Post on 30-Oct-2014
description
Rob Tietjen
4/2/2013 1
Policy Management: Enabling Employee Freedom
and Revenue Growth
72 of the Fortune 100
500+ of the
Fortune 1000
Select Policy Management Clients
4/2/2013 5
Why Policies and their Management Matters
I have stated it before and I will state it again: the
typical organization is a mess when it comes to
managing policies and procedures.
Policies articulate culture, they establish a duty of
care, define expectations for behavior (for individuals,
processes, and business relationships), and establish
how the organization is going to comply with
regulatory and contractual requirements.
- Michael Rasmussen, GRC Analyst, Corporate Integrity
The only real way that the auditor knows whether
or not we are doing our jobs and being compliant is
to look at our policies and procedures to see if the
direction has been set. And then look for evidence
to see if we’ve been following our own directions.
Simple as that.
- Dorian Cougias, CEO of Network Frontiers,
Author of “Say What You Do”
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
The Kitchen Analogy
Clarity around policies provides freedom
Risks Benefits
Errors/low quality Standardized/high quality product
Rework Performed correctly 1st time
Litigation Highly reduced litigation events
Constant training Little to no retraining
Incorrect/varied training Correct/absolute training
Constant supervisory correction
Self-correction
Policy Management Challenges
HEADACHES: RISKS:
Finding them
Tracking readers impossible
Keeping drafts organized
Monitoring review/approval
workflow
Delayed approval times
Policy gets changed right
before/after approval
Lack of acceptance proof
Lack of comprehension
Outdating
Insufficient audit trail
Incongruent dates
Lost documents
Lack of standardization
Other Key Benefits
Identifies appropriate behaviors and responsibilities in risk areas
Establishes corporate culture of achieving goals within boundaries
Key component of compliance governance
Sets standards for identifying and disciplining aberrant behavior
19
4/2/2013 20
Best Practices for Policy Management Systems
Best practices for policy management?
Policy committee
o Cross-functional group tasked with bringing consistency to policy management process
Policy manager
o In charge of policy management process
o Drives creation and revision of policies in a consistent style and format
Policy management process
o One repository to create, store and organize policies
o Must have, at a minimum, features / functions to create, communicate, manage and maintain policies
21
PROCESS
MANAGER
COMMITTEE
Policy Process Features/Functions
Policy Development
Initiation: Based on risk monitoring - changes in
organization, regulations, external environment
Ownership: One person is responsible for
overseeing policy drafting and implementation
Drafting: Author creates (or revises) policy
according to accepted format or template,
including scope, applicable laws or rules, and
supporting documents/links
Approval: Stakeholders approve
via iterative process
22
POLICY LIFECYCLE
Policy Process Features/Functions
Policy Communication
Publication: Approved policy is
communicated through centralized
platform
Training: Appropriate risk-exposed
audiences are identified and receive policy
training
Attestation: Appropriate risk-exposed
audiences attest that they have received,
read, understood and will uphold policy
23
POLICY LIFECYCLE
Policy Process Features/Functions
Policy Monitoring
Enforcement: Policy non-compliance is
tracked; feeds policy review/revision
and reports
Aging: Policy review schedule is tracked
with flags for due dates in queue; feeds
reports
Exception management: Policy
exceptions documented; feeds policy
review/revision and reports
24
POLICY LIFECYCLE
Policy Process Features/Functions
Policy Maintenance
Accessibility: Policies easily accessed in
one place by all relevant stakeholders
Review: Policies reviewed according
to cycle time (e.g. annually)
• Policy owner considers documented exceptions/incidents of non-compliance to determine need for revision or reauthorization as is
• Includes ensuring audit trail on changes
• Included in Compliance Work Plan
25
POLICY LIFECYCLE
Policy Process Features/Functions
Policy Maintenance
Archive: Policy versions retained according
to records retention policy; retain easily
accessed policy distribution, training,
attestation records
26
POLICY LIFECYCLE
4/2/2013 27
Automating the Policy Management Lifecycle
Key Technological Components
Notifications
Audit trail
Integration
Reporting
28
Document management
Workflow
Organization management
Task management
Key Attributes for PM Technology
Centralized
Searchable
Secure
Accessible
Global
29
Communicate policies Document attestations
Create: Assess need for Policy authorship Review
Monitor results Enforce compliance
Maintain, review and update
Retire/archive
THE PM LIFECYCLE
Client Advisory Council
Automating the Policy Management Lifecycle
Draft Review Approval Pending Publish/Archive
Policy Management Lifecycle
4/2/2013 NAVEX Global Policy Management 31
document owner
policy draft
Later
Now
PUBLISH
Manage
Publish
Manage
Publish
Automating the Policy Management Lifecycle
Client Advisory Council 33
Train + educate
Communicate policies + expectations
Track and report results
Read and acknowledge
Consistent Processes = Reduced Risk
Manage
Publish
Automating the Policy Management Lifecycle
Cost Saving Benefits
Reduced time involved: Increases efficiency, less time is needed to create,
distribute and track
Fewer people involved = less time spent on management
Process consistency: The system insures process consistency lessening time
spent later on to manage
Improved recognition: Improved awareness leads to reduced litigation and
fewer fines for non-compliance
Hard goods costs (supplies, binders, etc.)
Compliance Benefits
1. Ensures documents are designed with standardized format in conformance
with necessary regulatory requirements
2. Links all documents to applicable regulatory standards
3. Instantly retrieves pertinent documents that show compliance with
regulatory requirements as requested by auditor
4. Ensures employees are accessing current versions and are being reviewed
periodically
5. Demonstrates a defensible Audit Trail as well as Change History
6. Provides legal proof of employees awareness and comprehension of company policy
7. Provides proof of stakeholder buy-in on company procedure (third-parties)
Awareness & Consistency
Ensure Success through Process
The data reveal a strong and direct correlation
between professed knowledge of the existence of
procedures and their comprehensiveness in
practice.
The reasons for this higher awareness are clear:
agencies that have gone to the effort of developing
comprehensive procedures also appear to have
been most likely to expend resources in making
staff aware of them.
4/2/2013 37
The Compliance Ecosystem
ACCESS PORTAL
Analytics & Reporting
Thir
d P
arty
Ris
k M
gt.
Fu
ture
Ap
pli
cati
on
Po
licy
Man
age
me
nt
Ce
rtif
icat
ion
s
Cas
e M
anag
em
en
t
Exp
and
ed
In
take
Emp
loye
e A
war
en
ess
On
line
Tra
inin
g
Ho
tlin
e
Fu
ture
Ap
pli
cati
on
UNIFIED COMPLIANCE DATA
AD
VIS
OR
Y S
ERV
ICES
P
RO
FESSION
AL SER
VIC
ES
Q & A
4/2/2013 39 NAVEX Global: The Ethics and Compliance Experts
Thank you.