Author Archives: Chris Burd

About Chris Burd

Chris is the Vice President of the policyIQ group at RGP. She gets geeky about compliance and technology, and gets to spend every day working at the crossroads of the two. With policyIQ since 2005, Chris has worked with hundreds of policyIQ clients to implement technology and enhance their internal compliance environment. In past lives, Chris worked as a system implementation consultant, a e-commerce specialist, a customer service call center manager, and - for one short but memorable summer during high school - a machine operator on midnight shift in a plastics factory. In her free time, she spoils her nieces, reads too many books, and spends more time than she should taking photos of her cats. She's on a mission to visit the hometown of every US President - so far managing to get to 14. She would like to be a rock star when she grows up.

Is anything more critical than the security of your data?

Posted on by
Reply

The security of your data – and that of your customers – poses arguably the biggest risk to businesses today, and is, therefore, the most critical compliance initiative that your company will undertake.  The stakes are high and the regulatory requirements can be vast.  And as more companies outsource tasks and utilize cloud services and infrastructure, the ability to control all of the aspects of data security becomes more difficult.

With all of the risk and complexity inherent in data security, the technology that you use to keep track of your compliance efforts should be simple.

itsecuritychalkboard

policyIQ serves as a great case study for policyIQ!

The policyIQ application has clients around the world who rely on the software, the team that supports the software, and the infrastructure on which the software resides to keep their data safe.  And the security compliance program for policyIQ involves many of the same complexities that our clients are managing:

  • Risk inherent in the storage of our own data, and even more critically in the management of our clients’ data
  • Distributed responsibility for critical aspects of IT security
    • RGP, our corporate parent, is responsible for things like employee background checks and HR functions;
    • We utilize Amazon Web Services (AWS) as our hosting partner, and rely on their IT security program to provide physical and environmental security for our data center.
  • Multiple IT and data security requirements, including…
    • SOC 2
    • SOX
    • GDPR

To keep our own commitments to data security, we utilize policyIQ to capture our IT policies, controls, action items, and audit trails.

With our own implementation of policyIQ, we are able to follow the SOC 2 framework and link our controls to the related requirements.  Controls are designated as being performed by our policyIQ division, RGP Corporate, or our AWS partner, allowing any team member to more quickly reach the right resource with questions or clarifications.

When it comes time for an external security audit, we can prepare evidence in advance of the on-site audit based, pull out policy documents to meet the audit requests, and document any follow-ups or recommended action items provided by our auditors to further enhance our security program.

Join us on Monday, July 8th at 1 PM ET / 10 AM PT for our CPE event on IT Security Compliance in policyIQ, where we’ll dig deeper into policyIQ as a case study for policyIQ – and take a look at other frameworks and resources that your organization might utilize for your security compliance!

And look for more blog posts through the month of July that highlight IT and data security compliance in policyIQ.

Are your contracts in order? Your time, reputation, and revenue are at stake.

Posted on by
Reply

When organizations think about governance, risk, and compliance initiatives, managing contracts is not typically the first thing they think about.  However a contract is, by its nature, a governance tool that is designed to mitigate risk.

In a recent webinar, we explored the challenges and risks of poor contract management, and outlined best practices for effective contract administration that can be implemented by organizations of any size.  Watch the recording of our webinar for the full story, or keep reading to see the highlights!

Do any of these sound familiar?

Whether we are helping organizations manage contracts from the buy side (contracts with vendors or suppliers) or from the sell side (contracts with their customers), there are some common challenges that organizations face.  Do any of these sound familiar?

  • We waste a lot of time tracking down contracts when we need them.
  • Contracts have renewed automatically before we had a chance to renegotiate the terms.
  • We received an invoice for a service that we weren’t using, but the contract continued to auto-renew.
  • We have been in non-compliance with a client contract due to a lack of communication around non-standard terms.
  • Our company has multiple service providers for similar services, because we were not aware of all of our existing contracts.
  • It seems like we’re always wasting time trying to remember who has to approve what and when.

 

timemoneyreputation2

What’s at risk with poor contract management?

Managing contracts well is good business.  Poor contract administration wastes time, damages your reputation, and impacts your bottom line.

Simply put:  Your time, reputation and money are at risk.

 

Seven contract management best practices for any size organization

Good contract management involves people, processes and technology – and we’ve outlined seven best practices that require all three.  The best practices below can be implemented by companies of any size – and policyIQ’s GRC platform can provide the technology you need!

goodcontractmanagement

  1. Central Repository
    Identify or procure a central location that can be accessed by the right people at the right time.  Cloud-based solutions are a great choice, as they offer accessibility from any location on a 24/7 schedule.
  2. Define & Capture Meta Data
    Identify key data, and capture those details within your repository.  Expiration or renewal dates, contract value, contact information, and details about non-standard terms can all be critical data points that will feed into…
  3. Key Reports & Metrics
    Use that meta data to create key reports and metrics that drive your business decisions.  When evaluating contract administration systems, validate your ability to customize the data captured, as well as the flexibility of reporting on that data.
  4. Robust Search
    Your central repository should provide a robust search, so that you can find contracts by key word or phrase, searching through all contract documents.
  5. Identify Contract Owner (outside of procurement!)
    Most organizations identify a contract owner, but often the internal contact is not the business user of the product or service.  Clearly identify, and maintain, the contact person for every vendor or supplier contract – and ensure that the contact knows and understands how those products or services are being used.
  6. Alerts and Reminders
    Don’t miss a deadline or allow a contract to renew without notification.  Be sure that you can set up alerts – via email or regular reporting – to let the right individuals know when contracts are up for review.
  7. Clear Procedures
    All of the technology in world is only as good as the procedures that are designed to ensure that it is used properly.  Create procedures that instruct your employees on the who, what and where of contract management – and keep that documentation accessible.

 

policyIQ can help!

pIQ_CMBP

Would you like to improve your contract management process to decrease risk?  Contact us today, and we’ll be happy to help you lay out a plan for the people, process, and – our specialty – the technology you need!

Community Credit Unions Need policyIQ

Posted on by
Reply

We’ve talked a lot about the breadth of industries that are served by policyIQ, and the diversity of our users.  When it comes to who can benefit from policyIQ, we have yet to find an organization for which we have no value to add.  We also recognize that some industries and niches need our product more than others, and community credit unions are a perfect fit.

Community Credit Unions Need policyIQcreditunion

While financial regulations can be intense and difficult to navigate, community credit unions need compliance technology that is simple and easy to use.

  • Fast and easy setup
  • Simple navigation, with little user training required
  • Flexibility that allows a single technology to be used for many needs
  • Incredibly low cost for small teams
  • Dedicated user support team committed to exceptional service

Are you exploring compliance technology for your organization?  Find out how policyIQ meets your needs by contacting us today!

Review, Revisit and Revise: Let us help.  For Free. For Real.

Posted on by
Reply

If this blog post sounds familiar, it is because you have likely heard us say this before.  However, we think it bears repeating.

We want to help you make the most of policyIQ.

As with any product that is continuously evolving, it can be difficult to keep up with all of the new possibilities that are available within the policyIQ application.  Maybe you didn’t even know that every upgrade and every new feature developed is rolled out to all of our clients automatically at no additional cost.

If you implemented policyIQ last year, there are already new features that might save time or allow you to create a solution for your team that you haven’t thought about yet.

If you implemented policyIQ more than five years ago and have not revisited the way that the application is configured, we need to talk.

What does that expert review and guidance cost you?  An hour of your time.  That’s it.  For real.  We know your time is valuable, but an hour of your time with one of our policyIQ implementation specialists can save you far more time in the long run.

Contact us today – and ask to set up a meeting with a policyIQ implementation specialist to talk about the way that you are using policyIQ!

Policies Provide Foundation through Changing Regulatory Environment

Posted on by
Reply

Regulatory environments are constantly changing, influenced by economic, political and environmental factors beyond your company’s control.  It might seem like a daily battle to deal with the push and pull of complying with changing regulations.  So how do you stay focused, prepared and sane in the world of regulatory compliance?

One critical step is to ensure that you have well documented, well communicated and well understood corporate policies.  

Policies provide the foundation, governing the way in which your employees will work and how they will meet new regulatory requirements.  When the foundation is strong, with clear policies that are followed and enforced consistently, additional external expectations and requirements are much easier to incorporate.  

Here are just a few best practices to consider:

  1. Ensure that policies are written clearly.  Avoid company jargon or acronyms that may be unclear to new employees or external regulators.

  2. Make policies easily accessible to all employees.  If you are already using policyIQ, ensure that a policyIQ link is posted or communicated regularly.

  3. Clarify whether any exceptions might be approved to the policy, and communicate the process for approval for exceptions.  If it is not clear, employees may be more likely to decide it will be easier to ask for forgiveness than permission.

  4. Document how policy violations will be addressed or how policies will be enforced.

  5. Revisit, review and revised policies regularly.  Do not allow policies to become outdated or appear to be outdated.  Even if no changes are made, regularly note that content has been reviewed, so that employees

  6. Map policies to your regulatory requirements or other compliance programs.  As regulations change, you can more easily identify any changes that must be made in your policies to address those changes.  

What other best practices would you highlight for a clear corporate policy platform?  Add yours in the comments and share ideas! Learn more about how to utilize policyIQ’s various read-only options by checking out a recent blog post by policyIQ Product Manager, Travis Whalen.

ICYMI: Assessments and Scoping in policyIQ

Posted on by
Reply

Did you miss our recent training session on completing our SOX Risk Assessments and scoping exercises in policyIQ?  Not to worry – we have you covered!

How Can I Catch Up?

If you want to get into the details, we have the training session and materials available for download!

  • You can access the slides here.
  • You can also view the recording from our policyIQ training page.
    The training page is linked from your policyIQ login page – and available from within the online Help Guide.  If you don’t have access to the training page, please reach out and we’ll send you the link!

Just the Highlights, Please!

This training session aimed to ensure that participants are able to…

rascope1

We discussed common SOX risk assessments at the financial statement line item level, targeting risk factors like…

rascope3

In addition to illustrating how to create the calculation directly in policyIQ, we also acknowledged that some folks love their MS Excel process.  policyIQ can handle that, too, through the import option!

rascope4

Then we took a close look at the relationships between the content that allows for the most effective scoping options.

rascope2

And finally, we walked through the reports that provide the final step in the scoping process.

rascope5

We would love to help YOU get started on your risk assessments in policyIQ, so that we can link into your SOX work for ease of annual scoping.  Contact us today and we’ll meet with you at no cost to help you get on your way!