3 Key Findings from the Policy Management by Design Workshop

June 12, 2018

Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures.

Workiva teamed up with GRC expert Michael Rasmussen of GRC 20/20 Research, LLC for a workshop on policy management. Attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs.

Here are three of the top takeaways from the Policy Management by Design Workshops.

1. Policy management affects organizations of all sizes

The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:

  • Updating policies is a reactive process rather than proactive, meaning policies are often outdated
  • Searching for policies is difficult without a cross-organizational master index
  • Ownership and enforcement are insufficient
  • Version control is not available, and understanding what changed in the event of an audit is problematic
  • Visibility into how policies link to other internal control frameworks is limited
  • Measurement of policy effectiveness is inadequate or unavailable

2. Policy management can be like a "choose your own adventure"

A key part of the discussion revolved around how the creation, review, and update of policies is like a "choose your own adventure," as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.

3. Consistency, consistency, consistency

Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:

  • Consistent user experience (UX): The number one criterion attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
  • Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weaken buy-in and generate mistrust across the organization.
  • Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.

What should you look for in a policy management technology?

Evaluating policy management options can be daunting. Rasmussen suggested looking at solutions like Wdesk from Workiva, which are proven to streamline the process of policy drafting, document management, and distribution across the team.

Rasmussen recommended comparing the following criteria when selecting a policy management solution:

  1. Ease of use and intuitiveness
  2. Defensible system of record with a precise, electronic record of who changed what policy, how, and when
  3. Access to a master index of all policies
  4. Ability to cross-reference linking to other policies
  5. Ability to link policy information across documents, spreadsheets, and presentations
  6. Tools for policy review and attestation workflow and tasking
  7. Survey capabilities

Workiva has earned awards for the Wdesk platform's policy authoring, editing, and maintenance capabilities, based on its ability to deliver flexibility and security to boost productivity. Learn more about how GRC 20/20 outlines policy management requirements.

Continuing the conversation on governance, risk, and compliance

The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces.

For additional advice on best practices for risk management, check out the key findings from our internal control workshops.

For future educational opportunities, check out our schedule of events, which includes upcoming SOX and internal control workshops.