THE DEFINITIVE GUIDE TO
POLICY MANAGEMENT
Assessment tools, best-practice tips, considerations, and more
2The Denitive Guide to Policy Management
SUMMARY

organization’s employee handbook, code of conduct, and policies and procedures, The Definitive
Guide to Policy Management is your go-to resource. No matter where you are today in your
understanding of policy management, or how effective your current system may be, this guide will
close the gaps in your understanding and offer new and practical perspectives and insights.


organization, these divisions will help you quickly access the information you seek.
Section 1—For the Visionary
POLICY MANAGEMENT REDEFINED:
FORGET WHAT YOU THOUGHT YOU KNEW
1.1 The Purpose of Policies
1.2 High Stakes
1.3 
Section 2—For the Practitioner
POLICY MANAGEMENT PRACTICES: A HOW-TO GUIDE
2.1 Assembling a Team: Key Roles and Responsibilities
2.2 Laying the Groundwork for Policy Development
2.3 
2.4 Managing the Policy Life Cycle
Section 3—For the Strategist
TRANSFORMING POLICY MANAGEMENT PRACTICES
3.1 Assessing Your Current Approach
3.2 
3.3 Choosing to Automate: The Value of Policy Management Software
About NAVEX Global
CONTENTS
4The Denitive Guide to Policy Management
VISIONARY
For the visionary seeking a deeper understanding of policy management, the

perspective on policy management to help you determine the best course of
action for your organization.
Policy Management Redened:
Forget What You Thought You Knew
1.1 THE PURPOSE OF POLICIES
Policies are the backbone of your business. At their
best they are a dynamic body of shared knowledge
used to strengthen, support, and protect your
company’s success. Ensuring that you have the
necessary policies and procedures in place—
and enforced—will help you accomplish your
organization’s strategic vision while protecting
its people, reputation, and bottom line.
1. To convey the organization’s mission and enable the execution of its strategy
2. To ensure that employees clearly understand expectations and consequences
3. To influence employee behavior and decision-making
4. To create a positive and respectful workplace
5. To foster credibility and trust with customers and business partners
6. To improve productivity and business performance
7. To meet all legal standards required to operate
8. To protect the organization, its people, its reputation, and its bottom line
9. To avoid litigation and mitigate risk
10. To prevent, detect, and respond to criminal conduct
Your company’s vision, mission, and values serve as a clearly visible “north
star” for policy development. Policies drive the various facets of corporate

support the organization’s vision as well as its desired attitudes toward
performance, including a culture of compliance.
Supporting the organizational vision by creating, maintaining,

If your team becomes buried by onerous administrative tasks, you and
they may have a tendency to begin regarding policies like some employees
do—as a necessary evil and an inconvenience. Your team cannot afford
to think this way; they must champion the idea that policies can and do
change behavior, alter decision-making, and serve many vital purposes
within the organization.
“Policies and procedures
are the strategic link
between the company’s
vision and its day-to-day
operations.”
Ingrid Fredeen, Vice President,
Advisory Services, NAVEX Global
10 PURPOSES OF POLICIES
Training employees on the critical importance of company policies can have a positive impact on their perspective

the importance of policies is to promptly investigate allegations and enforce policies when violations occur.


set the tone from the top about the value and the importance of abiding by company policies.
1.2 HIGH STAKES
In 2012 more than 4,000 federal rules were scheduled and more than 3,000

have risen 400 percent, with half of those suits won by the employee.

The average court
award for employee
lawsuits was
$493,000 before
punitive damages
and attorneys’ fees,
and out-of-court
settlements average
$311,000.
1. Do you know the last time your complete business policies came under review?
2. Are each of your policies reviewed periodically by Legal to ensure compliance with current laws and regulations?
3. Do you know who creates your policies as well as the standards and the methods used to implement and enforce them?
4. Do you maintain meticulous attestation records indicating that your employees have read and understood the policies that apply to them?
5. Can your employees find the most current version of any assigned policy in less than three minutes?
Can you answer yes
The stakes are high when it comes to having the right policies and


employee litigation, it is certainly no surprise that companies need a well-

what may be surprising to many is that a recent survey indicated that
66 percent of companies felt they had little or no control of their policies.

the strength of your organization’s current system.
yes to these questions,


policies current, reviewing their content, and documenting how often
employees are trained on or reminded of a given policy.
CASE STUDY 1

$1 million for gender-based discrimination under Title VII
of the Civil Rights Act of 1964.
The company had a longstanding policy (established in 1938) that banned the
hiring of men as food servers. The company maintained the same policy for 39




for failing to update “longstanding” policies.
On the other hand, organizations that approach policy management strategically

in organizational alignment, corporate culture, and ultimately their bottom-line
results. Not only that, but when incidents occur or regulators come knocking,
your organization will be prepared.
CASE STUDY 2
In 2012 the US Department of Justice (DOJ) declined to
prosecute Morgan Stanley when employee Garth Peterson
violated the Foreign Corrupt Practices Act (FCPA). The



corruption risks associated with the giving of gifts, business entertainment,
travel, lodging, meals, charitable contributions and employment. Morgan Stanley
frequently trained its employees on its internal policies, the FCPA and other

groups of Asia-based personnel on anti-corruption policies 54 times. During
the same period, Morgan Stanley trained Peterson on the FCPA seven times
and reminded him to comply with the FCPA at least 35 times. Morgan Stanley’s
compliance personnel regularly monitored transactions, randomly audited
particular employees, transactions and business units, and tested to identify

on all new business partners and imposed stringent controls on payments
made to business partners.”
Keeping Up with the Pace of Change:
Questions You Can Ask
Workforce


Operations and Business Structure





Leadership

Technology



Compliance and Legal




policies, assessing and keeping up with
the pace of change in your particular
business environment should be a
priority. Given the staggering pace
at which business conditions evolve,

current realities. Asking some key
questions will help ensure that your
policies are aligned with constantly—
and rapidly—changing business
conditions.
Not having policies is akin to driving without automobile insurance. It is both against the law and

bad driving of others. In organizations it is only a matter of time before someone makes a mistake.
If appropriate conduct has not been outlined, published, and communicated, the accountability
and the liability of the action will fall on the organization.
1.3 POLICY MANAGEMENT REDEFINED

for ages, but the art of “policy management” as a business practice is relatively new.
In large part the prevailing understanding of policy management solutions available
today has been shaped by solution vendors. Unfortunately, many vendors limit the
scope of policy management to the challenges their solutions can favorably address.
In so doing they ignore important aspects of policy management.
Modern policy management takes into account the
elevated purpose of policies and the critical role they
play in protecting an organization. Effective policy
management—with strong, well-managed policies
integrated across the business—sets forth standards
for individual and business conduct that result in improved
performance and enhanced corporate culture.

might sound something like this: “Policy management
is all the practices associated with managing your
organization’s policies from draft to implementation,
including the collaboration, communication, storage,
and documentation at key stages of the life cycle.”

visionary, the practitioner, and the strategist at the
same time: Policy management is the art of enabling
and empowering your organization to achieve its
strategic vision by implementing safeguards that
facilitate day-to-day operations by preventing,
detecting, and responding to risks. Later in this
guide, you will learn about how a vision statement
or declaration document helps lay the groundwork
for policy creation (see Section 2.2: Laying the
Groundwork for Policy Development).
Once transformed, your policy practice

functions:
Communicate your company’s vision, mission, and strategic plan
Articulate and build the desired culture
Drive standards for individual and business conduct
Shape, guide, optimize, and protect performance at every level
Help ensure regulatory compliance
Minimize risk by reducing litigation and liability
transform your policy management practices—there are seven key steps:
1. Assembling a team and assigning key roles and responsibilities
2. Laying the groundwork for policy development
3. Learning how to write effective policies
4. Managing policies throughout the life cycle
5. Assessing your current approach
6. Comparing alternatives for improvement
7. Determining a course of action and implementing it
The remainder of The Definitive Guide to Policy Management is designed to help you understand
each of these steps in greater detail. Section 2 provides practical how-to steps for getting started,
writing policies, and managing the policy life cycle.
Policy Management Practices:
A How-To Guide
2.1 

Approaches to policy management are many and

one consistent, all-important element: people.
Only people can determine whether policies meet
objectives and provide the desired safety net for
employees and other stakeholders. And while
the right technology can transform the nature of
policy management, from task-based to strategic,
technology does not make strategic decisions
nor does it determine content. Your people do.

and responsibilities in policy management.
For the practitioner who is in the trenches day in and day out, the second
area of study provides instructions on how to get started, lay a foundation
for success, and effectively manage policies at every stage of the document
life cycle.
PRACTITIONER

Generally speaking, a Policy Oversight Committee comprises individuals
representing the following groups:
Senior leaders with governance responsibilities who
monitor and approve policies
Leaders representing key areas connected to policy
implementation, including Compliance, Legal, Risk,
Information, Security, Quality, and Human Resources
Leaders of broad employee segments affected by
the policies
Policy administrators with oversight of the policy and
procedure process
FORMING A POLICY
OVERSIGHT COMMITTEE
A Policy Oversight Committee
of senior leaders and other key
policy stakeholders is responsible
for developing and implementing
policies, procedures, and controls
throughout the organization. The
committee ensures alignment with
the organization’s vision, mission,
and values at the heart of its
business. These leaders also set a
tone of enterprisewide respect for
policy practice by making policy
management a priority worthy of
time and resources.
“Someone has to be
given responsibility
for managing the
centralized process. It
can’t be an untended
garden; it’s a labor of
love to do a great job
managing policies.”
Ingrid Fredeen, Vice President,
Advisory Services, NAVEX Global
The Policy Oversight Committee delegates roles
and responsibilities to any number of individuals
and groups of policy stakeholders.
Document control administrators
(also known as policy coordinators) are system controllers in charge of all
system functions, particularly when a company uses policy management software.
The best document control administrators are effective trainers and skilled
facilitators because they are responsible for guiding others through the policy
creation process.
Document owners and authors
monitor the implementation and the life cycle of the policy from the time it
is enacted. The owner is typically the same as the author, although separate
people who work closely together may be employed to author and then own
the policy. Document authors write a policy and manage the various stages of
its revision. It is essential that the author is well versed in issues relevant to the
policy (especially laws and regulations) and capable of producing a clear,
direct, complete policy document.
Reviewers
are assigned by the document owner and have the option to accept, reject, or

all stages of the policy management life cycle.
Approvers
have similar responsibilities to reviewers, but they also have the authority to give

may not also act as an approver.
Additional stakeholders
are often called upon by the document owner or author to take part in the
development process, including research, brainstorming, and the creation of

employees affected by a given policy, or nonemployees who are integrally linked
to operations (such as government agencies, creditors, or unions). There are also
additional roles to consider:
Proxy authors write documents on behalf of a document owner who may be too
busy but needs to maintain ultimate responsibility for the document.
Collaborators
of the document pertaining to topics that are unfamiliar to the document owner.
Translators translate documents into other languages before they are approved.
Brainstorming Committees can be helpful to the process with the use of surveys,

Other responsibilities include distributing policies and managing the promotion
or awareness efforts around the policy release. Policies that represent areas

implemented with training programs, include assessments to measure comprehension,
and require attestation of readership by employees. Finally, someone
on the team needs to bear ownership of maintaining critical documentation
for audit and reporting purposes.


importance of a meta-policy, key terms, and how to prioritize your policy creation
and review efforts before you begin writing.
DOCUMENTING THE POLICY DEVELOPMENT PROCESS
At every stage of policy development, it is
critical that you maintain records documenting
the participants and their roles in the process.
This includes setting milestones and deadlines
to ensure that each participant brings the
expected level of expertise to the table.
BEST
PRACTICE
2.2 
As with any management practice, you should have a strategic approach that serves

or declaration document that serves as a reference point for policy creation.
If you have policies or procedures that do not support your vision, they should be

The following is an example of a declaration document
formerly used by PolicyTech.
Vision Statement
Denes success for your organization
Our vision is to be the leading global provider of policy and procedure

for our clients.
Mission Statement
How you will accomplish your vision

and comprehensive policy and procedure management software.
Quality Policy
Also known as core values or guiding principles—the attributes that you believe
to be essential to fulfilling your mission and realizing your vision
At PolicyTech™, IMAGE is everything.
Instant customer service
Manageable project implementation
Appealing product design
Genuine concern for customers and employees

The Declaration
Document
BEST
PRACTICE
The Meta-Policy: Creating a Policy on Policies
Among a Policy Oversight Committee’s chief tasks is creating a policy on
policies, sometimes called a meta-policy, that establishes the approach
to the policy life cycle from creation, review, and approval to distribution,

creating and managing corporate policies is critical to having policies that
consistently work toward the achievement of your vision.

considered when creating and implementing new policies. This overarching
policy may also prescribe where a policy is stored, the duration that a
policy remains active, when it must be reviewed, and instructions for
standardized formatting.
A strong policy management framework includes a Policy Oversight
Committee, a policy on policies, and overarching guidelines for
policy development.
Prioritizing Documents

values or mandates, address regulatory obligations, or manage potential risk
or liability. Keep in mind that too many policies burden the organization and


as you prioritize your policy development efforts. This list could be used
to prioritize the order in which you tackle policy creation or updates, or it
might be used to identify policies that can be consolidated or eliminated
altogether.
“A policy should not
be able to get into the
central repository unless
it follows the meta-policy,
so you have that nice
circle of control.”
Lisa Hill, President, PolicyScape
Consulting, and Co-Chair, OCEG
Policy Management Group
Policy Management Glossary
As you get ready to draft policies, it is important to understand some key
terms that often cause confusion. Here are some fundamentals.
policy
A document that contains several related policy statements
policy statement
An overarching, broad-stroke statement of what an employee or other
resource will do (but not how to do it)
processes
General outlines that describe the steps needed to accomplish a major

procedures
Detailed step-by-step outlines that describe how to accomplish the tasks
needed to support a process or policy
quality record
Information generated that measures the quality of the completed
process or procedure
20 Questions for Prioritizing Policy Development Efforts
1. Does the document communicate executive direction such as vision, mission, values, or objectives?
2. How critical is the document to achieving your vision, mission, values, and goals?
3. How integral is the policy to the success, support, and enablement of daily operations?
4. How urgent is the need for written directions on this particular subject?
5. How unclear or complex is this issue to the average employee?
6. How often will employees refer to the document?
7. Is the policy integral to establishing or shaping your culture?
8. How many employees are affected by the policy?
9. What are the potential consequences of not having the policy or of its being outdated?
10. Is this policy critical to workplace health or safety?
11. Could the lack of this policy result in harm to people?
12. Could the lack of this policy halt or slow operations?
13. Is the policy required or recommended by local, state, or federal law?
14. Have recent events necessitated changes to or creation of a policy?
15. Is the policy required for regulatory compliance?
16. Is the policy required for a certification audit?
17. How probable or likely is an incident or violation of this nature to occur?
18. How serious would the ramifications be if an incident arose and no policy existed or a policy was outdated?
19. Would the policy resolve existing challenges?
20. Might the lack of the policy lead to reputational damage or misrepresentation by an employee?
5 Tips to Ensure That Policies
Meet Long-Term Compliance Goals
1. Align policies with compliance, assurance, and risk governance objectives.
2. Align and update policies based on shifts in the regulatory environment.
3. Define who is accountable throughout the policy life cycle.
4. Ensure that employees understand and adhere to policies.
5. Identify and address gaps in compliance and policy exceptions.

ready to begin writing and editing policies. Follow your priorities and
work toward your policy objectives. Continually evaluate whether your
policy development efforts are in alignment with the organization’s
strategic objectives.
2.3 THE POLICY MANAGEMENT LIFE CYCLE:


regulatory requirements, create a corporate ethos, or back up social responsibility statements.”
Forbes magazine

Elements of a Policy
What Every Document Needs
Policy title to simplify
references to the policy
Rationale

replacing an old one—with a focus on

and the user
Denitions, including key words
and terms, to guard against ambiguity
and misinterpretation
Scope statement that stipulates
whether the policy is limited to
individuals in certain roles or with
certain responsibilities or whether it
applies more broadly to departments
or the entire organization
Related documents that

including links to those documents
Key dates to identify when the
policy was written, implemented,
or altered
The First Stage in the Policy
Management Life Cycle: Create


important elements of a policy, the process, the writing style, the look and
feel, and legal considerations. In Section 2.4 we discuss the subsequent stages
in the life cycle.
The Writing Process
1. Research

the policy—should gather relevant information from a broad range of

Internal
Employee feedback
Risk assessment
Incident reports in the case management system
Quality/compliance feedback
Governance feedback
External
Legislation
Regulations
Customer feedback


2. Brainstorm


and weaknesses, metrics for evaluation, and impact on other policies and
procedures.
3. Outline
After researching and brainstorming the content with stakeholders

the information researched and brainstormed and create an outline.



Policy Management Life Cycle
1. Create
2. Review
3. Approve
4. Distribute
5. Track
6. Update
Writing Style
Policies should be direct, without room for interpretation,
but they should never come off as hostile or condescending.
Policies should be written in the same professional
voice, regardless of the target audience.

circuitous statements thick with jargon will impress a point on no one. Policy
content must be unambiguous, grammatically correct, and error-free to be
certain that the policy means what it says and says what it means.

Make sure wording is clear, precise, and easy to understand.
Ensure that policies and procedures are complete, in proper order,
and accurate.
Do your best to know the applicable laws and regulations—and make
sure the policy complies.
Consider the informal and unwritten rules as well.

Avoid promissory language. The word will means that you are
committed to that position or action. The word shall is the
strongest legal commitment you can make.
can, may, must, ought,
could, should, and might.
always and never.
Never use wording that restricts the organization’s ability to act
or that unwittingly forms a contract.
Reserve the right to make changes.

without intending to enforce it, you are better off not writing it.
Clarify who is required to read and follow the procedure.
Make sure you are clear about who is responsible for each step in the
procedure.

Consider if the procedure is written in a safe, reasonable, and fair manner.
Do not allow policies to become obsolete or inapplicable under a
regulatory or legal regime.
Always remember the policy and procedure motto: say what you mean—
and do what you say!
Consistent
Terminology
BEST
PRACTICE
Part of achieving clarity is
using consistent language and
terminology. Terms such as web,
Internet, and online are often
used interchangeably. Your IT
people know the difference;
make sure those on the Policy
Oversight Committee do, too.
Pick one term for what you
mean and use it consistently
throughout all company policies.
Formatting: Looks Matter
It is important to use a standardized format for policies. Formatting
discrepancies are confusing. They can give the impression of being outdated
or disconnected from one another. If you really want readers to become
engaged in the document, you must be cognizant that people are attracted
to clean, well-designed documents just as they would be to an effective


Fortunately, you don’t have to be a graphic designer to create engaging
documents. Here are some tips for improving a layout:



Policy management software helps control the look and feel of policies by
providing and restricting document creation to templates you have created
or uploaded, to ensure consistent formatting across the organization.

[Figure: Which Document Would You Rather Read? Sample page layouts filled with placeholder text.]
27The Denitive Guide to Policy Management
PRACTITIONER
Section 2.3
11 Commandments of Policy Formatting and Writing

Thou shalt…
1. Use the same template for each policy so that employees know where to look for key information.
2. Limit policies and procedures to one or two pages. If more pages than that are required, consider dividing up the policy or procedure into smaller topical areas.
3. Put new policies or procedures on a separate page instead of front-to-back. While putting policies and procedures in a booklike format may require fewer printed pages, it will confuse readers and look intimidating. It is not effective.
4. Use bullets and lists to organize information. This makes the document easier to follow.
5. Make sure the title describes the policy or procedure and distinguishes it from similar documents.
6. Keep sentences short. A good rule of thumb is a maximum of 21 words. One study showed that sentences with 33 words or more lost two-thirds of the readers.
7. Keep paragraphs short. Long paragraphs are intimidating and hard to read. Four or fewer lines is optimal, if possible.
8. Keep lines short. Text lines that run on forever are hard to follow. If possible, consider formatting the policy to 30 characters wide.

Thou shalt not…
9. Use long words. Long words hurt readability. A good rule for words of three or more syllables is to use them sparingly—if at all.
10. Write in the passive voice. Use active verbs to make the reader more accountable and the writing more interesting and easier to comprehend.
11. Use vague modifiers such as proper, relevant, appropriate, timely, normal, sizable, and small. These modifiers create more questions than answers. Be specific. For example, when explaining size directions, you wouldn’t say, “build a large fence.” Rather, you should give specifics such as “build a 6-foot-high fence.”

and feedback. Section 2.4 takes you through the remaining stages of the policy management life cycle:
review, approval, distribution, tracking, and updating.
28The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
2.4 MANAGING THE POLICY LIFE CYCLE

To ensure that policies align with your governance principles and the meta-policy, a document
control administrator should oversee the entire policy life cycle for all policies, including drafting,

29The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
Review and Approval: Embracing a Continuous Process

draft of a policy meet the criteria for approval. In fact, this should not be the goal. To develop a strong,
effective policy system that supports, advances, and protects your business, policy development must
be viewed as an ongoing process that requires careful attention, time, and resources.

completeness, and alignment with the pre-established guidelines of the meta-policy. If necessary,
reviewers provide suggestions on how to improve the process or procedure, recommend ways to
better communicate ideas in the document, and identify and correct errors.
The review cycle can be laborious. Reviewers may have differences of opinion, miss deadlines, or fail to
provide feedback at all. The policy owner has to work with them to collect and consolidate feedback,
reconcile disagreements, and make requested changes. Some documents require several rounds and

readability, second-round reviewers might ensure legality, and third-round reviewers might look at
strategic alignment.
Once reviewers have signed off on a document, it is forwarded to those with the authority to approve
it for publication. The approval stage can also result in a few iterations, but typically by this stage most
major changes have been made and only minor changes are necessary. Upon approval, the policy is


half the battle—you still need to distribute, track, and, when necessary, update it.

BEST PRACTICE
The organization’s legal experts should review policies to ensure
that they reflect current laws and regulations. Every one of
your company’s policies should hold up under legal and public
scrutiny. If a policy seems only marginally defensible, you are
inviting liability, litigation, and risk by implementing it.
30The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
Distribution


actions required.

strategy to advise employees that policy changes are forthcoming and, if necessary, prepare them
to adjust to those changes.
Audience
Keep in mind that not every policy needs to go to every employee. Determining the relevant
“audience” can help prevent policy overload caused by overwhelming users with information that
doesn’t apply to them. Too much information can be confusing and may lessen an employee’s
retention of policies that are required.
Methods of Distribution
There are three common methods of policy distribution:
Printed copies (binders or manuals) delivered physically to the employee
Electronic copies hosted on an intranet, shared drive, server, or hard drive, with manual e-mail


and reporting
31The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
Three Methods of Distribution: Pros and Cons

Printed copies
Pros:
You make a personal impression about how important the document is at the time of delivery.
can answer questions people may have.
People have a copy of the policy or procedure for easy reference.
The policy is tangible and visibly present.
Cons:
The method is time consuming.
There is a cost of manual distribution in employee time.
There is a cost for paper and binders.
Changes require a new handbook for each employee.
Maintaining hard-copy policies discourages frequent updates.
Obtaining signatures on thousands of documents can be impractical, if not impossible.

E-mailed copies
Pros:
Appropriate staff members receive a digital copy to which they can refer.
Distribution is much faster than hand delivery or shipping.
The cost of printing or photocopying is reduced and in some cases eliminated.
or saved.
Cons:
There is a risk of employees referring to outdated document versions.
sent to the right people, especially new hires.
Using e-mails as proof that documents were read may not stand up in court (see Campbell v. General Dynamics).

Software
Pros:
Readers are automatically assigned to procedures based on roles, job titles, or their departments.
New employees receive instant, readership tasks based on their job description.
Employees are required to attest electronically that they have read and understood the document.
Quizzes can measure individual reader comprehension.
Real-time reports show who has read which documents.
at any time, at any location, with advanced search capabilities.
Cons:
The cost of software may be a factor.
Compare costs by downloading our free ROI Case Study
32The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
Ongoing Accessibility
Distribution should inform users how to gain speedy and continuous access to policies through a central repository.

what they are looking for, they will give up and do what they think is best—or they will ask someone else, who may
not truly understand the policy either. Neither option leads to a standardized quality of services or product.
The following are some recommendations, depending on the type of system you will be setting up.

Have a set of binders in each department.
Try to keep in that department only the documents that apply to those employees.
Maintain a current table of contents for each department in each binder.
Make sure titles of documents are self-
them (with most-searched-for words at the beginning of the title, if possible).
or procedures for outdated ones as quickly as possible to avoid different employees
procedures.
Remove outdated copies from binders and archive them.
Archiving is best done in a secure area.
A fairly large bookshelf that can hold many binders is required.
Keep tables of contents in archived binders current in case of audit or lawsuit.
Keep archived policies and procedures for at least seven years (some suggest much longer for sensitive policies).
If you have regulatory guidelines with which you must show policy compliance, it helps to create a spreadsheet with each document linked to each regulation with which it complies.

Intranet/Network Posting
Design a site or folder structure that is easily navigable.
Although it may require posting duplicate documents in different folders or pages, it will be easier for employees if you can guide them to a folder or page that is customized for them.
Ideally, you will have a search tool.
Make sure the title contains relevant key words so that employees can search for
Add new documents as approved.
Make sure you remove all outdated copies.
Create a policy that your IT team will agree with, where they post new policies or procedures at a certain time on a daily or weekly basis.
Maintain a binder/bookshelf structure similar to that for a paper-based system because you will need to keep hard copies of all approved policies and procedures.
Use a spreadsheet to link to regulatory guidelines.

Software
Ensure that the software is easy to navigate (or it won’t be used).
Make sure documents can appear in multiple folders so that you can point staff to just the one that applies to them.
Have a powerful search tool, by title, key
Software should automatically publish new policies when approved and notify relevant employees.
Software should have a compliant electronic signature system to avoid having to keep hard copies outside the system.
Software should automatically archive old policies when new ones are approved.
Software should link documents to regulations and be easy to retrieve by regulation.

automatically search, catalog, and archive documents will minimize your frustration and risk.
33The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
Training
It is important that you have an effective process for
educating employees about the policies and procedures
they are responsible for following.


Educate employees.
Monitor employees’ activities.
Take action when policies are misused.

Re-educate employees about changes.

training employees on new policies and procedures and assessing their
comprehension:
Quizzes
Staff meetings
In-service training
Online training


policy or procedure.
Ongoing Tracking and Updates
The policy owner is responsible for monitoring the policy’s implementation
and life cycle from the time it is enacted. In the last two stages of the policy
management life cycle, it is important to establish and document methods to
track conformance with the policy and its continued relevance.
Policies can become quickly outdated, as laws, technology, work habits,
and social factors change. From the legal and quality standpoints, outdated
policies and procedures can be a liability, so policy development must be a
continual process.
Policies should be reviewed once a year to determine the need for revision.
The review should ensure that policies stay relevant, accurate, and current
with the business and still solve the problems they were meant to address.
“Policies are the vehicles
that communicate and

objectives so that culture
does not morph out of

must also be well
managed so that they
are both effective and

the organization stay on
the path it chooses.”
Michael K. Rasmussen, JD,
OCEG Fellow, CCEP, GRCP,
CISSP, Chief GRC Pundit, GRC
20/20 Research, LLC
34The Denitive Guide to Policy Management
PRACTITIONER
Section 2.4
The update period is also an appropriate time to decide when new policies

or retirement of a policy is necessary.

sure that only the current version of a policy is accessible to employees.
Failure to do so can lead to employees’ making decisions based on outdated
or incorrect information. Additionally, outdated documents should be
archived for easy access in case of an audit or investigation or for building a
legal defense.

One method is to track policies and procedures in a spreadsheet. You
could make a list of all the policies and procedures you are in charge

Another method is to schedule policy and procedure reviews on an
electronic calendar with alerts.
The challenge with both of these methods is that policies may be missed.
A million things are clamoring for time and attention, and policies and

use software that will help keep you and the organization’s policy authors on
top of this daunting but critical task.
STRATEGIST
For the strategist constantly assessing performance and looking for a better
way of doing things, the third area of study provides an assessment of current
policy management practices, outlines the pros and cons of alternative
approaches to managing policies, and makes a clear case for implementing a
policy management software solution that centralizes and standardizes policy
management across the enterprise.
Transforming Policy Management Practices
3.1 ASSESSING YOUR CURRENT APPROACH

management and outlined best practices for realizing

pinpoint where you are today and discuss the tools
and the approaches that will enable and accelerate
the advancement of your program to where you want
it to be.
36The Denitive Guide to Policy Management
PRACTITIONER
Section 3.1
In this section we ask a series of questions to assess your current policy management program and practices and
your use of software to standardize and automate key processes. Although this is not meant to be a comprehensive
assessment, we have broadly evaluated the key areas of policy management. You can use the results to address

See How You Are Doing with Policy Management

Response scale: Strongly Disagree, Somewhat Disagree, Undecided/Unsure, Somewhat Agree, Strongly Agree.
Additional column: We Use Software to Help with This.
Statement groups: Policies; Policy Look and Feel; Policy Life-Cycle Management Practices; Policy Awareness and Access; Tracking.

1. Policies: We have policies and procedures that communicate leadership vision, define our standards of conduct, and reflect our risk profile.
2. Enforcement: Alleged misconduct and violations are investigated, and policies are promptly and consistently enforced.
3. Perception: Our employees view our policies and procedures as integral to our daily operations and the achievement of our mission.
4. Culture: Our organizational culture reflects our standards of conduct and commitment to compliance.
5. Consequences: Our policies set clear expectations about appropriate conduct and consequences for violating policies.
6. Meta-policy: We have a policy on policies that provides clear guidelines for the look and feel of policies as well as for processes for policy creation, formatting, and life-cycle management.
7. Content: Policies are written in plain, concise language and are visually accessible.
8. Properties: Document properties (i.e., title, version, owner, dates, review interval, and roles) are maintained on each policy.
9. Links: We link policies to related policies, training materials, and applicable laws and regulations. Our links are monitored to avoid broken links or ones that reference old versions of documents.
10. Templates: We use templates to preserve a consistent look and feel across policies.
11. Assessments: We periodically assess our risks to gauge compliance with applicable laws, regulations, requirements, and contracts.
12. Overseer: We have one person (document control administrator) responsible for overseeing the entire policy management life cycle for all of our policies.
13. Documentation: We maintain meticulous records of all policies, statuses, dates, changes, versions, attestations, exceptions, and enforcement actions.
14. Organization: Policies are partitioned, categorized, tagged, and labeled for distribution and access with a particular audience in mind so that they can be found easily by the appropriate employees.
15. Writing: We have clear processes and guidelines for those responsible for writing or contributing to a policy document.
16. Review: Policies are reviewed and edited by the appropriate stakeholders, internal or external subject-matter experts, and Legal. Changes are documented and consolidated into a single document.
17. Approval: Prior to being published, policies must be approved by the appropriate personnel (executives, department heads, subject-matter experts, and Legal).
18. Distribution: Employees are notified of new or updated policies and are sent periodic reminders as deadlines approach. Policies are published and displayed where employees can readily view or access them.
19. Feedback: Questions, comments, and feedback on policies are collected and documented.
20. Updates: All policies are periodically reviewed and updated on time, according to a schedule.
21. Version control and archiving: Policies are labeled with a version number, and old versions are promptly archived.
22. Awareness: Our employees know where to go to find policies when needs arise.
23. Accessibility: Employees have 24/7 access to policies and procedures from any location.
24. Applicability: At a glance, employees can see all policies that apply to their role and any actions required.
25. Search: Robust search capabilities make finding a policy quick and easy. Search is not limited to document titles or exact text matches.
26. Security: Our policies are visible only to employees with a need to know.
27. Attestation: Employees are required to signify that they have read and understood policies. The process of obtaining employee signatures is not cumbersome to management or the employee.
28. Comprehension: Employees are trained on policies, and comprehension of policies and procedures is evaluated through quizzes, surveys, or other means.
29. Reporting: We can easily generate reports measuring employee readership, attestation, comprehension, policy notifications, exceptions, and policies in various stages of the life cycle.
30. Workflow: We have standardized processes for writing, reviewing, approving, and distributing policies in a timely manner.
37The Denitive Guide to Policy Management
PRACTITIONER
Section 3.1

Strongly
Disagree
Policies
Somewhat
Disagree
Undecided/
Unsure
Somewhat
Agree
Strongly
Agree
We Use
Software to
Help with This
Strongly
Disagree
1
Policies
We have policies and procedures that communicate
leadership vision, define our standards of conduct, and
reflect our risk profile.
Enforcement
Alleged misconduct and vioations are investigated,
and policies are promptly and consistently enforced.
Perception
Our employees view our policies and procedures
as integral to our daily operations and the achievement
of our mission.
Culture
Our organizational culture reflects our standards of
conduct and commitment to compliance.
Consequences
Our policies set clear expectations about appropriate
conduct and consequences for violating policies.
2
3
4
5
6
Meta-policy
We have a policy on policies that provides clear guidelines
for the look and feel of policies as well as for processes for
policy creation, formatting, and life-cycle management.
Content
Policies are written in plain, concise language
and are visually accessible.
Properties
Document properties (i.e., title, version, owner, dates,
review interval, and roles) are maintained on each policy.
Links
We link policies to related policies, training materials,
and applicable laws and regulations. Our links are monitored
to avoid broken links or ones that reference old versions
of documents.
Templates
We use templates to preserve a consistent
look and feel across policies.
Assessments
We periodically assess our risks to gauge compliance with
applicable laws, regulations, requirements, and contracts.
Overseer
We have one person (document control administrator)
responsible for overseeing the entire policy management
life cycle for all of our policies.
Documentation
We maintain meticulous records of all policies, statuses,
dates, changes, versions, attestations, exceptions,
and enforcement actions.
Organization
Policies are partitioned, categorized, tagged, and labeled for
distribution and access with a particular audience in mind so
that they can be found easily by the appropriate employees.
Writing
We have clear processes and guidelines for those responsible
for writing or contributing to a policy document.
Review
Policies are reviewed and edited by the appropriate
stakeholders, internal or external subject-matter experts,
and Legal. Changes are documented and consolidated into
a single document.
Approval
Prior to being published, policies must be approved by
the appropriate personnel (executives, department heads,
subject-matter experts, and Legal).
Distribution
Employees are notified of new or updated policies and
are sent periodic reminders as deadlines approach.
Policies are published and displayed where employees can
readily view or access them.
Feedback
Questions, comments, and feedback on policies are
collected and documented.
Updates
All policies are periodically reviewed and updated on time,
according to a schedule.
Version control and archiving
Policies are labeled with a version number, and old versions
are promptly archived.
Awareness
Our employees know where to go to find policies when
needs arise.
Accessibility
Employees have 24/7 access to policies and procedures
from any location.
Applicability
At a glance, employees can see all policies that apply
to their role and any actions required.
Search
Robust search capabilities make finding a policy
quick and easy. Search is not limited to document titles
or exact text matches.
Security
Our policies are visible only to employees with a need to know.
Attestation
Employees are required to signify that they have read
and understood policies. The process of obtaining
employee signatures is not cumbersome to management
or the employee.
Comprehension
Employees are trained on policies, and comprehension of
policies and procedures is evaluated through quizzes, surveys,
or other means.
Reporting
We can easily generate reports measuring employee
readership, attestation, comprehension, policy notifications,
exceptions, and policies in various stages of the life cycle.
Workflow
We have standardized processes for writing, reviewing,
approving, and distributing policies in a timely manner.
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Tracking
Somewhat
Disagree
Undecided/
Unsure
Somewhat
Agree
Strongly
Agree
We Use
Software to
Help with This
Policy Look and Feel
Somewhat
Disagree
Undecided/
Unsure
Somewhat
Agree
Strongly
Agree
We Use
Software to
Help with This
Strongly
Disagree
Policy Life-Cycle Management Practices
Somewhat
Disagree
Undecided/
Unsure
Somewhat
Agree
Strongly
Agree
We Use
Software to
Help with This
Strongly
Disagree
Policy Awareness and Access
Somewhat
Disagree
Undecided/
Unsure
Somewhat
Agree
Strongly
Agree
We Use
Software to
Help with This
Strongly
Disagree
Strongly
Disagree
W
se
S
oftw
a
r
e
t
o
H
e
l
p wit
h
T
h
i
s
W
se
S
oftw
a
r
e
to
H
e
l
p wit
h
T
h
i
s
W
se
S
oftw
a
r
e
to
H
e
l
p wit
h
T
h
i
s
W
e
U
se
S
oftw
a
r
e
to
H
e
l
p wit
h
T
h
i
s
W
se
S
o
f
tw
a
r
e
t
o
H
elp with Thi
s
38The Denitive Guide to Policy Management
PRACTITIONER
Section 3.1
Scoring Guide
Tally up your score according to the point scale below.
Strongly Agree: +2
Somewhat Agree: +1
Undecided/Unsure: 0
Somewhat Disagree: –1
Strongly Disagree: –2
We Use Software to Help with This: +1
Program Grade: A = 53 to 60; B = 46 to 52; C = 36 to 45; D = 26 to 35; F = –60 to 25
Software Grade: A = 23 to 30; B = 20 to 22; C = 17 to 19; D = 14 to 16; F = 0 to 13
39The Denitive Guide to Policy Management
PRACTITIONER
Section 3.2
3.2 COMPARING APPROACHES:

For organizations with struggling policy management systems or processes, failure to make
changes presents serious operational and legal risks. It can also represent misalignment among

shore up certain areas, they are, ultimately, simply bandages on serious wounds. Sometimes even
sweeping changes to the people and the processes that govern your policy management
practices may not adequately address the root causes of most policy management failures.
40The Denitive Guide to Policy Management
PRACTITIONER
Section 3.2
Policy management challenges result when systems lack centralization,
automation, standardization, distribution, and tracking. These systems
include manual approaches that still use printed manuals or binders, an


challenges associated with a lack of centralization, a lack of automation,
and limited distribution.


and approvers; publishing in a timely manner; ensuring that readers can
access the appropriate documents; and evaluating readership requires
organization, documentation, attention to detail, discipline, and frequent

document in your organization, even the most talented manager will fall
short and need the help of additional personnel and systems.

error is inevitable, and the end result can be costly. Failure to fully implement

lack of an audit trail is even more problematic—opening the door to legal


the task requires automation to create a centralized, standardized, and
controlled environment.
Build or Buy?
There are a number of factors and risks to consider with a
build-your-own approach.


considerable period of time.
The capital cost of building a customized solution is the highest of any
alternative—and thus bears the highest risk.
The ongoing resources required to support and maintain the system


the obvious choice, a common question is: Should I build a solution that meets our very specific needs, or should I buy a policy management solution?
41The Denitive Guide to Policy Management
PRACTITIONER
Section 3.2
The implementation time for building your own policy management
software is by far the longest of any of the alternatives.


audit-trail capabilities, attestation, quizzing, tracking, advanced search,
tagging, version control, and security.
Leading policy management systems have been around for more than

Organizations building from scratch will have a long road ahead to get
the system just the way they want it.
Getting additional features or capabilities approved and prioritized
in the queue of IT projects after the initial project is complete can be
a challenge.
Many organizations struggle through implementation and
maintenance of homegrown solutions only to later abandon the
effort and the investment in favor of a more desirable and affordable
purchased solution.
In the end, the cost of training, maintenance, and management time, let alone
the inconsistencies in document creation and categorization, as well as the



challenges of policy management. For most organizations, realizing the full
potential of the policy management function will require an automated policy
solution.
42The Denitive Guide to Policy Management
PRACTITIONER
Section 3.3
3.3 CHOOSING TO AUTOMATE:



43The Denitive Guide to Policy Management
PRACTITIONER
Section 3.3
In choosing a software solution, your goal should

that provides your organization with the following
key advantages.
Store all policies in a central, accessible, and secure location.
A policy management system houses all of your policies and enforces key
standards and processes for policy development. Employees can access
policies at any time, from any place, on any computer or device with Internet
access.
View a dashboard of documents, tasks, and reports.
View at a glance how many documents you have in each stage of the policy
life cycle. View documents by type, department, sub-department, template,

Signal the importance of policies and improve awareness.
A dedicated policy management solution increases employee awareness and
policy visibility and also reinforces the integral role that policies play in the
preservation of values, culture, day-to-day operations, and the achievement
of long-term objectives.
Standardize and centralize the document creation process.
The beauty of policy management software is that anyone can easily create
a policy. A document creation wizard takes the document owner step-by-step
through a controlled development and process. Consideration is
given to templates, document properties, settings, personnel involved,
role assignments, and security. As soon as document authorship begins,

collaboration.
Organize and categorize your policies.
Categorize documents by departments, topics, regulatory guidelines, or
any other structure you use to delineate access to your documents. As your

breaking folder hierarchies, directories, or links.
“Policy management
software addresses
the challenges of
managing a litany of
policies within business
boundaries—enabling
employees, giving

and boundaries, and
doing so in a way that
protects the organization
from harm.”
Michael K. Rasmussen, JD,
OCEG Fellow, CCEP, GRCP,
CISSP, Chief GRC Pundit, GRC
20/20 Research, LLC
44The Denitive Guide to Policy Management
PRACTITIONER
Section 3.3
Find documents quickly and easily.
Search for policies by department, custom categories, the alpha-bar, title

advanced search dialog to apply any or all search methods and to display
relevant search results with applicable search terms highlighted.
Streamline communication.
Creating policies requires the involvement of multiple stakeholders




increase in frequency as deadlines approach and escalate if deadlines are
missed. Automation enables more-frequent communications, saves time,
shortens review and approval cycles, and keeps policy development and
implementation on track and on schedule.
Create and edit documents in real time with Microsoft Word and Excel.


the application installed on their computer, enabling them to do everything
they can do in the desktop application. Employees can write, edit, track
changes, and make updates in real time without the need to download
documents to their desktop and re-upload. All changes made to documents
by any employee are tracked, recorded, and available in reports. The result is
an audit trail of all changes made to policies or procedures.
Automate version control and archiving.
Display only the approved version of a policy that is current. Older versions
are automatically archived when updates are made. New versions are
automatically given a new version number. Automatic communications notify

or acknowledges a policy, the system records the version number.
Maintain a consistent look and feel across all policies and procedures.
Create templates within the system or upload templates to give policies a

what they need.
“To create a policy
management repository,
an organization needs
a policy management
tool as opposed to
a general document
management system.”
Lisa Hill, President, PolicyScape
Consulting, and Co-Chair, OCEG
Policy Management Group
45The Denitive Guide to Policy Management
PRACTITIONER
Section 3.3
Maintain a system of record for reporting and audit.
Maintain a system of record that tracks the status, implementation,
understanding, and enforcement of policies, including when employees
receive a policy communication or access a policy, the version they accessed,
whether or not they attested, the results of a quiz or survey, edits made to
drafts, approvals, and all key dates associated with any like activities.
Certify that employees have attested to policies.

and reminders can be enabled to require actions by employees. Employees
may be required to read, attest, view a training video, take a quiz, participate

the system. Employees review policy documents in the system and submit
attestation at the click of a button.
Restrict access and hide policies from view.
Password protection makes policies available only to those with login
credentials. Security levels on policies and role- and permission-based
policy accessibility restrict document visibility to those with a need to know.
Sensitive or inapplicable documents are hidden from view altogether.
Link to related materials.

courses, or other web-based pages or programs. Eliminate time spent
looking for related documents and forms and enable the creation of policies
that are focused and concise.
Map policies to regulations and requirements.
Mapping policies to obligations, risks, controls, legal requirements,
regulations, and contracts helps you ensure compliance coverage where


missing policies or clauses as well as promptly make updates when legal
requirements change.
Implement policies effectively.
Embed training videos in policies, link to a learning management system

encourage information retention by implementing quizzes. Follow policy

and enforcement actions. Collect and store comments on policies and more.
46The Denitive Guide to Policy Management
PRACTITIONER
Section 3.3
Schedule and manage tasks.
Manage employee deadlines by creating tasks and automatically sending
reminders. Schedule document review intervals, and let the system remind
you when to update policies. Notify and periodically remind authors,
reviewers, approvers, and readers of deadlines. Automatic escalation notices
loop in managers when deadlines are not met.
Leverage scalability.
The capabilities, security, and capacity of the system scale to meet

Enjoy commercial support.


your system, train employees on how to use it, and provide ongoing support.

request will be prioritized in the queue.
47The Denitive Guide to Policy Management
About NAVEX Global
NAVEX Global helps protect your people, reputation, and bottom line
through a comprehensive suite of ethics and compliance software,

more than 8,000 clients in over 200 countries. Our solutions are informed
by the largest ethics and compliance community in the world. For more
information visit 
Contact
866-297-0224


CONCLUSION



cost of policy management. Ultimately, your organization will not realize its true potential
without effective management and implementation of policies and procedures.
Policy management software is present at nearly every stage of the policy management
life cycle and is the key to developing and implementing documents effectively.