Rob Tietjen

4/2/2013 1

Policy Management: Enabling Employee Freedom

and Revenue Growth

72 of the Fortune 100

500+ of the

Fortune 1000

Select Policy Management Clients

4/2/2013 5

Why Policies and their Management Matters

I have stated it before and I will state it again: the

typical organization is a mess when it comes to

managing policies and procedures.

Policies articulate culture, they establish a duty of

care, define expectations for behavior (for individuals,

processes, and business relationships), and establish

how the organization is going to comply with

regulatory and contractual requirements.

- Michael Rasmussen, GRC Analyst, Corporate Integrity

The only real way that the auditor knows whether

or not we are doing our jobs and being compliant is

to look at our policies and procedures to see if the

direction has been set. And then look for evidence

to see if we’ve been following our own directions.

Simple as that.

- Dorian Cougias, CEO of Network Frontiers,

Author of “Say What You Do”

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

The Kitchen Analogy

Clarity around policies provides freedom

Risks Benefits

Errors/low quality Standardized/high quality product

Rework Performed correctly 1st time

Litigation Highly reduced litigation events

Constant training Little to no retraining

Incorrect/varied training Correct/absolute training

Constant supervisory correction

Self-correction

Policy Management Challenges

HEADACHES: RISKS:

Finding them

Tracking readers impossible

Keeping drafts organized

Monitoring review/approval

workflow

Delayed approval times

Policy gets changed right

before/after approval

Lack of acceptance proof

Lack of comprehension

Outdating

Insufficient audit trail

Incongruent dates

Lost documents

Lack of standardization

Other Key Benefits

Identifies appropriate behaviors and responsibilities in risk areas

Establishes corporate culture of achieving goals within boundaries

Key component of compliance governance

Sets standards for identifying and disciplining aberrant behavior

19

4/2/2013 20

Best Practices for Policy Management Systems

Best practices for policy management?

Policy committee

o Cross-functional group tasked with bringing consistency to policy management process

Policy manager

o In charge of policy management process

o Drives creation and revision of policies in a consistent style and format

Policy management process

o One repository to create, store and organize policies

o Must have, at a minimum, features / functions to create, communicate, manage and maintain policies

21

PROCESS

MANAGER

COMMITTEE

Policy Process Features/Functions

Policy Development

Initiation: Based on risk monitoring - changes in

organization, regulations, external environment

Ownership: One person is responsible for

overseeing policy drafting and implementation

Drafting: Author creates (or revises) policy

according to accepted format or template,

including scope, applicable laws or rules, and

supporting documents/links

Approval: Stakeholders approve

via iterative process

22

POLICY LIFECYCLE

Policy Process Features/Functions

Policy Communication

Publication: Approved policy is

communicated through centralized

platform

Training: Appropriate risk-exposed

audiences are identified and receive policy

training

Attestation: Appropriate risk-exposed

audiences attest that they have received,

read, understood and will uphold policy

23

POLICY LIFECYCLE

Policy Process Features/Functions

Policy Monitoring

Enforcement: Policy non-compliance is

tracked; feeds policy review/revision

and reports

Aging: Policy review schedule is tracked

with flags for due dates in queue; feeds

reports

Exception management: Policy

exceptions documented; feeds policy

review/revision and reports

24

POLICY LIFECYCLE

Policy Process Features/Functions

Policy Maintenance

Accessibility: Policies easily accessed in

one place by all relevant stakeholders

Review: Policies reviewed according

to cycle time (e.g. annually)

• Policy owner considers documented exceptions/incidents of non-compliance to determine need for revision or reauthorization as is

• Includes ensuring audit trail on changes

• Included in Compliance Work Plan

25

POLICY LIFECYCLE

Policy Process Features/Functions

Policy Maintenance

Archive: Policy versions retained according

to records retention policy; retain easily

accessed policy distribution, training,

attestation records

26

POLICY LIFECYCLE

4/2/2013 27

Automating the Policy Management Lifecycle

Key Technological Components

Notifications

Audit trail

Integration

Reporting

28

Document management

Workflow

Organization management

Task management

Key Attributes for PM Technology

Centralized

Searchable

Secure

Accessible

Global

29

Communicate policies Document attestations

Create: Assess need for Policy authorship Review

Monitor results Enforce compliance

Maintain, review and update

Retire/archive

THE PM LIFECYCLE

Client Advisory Council

Automating the Policy Management Lifecycle

Draft Review Approval Pending Publish/Archive

Policy Management Lifecycle

4/2/2013 NAVEX Global Policy Management 31

document owner

policy draft

Later

Now

PUBLISH

Manage

Publish

Manage

Publish

Automating the Policy Management Lifecycle

Client Advisory Council 33

Train + educate

Communicate policies + expectations

Track and report results

Read and acknowledge

Consistent Processes = Reduced Risk

Manage

Publish

Automating the Policy Management Lifecycle

Cost Saving Benefits

Reduced time involved: Increases efficiency, less time is needed to create,

distribute and track

Fewer people involved = less time spent on management

Process consistency: The system insures process consistency lessening time

spent later on to manage

Improved recognition: Improved awareness leads to reduced litigation and

fewer fines for non-compliance

Hard goods costs (supplies, binders, etc.)

Compliance Benefits

1. Ensures documents are designed with standardized format in conformance

with necessary regulatory requirements

2. Links all documents to applicable regulatory standards

3. Instantly retrieves pertinent documents that show compliance with

regulatory requirements as requested by auditor

4. Ensures employees are accessing current versions and are being reviewed

periodically

5. Demonstrates a defensible Audit Trail as well as Change History

6. Provides legal proof of employees awareness and comprehension of company policy

7. Provides proof of stakeholder buy-in on company procedure (third-parties)

Awareness & Consistency

Ensure Success through Process

The data reveal a strong and direct correlation

between professed knowledge of the existence of

procedures and their comprehensiveness in

practice.

The reasons for this higher awareness are clear:

agencies that have gone to the effort of developing

comprehensive procedures also appear to have

been most likely to expend resources in making

staff aware of them.

4/2/2013 37

The Compliance Ecosystem

ACCESS PORTAL

Analytics & Reporting

Thir

d P

arty

Ris

k M

gt.

Fu

ture

Ap

pli

cati

on

Po

licy

Man

age

me

nt

Ce

rtif

icat

ion

s

Cas

e M

anag

em

en

t

Exp

and

ed

In

take

Emp

loye

e A

war

en

ess

On

line

Tra

inin

g

Ho

tlin

e

Fu

ture

Ap

pli

cati

on

UNIFIED COMPLIANCE DATA

AD

VIS

OR

Y S

ERV

ICES

P

RO

FESSION

AL SER

VIC

ES

Q & A

4/2/2013 39 NAVEX Global: The Ethics and Compliance Experts

Thank you.