GRC Tuesdays: Hidden Gems – Distributing Policies to 3rd Parties
As explained by the OCEG (formerly the Open Compliance and Ethics Group) – a global nonprofit organization and community focused on GRC topics – “Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions.” and “Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.”
As such, policies are a vital part of any Governance, Risk, and Compliance program – especially the Code of Conduct policy that establishes the dos and don’ts for employees and is often the first policy anyone signs when joining a new organization.
Many companies have also extended their Code of Conduct to 3rd parties as well, often by creating a dedicated policy and having it signed by 3rd party personnel to ensure they adhere to the very same level of ethics and integrity.
For instance, to implement a sustainable supply chain, companies could have a Supplier Code of Conduct that addresses topics relating to bribery and corruption, insider trading, fair competition, labor and human rights, health and safety, etc., and that requires signatories to uphold these commitments.
To do so, companies have 2 choices:
- Create the policy in an Office Suite document, put it on a shared drive, send it by email, and track responses
- Use a Policy Management capability to do all the heavy lifting for them!
And now come my 2 hidden gems for today: did you know that there is an embedded Policy Management module in both SAP Process Control and SAP Risk Management? And what’s more, did you know that it includes features to distribute policies to external parties and track their acknowledgements?
Distributing policies to 3rd parties…
In the Policy Management module, the policy activities (surveys, acknowledgements, quizzes) are distributed by default by email to the end-users documented in the “People” tab of the policy.
These end-user recipients can be roles, user groups, specific users or even distribution lists (this option requires LDAP).
… Even when you don’t know who the right signatory is
That’s all good, but let’s take a simple use case that can quickly become a headache. Before onboarding a new supplier, you would like to make sure that they follow your requirements in terms of Labour and Human Rights. For this, you’d like them to acknowledge your 3rd party policy on this aspect. But there’s a catch: you only have a generic address such as “info@”.
You know that your message will be forwarded internally to the right stakeholder, but you are concerned this poses 2 issues:
- The tool won’t reconcile the acknowledgement if it is completed by a recipient other than the original one
- Even if it does reconcile it, it won’t register the name of the final signatory
The good news is that both are possible in the Policy Management module!
The ability to forward these offline surveys to other recipients – while still tracking the responses and associating them with the right signatories – can be activated in the dedicated “Maintain Settings for Offline Survey Forwarding” activity in the SAP Implementation Guide (IMG).
There are 4 options available:
- No forward: the survey can only be completed by its original recipient
- Forward to delegate: the survey can be completed by the user defined as delegate in the solution
- Forward to address inside the domain: the survey can only be completed by a user with an email address in the same domain as the original recipient
- Forward to any e-mail address: the survey can be completed by any recipient
In our example above where you only have the “info@” email address, options 3 and 4 would be applicable to help your survey get to the right person.
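To make the four settings concrete, here is an added illustration (written for this post, not SAP’s own code or its actual reconciliation logic) of the decision each option implies: given the original recipient, the configured forwarding mode and the address that actually returned the survey, it decides whether the response is accepted and to whom it is attributed. The mode names, the delegate mapping and the e-mail addresses are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class ForwardMode(Enum):
    """The four IMG options, named here for illustration only."""
    NO_FORWARD = "no_forward"
    DELEGATE = "delegate"
    SAME_DOMAIN = "same_domain"
    ANY_ADDRESS = "any_address"


@dataclass
class SurveyTask:
    original_recipient: str   # address the policy activity was sent to
    mode: ForwardMode         # forwarding setting active for this survey


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or fail loudly."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return domain.lower()


def reconcile(task: SurveyTask, responder: str, delegates: dict) -> tuple:
    """Decide whether a returned survey is accepted and who it is attributed to.

    Returns (accepted, attributed_to). 'delegates' maps an original recipient
    to the set of addresses configured as its delegates (assumed structure).
    """
    responder_norm = responder.strip().lower()
    original_norm = task.original_recipient.strip().lower()

    # The original recipient is always allowed to answer, whatever the mode.
    if responder_norm == original_norm:
        return True, responder_norm
    if task.mode is ForwardMode.NO_FORWARD:
        return False, None
    if task.mode is ForwardMode.DELEGATE:
        allowed = {d.strip().lower() for d in delegates.get(original_norm, ())}
        return (True, responder_norm) if responder_norm in allowed else (False, None)
    if task.mode is ForwardMode.SAME_DOMAIN:
        # Exact domain match, case-insensitive: hr.supplier.example is NOT
        # treated as supplier.example, so a sub-domain forward is rejected.
        same = _domain(responder_norm) == _domain(original_norm)
        return (True, responder_norm) if same else (False, None)
    # ANY_ADDRESS: accept, and record who actually signed.
    return True, responder_norm
```

Note that in every accepted case the record carries the address that actually submitted the survey, which is the second of the two concerns raised above.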
Once activated, your main contact at the supplier can forward the policy activity internally to the relevant stakeholder, who can then sign it and return it directly to the solution.
2nd Line can then use the Policy Management module to track the response.
Illustrations of the process:
- The recipient of the survey activity receives the email and forwards it (the option illustrated here is “Forward to address inside the domain”)
- The new recipient receives the policy activity, completes it and submits it
- A confirmation is sent to the signatory, and the contributions are displayed in the solution together with the recipient who actually submitted the task
What about you: how does your company distribute and track policies? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill in the demo request form!