POLICY
MANAGEMENT
BY DESIGN
A Blueprint for Enterprise
Policy & Training Management
STRATEGY PERSPECTIVE
Governance, Risk Management & Compliance Insight
© 2019 GRC 20/20 Research, LLC. All Rights Reserved.
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of
GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage
Guidelines established in client contract.
The information contained in this publication is believed to be accurate and has been obtained from sources
believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability
whatever for actions taken based on information that may subsequently prove to be incorrect or errors in
analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements
of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information
and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may
include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research
should not be construed or used as such.
TALK TO US . . .
We look forward to hearing from you and learning what you think about GRC 20/20
research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC
related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.
Policies are Governance, Risk Management & Compliance Documents
- Identify and treat risk. The existence of a policy means a risk has been identified
and is of enough significance to have a formal policy written which details
controls to manage the risk.
- Define compliance. Policies document compliance in how the organization meets
requirements and obligations from regulators, contracts, and voluntary commitments.
Policy also attaches a legal duty of care to the organization and cannot be approached
haphazardly. Mismanagement of policy can introduce liability and exposure, and
noncompliant policies can and will be used against the organization in legal (both
criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff
attorneys, and others use policy violation and noncompliance to place culpability.
An organization must establish policy it is willing to enforce — but it also must clearly
train and communicate the policy to make sure that individuals understand what is
expected of them. An organization can have a corrupt and convoluted culture with good
policy in place, though it cannot achieve strong and established culture without good
policy and training on policy.
If policies and training programs don’t conform to an orderly style and structure, use
more than one set of vocabulary, are located in different places, and do not offer a
mechanism to gain clarity and support (e.g., a policy helpline), organizations are not
positioned to drive desired behaviors in corporate culture or enforce accountability.
With today’s complex business operations, global expansion, and the ever-changing
legal, regulatory, and compliance environments, a well-defined policy management
program is vital to enable an organization to effectively develop and maintain the wide
gamut of policies it needs to govern with integrity.
The bottom line: The haphazard department- and document-centric approaches to
policy and training management of the past compound the problem and do not solve
it. It is time for organizations to step back and define a cross-functional and coordinated
team to define and govern policy and training management. Organizations need to wipe
the slate clean and approach policy and training management by design with a strategy
Policies and training programs that are managed as dissociated documents, data,
systems, and processes leave the organization with fragments of truth that fail to see
the big picture of policy and training across the enterprise and how it supports the
organization’s governance, risk management, and compliance (GRC) responsibilities.
The organization needs holistic visibility and situational awareness into
policy and training across the enterprise. The complexity of the business and the intricacy and
interconnectedness of policies and obligations require that the organization implement
a policy and training management strategy.
Organizations have three policy & training management strategies to choose from:
- Anarchy – ad hoc department silos. This is when you have different departments
doing different yet similar things with little to no collaboration between them.
Distributed and siloed policy and training initiatives never see the big picture
and fail to put policy and training in the context of the rest of the organization.
- Monarchy – one size fits all. If the anarchy approach does not work then the
natural reaction is the complete opposite: centralize everything and get everyone
to work from one platform and framework. However, this has its issues as well.
Organizations run the risk of having one department be in charge of policy and
training management that does not fully understand the breadth and scope
of the needs across departments. The needs of one area may shadow the
needs of others. From a technology point of view, it may force many parts of
the organization into managing policies and training programs to the lowest
common denominator.
A federated model for policy and training management provides a central coordination
of the policy management lifecycle to ensure consistency in policies across the
organization while there is ownership and management of non-enterprise-wide policies
in distributed areas across the organization that align with the central governance. The
Federated model is the ideal for large global organizations. It allows for policy and
training management to be centrally coordinated, but allows for distributed management
and oversight of the policies to address divisional, legal entity, business unit, and regional
needs. These entities must adhere to all mandated enterprise-wide policies and will
often design their own procedures in a way that makes the policy fit their operations
and supports their compliance with the policy. They may create their own policies and
procedures relating to their specific operations, which may be imposed based on federal,
state, or local laws. These policies and procedures must be written so that they do not
conflict with the overall mission and values of the organization. A federated model often
has layers of policy governance in which a policy steering committee is established
centrally to define the policy process and templates, while “entity” policy committees
oversee the governance of policies within their respective areas.
The core elements of the policy and training strategic plan include:
- Policy writing and layout. Writing style for policies and other documents
as well as the layout of policy documents. Also included by reference
are policy template(s), which are absolutely critical for driving consistency
across policies.
- Style guide. Policy writing that is wordy and confusing damages the
corporate image and costs time and money. Every organization should
have a policy style guide in place to provide clear and consistent
policy. This establishes the language, grammar, and format guidance
for writing policies. It expresses how to use active over passive voice,
avoid complicated language and “legalese”, how to write for impact and
clarity, use common terms, how to approach gender in writing, and even
internationalization considerations.
- Templates. These are standard templates that the organization can utilize
to write policies and supporting documents/resources that are already in
the standard format and structure conforming to the MetaPolicy.
There are three areas of the policy and training management architecture: process
architecture, information architecture, and technology architecture.
It is critical that these architecture areas be initially defined in this order. It is the
process architecture that determines the types of policy and training structures and
information needed, gathered, used, and reported. It is the information architecture
combined with process architecture that defines the organization’s requirements for the
technology architecture. Too many organizations put the cart before the horse and start
with selecting technology for policy and training management first, which then dictates
what their process and information architecture will be. This forces the organization
to conform to a technology for policy and training management instead of finding the
technology that best fits their process and information needs.
The core elements of the process architecture are understood as the organization’s
policy management lifecycle. This represents the actual operation and process of
the MetaPolicy in action to develop, manage, and maintain policies throughout their
effective use. Failure to manage policy lifecycles results in policies that are out-of-date,
ineffective, and not aligned to business needs. It also opens the door to liability when an
organization is held accountable for a policy that is not appropriate or properly enforced.
1. Determine Need for New Policies or Updates. Policy should be created only
when necessary, such as to establish the values and ethics of the organization,
meet regulatory obligations, and manage potential risk or liability. Without some
requirement for or exposure of the organization, there is no need for a policy.
Too many policies burden the organization and cannot be complied with. Too
few policies introduce significant risk and legal exposure. Organizations need
a defined change management process to monitor changes that impact policy
across the following areas:
2. Policy review and approval. Once the initial draft of the policy is written,
the owner sends the draft policy to identified stakeholders for review and
approval before publication. This phase is iterative, as the stakeholders
may send the policy back with changes before it is approved. Leading
practice includes reviews by the organization’s policy management office,
legal department, and ethics and compliance committee (for policies
mandated by law or regulation).
3. Policy publication and awareness. In this stage, individuals become aware of the
new or changed policy by clear articulation of individual responsibility to comply
with the policy. This includes:
4. Policy adherence and compliance. In this stage, policies are regularly monitored
to ensure compliance and that exceptions are documented and managed. This
phase involves:
- Monitor, test, and assess. Carefully monitor, test, and assess activities to
ensure that the policy, procedures, and controls are being enforced, are
operating as intended, and the business runs efficiently and smoothly
while in compliance. Findings of noncompliance and violations provide
metrics for policy review and improvement. Enforcement policy is critical,
to define levels of infractions and associated actions.
5. Policy metrics and maintenance. Policies should not change frequently, but they
should go through periodic review. A best practice is to follow an annual review
cycle to make sure policies are still appropriate and do not bring unnecessary
exposure or liability upon the organization. Unneeded policies should be retired.
The major activities of this stage include:
The policy and training management information architecture involves the structural
design, labeling, use, flow, processing, and reporting of policy and training management
information to support policy and training management processes. Categories of policy
and training management information that organizations often collect and process
include:
- Master data records. This includes data on individuals and their role and history
of interaction and communication with policies and training.
- Policy and training libraries. The indexing and versions of policies and training.
- Forms. The design and layout of information needed for specific policies and
related processes.
Policy and training management fails when information is scattered, redundant,
unreliable, and managed as a system of parts that do not integrate and work as a collective
whole. Successful policy and training management information architecture will be
able to integrate information across the organization. Successful policy and training
management requires a robust and adaptable information architecture. Policies and
training come together into a unified employee experience where policies are displayed
along with training. Training is more than just playing a video: it is interactive, confirming
that employees are at their desks engaged in the activity and not off getting a coffee.
Relevant resources are easily accessible and provided in the same interface without
hopping between disconnected systems.
There can and should be a central core technology platform for policy and training
management that connects the fabric of the policy and training management
processes, information, and other technologies together across the organization. Many
organizations see policy and training management initiatives fail when they purchase
technology before understanding their process and information architecture and
requirements. Organizations have the following technology architecture choices before
them:
- Enterprise GRC platforms. Many of the leading enterprise GRC platforms have
policy and training management modules. However, these solutions often have
a predominant focus on policy and do not always have complete capabilities in
training.
The right policy and training technology architecture choice for an organization often
involves integration into ERP/HRMS systems and other GRC and business solutions to
facilitate the integration, correlation, and communication of information, analytics, and
reporting. Organizations suffer when they take a myopic view of policy and training
management technology that fails to connect all the dots and provide context to
analytics, performance, objectives, and strategy in the real time in which the business operates.
A well-conceived technology architecture for policy and training management can enable
a common policy and training framework across multiple entities, or just one entity or
department as appropriate. Business requires a policy management platform that is
context-driven and adaptable to a dynamic and changing environment. Compared to
the ad hoc method in use in most organizations today, an architecture approach to policy
management enables better performance, less expense, and more flexibility. Some of
the core capabilities organizations should consider in a policy and training management
platform are:
- Accessibility. Policies and related training are only of value if they are accessible.
A policy management system must provide a complete system of record any
individual can log into and find policies that apply to their role, along with
required tasks, attestations, and training they must complete. The system should
be available in the official languages recognized by the organization. It should
also support the communication needs of the differently abled (e.g., vision
impaired, etc.).
- Audit trail. If it’s not documented, it’s not done. An audit trail should record
each who, what, where, and when for every document, assignment, person, and
piece of content collected, developed, changed, distributed, archived, surveyed,
trained, notified, and read. This ensures that when an incident occurs, an audit
takes place, or a regulatory exam or investigation happens, you are prepared
with accurate and timely evidence. The level of audit trail required for policy
management cannot be maintained with manual processes and ad hoc systems
spread across an organization.
- Mobility. A lot of employees do not have computers, and some that did are now
being issued tablets. Policy and training engagement includes delivery of policies
and training on mobile devices. This works particularly well in manufacturing
and retail environments where a tablet could be deployed as the policy and
training kiosk for employees. Effective policy and training is embracing mobile
technology on tablets and other devices to engage employees in their preferred
languages and bring policies to all levels of business operations.
The organization requires a policy and training management architecture that is
context-driven and adaptable to a dynamic and changing environment. Compared to the ad
hoc method in use in most organizations today, a policy and training management
architecture enables better performance, less expense, and more flexibility. Core
technology capabilities to consider for a policy management program are the ability to:
- Provide easy access to policy and communicate policy in the language of the
reader, as well as to the differently abled.
- Gather and track edits and comments to policies as they are developed or
revised.
- Provide a calendar view to see the policies being communicated to various areas
of the business, and ensure policy communications do not burden the business
with too many tasks in any given month.
- Restrict access and rights to policy documents so (a) readers cannot change
them, and (b) sensitive documents are not accessible to those who do not need
to see them.
- Keep a record of all the versions and histories of each policy so the organization
can refer to them when there is an incident or issue they must defend themselves
against or provide evidence for.
Effective policy and training management is about delivering value, integration, and
alignment of strategy, process, information, and technology throughout the organization
in the context of GRC. Organizations need to deliver an exceptional end-user
experience: getting employees involved by providing intuitive interfaces into policies
and training that are interactive, engaging, and social. Policy and training solutions need
to instruct, inform, and be easy to use at all levels. They engage employees in policies and
training without leaving them overwhelmed and confused. This is an integration of policy
and training information, processes, and systems to engage employees and agents at all
levels of the organization.
In the end, effective policy and training management is about delivering policy and
training that minimizes the perception of getting in the way of business and instead
becoming a part of business and the culture of the organization. There is an element
of policies that will always be inhibitive, but the right approach overcomes this by
delivering engaging user experiences that align with the needs of employees, integrate
with organization architecture and systems, and deliver relevant content when needed,
wherever it is needed.
GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and
compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and
analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape;
market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem
of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered
through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC
challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000
companies, major professional service firms, and the breadth of GRC solution providers.
Research Methodology
GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing
GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria,
regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research
reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and
best practices. Research facts and representations are verified with client references to validate accuracy. GRC
solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.