ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

MetricStream Named Category Leader in All Seven Quadrants of the Chartis Research RiskTech Quadrant® for Integrated GRC Solutions, 2024

MetricStream Named Category Leader in All Seven Quadrants of the Chartis Research RiskTech Quadrant® for Integrated GRC Solutions, 2024

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close
Overview

A soon-to-be-published MetricStream Research survey report on policy management has found that 17% of large organizations manage a whopping 500-5,000 policies, while 29% manage up to 500 policies. If creating, maintaining, and distributing these policies wasn’t challenging enough, there’s also the added task of updating them in response to various external or internal business changes -- particularly regulatory changes. In fact, the majority of survey respondents reported that their biggest challenge is updating policies in line with constantly evolving regulations.

The situation becomes more complicated when there are hundreds of global regulations, as well as federal, state, and region-specific mandates. Sometimes, it can seem like just when you’ve understood a new regulation and assessed its impact on internal processes and policies, the regulation is updated again. Tracking these updates is complex in itself, but aligning organizational policies to them, and rolling those policies out to employees can be equally complicated, if not more.

READ MORE
Resource

With that in mind, here are a few steps to help you simplify the process of policy change management:

 

Track Regulatory Change Proactively

Keeping up with regulatory updates enables you to respond to them in a well-thought-out manner, instead of scrambling at the last minute to implement ad hoc measures. One way to ensure that you don’t miss any important updates is to subscribe to various regulatory content providers, be it regulatory agency filings, industry associations, trade publications, specialized media sources such as LexisNexis, or national/local media. There are also tools that can integrate directly with these content sources, and automatically feed regulatory updates into your organization as alerts which can then be routed to a subject matter expert.

Another good practice is to prepare ahead for regulatory change by mapping existing regulations to policies and processes. This approach is both useful and sustainable not only for large organizations that deal with hundreds or thousands of policies, but also for smaller organizations that may have less than 50 policies. Sifting through each of these policies every time there is a major or minor change in regulations can be a Herculean task. However, when the regulations have already been linked to a policy or a section of a policy, you can quickly understand which policy has been impacted by a regulatory change, and respond accordingly.

 

Conduct Impact Assessments and Update Policies

Once a regulation has been changed, subject matter experts must conduct a thorough analysis to understand the impact of the change on the policy ecosystem.

 

Some questions to ask:

  • Can an existing policy be updated to address the regulatory change, or should we write a new policy?
  • Is the effort and money required to administer the new policy reasonable compared to the benefits that will be obtained?
  • Do we have enough methods to communicate and enforce the updated policy?
  • Will the updated policy improve business performance?

It helps to have a robust policy management system that can streamline regulatory impact assessments, and trigger policy update processes with clearly defined review and approval workflows. Having a single system enables stakeholders to collaborate on policy changes and updates in one place, instead of going back and forth on emails, phone calls, and meetings.

While organizations need to update their policies to reflect regulatory changes, too many updates and versions of policies can be confusing for employees. The key is to find the right balance: Conduct impact assessments to determine if a policy update is really required. And if so, minimize any confusion by implementing version controls which help ensure that only the latest version of the policy is made available to employees.

 

Bridge the Gap in Policy Comprehension

Policy updates constitute only half the job. The more important task is helping your workforce understand the updates and their relevance. This can be challenging when you have hundreds of employees scattered across departments, business units, and locations. Many organizations have implemented policy management systems that can not only help them create and update policies, but also push those updates out automatically to the desired individuals or applicable departments.

It’s important to find creative ways of educating your staff on policy updates. The MetricStream Research survey found that online audio or video-based training is the most preferred method of communicating policy content, with 64% of the respondents vouching for it.

If the policy update is simple, an email blast to employees might suffice. On the other hand, a major policy change might warrant a dedicated classroom training session. Whatever the approach, policy training should ideally be as engaging and interactive as possible, so that employees comprehend and retain the information effectively.

The same applies to policy attestations. Conducting an interesting survey or quiz to track how much employees have understood of a policy update is likely to see more employee participation, and provide better insights than a simple yes-no attestation form. To further enhance policy learning and retention, all policies and related updates should be stored in a central repository, so that employees can access and read them whenever required.

 

Ensure Sufficient Visibility and Control over Policy Change

Every time a policy is impacted by a change in regulation, it goes through a cycle of updates, reviews, approvals, communication, and attestations. Tracking the policy at every stage is important because it helps you identify and address any issues that might arise. Is the policy stuck somewhere, and if so, what is the problem? Was the policy published to the relevant groups? How many users have or haven’t attested to it yet?

Robust reporting tools and dashboards can help you keep track of the policy by automatically collecting and rolling up data from within the policy management system. Using these tools, you can slice and dice the data for a deeper analysis, and make informed decisions on how to move a policy forward faster, or mitigate compliance related risks.

 

HOW METRICSTREAM CAN HELP

The MetricStream Policy and Document Management App simplifies the process of creating, reviewing, and communicating policies, as well as updating them. The app helps in mapping policies to regulations, risks, and controls in a single, tightly-knit framework, so that if a regulatory change occurs, its impact on policies can be easily understood. The app also provides automated email notifications and alerts to users when a policy has been updated. All policies are stored in a central repository for easy search and discovery.

 

With the MetricStream Policy and Document Management App, you can:

  • Effectively manage and update policies at the local, regional, and organizational levels through a federated data model
  • Create, categorize, and centrally store policies and procedures with reference links and supporting documents
  • Collaborate on policy changes, reviews, and approvals
  • Capture and monitor policy exceptions
  • Search for policies based on multiple attributes such as content and author
  • Track policies with the help of ready statistics and data on the policies available by type, status, audit history, in-process documents, approval cycle time, usage summaries, and average review time

 

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk