Let’s talk about the elephant in the room: heavy GRC technology.

RGP’s policyIQ team is seeing a lot of movement in the governance, risk, and compliance (GRC) technology market. Organizations are complaining of complex tools that are difficult and time consuming to implement. Many have expressed frustration and regret after investing several months—years, even—and tens to hundreds of thousands of dollars into the implementation of GRC platforms only to find they were still not producing the promised benefits. They struggled with finding the right time to cut the cord. Others tell tales of the constant perks in the flashy sales and marketing process that ended in crickets after they signed the dotted line—there was very little support to help them make the application do what they expected it to do. Some companies got up and running in a tool and later found it was very cumbersome to manage as business needs evolved.

Are you wrestling with heavy, cumbersome GRC Technology?

Many compliance officers, auditors, controllers, and IT directors have stories about how long they have tried to hang on and make it work.

It’s time.

It’s okay to say it out loud. There are other options that are easy to configure and customize for your team’s specific needs that don’t break the bank. Clients have raved about the flexibility of policyIQ and their ability to make adjustments in just a few moments when the business, market, or regulatory bodies call for it. They have praised the speed of deployment of policyIQ and return on investment that they observed almost immediately through improved effectiveness in meeting their objectives.

We understand if you’re feeling a little skeptical…

…after what you’ve experienced. Let us show you! We offer a 30-day free trial and are happy to show you YOUR data in the trial site as proof of concept before you buy.  You can spend time kicking the tires, so to speak, and working with your implementation expert and the policyIQ Support team.

P.S. The policyIQ Support team will be by your side for the long haul! We enjoy reviewing our team’s interactions with clients—we are prepared to tackle your tough business questions, to help you expand or adjust as needed, and we can’t help but celebrate the friendships we make serving our clients over time.

We are excited to partner with you, too! Contact us to start your free trial.

1 in 3 do not have a plan!

The policyIQ team recently hosted a webinar presented by GRC analyst, Michael Rasmussen, focused on how to drive employee engagement through effective policy management and communication. During the session, we asked the audience: “Does your organization have a policy communication plan?” Remarkably, one in three respondents answered, “no”.

In recent posts, we have drawn attention to the potential hazards of NOT keeping your employees informed, trained, and certified. No doubt, some companies have learned a multi-million-dollar lesson on why it is important to build out a policy communication plan. In case your organization can relate to the third of respondents who identified with not having a formal plan, we want to share some ideas on how you can get started crafting your plan and reducing legal exposure right away.

What is the risk?

1 in 3 respondents reported not having a formal policy communication plan in place.

Are you having a hard time figuring out how to prioritize your policy updates? Consider, first, how your policies are related to your risk environment and what practices you must have in place to protect the organization from the top down. Next, you may wish to focus on the policies and procedures that you have in place to safeguard your organization: security policies and procedures. The next area in need of attention, depending on your type of organization, may be documentation related to ensuring that product, process, or service quality is delivered. If you have a quality system in place, you likely already have associated documentation on a regular cadence of review.

How will you know that all of these practices are actually taking place and operating as designed? You could also prioritize the documentation and routine practice of monitoring, from an operations and financial perspective. Auditing your business and finance functions will go a long way to provide assurance that you have the right practices in place.  

Can your organization provide evidence that your house is in order?

Who is the audience?

Retail store managers, truck drivers, accounting and finance personnel, nurses, IT project managers—there is a seemingly infinite list of roles in the pool of potential policy and procedure audience members. Rather than drafting policies and simply publishing them for broad access or distribution on the company’s intranet, you may want to take a step back and consider more closely, again, the level of risk associated with the documentation. Starting with your areas of greatest exposure, which of your employee roles would be impacted by the absence of the policy or documentation? Pay particular attention to those roles that are directly tied to your high-risk areas and critical controls.

How will you reach them?

The question, here, may be two-fold: What level of assurance does the situation demand? What media is most accessible to the audience?

Policies related to hours-of-service limits for truck drivers and anti-bribery policies for employees working in high-risk geographies may be among your top priorities as it relates to communicating your organization’s values and practices, but they certainly do not have the same work environment or access to information. An important step in your communication plan is the consideration of the level of assurance that the situation demands. Simply publishing some policies may be enough, but for others, it will be critical that you capture a receipt of your employees’ review, their attestation that they understand and agree to follow your policies, and some may warrant training and certification evidencing the employees’ understanding of the critical values and practices.

Can your training materials for efficient and repeatable distribution when possible, but be sure to bring employees in for training on values and practices that are mission critical.

If you want to better ensure engagement by your employees, you may also wish to consider whether the content requires live and in-person training or if delivery to your employees’ mobile devices will be satisfactory. Getting into the flow of what your employees do and see every day is the best way to boost the likelihood that they will see and interact with your content.

Next steps:

RGP’s own policyIQ is an easy to setup and use SaaS platform that can be leveraged to author, manage and share policies, procedures, links to training materials, certifications, and other related documentation on an employee’s device-of-choice. Click here to learn more about our policy management solution or reach out to us, directly! We are happy to help you see your data in a free policyIQ trial site.

And if all of this still feels like a lot to consider, you may wish to reduce your organization’s exposure sooner than later by bringing in a subject matter expert to spearhead the effort. RGP’s professional consultants can help to assess your organization’s documentation and lead the effort to map out and implement the execution of your policy management program and communication plan. Click here to be put in touch with an expert in your area.


Again, special thanks to GRC 20/20’s Michael Rasmussen for sharing his expertise with our audience (and us, too!). If you are interested in learning more from Mr. Rasmussen, we encourage you to check out his website and, specifically, his “Policy Management by Design” white paper.

Can your organization provide evidence that your house is in order?

Actions by the U.S. Securities and Exchange Commission (SEC) have amounted to more than a billion dollars in disgorgement, fines and penalties every year for nearly two decades. On average, nearly a quarter of actions filed also included named individuals as defendants. What does it mean for your organization if one of your employees engages in illegal activity? Well, that depends. Can your organization provide evidence that your house is in order?

The executives who sleep well at night know that 1) they have policies in place, 2) they have and enforce a process to ensure policies and procedures are kept up to date, and 3) the organization has gone to great lengths to ensure that all employees and third-party agents of the company are aware of the policies and procedures.

Upon request, managers in their organizations can provide the latest policies, proof of maintenance, access to previous versions, a list of all changes including who made them and when, as well as evidence of employee notification and certification.

Employees in these organizations can also rely on their policy management systems to help them work more effectively and efficiently. Their policies and procedures are appropriately linked to related regulations, risks, controls, and principles, and they include ties to responsible parties, departments, relevant locations, and systems touched. If a new employee, system, or regulation is introduced, they can see who and what is impacted.

The most adept organizations have a broadly communicated philosophy regarding policy documentation and practices that provides a shared foundation for all divisions, departments, and regulatory management teams throughout the enterprise. They utilize a centrally accessible policy management platform that supports collaborative authoring and monitoring while also providing all employees with easy access to the latest approved versions.

How well have you been sleeping? Reach out to us and soon you can rest, too, knowing your house is in order: 412.263.3330.

What comes to mind when you hear “digital evidence”?

Who cares?

I mean, who actually has to care about digital evidence? Consider the audiences or different roles of people who need to produce or rely on digital evidence: management and business unit leaders; auditors; information management, technology, compliance, and security professionals; and the officers of your organization. We are producing unstructured data, much of it valuable, at a breakneck pace. Do you know who your producers of quality digital evidence are?

When I hear digital evidence, I think of the artifacts that may be considered digital evidence such as raw data, reports, signed documents, test results, specifications, and performance receipts. Documentation of activities that provide assurance, including procedures, work instructions, training sessions and materials, and attestations are also critical. Have you identified which practices and assurances are closest to your significant accounts, risks, and controls?

How do we wrap our arms around digital evidence?

There are systems and practices that provide the bookends for ensuring relevant and reliable results contributing to digital evidence such as systematic management and monitoring of workflow, milestones, deadlines, analyses, and remediations. Digital evidence also relies on the trail of bread crumbs that show who touched what and when including the audit trail of changes, versions, handoffs, and approvals. Without a central portal or system in place, it is plain to see, we cannot reliably manage digital evidence.

Are you taking advantage of all that policyIQ has to offer in these areas?

Alerts, dashboard notifications, and email generated systematically by RGP’s policyIQ helps employees know when work is required of them. The taxonomy of the digital content is configurable and can be subject to the information governance preferences of your organization with appropriate read, write, and approve rights established during initial configuration. policyIQ can provide an enforceable framework to manage contributions, the complete capture, monitoring, and reporting on critical documentation and evidence.

If your opportunity has more to do with the quality of your existing evidence or the need for corroborating evidence, RGP’s subject matter experts can help to assess your need and to fill any gaps identified. Right now—whether related to technology, process, quality, or completeness—make a note of some of those gaps or pain points that just crossed your mind. And then reach out to us: Information@policyIQ.com; 412-263-3330.

5 Simple Steps to GRC Technology Implementation

Whether for IT Security Compliance, Enterprise-wide Policy Management, Contract and Lease Administration, your organization’s GRC or Audit program, policyIQ can be up and running in 5 simple steps. Read on for more information and contact us to automate your initiative in Q1!

Step 1: Configuration
A policyIQ expert will assist you and/or your RGP Consultant to customize the design of the user interface in policyIQ for input of data, navigation, reporting, content and user security based on your input and feedback. Of course, we do not progress to step 2 until you, the client, approve of the configuration.

Step 2: Prepare data
RGP Consultant requests data from your team or organization, then scrubs provided data to help ensure completeness and accuracy. You give approval regarding the condition of the data before progressing to step 3.

5 Simple Steps to Go-Time!

Step 3: Populate
RGP Consultant populates approved data (import or authoring, depending on your needs) and subsequently validates the completeness of what is in the system to the approved data. The RGP Consultant will provide you with a walkthrough of your site and data for feedback and your approval.

Step 4: Refine (Reports, Dashboard, Planning for roll-out/training)
RGP Consultant demonstrates the policyIQ user interface using the populated data. You provide a live example of a transaction, and with your RGP Consultant’s side-by-side help, you drive the live example from input to reporting. Any additional configuration items identified during this process will be considered for further customization. You give the green light when you’re ready to go-live.

Step 5: Go live and train
Often there are a handful of “power users” who are expected to regularly participate in the process that is being automated using policyIQ. The RGP Consultant sits side-by-side with your power users, individually or as a group, to train on use of the software. Your power users will be directed to policyIQ’s written and recorded materials that you can leverage for your personalized procedural guide. Your RGP Consultant and the policyIQ support team are available onsite or remotely for any questions.

Our methodology your yours?
What initiatives or processes are you looking to digitize and manage more efficiently in 2019? Hit the ground running with RGP’s subject matter experts implementing our proven methodology in our technology or we can support your team to implement your methodology. What kind of support do you need? Contact us, information@policyIQ.com, and we’ll help you to get the ball rolling!

Fierce Competitors are Built on Strong Core Processes

If your goal is to be a fierce competitor and to protect and defend your organization against the never-ending barrage of risks and change, a great place to start is by strengthening your core processes.

Policy management is the backbone of successful and sustainable organizations.

What do you think of when you think of policies? Does your Human Resources department manage a set of company policies that you have to attest to annually? Maybe you recognize the fact that your organization has a password policy and a policy regarding the use of social media on company equipment and company time.

In our recent webinar with guest presenter Michael Rasmussen, we heard a whole host of examples and reasons why organizations should be concerned with policies. If, up until now, you have not been particularly concerned about the value of your organization’s policies, you might want to lean in and peruse these notes from the Blueprint for Effective Policy Development and Management session:

Raise your hand if you are aware of where to find your organization’s index of official policies representing all areas of your business. Mr. Rasmussen asked a similar question of his audience at a recent conference and just 2% of attendees acknowledged awareness of an index maintained at the enterprise level of the organization’s policies.

Only a very small number of organizations see policies as the critical documents that they are. Mr. Rasmussen noted that policies are often not given proper attention and are strewn about in various systems, websites, shared drives and so on. Employees don’t know where to go to find documents or whether the document they found holds the latest version of the policy. In our session, Rasmussen emphasized why employees and leaders should value policies and highlighted some examples of how policies are at the core of every organization’s critical work:

  • Policies are GOVERNANCE documents.
    • Policies are critical documents.
    • They help to set boundaries to reliably achieve objectives
    • Policies ensure consistent business behavior and transactions.
  • Policies are RISK documents.
    • The existence of each policy was preceded by the identification of a risk!
    • Still, many business leaders do not think of risks when they think of policies and many do not tie organization policies to risks.
    • Policies help to identify risks and control risks within certain boundaries.
  • Policies are COMPLIANCE documents.
    • Policies help us to act with integrity as it relates to
      • Regulatory requirements
      • Contract obligations
      • Code of conduct
      • Values and Ethics
      • Corporate social responsibility
      • And so much more

Policies are at the core of all Governance, Risk, and Compliance work.
If the advantages of effective policy development and management are not compelling enough to motivate your leaders to establish policies throughout the organization, this regulatory environment might force the issue. An evidence trail is critical in today’s regulatory environment. Policy management requires a complete system of record and an audit trail.

policyIQ provides company and division leaders with a highly adaptable technology for managing the full range of policy, compliance, and audit needs in one cost-effective platform scalable from specific regulatory environments and department functions to division business units and at the enterprise level. Maintaining a clear and defensible audit trail is paramount to the service and benefit provided by our GRC technology.

In part I of the policy management educational series hosted by RGP’s policyIQ team, Michael Rasmussen highlighted the considerations that are critical for development of a policy management strategy, the roles that contribute to policy management, and he drilled deep into the effective policy management lifecycle.

In part II, Michael will concentrate on the second half of the effective policy management lifecycle. The attendees of our first session gave rave reviews of the presentation. Be sure to register for Part II: Engage the Front Lines Through Effective Policy Communication.

We also encourage you to peruse upcoming events hosted by the policyIQ team. This audience, in particular, might be interested in our Introduction to policyIQ session that is delivered quarterly and demonstrates how organizations leverage policyIQ to establish consistent documentation templates, prescribe workflow and approval processes, communicate and distribute policies, monitor and enforce compliance with policies, and to establish a maintenance process for your critical documentation.

Click here to register for the sessions that interest you and we invite you to reach out to us (information@policyIQ.com or 866.753.1231) with questions about effective policy management, policyIQ (our governance, risk, and compliance technology), or if you could use the support and expertise of a RGP professional to help get your program off the ground.

We look forward to seeing you in future sessions!

Suffering low morale and a disconnect between executives and those doing the work every day?


 

 

 

 

Art Weeast has helped a number of organizations to “think beyond the task of documenting policies and procedures to the intelligence of the information that is in those documents.” In other words, think of the value or purpose that the documents serve. One of his objectives, as he trains organizations on how to create valuable documentation, is to “keep what’s in it for me, from the end user’s or the employee’s perspective, in mind as you develop content”. The end user and all stakeholders might consider, “What problems and questions can this documentation solve?”

To demonstrate the application of Process Intelligence practices (as Mr. Weeast termed his work), consider three common problems:

  1. Employees and Management do not value the documentation (mainly the procedures).
  2. Work tasks are not clearly connected to executive priorities.
  3. Business Units/Departments/Functions do not collaborate on cross-functional processes, often leading to tension and decreased productivity.

With Art Weeast’s help, let’s tackle each of these problems one at a time.

The problem faced by many (maybe most) organizations: Employees and Management do not value the documentation.

Consider how you can make your documentation useful. Follow this three step process:

  1. Set a course to establish more comprehensive documentation. Rather than tracking just the steps of the procedure, frequency, who performs…think of all of the everyday business questions that come up related to the procedures. Add Roles and Responsibilities, Applications Used, Definitions, Procedure Input and Output–these fields will help you to address common problems. Read further to see how.
  2. Make it easy for process owners and your front-line doers to capture the documentation. You don’t have to complete the fields in consecutive order. Starting with the procedure, then considering what leads into the procedure and what the outcome of the procedure is before moving on to the purpose and other data is a much easier thought process.
  3. Make use of the intelligence that is inherent in your documentation to solve business problems. With updated, comprehensive procedures, you can address common problems…effectively and efficiently!

Put your information to work for you!

Another common problem: Work tasks are not clearly connected to executive priorities. 

The front line doers, on a day to day basis, do more repeatable processes than executives do. At the executive level, it is unlikely that you will see procedures. This is the root cause of the disconnect between the tasks and executive priorities. It’s no wonder that executives generally don’t feel the value of the documentation and therefore, the employees don’t feel the priority from the executives to create and maintain the documentation. So, per human nature, documentation becomes an unwelcome task to do, and usually it is tackled at the last minute with a mad rush to get it done.

The solution?

Help your organization to establish the connection between top priorities of the business and the tasks that hardworking employees carry out day after day.

A master at translating the complex into simple steps, Art Weeast developed a method for creating this connection. He calls it an Operational Map. To build your Operational Map you will:

  • Interview the Business Owner and document Primary Functions and Sub-functions from her perspective
  • Prepare List of Procedures for each Process Owner’s Area
  • Create a visual representation of Functions and their related Sub-functions
  • Map Procedures to related Sub-Function by playing “Operational Bingo” with Process Owners—you hold and call out the Procedures while she identifies the related Sub-function.
  • Validate the mapping with the Business Owner.

The result?

  • Executives come down to a level that they rarely visit—they better understand what it takes to get things done! They begin to appreciate the value—and the NECESSITY—of the documentation in a more highly regulated and complex world.
  • Process Owners (the everyday do-ers) appreciate the collaboration with executives. They sense the tone from the top and the priority becomes clear. The do-ers begin to understand the bigger picture—the risks that the organization faces and the importance of what they’re being asked to do. And they are very curious about what other departments do!

The final problem we aim to address: Breakdown in cross-functional processes.

Frustrations build in an organization when communication and collaboration breaks down or does not exist among certain parties. You can tell this is happening when you or others can easily blame someone for inadequate, inconsistent or untimely inputs into your process—or others who put disruptive demands on you to produce an output with a nearly impossible delivery date and provide inadequate information needed to meet the demand. It is natural for all of us to personalize the process under these circumstances.

The art of establishing collaboration among cross-functional parties can be reduced to four main steps. The following steps serve to “de-personalize” the process and issues, and allow parties to focus on the desired end result.

  1. Meeting: Bring functional representatives together for a collaborative process review mediated by a neutral party.
  2. Current state: Have them describe the standard process; first without the history, exceptions or problems. Then revisit the standard process with issues.
  3. Future state: What does it look like? How is it better?
  4. Transition state: Outline steps to get from where we are today to where we need to be.

Think about what’s happening here. Typically, if anyone ever does dare to address the communication breakdown among parties, what do they typically do? They work to identify the issue(s) and to problem solve against those issues. The process outlined by Mr. Weeast, an expert in operational and change management, takes an opposite approach; helping parties to very quickly begin working together effectively.

Applying these practices outlined by Art Weeast results in an efficient and effective organization that can:


Art Weeast has decades of impressive experience in enterprise-wide leadership, technology & data expertise, Lean Six Sigma methodologies, organizational change management, and in defining and refining operational processes. Art has been a client of policyIQ with three different organizations. When I met Art, I had been involved in the work of streamlining, refining, re-engineering, and automating processes for many years, myself, and—while it was my responsibility and mission to help him in any way that I could to solve his organization’s business problems using our software—I was forever changed by what he taught me!

This post was originally shared following a policyIQ-sponsored webinar in which Mr. Weeast shared his Process Intelligence practices. The policyIQ team continues to share the lessons of his Process Intelligence session year after year. If you’re interested in more information or hands-on support with applying Mr. Weeast’s methodology, reach out to us and we’ll connect you with the appropriate tools, information, and resources!

Support@policyIQ.com, 866.753.1231