Prepared By: Michael Rasmussen J.D., OCEG Fellow, GRCP Risk & Compliance Lecturer, Author, & Advisor Policy Management Build vs. Buy: Why Policy Management Software Makes Sense Why Policy Matters Policy management software addresses the challenges of managing the litany of policies within business boundaries enabling employees, giving them the expectations and boundaries, and doing so in a way that protects the organization from harm. Policies articulate corporate culture the values and boundaries of individual and business behavior, and personal conduct. They are a necessary means to clearly define, articulate, and communicate the organization s boundaries, practices, and expectations. The right policy is necessary to define and communicate what the organization is about. Unfortunately, policies that are outdated, miscommunicated, or just plain nonexistent can lead to severe loss in productivity, reduced quality, and possible litigation. Thus, it is necessary to ensure that organizational policies and procedures are fresh and managed correctly. This means that they are readily available to employees and kept current. When one examines the intricacies of policy management, it becomes clear that a paper/binder system is ineffective for performing such management. Policy management done correctly requires a dedicated technology solution. A policy management software platform delivers peace of mind through its distribution, tracking, and reporting functions. However, to their error, many organizations balk at the cost of purchasing policy management software because they feel they can build something in-house (either through an intranet or SharePoint) that will accomplish the task. Build your own approaches why they fail The mismanagement of policies has grown exponentially within organizations with the proliferation of collaboration and document sharing software such as Microsoft SharePoint. These solutions to their credit as well as downfall enable anyone to post a policy. Organizations end up with policies scattered on dozens of different internal Web sites and file shares, with no defined audit trails or accountability for Table of Contents www.corp-integrity.com research@corp-integrity.com +1.888.365.4560 2011 Corporate Integrity, LLC - All Rights Reserved Why Policy Matters... 1 Build your own approaches why they fail... 1 Policy Management Software Returns the Greatest Value... 3 Policy Management Software Delivers Policy Effectiveness... 4 About this Paper..... 5 About Corporate Integrity..... 5 About Michael Rasmussen..... 5 Page 1
them. This produces policies that are written poorly, out of sync, out of date, and with no evidence of how the policy was communicated, read, and understood. Collaboration software such as SharePoint is a great tool for managing and sharing non-sensitive documents in a very general way such as wikis, blogs, Web content, and documents usually shared among a specific group. While collaboration and document-sharing software like SharePoint appears easy and cheap to implement, the reality is that the cost to the organization is significant in the liability and exposure of ineffective policy management. Many organizations have decided to take that path only to find that it is neither intuitive nor appropriate for policy management. There are strict compliance and legal requirements that must be instituted when managing policies requirements that a build-your-own policy management system makes difficult to achieve, and come at a significant cost to the organization. Some organizations feel that they could accomplish at least some of the necessary features, requiring significant development effort to achieve an appropriate and effective policy management environment. The cost actually exceeds the cost of purchasing a policy and procedure management (PPM) software platform. Add ongoing maintenance and support of a build-your-own policy management system, and the costs grow higher. Consider that an organization will have to dedicate IT development resources to this project for several months or years. Is the organization willing to maintain the policy portal project as the priority for that long and will it continue to test it and support it with updates as needed? Most corporate roles struggle to get IT s attention on their initiatives as it is. Another point of consideration is whether the organization wants to live with a home-grown system that will most likely have a fraction of the features contained in a purchased system. Companies can spend as much as 10,000 man hours to build the a policy portal on collaboration technologies and increase that development time every year thereafter trying to enhance it and provide the features an organization learns it needs to manage policies correctly. What are the opportunity costs an organization is losing by focusing on this a custom approach to policy management? Some specific features to consider when building your own policy management solution: The desirability of a consistent platform for the entire enterprise instead of each department implementing their own policy portal. The ability for the platform to manage the lifecycle of policies through creation, communication, assessment/ monitoring, tracking, maintenance/revising, to archiving and record keeping. The ability to restrict who can read what documents, and who has the permission to edit, review, and approve. The training requirements needed to show that individuals understand what is required of them through linkage to learning systems/modules, quizzing, and attestation. The accessibility of the system, with the ability to communicate policies in the language of the reader as well as provide mechanisms of policy communication for those with disabilities. The requirement to be able to gather and track edits and comments to policies as they are developed or revised. The mapping of policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of governance, risk management, and compliance (GRC). The ability to provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments. The ability to provide a user-friendly portal for all policies in the environment that has workflow, content management, and integration requirements necessary for policy management. The need to provide links to hotlines for reporting policy violations. 2011 Corporate Integrity, LLC - All Rights Reserved Page 2
The ability to publish access to additional resources such as helplines and FAQs to get questions answered on policies. The cross-referencing and linking of related and supporting policies and procedures so the user can quickly navigate to what they need to understand. The ability to create categories of metadata to store within policies and to display documents by category so that policies are easily catalogued and accessed. The requirement to restrict access and rights to policy documents so that readers cannot edit/change them and sensitive policy documents are not accessible to those who do not need to see them. The necessity that the organization keep a system of record of the versions and histories of policies to be able to refer back to when there is an incident or issue that arises from the past and the organization must defend itself or provide evidence. The capacity to enforce templates and style on all policies with the ability to guide policy authors and prompt them to maintain the corporate brand as well as associate specific properties, categories, or regulatory obligations with the document. The need for accountable workflow so certain people can approve policy documents and then tasks can be moved to others with full audit trails on who did what to the policy. Deliver comprehensive reporting consider the time it takes in a build-your-own approach, and organization could spend months or years trying to create the depth and breadth of reports included in commercial policy and procedure management software. Although you may be able to implement a few of these features using a build-your own approach such as SharePoint, the cost in training, maintenance, and management time, let alone the legal ramifications due to lack of proof of reader signoff and comprehension makes it a risky venture for policy and procedure management. Policy Management Software Returns the Greatest Value An organization can choose one of two primary models to manage and communicate policies. One approach is a build-yourown, ad hoc and ultimately labor-intensive process that produces significant development and administrative overhead to do it right. An economical approach focuses on commercial policy management software that has been built to meet the complex and diverse needs of policy management. NAVEX Global is a technology provider in the GRC market that Corporate Integrity has researched and evaluated. Through a purpose-built policy management system, NAVEX Global eases the policy management burden by delivering operating effectiveness, human and financial efficiency, and business agility to policy management processes. NAVEX Global enables an organization to have an enterprise policy management portal that delivers: Policy management lifecycle: The ability to manage policies across the lifecycle of creation, approval, communication, enforcement, maintenance, and archiving of the policies. Complete system of record: Within the policy management lifecycle, NAVEX Global provides a comprehensive audit trail so the organization can understand and when necessary prove who read and accessed a policy as well as how policies have changed providing evidence to defend the organization. 2011 Corporate Integrity, LLC - All Rights Reserved Page 3
Policy portal: Employees and business partners do not have to search and navigate dozens of intranet sites to find the policies relevant to their job role and function. With NAVEX Global s software they gain access to a single policy portal that presents the policies that apply to their job role as well as any tasks the employee has to complete (such as read-and-understood documentation). Commercial support: The breadth and depth of capabilities and reporting are maintained by NAVEX Global with experience across a range of clients and industries to bring a policy management solution that is complete the organization does not have to invest in a large IT project to implement the features necessary for a policy management system on top of document collaboration software. Integration with office applications: NAVEX Global s software was designed to integrate with standard Microsoft desktop applications, which are part of the policy portal itself. This delivers complete word processing and editing functions for policies, as well as conformity to defined templates without users having to learn new word processing software. Low cost of ownership: Through a commercial product, NAVEX Global eliminates the development overhead and greatly reduces the administrative overhead of a build-your-own approach. It achieves greater human capital efficiency as employees of the organization have a simple to use portal to read and understand the policies that apply to them. Policy Management Software Delivers Policy Effectiveness Organizations need to consider how they will address the many features and issues surrounding policy management and communication outlined here. The end result must be that corporate policies are no longer in disarray. This is achieved through policy management software that manages the lifecycle, keeping policies current and communicated with clear accountability and audit trails. Oversight of policies is managed by responsible parties with a holistic view of policy and the implications of policy changes and violations. The proper policy management solution will see that policies and policy-driven expectations are pushed out to employees and attestation to understanding of them is validated. In the event that a policy failure occurs, accountability is achieved by using the software to unwind the policy violation in question and determine what went wrong, with feedback on how to improve the policy to improve policy effectiveness. Effective management of policies within a policy management software solution is crucial for the modern organization to function within the bounds of the legions of regulatory obligations. It is also critical for other obligations, such as those among business partners. Policy management software addresses the challenges of managing the litany of policies within business boundaries enabling employees, giving them the expectations and boundaries, and doing so in a way that protects the organization from harm. 2011 Corporate Integrity, LLC - All Rights Reserved Page 4
About this Paper... This white paper is brought to you by NAVEX Global. NAVEX Global is the trusted global ethics and compliance expert for more than 7,500 clients in over 200 countries. A merger of industry leaders ELT, EthicsPoint, Global Compliance Services and PolicyTech, NAVEX Global now provides the world s most comprehensive suite of solutions to manage governance, risk and compliance. NAVEX Global equips clients to protect their organizations from adverse risks, enhance their corporate cultures and employee relations, and safeguard their brand equity and shareholder value. NAVEX Global provides an array of GRC services to capture and respond to business risk, improving the economic and social value of organizations around the world. The company works with clients to manage ethics and compliance programs through a deep portfolio of solutions including case management, whistleblower hotlines, policy management, online training, risk assessment and expert advisory consulting. Their fully- integrated offering provides clients with key learnings and actionable data to inform change management. About Corporate Integrity... Corporate Integrity, LLC is a GRC strategy advisory firm providing leadership in education, research, analysis, and advisory services by monitoring the challenges and trends in business for corporate governance, risk management, and compliance (GRC). Through ongoing research, interactions, and analytics, Corporate Integrity is the authority in understanding how organizations can foster a culture that walks the talk, where integrity is central to GRC practices. Corporate Integrity educates organizations and GRC professionals within those organizations on achieving sustainability, consistency, efficiency, and transparency in their corporate GRC practices to maintain a position of integrity aligned with corporate values and business performance. About Michael Rasmussen... J.D., GRCP, OCEG Fellow: Risk & Compliance Lecturer, Author, & Advisor Michael Rasmussen is an internationally recognized pundit on the topics of business ethics, corporate culture, policy management, and compliance. With more than 18 years of experience, Michael helps organizations understand their culture and improve related governance, risk, and compliance (GRC) strategies, processes, and technologies that deliver business agility, efficiency, and effectiveness. He is a sought-after keynote speaker, author, and advisor on compliance and risk management strategies. He is noted for being one of the earliest advocates for a collaborative and integrated approach to GRC. 2011 Corporate Integrity, LLC - All Rights Reserved Page 5