“Managing” internal controls means more than just documentation and annual walkthroughs. Controls are living processes—some automated by technology and others performed by human hands. policyIQ does more than just capture the control documentation. Are you taking advantage of all that policyIQ has to offer?
If you are interested in learning more about the various ways that policyIQ can be used to manage controls, join us on January 14 at 1 PM ET (10 AM PT) for our upcoming CPE webinar, “Managing Controls in policyIQ: From Documentation to Control Performance”. Click here to register today!
Let’s face it—nothing is perfect. Mistakes are made, processes are never fully optimized, and improvements can always be made. All of those issues – big and small, critical and unimportant – mean risk or opportunity for your organization.
How are you managing those issues? Do you have insight into the big picture?
Start with a consistent issue management process…
Having a consistent process in place to document and resolve issues throughout the company is a great first step. Provide guidance, so that all departments and all projects use the same format for tracking, remediating, and resolving issues. That process should include the following steps (although not always in this order):
Document an issue as soon as it is identified in a central location.
Emails are great, but having a standard location to enter an issue as soon as it is discovered is the key to full transparency.
Assign the issue to the appropriate contact (or committee).
Your process may have a central point of contact that reviews and assigns issues – or this may be built into the issue reporting process. In either case, assignment to an individual or a specific committee is critical. Issues will never be resolved if no one is accountable for them. (That person may ultimately delegate or reassign the issue later, but assignment brings accountability.)
Rate the risk or opportunity that the issue poses.
Issues are not always about risk – sometimes an issue is simply the recognition that there’s an opportunity that could be addressed. To determine the priority of addressing issues, each should be rated to understand the risk posed or the opportunity available.
Determine if and how the issue will be resolved, and what the timeline should be.
Will the issue be addressed? Low risk/low opportunity issues may simply be put on hold or removed from the list, accepted as imperfections in the daily business. If the issue is to be addressed, document a plan and set a timeline. The less urgent the issue and the farther out the timeline, the more general or vague the plan may be. A “next step” should always be defined, even if that’s a plan to create a plan.
Assign the remediation plan to the right individuals.
For smaller organizations, it’s more likely that the original issue owner is also going to be the individual responsible for the remediation. However, for large companies, issues may be owned by a division or department leader, while the remediation of the issue falls to someone on the front line of the organization.
Regularly review the open issues and ensure that updates are documented.
Ensure that open issues are reviewed regularly, and that progress is being made and documented. If issues and remediation plans are never updated, the process will stop being effective. If progress on an issue has stalled out, a regular review will highlight that challenge and allow it to be addressed.
As remediation is completed, audit the process to ensure that the issue is resolved.
The remediation plan may be marked complete, but has it really been fully implemented? Was the remediation plan effective in addressing the issue? Is there something more that must be done?
…and make sure you have technology in place to support it!
Consider the insight gained if you had a web application that allowed employees to report issues, issue owners to build remediation plans, and management teams to review the status of all issues across the company.
policyIQ is that application.
From a simple reporting mechanism to dashboards to track progress, policyIQ offers a technology platform that supports the issue management process.
Want to learn how? Join us on October 22nd for a policyIQ training event, where we’ll focus on this issue management process – and how you can support all of the steps within the policyIQ application.
If you want to talk to us before October, we’re happy to connect with you to talk about issue management! Contact us today.
When organizations think about governance, risk, and compliance initiatives, managing contracts is not typically the first thing they think about. However, a contract is, by its nature, a governance tool that is designed to mitigate risk.
In a recent webinar, we explored the challenges and risks of poor contract management, and outlined best practices for effective contract administration that can be implemented by organizations of any size. Watch the recording of our webinar for the full story, or keep reading to see the highlights!
Do any of these sound familiar?
Whether we are helping organizations manage contracts from the buy side (contracts with vendors or suppliers) or from the sell side (contracts with their customers), there are some common challenges that organizations face. Do any of these sound familiar?
We waste a lot of time tracking down contracts when we need them.
Contracts have renewed automatically before we had a chance to renegotiate the terms.
We received an invoice for a service that we weren’t using, but the contract continued to auto-renew.
We have been in non-compliance with a client contract due to a lack of communication around non-standard terms.
Our company has multiple service providers for similar services, because we were not aware of all of our existing contracts.
It seems like we’re always wasting time trying to remember who has to approve what and when.
What’s at risk with poor contract management?
Managing contracts well is good business. Poor contract administration wastes time, damages your reputation, and impacts your bottom line.
Simply put: Your time, reputation and money are at risk.
Seven contract management best practices for any size organization
Good contract management involves people, processes and technology – and we’ve outlined seven best practices that require all three. The best practices below can be implemented by companies of any size – and policyIQ’s GRC platform can provide the technology you need!
Identify or procure a central location that can be accessed by the right people at the right time. Cloud-based solutions are a great choice, as they offer accessibility from any location on a 24/7 schedule.
Define & Capture Metadata
Identify key data, and capture those details within your repository. Expiration or renewal dates, contract value, contact information, and details about non-standard terms can all be critical data points that will feed into…
Key Reports & Metrics
Use that metadata to create key reports and metrics that drive your business decisions. When evaluating contract administration systems, validate your ability to customize the data captured, as well as the flexibility of reporting on that data.
Your central repository should provide a robust search, so that you can find contracts by key word or phrase, searching through all contract documents.
Identify Contract Owner (outside of procurement!)
Most organizations identify a contract owner, but often the internal contact is not the business user of the product or service. Clearly identify, and maintain, the contact person for every vendor or supplier contract – and ensure that the contact knows and understands how those products or services are being used.
Alerts and Reminders
Don’t miss a deadline or allow a contract to renew without notification. Be sure that you can set up alerts – via email or regular reporting – to let the right individuals know when contracts are up for review.
All of the technology in the world is only as good as the procedures that are designed to ensure that it is used properly. Create procedures that instruct your employees on the who, what and where of contract management – and keep that documentation accessible.
policyIQ can help!
Would you like to improve your contract management process to decrease risk? Contact us today, and we’ll be happy to help you lay out a plan for the people, process, and – our specialty – the technology you need!
The policyIQ team recently hosted a webinar presented by GRC analyst, Michael Rasmussen, focused on how to drive employee engagement through effective policy management and communication. During the session, we asked the audience: “Does your organization have a policy communication plan?” Remarkably, one in three respondents answered, “no”.
In recent posts, we have drawn attention to the potential hazards of NOT keeping your employees informed, trained, and certified. No doubt, some companies have learned a multi-million-dollar lesson on why it is important to build out a policy communication plan. In case your organization can relate to the third of respondents who identified with not having a formal plan, we want to share some ideas on how you can get started crafting your plan and reducing legal exposure right away.
What is the risk?
Are you having a hard time figuring out how to prioritize your policy updates? Consider, first, how your policies are related to your risk environment and what practices you must have in place to protect the organization from the top down. Next, you may wish to focus on the policies and procedures that you have in place to safeguard your organization: security policies and procedures. The next area in need of attention, depending on your type of organization, may be documentation related to ensuring that product, process, or service quality is delivered. If you have a quality system in place, you likely already have associated documentation on a regular cadence of review.
How will you know that all of these practices are actually taking place and operating as designed? You could also prioritize the documentation and routine practice of monitoring, from an operations and financial perspective. Auditing your business and finance functions will go a long way to provide assurance that you have the right practices in place.
Retail store managers, truck drivers, accounting and finance personnel, nurses, IT project managers—there is a seemingly infinite list of roles in the pool of potential policy and procedure audience members. Rather than drafting policies and simply publishing them for broad access or distribution on the company’s intranet, you may want to take a step back and consider more closely, again, the level of risk associated with the documentation. Starting with your areas of greatest exposure, which of your employee roles would be impacted by the absence of the policy or documentation? Pay particular attention to those roles that are directly tied to your high-risk areas and critical controls.
How will you reach them?
The question, here, may be two-fold: What level of assurance does the situation demand? What media is most accessible to the audience?
Policies related to hours-of-service limits for truck drivers and anti-bribery policies for employees working in high-risk geographies may be among your top priorities as it relates to communicating your organization’s values and practices, but they certainly do not have the same work environment or access to information. An important step in your communication plan is the consideration of the level of assurance that the situation demands. Simply publishing some policies may be enough, but for others, it will be critical that you capture a receipt of your employees’ review, their attestation that they understand and agree to follow your policies, and some may warrant training and certification evidencing the employees’ understanding of the critical values and practices.
If you want to better ensure engagement by your employees, you may also wish to consider whether the content requires live and in-person training or if delivery to your employees’ mobile devices will be satisfactory. Getting into the flow of what your employees do and see every day is the best way to boost the likelihood that they will see and interact with your content.
And if all of this still feels like a lot to consider, you may wish to reduce your organization’s exposure sooner rather than later by bringing in a subject matter expert to spearhead the effort. RGP’s professional consultants can help to assess your organization’s documentation and lead the effort to map out and implement the execution of your policy management program and communication plan. Click here to be put in touch with an expert in your area.
Again, special thanks to GRC 20/20’s Michael Rasmussen for sharing his expertise with our audience (and us, too!). If you are interested in learning more from Mr. Rasmussen, we encourage you to check out his website and, specifically, his “Policy Management by Design” white paper.
Actions by the U.S. Securities and Exchange Commission (SEC) have amounted to more than a billion dollars in disgorgement, fines and penalties every year for nearly two decades. On average, nearly a quarter of actions filed also included named individuals as defendants. What does it mean for your organization if one of your employees engages in illegal activity? Well, that depends. Can your organization provide evidence that your house is in order?
The executives who sleep well at night know that 1) they have policies in place, 2) they have and enforce a process to ensure policies and procedures are kept up to date, and 3) the organization has gone to great lengths to ensure that all employees and third-party agents of the company are aware of the policies and procedures.
Upon request, managers in their organizations can provide the latest policies, proof of maintenance, access to previous versions, a list of all changes including who made them and when, as well as evidence of employee notification and certification.
Employees in these organizations can also rely on their policy management systems to help them work more effectively and efficiently. Their policies and procedures are appropriately linked to related regulations, risks, controls, and principles, and they include ties to responsible parties, departments, relevant locations, and systems touched. If a new employee, system, or regulation is introduced, they can see who and what is impacted.
The most adept organizations have a broadly communicated philosophy regarding policy documentation and practices that provides a shared foundation for all divisions, departments, and regulatory management teams throughout the enterprise. They utilize a centrally accessible policy management platform that supports collaborative authoring and monitoring while also providing all employees with easy access to the latest approved versions.
How well have you been sleeping? Reach out to us and soon you can rest, too, knowing your house is in order: 412.263.3330.
If your goal is to be a fierce competitor and to protect and defend your organization against the never-ending barrage of risks and change, a great place to start is by strengthening your core processes.
Policy management is the backbone of successful and sustainable organizations.
What do you think of when you think of policies? Does your Human Resources department manage a set of company policies that you have to attest to annually? Maybe you recognize the fact that your organization has a password policy and a policy regarding the use of social media on company equipment and company time.
In our recent webinar with guest presenter Michael Rasmussen, we heard a whole host of examples and reasons why organizations should be concerned with policies. If, up until now, you have not been particularly concerned about the value of your organization’s policies, you might want to lean in and peruse these notes from the Blueprint for Effective Policy Development and Management session:
Raise your hand if you are aware of where to find your organization’s index of official policies representing all areas of your business. Mr. Rasmussen asked a similar question of his audience at a recent conference and just 2% of attendees acknowledged awareness of an index maintained at the enterprise level of the organization’s policies.
Only a very small number of organizations see policies as the critical documents that they are. Mr. Rasmussen noted that policies are often not given proper attention and are strewn about in various systems, websites, shared drives and so on. Employees don’t know where to go to find documents or whether the document they found holds the latest version of the policy. In our session, Rasmussen emphasized why employees and leaders should value policies and highlighted some examples of how policies are at the core of every organization’s critical work:
Policies are GOVERNANCE documents.
Policies are critical documents.
They help to set boundaries to reliably achieve objectives.
Policies ensure consistent business behavior and transactions.
Policies are RISK documents.
The existence of each policy was preceded by the identification of a risk!
Still, many business leaders do not think of risks when they think of policies and many do not tie organization policies to risks.
Policies help to identify risks and control risks within certain boundaries.
Policies are COMPLIANCE documents.
Policies help us to act with integrity as it relates to
Code of conduct
Values and Ethics
Corporate social responsibility
And so much more.
Policies are at the core of all Governance, Risk, and Compliance work.
If the advantages of effective policy development and management are not compelling enough to motivate your leaders to establish policies throughout the organization, this regulatory environment might force the issue. An evidence trail is critical in today’s regulatory environment. Policy management requires a complete system of record and an audit trail.
policyIQ provides company and division leaders with a highly adaptable technology for managing the full range of policy, compliance, and audit needs in one cost-effective platform scalable from specific regulatory environments and department functions to division business units and at the enterprise level. Maintaining a clear and defensible audit trail is paramount to the service and benefit provided by our GRC technology.
In part I of the policy management educational series hosted by RGP’s policyIQ team, Michael Rasmussen highlighted the considerations that are critical for development of a policy management strategy, the roles that contribute to policy management, and he drilled deep into the effective policy management lifecycle.
We also encourage you to peruse upcoming events hosted by the policyIQ team. This audience, in particular, might be interested in our Introduction to policyIQ session that is delivered quarterly and demonstrates how organizations leverage policyIQ to establish consistent documentation templates, prescribe workflow and approval processes, communicate and distribute policies, monitor and enforce compliance with policies, and to establish a maintenance process for your critical documentation.
Click here to register for the sessions that interest you, and we invite you to reach out to us (information@policyIQ.com or 866.753.1231) with questions about effective policy management, policyIQ (our governance, risk, and compliance technology), or if you could use the support and expertise of an RGP professional to help get your program off the ground.
Is your organization still struggling with manual audit processes? Do you have audit projects, past audits, and workpapers strewn about in various shared network folders (or worse, on various hard drives)? Do your auditors have to rely on email to collaborate and share documents? How about your naming convention—has your audit group standardized the way that documentation is labeled to help you to keep the information organized and easy to reference? Speaking of standardization, have audit processes been standardized across the organization or does each location or division manage their own audit program? And what would you say about your review and approval process? Is it clearly mapped, followed, and approvals communicated? Are audit findings routinely rolled up and reported?
RGP’s policyIQ addresses each of these challenges so that you can realize more effective and efficient management of your organization’s audit function. Leverage predefined Templates, Folders, Workflow, Reports, and Audit Trail for your compliance, audit, or policy management documentation. It is also simple to customize the structure to accommodate ongoing changes or characteristics that are unique to your organization, program, or team.
Configuration adjustments are at your fingertips. You do not have to reach out to a support desk or technical team to add templates for specialized workpapers, IPEs (Information Provided by Entity), or for your PBC (Provided by Client) process. Adjustments can be made directly by users authorized in your organization. If you haven’t yet incorporated those templates into the flow of your work and want some help getting them set up, we do have support and configuration specialists who are happy to walk you through the setup of your custom program.
We expect all of RGP’s policyIQ audit clients to be enjoying these benefits in their audit programs:
Consistent enterprise-wide audit process
Centralized access to workpapers and IPEs
Simplified administration of PBCs and audit process
Ability to easily locate and leverage audit templates/projects and previous audits
Streamlined communication among management, auditors (internal and external), and approvers
Real-time monitoring capability and status reporting
Simplified management and audit committee reporting
We’re ready to help you reach your goals!
Whether you are an existing policyIQ user or a new one, we want to help you to improve and automate your audit program. Perhaps you are new to the administration of your site or you are not sure how to make adjustments to the configuration of your site’s templates or structure. Reach out to us and we’ll be happy to help you get started or to optimize your implementation. Support@policyIQ.com.
Is your team overwhelmed with activities that feel unnecessary?
How confident are you that the energy spent on testing is focused on the necessary controls?
Leverage policyIQ to systematically focus on the critical controls for management and testing. More efficiently analyze which Financial Statement Assertions, relative to each of your 10-K line items, are adequately controlled, which are left vulnerable, and which of your relevant assertions are over-controlled! See, plainly, the gaps in your coverage, leverage the evidence to justify the reduction of waste, and plan to concentrate effort on work that matters.
This process really starts with your risk assessment. If you have not leveraged policyIQ to bring automation and reliability to your risk assessment process and want to walk through the policyIQ solution (including the just-released feature that makes cumulative risk calculations possible), reach out to schedule a free working meeting with us! After completing your risk assessment, identifying significant accounts and relevant assertions, and determining which of your processes and objectives are in scope (all steps that can be managed in policyIQ), you can begin the process of rationalizing your controls.
Next, leverage policyIQ to move through these five Control Rationalization steps:
Each step is made more efficient with policyIQ. We can support you to customize templates for the attributes that are critical and unique to your organization. The import, linking, calculations, workflow, and reporting features will allow you to more quickly examine the effectiveness and priority of your procedures. Having confidence in your Control Rationalization process and your internal control environment then allows you to come full circle to look at the bank of risks that you previously identified. You might conclude that some process risks that have consumed time and attention for years are actually not in scope. This Control Rationalization process will help you to be more effective and more efficient through each testing cycle.
Would you like to see sample templates and schedule a working meeting to get the ball rolling? Contact us and reap the benefits by your next testing cycle!
Are you paying employees to inventory email responses or spend hours in update meetings to accomplish tasks that can be automated? With the application of policyIQ forms, your employees can take back time that was spent on tedious tasks and focus on work that matters.
If your team is still using Word, Excel, and email to manage 302 Certifications, Control Self-Assessments and Narrative Reviews, they are engaging in the frustrating task of having to inventory the responses from their inbox and then babysit and pester people to complete their work. As responses do arrive, they evaluate who they’ve heard from and who hasn’t responded, and decide whether (and which) follow-up activities are warranted. They are likely also having to pull together routine assessments regarding the status of responses to share with management and others.
Before anyone invests another minute on the effort of pulling together the Narrative Reviews for next quarter, contact us to help your team realize these benefits right away:
Simplified roll-out of questions/certifications each quarter
Easy access to real-time information for monitoring of status
Automation of reminders going out to outstanding respondents
Automated compiling of results
Effortless reporting for management
There are lots of products out there that will set you back $50-$500k annually that promise efficiency gains in your compliance processes. For a fraction of that cost, we’ll deliver on that promise in a matter of weeks—not months or years. Work smarter. Spend smarter. Contact us today to schedule your configuration session.
Are your employees still manually managing Risk Assessments using spreadsheets?
If you answered yes, they are likely struggling to work with others efficiently, they are frustrated by version control issues, and they are wasting time trying to figure out who has given input and who still needs to provide information.
The data in spreadsheets is difficult to aggregate. Performing analyses within a spreadsheet is limited, and across multiple spreadsheets it is nearly impossible. There are nearly always issues with data entry and, therefore, data integrity. So, your employees are likely also spending time having to validate and track down information and they’re likely performing rework to shore up assessments and findings. For all of these reasons, spreadsheets prolong the time and expense of audits.
RGP’s policyIQ team has developed features that help you to automate questionnaires, inventories, risk ratings, and capability measures, track gaps, and roll up findings. Your management and audit teams can begin collaborating on their finance, operational, fraud and enterprise risk assessments right away. Contributors from your locations can work together in one flexible and easy-to-use tool with confidence in the security and accuracy of their information and analyses. Templates for various risk assessments are easy to customize. Notes and assumptions from previous assessments can be easily referenced and considered in current risk calculations.
Your auditors can remotely review the content that you choose to make available to them and only after it has completed the review process that you enforce using policyIQ.
Reach out to us to request your free trial site and to learn more about how your team can end their reliance on spreadsheets. Work smarter.