Proper policies are integral to the good governance of any organization. Clear and actionable policies, for instance, a cybersecurity policy or an employee safety policy define the boundaries of employee conduct and set the stage for a compliant workplace.
That being said, it isn’t sufficient to write a policy and leave it as a permanent institution. Policies must undergo renewal if they are to remain relevant. Likewise, it is important to assess which policies you really need. If you have too many policies, compliance itself would cripple business progress. Conversely, if you have too few policies you run the risk of undue exposure to threats and legal complications. Hence, it is incumbent that your organization follows a policy management process. It is a strategic tool decision-makers can use to guide the organization.
Below are some points that outline what an effective policy management process looks like and secondly, offer guidance as to whether you need policy management software.
What is policy management?
Policy management refers to how an organization develops, communicates, manages and maintains its policies. It is a comprehensive process that is aimed toward ensuring that the various parts of the organization work together for the good of the whole. Thus, good policy management would verify that various departmental policies do not undermine the functioning of the organization as a whole.
A policy management lifecycle is generally defined by these phases:
What does an effective policy management process look like?
An effective policy management consists of the following phases and sub phases:
- Need: It isn’t possible to create policies for every contingency. However, you need to create policies to manage your areas of risk, for meeting regulatory requirements, and covering all legal bases. Do your employees need a dress code policy? Do you need to comply with medical leave requirements? What are the legal burdens of not having an anti-harassment policy? Such questions help assess the need for policies.
- Ownership: Once the need is identified, and prior to the development of the policy, you should define who, or what business role owns the policy. At which corporate level will the policy be owned and distributed? For instance, the policy manager, owner, approvers, and recipients could all be on different levels of ownership.
- Drafting: You should use careful language while drafting a policy and make it consistent in format with other administrative policies, it can be helpful to use a template. Your policy should be clear so that the policy is understood easily by the target audience and will not be misinterpreted. Policy writing is ideally a collaborative effort.
- Approval: Once written, the policy undergoes reviewing and is subject to approval. This step is iterative and even post the review, senior management, the board of directors, or the concerned department may reject the policy. Once approved, the policy may be published.
- Publication: Your policy should be distributed to all employees and stakeholders. Having multiple modes of publication can prove to be counterintuitive as they may leave you without an authoritative source. Rather, having a single repository for your policies works better. You can maintain a policy portal so that the policy updates can be easily accessed as well.
- Training: For proper adoption of the policy, individuals need to be made aware of what it entails. You can create videos and quizzes to disseminate information and check how well it has been received. Explaining the rationale behind the policy is also a good way to concretize it. Case studies are also a powerful medium of imparting training. In case of updates, reeducation efforts should be made.
- Attestation: By signing a policy receipt acknowledgement or a policy attestation form, employees confirm that they have read, reviewed, and will abide by the policy. Multiple policies may be listed on a single attestation form or conversely, the form may refer to a specific policy. The attestation form should be dated and contain the policy version.
- Enforcement: This is the process of ensuring that the laws are being complied with. Just having a policy on paper, or even controls in place, is not enough. If laxity creeps in, and employees perceive that policy enforcement is not a priority, then the organization’s exposure to risk increases even though a policy is there on paper. Hence, the CCO, for instance, should call out instances of non-compliance and controls must be monitored.
- Exception management: Some instances of temporary non-compliance with the policy are justifiable. This involves going beyond the letter of the law to the spirit it was written in, accounting for the greater good of the organization. Such flexibility adds to the policy’s worth and compliance managers should review, document, and assess the risk of each policy exception request.
- Review: Policies must be monitored and revised for them to be continually effective. Such reviews may happen annually or more frequently. At such review meetings, aspects such as instances of non-compliance and exceptions are considered alongside regulatory and business requirements. Accordingly, the policy is updated, approved, and re-communicated, or it is retired. If it can stand as is, it is left without amendment.
- Archival: The archives store each policy, and every version of it, for future reference. This can be helpful for investigation purposes and both, the organization as well as regulators benefit from a well-kept policy archive, containing all levels of detail.
When do you need a policy management solution?
Not every organization requires a policy management solution immediately. As the level of accountability grows, the need for a solution arises. The complexity involved with managing your policies also determines the need of a software solution.
Here are some indicators that you need a policy management solution:
- You need to track the attestation and training status of a large number of employees
- You have a large number of authors, collaborators, and approvers
- You have no central repository of all policies
- Your policies exist only on paper till date
- Your policies require frequent updating
- You struggle to map policies to regulations and standards
- You need to coordinate policy management between departments
- You want an efficient way to monitor policy controls
- Your policies are in different formats, as per each department
- Your policy management is being hindered by documents, emails, and spreadsheets
Cloud-based solutions like VComply’s Policy Management Software give you a powerful way to create, modify, distribute, and test policies. For instance, with VComply, you can create questionnaires to gauge the effectiveness of a policy, assign privileges to give proper access, have a convenient audit trail, get real-time alerts, and more. Policy is a crucial component of GRC and VComply offers a range of tools for governance, risk, and compliance management.
Having considered what a policy management process looks like and some reasons to invest in a policy management solution, deliberate on how to better govern your organization. Remember, the cost of bad policy management may far exceed that of investing in a policy management solution. So, when the time is right, do not think twice about using a smart software to empower your efforts!