We at The Network listen very closely to our customers. We place a lot of importance on their feedback, whether it comes in the format of comments on our blogs, conversations in the sales process, or interactions during implementations. Our clients share many interesting requests for new features as well as their opinions on where they as compliance professionals see the industry going, which is very valuable to us as we continue to plan our product roadmap.
We recently hosted a group of clients in Atlanta for our annual Client Advisory Council (CAC). The CAC is a two-day forum featuring subject matter experts speaking about hot topics in the ethics and compliance industry, as well as discussion sessions giving our clients a chance to network with each other and share best practices, challenges, etc.
The CAC is attended by compliance professionals from a wide variety of industries and companies of varying sizes, so we get to hear multiple perspectives throughout the event. On the second day we broke into small roundtable discussions. The clients at my table shared an interesting cross-section of process maturity around their organizations’ policy management programs.
On the one hand, four of six individuals stated their organizations have a Meta Policy in place. In case you aren’t familiar, a Meta Policy is a “policy on policies” that establishes the framework and guidelines for policies throughout the organization, such as what is a policy and what’s not, who must grant approval for something to be a policy and where policies can be found.
This was interesting, because we were having our discussion just after Chief GRC Pundit of GRC 20/20 Research, Michael Rasmussen, had finished a presentation on his analysis of deficient, common and leading practices around policy management. Having a Meta Policy in place was one of the things Rasmussen cited as a leading practice. I thought this might be the reason so many of my tablemates claimed to have a Meta Policy, until I noticed that the majority of clients at other tables did not have one. I still haven’t figured out how the Meta Policy fans all ended up at the same table!
As the discussion progressed, we discussed overall process maturity — centralized versus decentralized management of policies, who owned the policy program overall, how much oversight was conducted by Compliance, whether a compliance management system was in place, whether one tool was shared across teams or whether teams used separate tools, and more. Unlike the near unanimous implementation of a Meta Policy, the participants at my table varied widely on all the remaining measures!
Current Issues Compliance Leaders are Having with Their Compliance Management System
This echoes what we see in the market when we speak with clients and prospects — lots of variety. We discussed in more depth and realized that not only is it difficult to get teams within an organization to use the same compliance management system, it’s often difficult to get them to follow the same process. What is key is that the process is nailed down before the selection of a compliance management system or a policy management system. If departments aren’t operating the same way when it comes to policies, there’s little chance they’ll agree to use the same tool anyway.
At my table, we were discussing how to get everyone to unite around a common process, and one point that got all the heads nodding was the idea that the employee’s perspective needs to win out at the end.
From IT to Accounting, from HR to Compliance, many departments have policies, and therefore, most individual contributors are subject to policies from multiple departments. At the same time, there are several aspects about policies and the management of them that tend to frustrate employees, such as when they cannot find the information they need in a standardized location; when they find multiple overlapping policies that conflict with each other; when policies are written in confusing language or legalese and so on.
While the idea of getting a task force together to coordinate policy process may sound labor intensive, several of the clients at my table agreed that it’s the best alternative to having employees frustrated by the way the company’s official documents are managed.
Speaking of keeping the employee in mind, another participant volunteered that in the last two years, his company purchased a compliance management system to manage policies, specifically so they could link policies to the legislative requirements that they support.
Without taking a breath, he followed that by saying how difficult the product is to use! He admitted regret that he hadn’t found a policy management system that was built with the employee in mind, that provided simple navigation and simple search capabilities to allow the employee to find relevant information, and which displayed the policies in an engaging multi-media fashion.
As we say frequently, if the employee doesn’t remember the policies he agrees to follow, or can’t find them when needing to reference the information, you’re at some serious risk.
It’s definitely great to listen to the wide variety of clients that attend our CAC. Since I helped with the early strategy and design of The Network’s policy management system, the comments about the policy management process at these companies were really interesting to hear, and reinforced a number of the design decisions that helped us create our product that exists today. I’m already looking forward to what I’ll learn next year!
For more information on policy management check out these resources:
On-Demand Webinar: Building Bullet-Proof Policy Programs for Today’s Complex Business Environment
Whitepaper: 7 Reasons to Choose a Natively Integrated GRC Solution
Survey Report: Key Trends in Effective Policy Management