in a series of posts on buying considerations when purchasing GRC solutions. The GRC Pundit first looked at overall considerations when purchasing GRC solutions, and in this post he turns his focus to Policy Management Solutions.
Policy management is one of the hottest segments in the GRC market. This is apparent in the number of RFPs and inquiries GRC 20/20 is involved in from organizations looking for policy management platforms.
Consider that policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:
- Provide a framework of governance. Policy paints a picture of behavior, values and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
- Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
- Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.
Policies attach a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policies can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal and regulatory proceedings to place culpability. In this context, organizations are struggling with the following issues:
- Policies haphazardly managed in documents, fileshares, and poorly implemented portals
- Different departments going in different policy directions
- Lack of centralized inventory of all organization policies
- Need to have a defensible audit trail of all interactions with a policy and training
- Reactive and inefficient training programs
- Policies that do not adhere to a consistent style, template, format
- Rogue policies that put liability and exposure on the organization
- Out of date and inconsistent policies
- No tracking of policy exceptions
Many organizations lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An organization must establish policy it is willing to enforce — but also must clearly train and communicate policy to make sure that individuals understand what is expected of them.
With today’s complex business operations, global expansion, and ever-changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the policies needed to reliably achieve objectives while addressing uncertainty and acting with integrity. This is why organizations are aggressively looking at policy management platforms to address this challenge.
Basic, Common & Advanced Policy Management Solutions
GRC 20/20 has developed an extensive framework of RFP requirements for policy management platforms and advises organizations on RFP development and the solutions the organization should be considering. GRC 20/20 covers 144 solutions in the Policy & Training Management Segment of the GRC market. Eighty-eight of these solutions do policy management, and forty-four do training management (the overlap, if you add these together, is the solutions that do both). Every organization has unique requirements and expectations for policy management. GRC 20/20 has detailed over 200 requirements specific to policy and training management solutions in the GRC market. Overall, policy management solutions can be mapped into the following areas:
- Basic Policy Management Capabilities. These solutions tend to focus on the back-end of policy management: the development, approval, and maintenance of policies. Policies are typically managed as documents and imported into the system as documents or PDFs. Solutions in this area are focused on managing workflow and tasks for managing and maintaining policies. They often have some basic employee portal capabilities aimed at completing tasks such as reading policies and attestation (e.g., certification, read and understood).
- Common Policy Management Capabilities. These solutions are more built out, offering a broader range of capabilities. This includes a stronger user portal and experience to navigate policies, the ability to build forms related to policies and manage workflow and tasks around those forms, the ability to map policies to regulations and other obligations, and a move beyond treating policies as documents imported into the system by providing integrated word processing capabilities. These solutions also have capabilities to manage policy exemptions/exceptions and to measure policy compliance. While the employee experience is stronger than in solutions offering basic capabilities, the back-end management of policies is still central to these solutions.
- Advanced Policy Management Capabilities. Advanced policy management solutions have all the common attributes, but take on more advanced capabilities (note, advanced capabilities extend common capabilities and not all policy management solutions support the range of advanced capabilities). Advanced capabilities tend to put a stronger focus on the employee experience – the front-end of policy management – and not just the back-end experience. Advanced capabilities include:
- An employee portal experience that is clearly stronger, offering an intuitive, interactive, personal, and social policy experience for employees. Policies are most often treated as HTML rather than PDFs or word processing documents, and the display of policies allows for hyperlink pop-ups for clarification and resources as well as embedded training and other policy tools.
- Embedded training, in which the solution has full LMS capability to deliver training within the policy portal so employees do not have to bounce around through hyperlinks.
- Social and gamification features, in which the employee portal picks up on social aspects: employees can share policies with other employees, provide feedback and interaction on policies, and have employee avatars with badges for policy and training tasks.
- Mobility, with dedicated tablet and phone apps offering policies to employees. In fact, GRC 20/20 has been involved in several interactions with organizations looking to use tablets as policy and training kiosks for employees in retail, food and beverage, manufacturing, and logistics/transportation.
- Integration with HR management systems to push policy to new employees or to those who have changed roles in the organization.
- Integration with other GRC modules and solutions, such as incident management to map incidents to violations of policy, or risk management to map risks to policies.
- Advanced policy authoring and editing capabilities in which policy authoring is done in a browser interface with full redlining, commenting, and editing capabilities.
- Regulatory change management in which not just documents but chapter and verse of policies is mapped to chapter and verse of regulations and there are clearly defined processes to manage policies in the context of regulatory change.
- Federated policy management that allows large distributed and diversified organizations to have layers of policy management committees and groups to govern complex policy lifecycles.
These summaries of basic, common, and advanced capabilities are a sample of the attributes of these areas drawn from GRC 20/20’s broader RFP requirements and analysis of policy management solutions. Organizations need to select what best fits their needs. More advanced capabilities often come at a significantly higher cost for the policy management solution.
The most significant trend GRC 20/20 has seen in policy management RFPs and organizational needs is the shift of focus to the front-end of policy management. Historically, the requirements for policy management have been largely on the back-end management and maintenance of policies with only very basic requirements in the front-end communication and attestation of policies.
Over the past three years there has been a growing trend to put equal or more importance on the front-end communication and access of policies. This is in response to organizations desiring to create a single portal for all organization policies, engage employees, and provide defensible audit trails and compliance records. One organization even requested that the policy portal have a capability to have a green light in a corner if the policy subject matter expert is at their desk and pop-up a box to ask them a question (they used a direct analogy to online shopping with a ‘can we help you’). The overall trend is that organizations desire an engaging policy portal for employees as much as they do the back-end development of policies.
CASE IN POINT: I did the design and layout of the OCEG GRC Illustration: Engaging Employees With Interactive Policies. I have had several organizations specifically reference this illustration and state “this is what we want, who does this.”
Questions & Considerations to Ponder on Policy Management Solutions
Organizations considering policy management solutions should ask themselves the following questions to help guide them in developing requirements and engaging solution providers:
- What are my back-end policy lifecycle management requirements?
- What are my front-end policy portal and employee experience requirements?
- Is the front-end portal as important as the back-end?
- Do we want to develop policies in standard word processors and import them as documents/PDFs into the solution to manage?
- Do we want to develop policies within the solution/browser interface?
- Do we need to map policies to hotline reports, issues/incidents, controls, or risks?
- What are our requirements for regulatory change management in context of keeping policies current?
- What are our requirements for having a full audit and compliance trail of all interactions between policies and employees?
- Do we desire an integrated LMS capability to manage policies and training as a collective whole in an integrated portal?
- Do we need the capability to manage policy related forms and manage those forms through workflow and tasks for review and approval/disapproval (e.g., gifts and entertainment, conflict of interest, medical leave, political contributions)?
- What are our mobility requirements for policy and training on tablets and smartphones?
- Do we need to integrate with HR management systems to automate the communication of policies to new employees and those that have changed roles?
- Do we need features of socialization and gamification on the policy portal?
- What are our internationalization and language requirements for both the back-end management of policies and the front-end policy portal?
- What are our requirements to track and manage policy exceptions and exemptions?
- Do we need a solution that can support federated policy management to address the need for multiple layers of policy committees and a complex policy lifecycle?
These are a subset of a broader set of questions that will be categorized and mapped in the forthcoming Buyer’s Guide: Policy Management Solutions, and are further detailed in GRC 20/20’s RFP requirements for policy management solutions. GRC 20/20 will be releasing the following research in the next several weeks:
- Buyer’s Guide: Policy Management Solutions. The Buyer’s Guide goes into a detailed framework in how to approach purchasing policy management platforms.
- Strategy Perspective: Policy Management by Design. The Strategy Perspective focuses on best practices in defining a policy governance committee, framework, lifecycle, and architecture (written from the context of GRC 20/20’s Policy Management by Design Workshops).
- Online directory of Policy & Training Management Solutions. The directory lists policy and training management solutions that GRC 20/20 covers in the market and is the first part of the broader GRC Directory being rolled out in stages.
- Market Perspective: Policy & Training Management Solutions. This details the overall drivers, trends, market size, growth, and forecasting of the Policy & Training Management Market.
I have shared my thoughts on some buying considerations of policy management solutions. I would love to hear your thoughts and reaction to this as I work on publishing this series of GRC 20/20 research.