Going Nuclear on Employee Policy & SOP Management
Rajesh Unadkat
One of the major challenges for organizations in managing GRC is that GRC is not really a single application. It is a category covering many different applications concerned with adherence to, tracking of, remediation of, and reporting on policies within an organization. Historically, these applications were managed independently: regulatory compliance, information security, safety programs, quality management, HR policy management, and so on each had its own system.
But as these programs have evolved and broadened, and as the need for continuous management has grown, organizations are struggling to manage all of these program types in a single system of record that is flexible enough, yet nimble enough, to meet their needs. Historically, a safety system was purpose-built. But as everything has expanded, employees are being asked to manage multiple programs that are similar yet different. What is needed is the ability to configure program workflows: change a screen, add a different set of fields, and consolidate the multiple policies and SOPs that affect an employee to reduce overhead and redundancy. The questions put to employees should be streamlined and coordinated into a single, easy-to-manage point of control throughout the policy or procedure lifecycle, including versioning and updates. You also need to be able to run targeted campaigns based on role, geography, division, etc.
Targeted compliance assessment campaigns
- Policies and SOPs can be mapped to compliance regulations and controls.
- Compliance gaps can be identified.
- Policies can be authored, reviewed, approved, and distributed.
- Campaigns can be targeted by role, region, country, law, and standard.
- Configurable workflow supports versioning, automatic updates, track changes, search, approvals, attestations, and comparison.
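As an added illustration of the capabilities in the list above (not code from the original post or from any vendor's product), the following Python sketch models policies mapped to controls, flags controls that no policy covers as gaps, selects the employees in scope for a role- and region-targeted attestation campaign, and treats an attestation to a superseded policy version as outstanding. All identifiers, regulation names, and employees are constructed sample data.

```python
"""Toy model of policy-to-control mapping, gap detection and targeted
attestation campaigns. Constructed example; not any vendor's product."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed identifier, e.g. "AC-1"
    regulation: str   # regulation or standard the control belongs to


@dataclass(frozen=True)
class Policy:
    policy_id: str
    version: int                  # current approved version
    controls: FrozenSet[str]      # control ids this policy satisfies
    roles: FrozenSet[str]         # roles the policy applies to
    regions: FrozenSet[str]       # regions the policy applies to


@dataclass(frozen=True)
class Employee:
    employee_id: str
    role: str
    region: str


def compliance_gaps(controls: Iterable[Control], policies: Iterable[Policy]) -> List[str]:
    """Controls that no policy or SOP is mapped to: these are the gaps."""
    covered = set()
    for p in policies:
        covered |= p.controls
    return sorted(c.control_id for c in controls if c.control_id not in covered)


def policies_for_regulation(regulation: str, controls: Iterable[Control],
                            policies: Iterable[Policy]) -> List[str]:
    """Policies that must be reviewed when a given regulation changes."""
    ids = {c.control_id for c in controls if c.regulation == regulation}
    return sorted(p.policy_id for p in policies if p.controls & ids)


def campaign_targets(policy: Policy, employees: Iterable[Employee]) -> List[str]:
    """Employees in scope for a policy's campaign: role AND region must match."""
    return sorted(e.employee_id for e in employees
                  if e.role in policy.roles and e.region in policy.regions)


def outstanding_attestations(policy: Policy, employees: Iterable[Employee],
                             attested: Dict[Tuple[str, str], int]) -> List[str]:
    """Targets who have not attested to the policy's *current* version.

    attested maps (employee_id, policy_id) to the version last attested.
    An attestation to an older version is stale and counts as outstanding,
    which is what forces re-attestation after a policy update."""
    return [eid for eid in campaign_targets(policy, employees)
            if attested.get((eid, policy.policy_id), 0) < policy.version]


# --- constructed sample data ---------------------------------------------
CONTROLS = [
    Control("AC-1", "ISO27001"),
    Control("AC-2", "ISO27001"),
    Control("PE-3", "OSHA"),
    Control("HR-7", "GDPR"),        # deliberately left unmapped: a gap
]
SEC_POLICY = Policy("P-SEC-01", 3, frozenset({"AC-1", "AC-2"}),
                    frozenset({"engineer", "admin"}), frozenset({"US", "EU"}))
SAFETY_POLICY = Policy("P-SAFE-02", 1, frozenset({"PE-3"}),
                       frozenset({"warehouse"}), frozenset({"US"}))
POLICIES = [SEC_POLICY, SAFETY_POLICY]
EMPLOYEES = [
    Employee("e1", "engineer", "US"),
    Employee("e2", "admin", "EU"),
    Employee("e3", "warehouse", "US"),
    Employee("e4", "warehouse", "EU"),   # out of region for the safety SOP
    Employee("e5", "sales", "US"),       # role not in scope for either
]
# e1 attested to the current version; e2 only attested to version 2 (stale)
ATTESTED = {("e1", "P-SEC-01"): 3, ("e2", "P-SEC-01"): 2}

if __name__ == "__main__":
    print("gaps:", compliance_gaps(CONTROLS, POLICIES))
    print("ISO27001 policies:", policies_for_regulation("ISO27001", CONTROLS, POLICIES))
    print("P-SEC-01 targets:", campaign_targets(SEC_POLICY, EMPLOYEES))
    print("P-SEC-01 outstanding:", outstanding_attestations(SEC_POLICY, EMPLOYEES, ATTESTED))
```

Keying attestations by policy version rather than by policy id alone is the detail that matters for the "versioning and updates" bullet: when a policy is re-approved at a new version, every prior attestation automatically becomes outstanding without any manual reset.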
Policy management around specific functions like HR, safety, security, quality, etc., or globally around implementing process controls or auditing, requires a baked-in approach to succeed. The biggest challenge in these automations is adoption by the end users. We find that unless there is a specific mandate with teeth in case of failure, these programs need to be integrated into daily working life. If a program is a low priority for the end user, it has a high risk of being postponed or left half done. Human nature means that urgent fire drills supersede less urgent but important housekeeping. Think of orphaned compliance programs as the business equivalent of "hoarders": collecting dust in the corner of the office with the stack of other things that never gets done, until a fire drill forces a clean-out or an audit has to be met.
In college, I lived in a fraternity house that I am embarrassed to say should have been condemned. Think Animal House leapt off the screen. I still to this day remember the jury-rigged fire alarm handle that we wired up to pass the Fire Marshal's inspection. This was on top of the massive clean-up that we did the night before to make sure that we passed. You could say that was a failure in compliance all the way around.
As a parent, I think of how I would feel if something happened to my children because of something similar. Responsible adults look beyond the immediacy and urgency of a situation to prepare for the event of failure. As the group responsible for protecting the business from outsiders and from internal laxity, you have to find ways to bake compliance into the lives of the stakeholders. This holds even in the face of tough consequences, as many people default to old habits.
Think of the recent example of the nuclear weapons control center that failed its annual audit due to poor practices and failure to follow security protocols. You can’t say they weren’t trained or weren’t aware of the criticality of the situation. I would say it is a failure on the part of the program designers to account for human error and decay of attention. IT security must implement programs that account for continuous adoption by the users as the consequences of failure are too great.