Modernizing Policy Management Step-by-Step
OCEG President Carole Switzer discusses Policy Management with Russ Griggs and Mike Vidoni of Steele, a Diligent company.
SWITZER: What is the biggest challenge you see over and over again in policy management and how does using a modern policy management technology help with that?
GRIGGS: There are a number of common, primary challenges that most companies face with regard to policies but they can all be categorized into one topic: effective administration. Forget for the moment all of the external pressures and demands that drive the need for up-to-date policies. Companies simply do not have effective procedures, processes or centralized repositories to even begin to address these outside requirements. Typically, companies are trying to use ill-suited platforms (e.g. SharePoint) to desperately get a handle on this issue but they simply do not have all of the necessary features that a dedicated policy management system can and should provide. Sometimes even just finding the correct source file for a policy can be a daunting task. An excellent policy management system will provide at least the following features:
- Centralized repository for all documents
- Fully configurable to meet each company’s unique business requirements
- Definable review cycles that provide for repeatable standard processes by which to review, approve and publish documents in an automated manner with notifications to all parties
- Automatic tracking of revisions and versions with the ability to easily examine the entire history
- Coordination of everyone involved in the process to ensure they are working with the most current version and to guard against the possibility of changes being lost or overwritten
- Provide one location for capturing all other information that relates to a document beyond just its content such as: document owner, review frequency, tags, cross-reference to other documents and resources, and more
- Direct support for multiple language versions of documents
Additionally, a full-featured system will provide a number of other features that provide an easy-to-use means by which document consumers can locate and view policies, as well as facilitating the proactive soliciting of electronic attestations to certain policies or documents.
VIDONI: Policy owner accountability is a big area that I see companies often struggling with. There are so many policies within an organization, and they are often managed by different departments. Knowing when policies need to be updated and who needs to update them can be hard to track and manage with a manual process. Even when updates are made, it can be challenging to clearly see where the updates are. With this in mind, we created a system that automates this piece, so it takes the guessing out of the mix and sends reminders to the appropriate policy managers.
SWITZER: When you read about business or even governmental failures and challenges in the news, do you see examples where better policy management would have made a difference?
GRIGGS: A company’s policies, procedures, guidelines and other documents need to be living, breathing entities that are kept up-to-date and actively promoted to their intended audiences. DOJ guidelines and recent real-world examples have stressed that a policy is not just a “write it once and put it on a shelf” document. Look at the most recent impactful example that we have all been and continue to live with: COVID. Seemingly out of nowhere, it became necessary for every company to create, publish and continually update new policies to help their employees understand and navigate the constantly changing landscape of the pandemic. Suddenly, nearly entire workforces were no longer in the office and those that were going to the office were subject to almost daily new requirements. The inadequacies of how companies were attempting to handle policy management immediately made themselves painfully apparent. Without a robust policy management system as we have described, companies struggled with coordinating the efforts of document authors who were now working across various locations. Moreover, they needed to track resources (e.g. web sites) upon which they were dependent to draft their policies. Most critically, how could they get the rapidly changing updates to everyone and solicit their acknowledgments to each as required? Again, the need for a robust, dedicated policy management system became painfully obvious. Not coincidentally, we have been seeing an uptick in interest in such systems as the pandemic has continued.
VIDONI: There are a lot of companies that had to change from working in an office environment to working from home. I saw a lot of companies in the healthcare space that had challenges especially because most of their employees didn’t have job responsibilities that easily translated to a work-from-home environment and there was a lot of sensitive data that had to remain private. Companies had to quickly review all of their policies and locate all areas that would be affected by this type of change. This was certainly a labor-intensive exercise for companies who were reviewing policies manually.
SWITZER: In our conversations, you’ve talked about how Steele emphasizes the need for living metadata in policy management. Can you explain what that means and why it’s so important?
GRIGGS: As briefly mentioned before, a policy is much more than just its content. There are attributes, relationships, resources (i.e., metadata) that all define the policy from a holistic business perspective. A policy does exist in isolation -- it relates to the world around it in various ways. Here are just a few examples of what we are talking about:
- How often does the policy need to be reviewed?
- Who is the intended target audience for this document?
- What group and/or person has primary responsibility for its scope and content?
- What tags (like hashtags) can be applied to all of our documents to make them easier for consumers to cross-locate similar documents?
- Which other documents should we expressly denote as being of additional interest to consumers for easier access?
- What other documents should be automatically reviewed whenever a particular document is updated?
- What are all of the outside resources that impact the scope or content of this document?
A dedicated policy management system that provides for capturing all of this type of information as a cohesive whole not only provides one single location to find this critical data but enables the automation of business processes and document access. Overall, this supports more efficient business processes and reduces risk in both the production and consumption of a company’s policies.
VIDONI: There is a lot that goes into successfully managing and tracking policies. We always solicit feedback from our clients to understand how we can make the process easier and give them everything they need to help them provide status updates to their superiors. We keep it simple for them to use, the system keeps an audit trail, and our reporting features make it easy to get everything needed out of the system. Companies can speak with their dedicated support team or make changes on their own. It gives them the best of both worlds.
SWITZER: What do you see coming next in modernization of policy management technology?
GRIGGS: Over the last several years, companies have been embracing not only policy management tools but also others in the GRC space. These adopters have begun to reap the benefits of these dedicated offerings. Now, as the market is maturing, they can perceive the additional benefits to be had with more integration among these individual products to further improve the ROI companies are making in their Compliance organizations. The policies maintained in a dedicated policy management system serve as the basis upon which potential violations or conflicts of interest may be identified and reported. These latter domains have their own dedicated solutions. Automated and intelligent connections among these products will give Compliance groups even greater tools by which to protect companies from potential risks.
VIDONI: We like to think of our clients as our partners and I think beyond what we see, they are on the front lines and continually provide feedback that makes us and our products stronger. We are all in this together and are looking forward to continually improving the system together.