A soon-to-be-published MetricStream Research survey report on policy management has found that 17% of large organizations manage a whopping 500-5,000 policies, while 29% manage up to 500 policies. If creating, maintaining, and distributing these policies weren’t challenging enough, there’s also the added task of updating them in response to various external or internal business changes, particularly regulatory changes. In fact, the majority of survey respondents reported that their biggest challenge is updating policies in line with constantly evolving regulations.
The situation becomes more complicated when there are hundreds of global regulations, as well as federal, state, and region-specific mandates. Sometimes, it can seem like just when you’ve understood a new regulation and assessed its impact on internal processes and policies, the regulation is updated again. Tracking these updates is complex in itself, but aligning organizational policies to them and rolling those policies out to employees can be equally complicated, if not more so.
With that in mind, here are a few steps to help you simplify the process of policy change management:
Keeping up with regulatory updates enables you to respond to them in a well-thought-out manner, instead of scrambling at the last minute to implement ad hoc measures. One way to ensure that you don’t miss any important updates is to subscribe to various regulatory content providers, be it regulatory agency filings, industry associations, trade publications, specialized media sources such as LexisNexis, or national/local media. There are also tools that can integrate directly with these content sources, and automatically feed regulatory updates into your organization as alerts which can then be routed to a subject matter expert.
Another good practice is to prepare ahead for regulatory change by mapping existing regulations to policies and processes. This approach is both useful and sustainable not only for large organizations that deal with hundreds or thousands of policies, but also for smaller organizations that may have fewer than 50 policies. Sifting through each of these policies every time there is a major or minor change in regulations can be a Herculean task. However, when the regulations have already been linked to a policy or a section of a policy, you can quickly understand which policy has been impacted by a regulatory change, and respond accordingly.
Once a regulation has been changed, subject matter experts must conduct a thorough analysis to understand the impact of the change on the policy ecosystem.
Some questions to ask:
It helps to have a robust policy management system that can streamline regulatory impact assessments, and trigger policy update processes with clearly defined review and approval workflows. Having a single system enables stakeholders to collaborate on policy changes and updates in one place, instead of going back and forth on emails, phone calls, and meetings.
While organizations need to update their policies to reflect regulatory changes, too many updates and versions of policies can be confusing for employees. The key is to find the right balance: Conduct impact assessments to determine if a policy update is really required. And if so, minimize any confusion by implementing version controls which help ensure that only the latest version of the policy is made available to employees.
Bridge the Gap in Policy Comprehension
Policy updates constitute only half the job. The more important task is helping your workforce understand the updates and their relevance. This can be challenging when you have hundreds of employees scattered across departments, business units, and locations. Many organizations have implemented policy management systems that can not only help them create and update policies, but also push those updates out automatically to the desired individuals or applicable departments.
It’s important to find creative ways of educating your staff on policy updates. The MetricStream Research survey found that online audio or video-based training is the most preferred method of communicating policy content, with 64% of the respondents vouching for it.
If the policy update is simple, an email blast to employees might suffice. On the other hand, a major policy change might warrant a dedicated classroom training session. Whatever the approach, policy training should ideally be as engaging and interactive as possible, so that employees comprehend and retain the information effectively.
The same applies to policy attestations. Conducting an interesting survey or quiz to track how much employees have understood of a policy update is likely to see more employee participation, and provide better insights than a simple yes-no attestation form. To further enhance policy learning and retention, all policies and related updates should be stored in a central repository, so that employees can access and read them whenever required.
Every time a policy is impacted by a change in regulation, it goes through a cycle of updates, reviews, approvals, communication, and attestations. Tracking the policy at every stage is important because it helps you identify and address any issues that might arise. Is the policy stuck somewhere, and if so, what is the problem? Was the policy published to the relevant groups? How many users have or haven’t attested to it yet?
Robust reporting tools and dashboards can help you keep track of the policy by automatically collecting and rolling up data from within the policy management system. Using these tools, you can slice and dice the data for a deeper analysis, and make informed decisions on how to move a policy forward faster, or mitigate compliance related risks.
The MetricStream Policy and Document Management App simplifies the process of creating, reviewing, and communicating policies, as well as updating them. The app helps in mapping policies to regulations, risks, and controls in a single, tightly-knit framework, so that if a regulatory change occurs, its impact on policies can be easily understood. The app also provides automated email notifications and alerts to users when a policy has been updated. All policies are stored in a central repository for easy search and discovery.
With the MetricStream Policy and Document Management App, you can: