Is your business hands-on or hands-off when it comes to policy lifecycle management?
Policies are a critical part of GRC (governance, risk, and compliance) programs, setting parameters on everything from staff conduct to business processes and transactions. And in an evolving legislative and regulatory landscape, policies need to be constantly assessed for their suitability and relevance.
Policies also must be easy to find. All employees need to know where to locate current policies and practices, so they always know what’s expected.
In practice, however, organizations get complacent. Policies are created, approved … and too often filed away.
A Lifecycle Approach to Policy Management
Hanging on to outdated, ineffective policies is a liability. According to Michael Rasmussen, GRC Pundit – and frequent guest of Riskonnect’s Risk@Work educational webinar series – organizations often fail to manage policies across their entire lifecycle, which can cause problems.
“This results in policies that are out of date, ineffective, and not aligned to business needs. It further opens the doors of liability, as an organization may be held accountable for the policies it has in place that are not appropriate or that it is not compliant with.”
Michael Rasmussen, GRC Pundit
Without a structured and coordinated approach to policy lifecycle management, your business could send conflicting messages to employees and regulators. This not only leaves your organization exposed to greater risk, but it could result in culpability in the eyes of regulators.
Common Challenges to Policy Lifecycle Management
The sheer number of policies within any business means there is a lot to keep up with. Here are seven challenges that often get in the way of effective policy management:
- Manual upkeep. When policies are managed manually in Word documents, it’s difficult to know which version is the most current.
- Inaccessibility. If policies are held in many different places, it can be hard for employees to find what they need.
- Conflicting policies. When departments develop their own policies, you might end up with a range of overlapping or conflicting policies that don’t align with other functions.
- Hard to understand. Without a consistent format, style, and plain-speaking language, the meaning of your policies – and actions you are looking to inspire – might get lost.
- Lack of ownership. When policies don’t have a defined owner, no one is responsible for keeping them up to date.
- No tracking capabilities. If policy exemptions, incidents, and issues are not documented, it’s hard to identify and address problems.
- Poor documentation. Without auditable records of policies, attestations, and exceptions, validating compliance is labor intensive and time consuming.
View Policy Management Through a Lifecycle Lens
Effective policy management doesn’t just happen. You have to regularly reassess your policies to make sure they govern effectively and protect the best interests of your workforce and key stakeholders.
You need to know what policies are in place, how they are communicated, and that the right people have read them and received appropriate training. Policy exemptions must be documented and validated. You also need to maintain an audit trail of how policy violations are monitored and managed.
Tightening up your processes for managing policies can help reduce risks, protect your workforce, satisfy regulators, and preserve your corporate good name. Here are five steps to make sure your policies keep up with your business, culture, and regulators.
Do you need a policy?
Policies can be used to ensure good governance, identify and manage risk, document compliance, and instill corporate values by documenting standards for acceptable behaviors and practices.
Once you’ve determined the need for a formal policy, appoint an owner who will be responsible for keeping the policy current over the course of its lifecycle. Every policy attaches a legal duty of care to the employer, so it’s important to assign accountability at the start.
The nuts and bolts of writing a policy are also critical. Aim for clear, jargon-free writing and a consistent format, so everyone understands what is expected.
Look for a technology solution that automates the review and approval process and helps you establish consistency and accountability across policies, objectives, third parties, regulations, risks and controls.
How will you get the word out?
Policies are only meaningful if the right people know about them, understand their purpose, and know how they apply to daily work. Once you announce a new or revised policy, follow up with any necessary training for those impacted. Reinforce that training with quiz questions mapped to the relevant regulatory requirements, so you can confirm understanding rather than just delivery. And make sure you publish the policy in a central location that’s easy to access.
Look for a technology solution that consolidates all of your policies in one place. With centralized access, employees will know where to go to find the policies that relate to their jobs – and you’ll know that what is found is always up to date.
How will you ensure the right people are aware of and understand your policies?
Some policies require periodic attestation to confirm that an individual has received the information and agreed to abide by the rules. Attestations can be gathered via email; however, manual methods are time-consuming and error-prone, and they make it hard to prove later who attested to which version and when.
Look for a technology solution that provides a dedicated portal for easy attestation submission and automatic validation that respondents understand what they are attesting to. Automated tracking gives you a detailed audit trail, which helps protect your business from noncompliance findings.
How will you manage your policies over the lifecycle?
Policy management should be proactive and ongoing to ensure that the rules are being followed. Establish controls to track policy compliance. Document any exceptions to the policy – and periodically review those exceptions to ensure they are still needed. Details on policy violations and exceptions can then feed back into your review process.
Look for a technology solution that automatically monitors exceptions, identifies violations, and reports on each policy’s relationships to the risks, controls, and regulations it supports. It should highlight areas with high numbers of exceptions and violations and provide a clear audit trail of all actions.
Is the policy still relevant?
Regularly review your policies to make sure they are still relevant in terms of your business objectives and regulatory requirements. Are they still effective? Do they need updating, should they continue as-is, or should they be archived and replaced with something better?
Look for a technology solution that maintains specific policy statements, along with associated files, versions, and attestation records and campaigns. Customized dashboards and point-and-click reporting can put relevant information at your fingertips to help you make better decisions.
Make Ongoing Policy Management a Priority
Effective policy management plays a critical role in your organization’s ability to manage risks and meet its regulatory obligations. Crafting appropriate policies and ensuring compliance will minimize your exposure to litigation, safeguard your corporate reputation, and help make your company a better place to work for and with.
To give your business the edge, check out Riskonnect’s Policy Management software, and download our e-book, Transforming Compliance from Check-the-Box to Champion.