Let’s talk about the elephant in the room: heavy GRC technology.

RGP’s policyIQ team is seeing a lot of movement in the governance, risk, and compliance (GRC) technology market. Organizations are complaining of complex tools that are difficult and time-consuming to implement. Many have expressed frustration and regret after investing several months—years, even—and tens to hundreds of thousands of dollars into the implementation of GRC platforms only to find they were still not producing the promised benefits. They struggled with finding the right time to cut the cord. Others tell tales of the constant perks in the flashy sales and marketing process that ended in crickets after they signed on the dotted line—there was very little support to help them make the application do what they expected it to do. Some companies got up and running in a tool and later found it was very cumbersome to manage as business needs evolved.

Are you wrestling with heavy, cumbersome GRC Technology?

Many compliance officers, auditors, controllers, and IT directors have stories about how long they have tried to hang on and make it work.

It’s time.

It’s okay to say it out loud. There are other options that are easy to configure and customize for your team’s specific needs that don’t break the bank. Clients have raved about the flexibility of policyIQ and their ability to make adjustments in just a few moments when the business, market, or regulatory bodies call for it. They have praised the speed of deployment of policyIQ and return on investment that they observed almost immediately through improved effectiveness in meeting their objectives.

We understand if you’re feeling a little skeptical…

…after what you’ve experienced. Let us show you! We offer a 30-day free trial and are happy to show you YOUR data in the trial site as proof of concept before you buy.  You can spend time kicking the tires, so to speak, and working with your implementation expert and the policyIQ Support team.

P.S. The policyIQ Support team will be by your side for the long haul! We enjoy reviewing our team’s interactions with clients—we are prepared to tackle your tough business questions, to help you expand or adjust as needed, and we can’t help but celebrate the friendships we make serving our clients over time.

We are excited to partner with you, too! Contact us to start your free trial.

1 in 3 do not have a plan!

The policyIQ team recently hosted a webinar presented by GRC analyst, Michael Rasmussen, focused on how to drive employee engagement through effective policy management and communication. During the session, we asked the audience: “Does your organization have a policy communication plan?” Remarkably, one in three respondents answered, “no”.

In recent posts, we have drawn attention to the potential hazards of NOT keeping your employees informed, trained, and certified. No doubt, some companies have learned a multi-million-dollar lesson on why it is important to build out a policy communication plan. In case your organization can relate to the third of respondents who identified with not having a formal plan, we want to share some ideas on how you can get started crafting your plan and reducing legal exposure right away.

What is the risk?

1 in 3 respondents reported not having a formal policy communication plan in place.

Are you having a hard time figuring out how to prioritize your policy updates? Consider, first, how your policies are related to your risk environment and what practices you must have in place to protect the organization from the top down. Next, you may wish to focus on the policies and procedures that you have in place to safeguard your organization: security policies and procedures. The next area in need of attention, depending on your type of organization, may be documentation related to ensuring that product, process, or service quality is delivered. If you have a quality system in place, you likely already have associated documentation on a regular cadence of review.

How will you know that all of these practices are actually taking place and operating as designed? You could also prioritize the documentation and routine practice of monitoring, from an operations and financial perspective. Auditing your business and finance functions will go a long way to provide assurance that you have the right practices in place.  

Can your organization provide evidence that your house is in order?

Who is the audience?

Retail store managers, truck drivers, accounting and finance personnel, nurses, IT project managers—there is a seemingly infinite list of roles in the pool of potential policy and procedure audience members. Rather than drafting policies and simply publishing them for broad access or distribution on the company’s intranet, you may want to take a step back and consider more closely, again, the level of risk associated with the documentation. Starting with your areas of greatest exposure, which of your employee roles would be impacted by the absence of the policy or documentation? Pay particular attention to those roles that are directly tied to your high-risk areas and critical controls.

How will you reach them?

The question, here, may be two-fold: What level of assurance does the situation demand? What medium is most accessible to the audience?

Policies related to hours-of-service limits for truck drivers and anti-bribery policies for employees working in high-risk geographies may be among your top priorities as it relates to communicating your organization’s values and practices, but these two audiences certainly do not have the same work environment or access to information. An important step in your communication plan is the consideration of the level of assurance that the situation demands. Simply publishing some policies may be enough, but for others, it will be critical that you capture a receipt of your employees’ review and their attestation that they understand and agree to follow your policies, and some may warrant training and certification evidencing the employees’ understanding of the critical values and practices.

Can your training materials for efficient and repeatable distribution when possible, but be sure to bring employees in for training on values and practices that are mission critical.

If you want to better ensure engagement by your employees, you may also wish to consider whether the content requires live and in-person training or if delivery to your employees’ mobile devices will be satisfactory. Getting into the flow of what your employees do and see every day is the best way to boost the likelihood that they will see and interact with your content.

Next steps:

RGP’s own policyIQ is a SaaS platform that is easy to set up and use and can be leveraged to author, manage and share policies, procedures, links to training materials, certifications, and other related documentation on an employee’s device-of-choice. Click here to learn more about our policy management solution or reach out to us, directly! We are happy to help you see your data in a free policyIQ trial site.

And if all of this still feels like a lot to consider, you may wish to reduce your organization’s exposure sooner rather than later by bringing in a subject matter expert to spearhead the effort. RGP’s professional consultants can help to assess your organization’s documentation and lead the effort to map out and implement the execution of your policy management program and communication plan. Click here to be put in touch with an expert in your area.


Again, special thanks to GRC 20/20’s Michael Rasmussen for sharing his expertise with our audience (and us, too!). If you are interested in learning more from Mr. Rasmussen, we encourage you to check out his website and, specifically, his “Policy Management by Design” white paper.

Here a cloud, there a cloud, everywhere a cloud application! What information governance!?

I came across an article, More Employees “Going Rogue” On IT, that reminded me of a recent client experience. Doolittle writes in the piece, “Employees are signing up for free apps and cloud services without running it by IT!” Yes, this practice is reaching near-epidemic levels. So often people have something that they want to accomplish and the natural tendency is to come up with the fastest and easiest way to get it done. They recall encountering one of the bajillion tools that they’ve used in their personal life that would work “perfectly” in this situation.

Ugh! It is difficult to keep up with all of the easy-access web applications that are coming online.

The client that I worked with has used policyIQ for their Sarbanes-Oxley compliance documentation, historically. They recently discovered that employees from all ranks of the business were storing and sharing company information on a wide range of cloud applications. Alone, that might not seem like a big deal—they’re being creative and finding ways to be productive—great! The issue is that many of those tools matter-of-factly state (as Google did this week) that users should have ‘no legitimate expectation of privacy’ when sharing content through a third party. Most of those apps were not intended for business use and certainly not for the confidential sharing of sensitive business information! Not to mention that employees were driving up costs in an uncontrolled manner by subscribing to many services and loading content indiscriminately.

This is really what drove our client to reach out to us. While their IT organization had not yet adopted the practice recommended in Doolittle’s post of creating and educating their employees on their IT Security Policy, they knew that policyIQ’s hosting service was SAS70 and SSAE16 Type II compliant. They had put it through the necessary reviews and had trusted their financial compliance to policyIQ for years. They had experience with locking down some content to small teams while allowing others read-only access to a broader base of work. They knew that policyIQ really walked them through the information governance discussion upon initial configuration. They had to think about who would hold the keys to the structure, who could add content and how content would be shared.

Of course, security is paramount in the discussion of information governance. Knowing where to find things, which is the master version and having instant access to the status of work is really critical to efficient business. Just ask anyone who has tangled with multiple SharePoint sites running different versions with overlapping content that don’t speak to each other. SharePoint was intended for business and often runs head on into the information governance wall (or the wall created from the lack thereof).

If you can relate to this common issue written about in the linked post and experienced by the policyIQ user described here, reach out to us! We can help you to draft a plan for transitioning processes and documentation to a secure and controlled environment—a plan that you can then use to broach the topic of information governance with your executives who are passing confidential data via their iPad app. Yikes!