Wednesday, August 3, 2011

Policy Management Software: Build versus Buy

The mismanagement of policies has grown exponentially within organizations with the proliferation of collaboration and document sharing software such as Microsoft SharePoint. These solutions, to their credit as well as their downfall, enable anyone to post a policy. Organizations end up with policies scattered across dozens of different internal websites and file shares, with no defined audit trails or accountability for them. This produces policies that are written poorly, out of sync, out of date, and with no evidence of how the policy was communicated, read, and understood.

Collaboration and content software is a great tool for managing and sharing content in a general way — such as wikis, blogs, Web content, and documents usually shared among a specific group. While collaboration and document-sharing software appears easy and cheap to implement, the reality is that the cost to the organization is significant: the liability and exposure of ineffective policy management when it is not done properly. Many organizations have taken that path only to find that it is cumbersome for policy management.

There are strict compliance and legal requirements that must be instituted when managing policies — requirements that a build-your-own policy management system makes difficult to achieve, and that come at a significant cost to the organization. Some organizations feel that they could deliver at least some of the necessary features themselves, but doing so requires significant internal IT development effort to achieve an appropriate and effective policy management environment. That cost actually exceeds the cost of purchasing a policy and procedure management (PPM) software platform. Add ongoing maintenance and support of a build-your-own policy management system, and the costs grow higher still.

Consider that an organization will have to dedicate IT development resources to this project for several months and ongoing years. Is the organization willing to maintain the policy portal project as the priority for that long — and will it continue to test it and support it with updates as needed? Can it continually verify an audit trail that can hold up in court and with critical regulators? Can the organization demonstrate a strong policy management program that maintains and keeps policies current while showing who accessed them and when?

Another point of consideration is whether the organization wants to live with a home-grown system that will most likely have a fraction of the features contained in a purchased system. Companies can spend as much as 10,000 man hours to build a policy portal on collaboration technologies — and increase that development time every year thereafter trying to enhance it and provide the features an organization learns it needs to manage policies correctly. What opportunity costs does an organization incur by focusing on a custom approach to policy management?

Some specific features to consider when building your own policy management solution:

  • The desirability of a consistent platform for the entire enterprise instead of each department implementing their own policy portal.
  • The ability for the platform to manage the lifecycle of policies through creation, communication, assessment/monitoring, tracking, maintenance/revising, to archiving and record keeping.
  • The ability to restrict who can read what documents, and who has the permission to edit, review, and approve.
  • The training requirements needed to show that individuals understand what is required of them through linkage to learning systems/modules, quizzing, and attestation.
  • The accessibility of the system, with the ability to communicate policies in the language of the reader as well as provide mechanisms of policy communication for those with disabilities.
  • The requirement to be able to gather and track edits and comments to policies as they are developed or revised.
  • The mapping of policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of governance, risk management, and compliance (GRC).
  • The ability to provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
  • The ability to provide a user-friendly portal for all policies in the environment that has workflow, content management, and integration requirements necessary for policy management.
  • The capability to provide a calendar view to see which policies are being communicated to areas of the business, so that policy communications do not burden the business with too much in any given month of the year.
  • The need to provide links to hotlines for reporting policy violations.
  • The ability to publish access to additional resources such as helplines and FAQs to get questions answered on policies.
  • The cross-referencing and linking of related and supporting policies and procedures so the user can quickly navigate to what they need to understand.
  • The ability to create categories of metadata to store within policies and to display documents by category so that policies are easily catalogued and accessed.
  • The requirement to restrict access and rights to policy documents so that readers cannot edit/change them and sensitive policy documents are not accessible to those who do not need to see them.
  • The necessity that the organization keep a system of record of the versions and histories of policies to be able to refer back to when there is an incident or issue that arises from the past and the organization must defend itself or provide evidence.
  • The capacity to enforce templates and style on all policies with the ability to guide policy authors and prompt them to maintain the corporate brand as well as associate specific properties, categories, or regulatory obligations with the document.
  • The need for accountable workflow so certain people can approve policy documents and then tasks can be moved to others with full audit trails on who did what to the policy.
  • The ability to deliver comprehensive reporting — consider the time it takes in a build-your-own approach; an organization could spend months or years trying to create the depth and breadth of reports included in commercial policy and procedure management software.

Although you may be able to implement a few of these features using a build-your-own approach, the cost in training, maintenance, and management time, let alone the legal ramifications of lacking proof of reader sign-off and comprehension, makes it a risky venture for policy and procedure management.

More detail on the issue of policy management build versus buy can be found in my detailed research piece on this topic, POLICY MANAGEMENT SOFTWARE: BUILD VERSUS BUY.

18 COMMENTS

  1. Walt Stumpf says:

    Hi Michael,

    Interesting and excellent write-up!

    It seems to cover all the bases.

    Might you know a few leaders in this space with an enterprise product?

    Thanks
    Walt Stumpf
    BonAqua Inc

  2. Daisy says:

    Michael,
    Great article shedding light on all the benefits of buying a policy management software instead of building one in-house. Much of this is what we’ve spent a decade championing. I’m going to link this article in our own policy management blog, hopefully gain some coverage for you.
    Cheers,
    Daisy

  3. mrasmussen says:

    As a market research analyst covering the corporate compliance and ethics space (and broader GRC space), I see approximately 30 vendors offering policy management software, all with varying strengths and weaknesses – many are really good solutions that address these issues.

  4. Chris Burd says:

    This is a really great description of all of the considerations of a policy management solution, Michael. Several of your bullet points are often overlooked, even as organizations are evaluating purchasing a solution: accountable workflow, comprehensive reporting and mapping to obligations stand out as valuable features that are frequently underestimated.

    In the interest of full disclosure, like Daisy, I work with a vendor of policy management software, policyIQ (www.policyIQ.com). I do have a vested interest in an organization’s decision to build or buy.

    Thanks for the great overview, Michael.

  5. Kevin Stever says:

    LinkedIn Groups

    Group: Open Compliance & Ethics Group (OCEG) GRC Professionals
    Discussion: Policy Management Platform: Build Versus Buy
    This is a very good analysis of how policy management tools can aid an organization. For example, the list of features is a good starting point for comparing different products.

    However, in the opening paragraph, this statement has little to do with technology:

    “This produces policies that are written poorly, out of sync, out of date, and with no evidence of how the policy was communicated, read, and understood.”

    All of that is about the PROCESS that the organization uses when creating, deploying, and maintaining policy. If the technology “… enable(s) anyone to post a policy”, then having poor policies is a very likely result. However, if an organization follows a defined process that has executive-level buy-in, addresses organizational change, integrates risk management, and periodically measures or evaluates policy effectiveness, nearly all of the pitfalls listed can be avoided. Perhaps in some highly regulated environments it is necessary to show a forensic audit trail that makes having a technology solution a requirement, but I’d think an up-to-date policy inventory and a version history table in each policy suffices for the majority of situations.

    If I were in a position to select a technology for policy management, I would focus first on the business process of the policy development and management cycle, then determine if a tool is actually needed.
    Posted by Kevin Stever

  6. Pingback: Buy or build your policy management system? « The Policy Management People

  7. Pingback: Build versus Buy: What considerations should you be contemplating? - policyIQ Blog

  8. Frank Ruelas says:

    LinkedIn Groups

    Group: Health Care Compliance Association (HCCA)
    Discussion: Policy Management Platform: Build Versus Buy
    Michael,

    Your listing of 19 items to consider is very, very useful. I wish I would have had this list a few years ago as I think I was lucky to have 10 of them. The good news is that over the years, I’ve come to appreciate that those you list and perhaps a few others can really make a policy management platform build a very successful undertaking.

    Now some of the items below may be subsets of those items you listed. Some that come to mind include:
    - owner or responsible person for making sure policy gets updated timely (this may be under what you refer to as “accountable workflow”)
    - last review date and next scheduled review dates (might be under what you refer to as metadata)
    Posted by Frank Ruelas

  9. mrasmussen says:

    LinkedIn Groups

    Group: Risk, Audit, and Compliance Executives (RACE)
    Discussion: Policy Management Platform: Build Versus Buy
    I prefer to see and use document management applications that are the source of record for approved policies and procedures, as well as tracking revisions to the same. A task-based application helps any organization by providing workflows where key, predefined role holders are responsible for add/change/delete, review, and approval prior to final publication of the revised document.
    Posted by Chris Shepherd

  10. Eugen Oetringer says:

    Hello Michael,

    An excellent summary of the current situation! In my view, an effective policy environment provides one of those rare areas where, with a minimum effort, a maximum benefit can be achieved. That is, if one can make it work. With that, one question arising is this: Are the features listed sufficient to make it work?

    During the previous decade, companies have tried to achieve better efficiencies through implementing best practices. Too many times, the results were disappointing (see project management best practices versus project failure rates, ITIL, governance, etc.). It is since roughly 2008 that leading advisors (Gartner, etc.) demand fresh approaches. Meanwhile, employees have experienced many well intended initiatives that have failed to deliver to their promise. Those employees can now intuitively spot whether a new initiative is positioned for success or failure. The success of a new policy/compliance initiative depends on how those employees see this initiative and, hence, whether they will support, ignore or oppose it. With that background, may I propose a few additional features:

    • ‘Policy’ includes strategies, standards, guidance, instructions, etc. This is necessary to prevent gaps of critical importance, which would lead to different decisions in different locations and high-impact complications between locations.
    • The system needs to provide non-bureaucratic functionality for policies and associated documentation that change faster than the documentation can be updated.
    • The system needs to be able to cope with the dynamics and complexities of today’s environment (observe the conflict with today’s preferred process approach and software designs assuming a stable environment of modest complexity).
    • Target users should be able to find the policy documents relevant to them within just a few mouse clicks (observe that traditional search functionality provides too many hits or misses important policies).
    • Within documents, target users should be able to find the instructions relevant to them within about ten minutes, even if the document has 300 pages (observe that text-style documents and summaries are inadequate for this need). Something similar applies to software trying to deliver concrete instructions.
    • In order to prevent higher-level management from being overloaded with approval and deviation approval requests, approval and deviation approval need to happen at the optimum level. Hence, approval needs must be clear with each instruction and allow for the vast majority of decisions to be taken at lower levels.
    • The instructions and surrounding structures need to be written in such a way that employees can quickly take effective decisions for situations the instructions have not foreseen. This is necessary to prevent colleagues and clients from getting stuck in bureaucracy and conflicting instructions.
    • The whole system needs to align with how human beings think and act. E.g. overloading employees with instructions they can’t remember when they should needs to be avoided as much as possible.
    • The policies need to have easy-to-find and understandable ‘use’ and ‘avoid’ instructions, reasoning so target audiences understand why it makes sense to follow them, and information so the employee can comfortably discuss it with other colleagues and clients.

    Overall, the system should focus on (1) putting colleagues in a position to be compliant, (2) providing functionality to make compliance attractive, and (3) addressing remaining functionality needs through auditing/control functionality.

  11. Jamie Taylor says:

    LinkedIn Groups

    Group: Governance, Risk & Compliance
    Discussion: Policy Management Platform: Build Versus Buy
    Hi Michael, you raise some good points and in my experience, many companies, or the IT departments, tell their compliance colleagues ‘we can do that’ or ‘let’s use SharePoint’ etc – neither of which is advisable or possible (in relation to SharePoint). It takes a lot of time and investment to match up the list you mention. Indeed, many organisations often think that just ‘posting on the intranet’ or ‘emailing a copy round’ is sufficient – clearly this isn’t the case.

    My own company, Hi Tec Labs in the UK, is a market leader in Policy Management software with some of the biggest companies in the UK and abroad using our CONFORM system successfully, which manages all of your list and more – visit http://www.hiteclabs.com for more information. One of our specialist areas is in Financial Services – we currently represent around 70 banks globally.

    Regards, Jamie
    jamie.taylor@hiteclabs.com
    Posted by Jamie Taylor

  12. Richard Dahl says:

    LinkedIn Groups

    Group: Governance, Risk & Compliance (GRC) Professionals
    Discussion: Policy Management Platform: Build Versus Buy
    The biggest downfall of policy management systems in my opinion is that they are all about document management. What is really needed is the ability to manage guidance at a more atomic level. For security, it involves being able to correlate requisite security controls to the assets within scope; aggregating them into “Policy” documents is really tangential to what is needed. I understand what I am saying is non-traditional, but I believe it presents a better paradigm. Check out http://www.complid.info for the beginnings of an open source GRC that will [eventually] provide this functionality.
    Posted by Richard Dahl

  13. mrasmussen says:

    Kevin,

    We have different perspectives – process is all about technology and technology is all about process in this area. Technology provides the accountability and control of policy management processes that are in such a bad state. When organizations do not have defined control over policies it leads to policies that are written poorly (no defined workflow and approvals for policies), out of sync (they get distributed across storage areas and individuals are not sure which is the most current), and no evidence of communication and understanding (lack of audit trail and authentication on who accessed a policy and when).

    Granted, this can all be done manually without technology – but my experience is that it does not get done and is a mess. Technology enables this and provides the collaboration and accountability for effective policy management. It helps organizations manage the policy lifecycle and communication process to avoid these issues.

  14. mrasmussen says:

    Richard,

    Paradigm depends on perspective. Yes, what you describe is a good function for IT security level controls that are first authorized or defined in written policy documents. However, you will not get around the need to have written policies and the need to manage and communicate these documents. The automation of certain controls is a further level of maturity. The ability to map policies and corresponding controls to assets is a further level of maturity.

    The greatest difference I have with you is one of understanding that GRC is much broader than IT security. You get into policy areas such as anti-corruption, gifts/entertainment, insider trading, harassment, discrimination, and many other areas and the need to have clearly managed policy documents and a robust ability to track who interacted with them is a huge need.
    _____________________________________
    Michael Rasmussen, J.D., GRC Fellow, CCEP
    Business Ethics & Compliance Lecturer, Author, & Advisor
    Corporate Integrity, LLC
    4948 Bayfield Drive – Waterford, Wisconsin 53185-3376 USA
    +1.888.365.4560 (office)
    +1.262.332.9188 (mobile)
    mkras@Corp-Integrity.com

  15. mrasmussen says:

    Jamie,
    As a market analyst covering the policy management and broader GRC space – I have identified approximately 30 vendors that have built policy management software solutions. Each of these vendors has their strengths and weaknesses – and cover the points that I bring out to varying degrees of depth. It is necessary for anyone looking at policy management solutions to do their research and comparisons. I continue to offer complimentary 1/2 hour phone or email consultations to organizations looking for policy management solutions to help with this process.

  16. Murtuza Vasowalla says:

    LinkedIn Groups

    Group: Governance, Risk & Compliance
    Discussion: Policy Management Platform: Build Versus Buy
    Mike,

    Good post. I would add that those attempting to build a policy management solution are probably doing so because it is expeditious and convenient in the short term. To someone with a new hammer, all problems look like a nail. But for reasons you mention, this is not a viable long term strategy.

    The proliferation of SharePoint and collaborative tools such as Corporate Wikis gives any GRC Executive a reason to shudder as employees may take what they see in the intranet-sphere, or receive via email, as the absolute truth.

    What really ought to happen is for organizations to choose the vendor that best GOVERNS the policy management process and can provide most, if not all, the features you list in its native platform and can leverage SharePoint and other tools to supplement capabilities.

    We at QUMAS have embraced SharePoint and other collaborative tools by closely integrating them with our policy management solution. And our customers use them with great success. Especially since they take comfort in the fact that the policies are still governed and orchestrated by the QUMAS platform.

    Thus, the Compliance System of Record is never in doubt.
    Posted by Murtuza Vasowalla

  17. mrasmussen says:

    LinkedIn Groups

    Group: Corporate Integrity (GRC)
    Discussion: Policy Management Platform: Build versus Buy
    Definitely some interesting points! Before I would ask the question on build vs. buy for policy management platforms, I think you first need to define your requirements (whether compliance and legally defined or organizationally defined) for your policy management framework.

    Then, you can define a process and then either build or buy a solution that supports that process. One benefit of buying a policy management solution is that, in theory, the vendor has a proven process that will allow you to establish and communicate appropriate policies, train and test employees on policies, and maintain an auditable record of employee acceptance.

    Posted by Julie Pham

  18. Andrew Morrison-Young says:

    This is exactly where our company is at the moment. Our Intranet is SharePoint (SP) and I have a site within SP for PPM.

    I use workflows to obtain electronic feedback and approval. As I am not a SP specialist, the biggest challenge I have is being able to use the functionality such as content types and columns etc.

    I would prefer the ‘buy’ option – with a solution that has the ‘PPM end-to-end Lifecycle’ and includes monitoring and tracking and reporting – something that is frustrating in SP.

    I would love to learn more on how to put a ‘policy management framework’ together.

    Andrew
