Preparing for Policy Management Change: An OCEG Roundtable

OCEG President, Carole Switzer, talks with Michael Rasmussen of GRC 20/20 and Yo McDonald, Vice President, Customer Success and Engagement at MetricStream, about how to get ready for making big changes to your policy management approach.

Switzer: People want to know what preparatory steps to take when they are looking to mature policy management. Let’s start by talking about the need to understand the current state of policies. We need to know what policies are out there, what they address, and whether they were issued by someone with authority to do so. What is the biggest challenge in getting that information?

Rasmussen: A huge challenge is just finding all of the policies. Sometimes you're going to find different versions of the same policy with the current version in one portal and older versions of the policy in other locations. So, the first part of the process is to determine all the portals, file share sites and other places policies reside. Once you find them all, then you can begin to look at who authored them, the templates being used, if any, and how consistent they are in style and language.

Switzer: Yo, you've mentioned the challenge presented when people act in accordance with what they believe to be policies, but you can’t find them stored anywhere other than in people's brains because they aren't formal, written policies. How can we go about finding what I'll call shadow policies?

McDonald: Yes, too often people adopt a way of doing things associated with a business process without documenting it or recognizing that it ought to be a documented policy or procedure. For example, in the European privacy scheme, GDPR, there are a lot of implications about the way business processes work with respect to the privacy of data. Not everybody in the business may be aware of the obligation of a particular regulation, and as a result may have a repeatable process in place that isn’t documented as a procedure tied to a policy. As you are inventorying policy information, you need to ask about and distinguish between what is a policy and what is a related procedure, but also what are those shadow procedures or policies.

Switzer: Assume you've been able to collect all of the policies and you find you have thousands of them that you now need to sort and analyze. That is not an easy task. Can technology help you to do that? And then, how do you then go about prioritizing what needs to be addressed first?

McDonald: You can use tools like eDiscovery software when you're doing an inventory. You start with gross categorization of types of policies by subject area, such as privacy or anti-corruption, and as you interview stakeholders, you'll ask them what their key business processes are. So, it's pretty easy to tag, through mappings, where a policy resides in a general information architecture or taxonomy of policies.

What you're really trying to do is organize which policies need refreshment most immediately. And those policies that are associated with high risk business processes or critical business processes should at least be reviewed on the first pass. If there are regulatory changes coming down the pipe, that may trigger an impact assessment of what policies need to change to be compliant.

For mapping, you need to decide how deep you are going. Are we going to map the policies at the citation level to parts of regulations or just at the top regulation level? Are we going to map policies to international standards like ISO? You can't do everything at once, but the first pass should at least look for the highest-level risks. What you'll typically find, even if you have 20,000 policies spread around your operations, is probably 15 or 20% need immediate attention.

Rasmussen: Keep in mind, when you go through this process you are going to find a lot of rogue policies. One financial services firm that I interact with said that it found that one of their divisions had an unauthorized anti-money laundering policy because they didn't like the official one. I'm interacting with a large retailer right now where any store manager can write a document and call it a policy, which puts a legal duty of care upon the retailer. They are cracking down and saying if you find anything that is not on the policy portal in the approved template, report it because it's not an official policy of the organization. They're creating a culture to combat rogue policies.

Switzer: Let’s move on to how you determine the current methods of policy management. How do you gather information about each stage of policy management?

Rasmussen: So that’s going to get into understanding which departments are issuing and managing policies and then finding documentation or asking questions about any protocols they have in place. Do they have policy development authorization and to what extent? When they're writing the policies, what type of language and style guides and templates are they using, if any? What technology or manual methods are they using to publish and deliver policies? How do they make decisions about the level of training required on each policy for each person? You need to use a mix of methods to gather all of the needed information about every stage of the policy management lifecycle, including document review, interviews, and informal discussions.

Switzer: The final piece is analyzing the technology in use and figuring out what to keep, what to trash, what to combine or tie together with a central system. What are the key steps for analyzing your current and end use of technology?

McDonald: A company might have multiple SharePoint sites and a few different policy portals that may be unknown to the centralized corporate compliance group. Doing an inventory of systems is key. You may have a departmental system that is actually fit for purpose across the entire enterprise. Regulators love enterprise systems and they want to see consistency. So rather than allow a siloed departmental approach with different taxonomies and information feeds that are extremely hard to roll up into a clear picture, go for a common platform and a single source of the truth.

You’ll want a policy management platform that will take you into the next decade. For example, imagine a policy portal where I've got just the policies that matter to me on my dashboard. I've got a right rail that says what my tasks are, what I have to attest to, what training is outstanding. I have a place to ask questions. I should be able to access my dashboard on my mobile phone as well.

You really need to look at your planned future state and see what you can leverage that you already have. Decide what to retire and replace and then choose a vendor that has a ramp program that can help you lay out your use cases by each of the business units and decide what's crawl, walk, or run to make sure that the rollout and adoption is full and vital. Then you can get the business value that you anticipate.