Six Reasons You Can’t Rely on SharePoint to Manage Policies in Your Compliance Management System


This post is the first in a series on the risks of using SharePoint for policies in your compliance management system.

SharePoint is a beast in the world of enterprise document management. As of late 2012, SharePoint was a $2 billion source of revenue for Microsoft, and Microsoft claimed that over 60% of enterprises use it.

If you’re reading this, there’s a significant chance your company has invested resources in SharePoint. You may already have your ethics and compliance policies stored on SharePoint, and because of that investment, you’d like to think that SharePoint has your compliance policy problems under control.

Think again.

Effectively managing company ethics and compliance policies can be a real challenge, for a number of reasons. Consider the difficulties in policy version tracking and recording who signed off on which version. This is key for defensibility. Another common difficulty is the typical multi-step process required to cross reference violations to the specific version of the policy in force at the time. These are objectives of a robust policy management process.

SharePoint simply does not support the requirements of a mature policy process. In this blog post series, we’ll explain the many risks of relying upon SharePoint to manage corporate policies in the enterprise.

Policy is Out of Date

How often are you reviewing your policies?

Most ethics and compliance policies should be reviewed by their owners at least once per year to ensure they are in line with current strategic thinking and risk tolerance, external regulations and any other changes in the organization. Even if no changes are needed, the periodic review ensures policies aren’t allowed to sit indefinitely without being reviewed, effectively being abandoned.

With a rigorous policy process in place, policy owners are reminded to review their policies prior to the annual review date. They can designate a policy as reviewed or make changes if needed. If the policy isn’t reviewed within a set period of time, an alert can be sent to the policy owner’s manager or to the owner of the corporate policy program to ensure it is done.

This process is crucial to ensure that employers do not rely on outdated policies that provide incorrect guidance.

SharePoint is essentially a storage mechanism. It does not provide a way to remind the policy owner that it’s time to review a policy. It remains up to the policy owner to set calendar reminders to perform this task. If the reminder is ignored, SharePoint provides no escalation capability to remind the supervisor or policy program owner that a policy has not been reviewed.

SharePoint is not an effective compliance management system.

The Policy Was Forgotten

How engaging are your policies? Do they look like a “wall of text,” or even more daunting, a “wall of legalese”? Or do they include engaging imagery, short video clips and other devices to make them more of an experience?

With the optimal policy process in place, policies are delivered in an experience that includes textual policy information and supporting multimedia and training, all in one. Employees are reminded periodically of the key points through awareness campaigns, and if they don’t remember the specifics of a given company policy, it’s close enough to top-of-mind that the employee knows to go search for the policy before making a decision. Incidents of blatant forgetfulness are minimized.

Without such a process in place, employees review a dry-looking document that doesn’t have an optimized visual style, and is not supported by any multimedia elements. They review the policy and the corresponding training months apart, resulting in minimized retention of the material. The experience makes a negligible impression and is likely to be forgotten.

SharePoint acts as a document repository, usually hosting policies in Microsoft Word or Adobe Acrobat format. Neither format provides much assistance in embedding multimedia, and IT departments frequently limit the size of the documents, making embedded video uncommon. SharePoint doesn’t provide a way to display relevant multimedia along with a textual document. Policies remain dull and boring.

SharePoint is not an effective compliance management system.

Policies Overlap and Conflict

What happens when the same topic is covered in more than one company policy? What if the treatment of those topics varies based upon the policy you read?

With a robust policy process in place, subject matter is distributed such that each topic is covered by the appropriate party. The set of policies in place for the organization is evaluated to ensure every topic is covered, but only once, and in a consistent manner.

Without such a process in place, multiple business units or departments within the company create their own policies that cover common topics. The departments and business units don’t check with each other to confirm the policies are consistent, and conflicting elements are published. Employees who are subject to policies from different sources are placed in a state of conflict, which creates employee confusion.

Again, SharePoint is an enterprise-scale document management application. Most organizations that put their policies on SharePoint use it as a common file storage location for the latest documents. SharePoint does not provide an information architecture or common tagging system that can help identify when a topic is covered multiple times. Different teams often use different SharePoint sites for their documents, which makes conflicting passages even less likely to be spotted.

SharePoint is not an effective compliance management system.

Inconsistent Policies Fail to Support a Compliance Culture

What happens when employees read policies that are in conflict with each other, or even policies that just look different?

With a robust policy process in place, all policies go through the proper review so that topics are addressed in the same way and provide consistent guidance. They’re published in the same visual and structural templates so that when an employee reads them, they all look consistent. Employees can easily identify a company policy just by its “look”.

Without such a system in place, policies from each department have a different look and feel. Some policies may provide conflicting guidance on the same topic. Employees are confused about what to do, and they walk away thinking the company doesn’t care enough about its own rules to invest in making sure they’re consistent. Things feel sloppy, and worse, confused employees can inadvertently engage in non-compliant behavior.

SharePoint does not manage the look and feel of documents at all. It can ensure approval workflows are followed, but even this requires custom programming.

As with any customization of SharePoint, you run the risk of the attestation forms no longer working when a patch or upgrade is applied to SharePoint.

SharePoint is not an effective compliance management system.

Hard to Know Which Policies to Update When a Regulation Changes

When the rules change on the outside, can you quickly follow the trail to the relevant policies?

With a robust policy process in place, every section of every policy is linked to the regulations and authoritative sources it supports. Once you learn of a change, you can start with that regulation or source and find all the relevant policies and sections that should be reviewed.

Without such a system in place, you won’t have thorough traceability. When a regulation changes, you may only review some of the relevant policies and sections of policies that depend upon it. Some policies will remain out of date, and may provide inaccurate guidance given the changes in the law.

SharePoint does not provide an automatic way to maintain traceability of policies to regulations, because it’s a document storage solution, not a policy management solution.

SharePoint is not an effective compliance management system.

Employees Don’t Report What They Don’t Understand

Why aren’t reports coming in about suspected types of misconduct? Is it because they aren’t happening, or because your employees don’t have a clear understanding of the unacceptable behavior?

With a robust policy process in place, employees know desired behavior and can recognize undesirable behavior, because they’ve been trained on all the policies relevant to their duties. Policy and training certification results clearly identify which topics are understood and which cause confusion, and therefore require additional training. When employees see someone stepping out of bounds, they are confident of your company’s guidelines and report it in the interest of ensuring the company does the right thing.

Without such a process in place, all you can say for certain is that training was offered. Individual performance is not readily available, and is not used to identify topics needing additional clarification. Employees fail to report perceived wrongdoing because they haven’t clearly internalized what is and what is not acceptable behavior.

SharePoint provides access to policy documents and forms, but does not gather certification results to help you improve the training.

SharePoint partially addresses this risk.

Check back for further analysis of SharePoint, including six reasons SharePoint isn’t a solid compliance policy certification system and five reasons SharePoint costs you undue time and money when used as a policy management system.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© The Network, Inc. | Attorney Advertising

Written by: The Network, Inc.
