A new study by NAVEX Global solicited the thoughts of nearly 1,000 executives on policy management and the systems they have in place for that process. To say the reviews are mixed would be charitable.
Keeping policies current with continuously evolving laws and regulations was identified as a top challenge. Also, despite some good news and value-adds trumpeted throughout the findings, most organizations are not very satisfied with aspects of their existing policy management program and see room for improvement. When asked to assess their policy management programs, less than 40 percent of respondents ranked any attribute of their system “very good” or “excellent.” Policy communication to employees and third parties received particularly low ratings.
Seventy percent of all organizations consider their system either “basic” or “maturing,” while only 17 percent consider their system “advanced.” The lowest satisfaction ratings came from respondents who did not use any technology to manage policy-related tasks, followed closely by those who used basic spreadsheets.
“At every level of an organization, I see frustration and challenges people have with their policy management process,” says the study’s co-author Randy Stephens, vice president of advisory services at NAVEX Global. “Every organization out there, with very few exceptions, thinks they can do this better.”
Policy management consists of the practices associated with managing an organization’s policies or procedures throughout all of the stages of their life cycle—including drafting, editing, approving, updating, distributing, storing, and documenting. A policy can include codes of conduct, standard operating procedures and other documents.
Goals for a policy management program include: keeping policies up to date with new and changing regulations; training employees on policies; improving version control; reducing policy redundancy and inaccuracies; legal compliance; easy access to the most current policies and procedures; creating audit trails and tracking completions; and customizing policies across languages and regions. Among the firms offering automated policy management solutions are NAVEX, MetricStream, and RSA.
The dissatisfaction many executives have with their policy management systems is not very surprising to Daniel Paula, vice president of risk management at Ocwen Financial, even though he counts himself among those very happy with their system.
He splits the challenges into three parts.
One is “keeping up with laws and regulations that change all the time,” Paula says. “If you are a financial services firm like we are, the amount and the pace of change that you have to keep up with when it comes to regulation has grown exponentially since the Dodd-Frank Act. The old ways of doing things—Microsoft Excel, SharePoint, Word—those things don’t scale any more. They were fine when you had to deal with 50 policy changes a year; we are now doing 50 changes a month.”
The second roadblock: Many companies haven’t figured out where to place policy management in terms of organizational structure. “I’ve always placed it under risk management,” Paula says. “But many companies struggle to find the right place for it. They end up with either no ownership or split ownership, which are both horrible. I prefer a single point of accountability and a single point of ownership.” Chief compliance officers and chief risk officers are the most common points of contact he has seen.
When determining who has oversight, don’t expect an excited rush of volunteers. “It takes a lot to convince people,” Paula says. “It’s an ugly baby. No one wants to own it because it is associated with a bunch of regulatory problems the company has to solve. Nobody wants to be part of the mess. Myself, I’m a contrarian and see opportunity, but a lot of people run away from the project.”
Another challenge is version control. “Your auditors and regulators want you to be able to showcase what’s been changed in each policy, who changed it, and when it happened,” Paula says.
The good news, he says: “Once you see the results nobody wants to go back to the way you did things before. Once you see it working as a real technology-enabled solution there is no coming back.”
Although the new survey uncovers challenges, it may also help companies improve aspects of their policy management program, Stephens says. Companies, he says, can use the data to determine whether their policy management practices are protecting the organization, or putting it at risk. A deeper dive allows them to benchmark their program against best practices.
Among the survey’s findings:
“Silos” or diffused ownership of policy management across departments contributes to dissatisfaction. More than 50 percent of respondents’ organizations have seven or more departmental stakeholders with some “ownership” of the policy management program and budgeting process.
Shared ownership is a likely contributor to the lack of sufficient funding for policy management improvement.
Nearly 30 percent of respondents who don’t have automated policy management software cited “no single owner” or “internal roadblocks” as to why they haven’t moved to an automated system.
More than 63 percent of organizations believe their policy management program reduced legal costs and the time it takes to resolve regulatory issues and fines.
Fifty-seven percent of respondents use online training to ensure policy comprehension, followed closely by 55 percent who use in-person training.
A key takeaway: “Many organizations fail to embrace an automated system not because they do not see value in one, but due to organizational silos and lack of clear ownership over the policy management function. This may be indicative of the growing pains of policy management as a function within an organization. As policy management and compliance continue to increase in organizational visibility, some of these issues may change.”
“Ownership of policy management is often widely dispersed across the organization and different business and operational units, with each owning pieces of that,” Stephens says. “It contributes a lot to some of the dysfunction or opportunity to make improvements. You have HR doing their policies. You may have IT with their policies that may not be on the same template and stored in a different place.”
While siloed operations may cause problems, Stephens suggests that “having multiple parties involved in policy management is not a bad thing.”
“I would argue that it’s a good thing,” he says. “You get differences of opinion. You get the input from various people in the organization. The damage comes when it’s a silo opposed to an inter-departmental or inter-disciplinary group. You have to have the realization that you are going to have to involve multiple parties to have the best policies that are up to date and most effective for your organization. You need to have a structure in place that will allow you, as an organization, the benefit of that interplay…You just have to take the best of each element of the organization and put them in place so that you have strong and effective compliance.”
Stephens, armed with the survey data, agrees that “keeping policies current with continually evolving laws and regulations is a top challenge.”
“An effective policy management system can help address that,” he says. “That’s why it is important to have your policies in a centralized database. We also found that an automated process dramatically improved satisfaction
When it comes to communicating policies and changes to employees, online training was the top pick of respondents. “Online training is a great way to reach a lot of people with consistent information,” Stephens says. “If you are using an automated program you can track responses and follow up with people who have not completed. It is important that the people in your organization who have a need to know the policies are reviewing them regularly and certifying that they have done so. It ensures they are getting the information they need to make the right decisions.”
The study, and Stephens himself, make the case that policy reviews need to be both risk-based and consistent. “The risk-based element should apply to everything in a compliance program. You want to focus on your highest risk. With respect to policy management, ask yourself whether you have a policy to address all of your risks. Sometimes companies are surprised to find out that they don’t.”
“You certainly want, for your high-level and high-risk policies, to review them on a regular basis,” he adds. “In the event there is a change to your business’s risk tolerances or a change to a regulation that covers you, you have to go back in and address that immediately.”