GRC Tuesdays: Unlock the Power of your Policies!
Cambridge Dictionary defines a policy as “a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party”. I feel this definition fits perfectly well in the Governance, Risk and Compliance world, where it’s usually summed up very simply as the “standard for acceptable conduct” – be it for regulatory purposes, or just internally, to ensure a process is applied as intended.
Now that we agree on this premise, let’s also agree on the pain point that I’d like to address in this blog: many organizations have more “policies” than they even know of. These are sometimes stored in SharePoint, cloud content management systems, in-house document management systems… or even worse: stored on someone’s laptop and simply sent as a PDF to a distribution list…
In this blog, I’m not going to go through recommendations on best ways to create effective policies since I think OCEG’s assets on Policy Management are far better than anything I could write!
No, in this blog I’d of course like to discuss how to best use technology to support the policy management process.
How many times have you received a new “policy” written by an unclear author, where you are not sure if it applies to you, and that you have just received as an email attachment or, better yet, as a link to a DMS that you don’t even have access to? If this has never happened to you, then consider yourself lucky!
Even if things seem to be getting better, according to PwC’s Getting ahead of the watchdogs: Real-time compliance management, only 44% of organizations used a policy management technology in 2018.
You may ask yourself: what’s the big deal? It’s just a document. But in fact, it’s much more than that.
Firstly, it can be a compliance requirement, but what good is it if you can’t show to your auditors or the regulator that you did indeed distribute it and that recipients have read and acknowledged it?
Secondly, it can be a risk response strategy. Do you have a critical risk that can’t be mitigated due to external factors? For instance, a production or extraction site located in a seismic zone? An evacuation plan could be a risk response policy: not to prevent the risk, but to minimize its impact.
Finally, it could simply be a guide to ensure that a process runs effectively.
Regardless, if you are unsure of what you received, how can you be confident that you are applying the latest version, the one that reflects all the changes in the process that have been made over time?
This is where I answer: it’s more than a document; in some cases, like the evacuation plan, it can be your lifeline, and it should be integrated into your Governance, Risk and Compliance approach.
Integrate it into your Governance, Risk and Compliance Approach
Starting with G – Governance: as per the definition earlier, it’s the standard for acceptable conduct. As such, it is fully part of the governance of the organization since the code of business conduct is a foundation that all employees have to review and sign during onboarding.
It’s sometimes the first interaction a new employee will have with the organization’s compliance efforts.
Progressing to R – Risk Management: as stated above, a policy can be used as a means of reducing the impact of a risk. If you prefer not to think about seismic zones, what about the quality procedure? This guide is designed to ensure that the risk of a deficient product being shipped to a customer is reduced. Every company that provides goods or services will have a quality policy.
Finishing with C – Compliance: in some cases, policies are actually a regulatory requirement and companies are requested to have all employees – including contractors – review and acknowledge the policy. In some cases, there is even the obligation to show that employees have understood the policy and not signed it blindly.
Now, does this still seem like “just a document”?
Take a Step Further and Automate
As stated by KPMG in their whitepaper Innovating compliance through automation: “As policies and procedures have proliferated, it has become increasingly difficult to identify the changes and to develop a clear understanding of what policies and procedures are current.
Automation can be used to track policies, procedures, communications, and changes to protocols and provide a workflow for approval and certification processes as well as provide an audit trail.”
The main question remains: what do we automate?
And here I would have a few suggestions.
- Automate the redesign => when the context changes – such as a redesign of the process – and policies become de facto obsolete, policy owners are sometimes not even aware of it. Being able to trigger notifications either when such events occur or when a stakeholder requests it will help prevent just that;
- Automate the collaboration => rarely is a policy the product of a single mind. Being able to collaborate effectively helps achieve a successful output. This of course also includes the validation step. In my experience – and this is corroborated by Cambridge’s definition above – no policy should be released unless it has been reviewed and approved. I have seen cases of policies being sent to employees that actually didn’t follow company guidelines. Conflicting policies not only create confusion, but also defiance towards the entire compliance effort the company deploys;
- Automate the delivery => who will receive it? Sending it to email addresses might suffice, but having distribution lists, user profiles, etc. will ease the process and make it repeatable over time when there are new joiners, updates to the policy and so on;
- Automate the monitoring => having a policy that has been received by an entire group of stakeholders but not knowing whether they even opened it is frustrating to say the least. Being able to automatically monitor who has acknowledged it – and, when required, who has answered a survey to ensure that they understood it – will be much more helpful. Especially when reminders need to be sent;
- Automate the measuring => to put it bluntly: this helps answer the question of whether the policy is effective or not. According to the PwC paper above: 58% of Leaders use “Frequency of policy violations” as a data point to measure the effectiveness of ethics and compliance policies and procedures. This figure falls to 51% for Fast Followers and then quickly descends to 35% for Strivers. What about the others? If no tracking of effectiveness is performed, then the policy owner won’t be able to take corrective actions to improve the policy if it fails, as they won’t be able to identify the root cause. It could be that the policy is not being understood, but it could also very well be that people are going around it because of process inefficiencies;
- Automate the testing => by putting in place controls or even by including a review of the policy during an audit cycle, the company will be able to test it and ensure that it still applies over time.
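The six automation areas above are steps of one lifecycle: a release gate that refuses to publish an unapproved policy, a revision that invalidates earlier acknowledgments, distribution to a named recipient set, acknowledgment monitoring with reminders, a violation-frequency metric, and an audit trail behind all of it. The following is an added example written for this post; it is not code from the blog or from any GRC product. All class, function and user names and the sample dates and violation records are constructed for illustration.

```python
"""Minimal policy-lifecycle tracker (illustrative, not a product):
approval gate, versioned distribution, acknowledgment monitoring,
reminders, an effectiveness metric and an audit trail."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Policy:
    policy_id: str
    title: str
    owner: str
    version: int = 1
    approved: bool = False                      # release gate: reviewed and approved
    recipients: set = field(default_factory=set)
    acknowledged: dict = field(default_factory=dict)   # user -> (version, date)
    published_on: Optional[date] = None


class PolicyRegistry:
    def __init__(self):
        self.policies: dict = {}
        self.audit_trail: list = []             # (date, event) entries, append-only

    def _log(self, when, event):
        self.audit_trail.append((when, event))

    def register(self, policy, when):
        self.policies[policy.policy_id] = policy
        self._log(when, f"{policy.policy_id} v{policy.version} drafted by {policy.owner}")

    def approve(self, policy_id, approver, when):
        p = self.policies[policy_id]
        p.approved = True
        self._log(when, f"{policy_id} v{p.version} approved by {approver}")

    def publish(self, policy_id, recipients, when):
        """Delivery is refused unless the current version has been approved."""
        p = self.policies[policy_id]
        if not p.approved:
            raise PermissionError(f"{policy_id} v{p.version} has not been approved")
        p.recipients = set(recipients)
        p.published_on = when
        self._log(when, f"{policy_id} v{p.version} sent to {len(p.recipients)} recipients")

    def revise(self, policy_id, when, reason):
        """A process change produces a new version; it must be re-approved,
        and acknowledgments of the old version no longer count."""
        p = self.policies[policy_id]
        p.version += 1
        p.approved = False
        p.published_on = None
        self._log(when, f"{policy_id} revised to v{p.version}: {reason}")
        return p.version

    def acknowledge(self, policy_id, user, when):
        p = self.policies[policy_id]
        if user not in p.recipients:
            raise ValueError(f"{user} is not a recipient of {policy_id}")
        p.acknowledged[user] = (p.version, when)
        self._log(when, f"{user} acknowledged {policy_id} v{p.version}")

    def outstanding(self, policy_id):
        """Recipients who have not acknowledged the *current* version."""
        p = self.policies[policy_id]
        return sorted(u for u in p.recipients
                      if p.acknowledged.get(u, (None,))[0] != p.version)

    def reminders_due(self, policy_id, today, grace_days=14):
        """Who to remind once the grace period after publication has elapsed."""
        p = self.policies[policy_id]
        if p.published_on is None or today < p.published_on + timedelta(days=grace_days):
            return []
        return self.outstanding(policy_id)


def violation_rate(violations, period_start, period_end, headcount):
    """Effectiveness metric: recorded policy violations per 100 employees in a period."""
    n = sum(1 for v in violations if period_start <= v <= period_end)
    return 100 * n / headcount


def run_demo():
    """Walks one policy through the lifecycle with constructed sample data."""
    reg = PolicyRegistry()
    d0 = date(2024, 1, 10)
    reg.register(Policy("POL-7", "Site evacuation plan", "hse.lead"), d0)
    try:                                        # unapproved: delivery refused
        reg.publish("POL-7", ["ana", "bo", "cy"], d0)
    except PermissionError:
        pass
    reg.approve("POL-7", "compliance.officer", d0 + timedelta(days=1))
    reg.publish("POL-7", ["ana", "bo", "cy"], d0 + timedelta(days=2))
    reg.acknowledge("POL-7", "ana", d0 + timedelta(days=3))
    reg.acknowledge("POL-7", "bo", d0 + timedelta(days=5))
    reminders = reg.reminders_due("POL-7", d0 + timedelta(days=30))
    reg.revise("POL-7", d0 + timedelta(days=40), "new assembly point")
    outstanding_after_revision = reg.outstanding("POL-7")   # everyone, again
    return reminders, outstanding_after_revision, len(reg.audit_trail)
```

The point of `revise` is the one made under “Automate the redesign”: once the process changes, prior acknowledgments refer to a version nobody should be following, so they are dropped from the outstanding calculation rather than silently kept. The audit trail is what a policy owner would hand to an auditor; nothing in the registry deletes from it.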
What about you: are there other policy management areas that you are automating? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard