Mason Karrer

OCEG Policy Management Series Wrap Up: Measuring, Monitoring, and Accountability

Blog Post created by Mason Karrer on Mar 29, 2013

Hello from baby central! If you detected radio silence from me lately it’s with good reason. We welcomed a little bundle of joy into the world recently and suffice it to say I’ve been busy at home! Nevertheless I’m back and eager to wrap up this conversation on policy management so we can move on to other exciting things on the horizon.

The backdrop for this series was a multi-part panel forum I participated in for OCEG and Compliance Week, led by the venerable Michael Rasmussen. We began with a look at the effect external business impacts can have on the enterprise policy management program. From there we moved from detecting changes to identifying cohesive impact assessment and policy change workflow processes necessary for a strong diligence program. Now we’ll tie it together with a look at the ongoing maintenance aspects of a robust policy management program, including monitoring and accountability.


Beginning with policy measurement and evaluation, it goes without saying that effective policy management requires periodic review. Conventional wisdom tells us policies should be reviewed as needed to keep pace with changes in the business, and otherwise annually at a minimum. Let’s explore why in more detail from the perspective of somebody who thinks it’s unnecessary busywork (like Morty K., the CEO of Morty’s International Widget Emporium, for instance). From Morty’s perspective the business is the same as it was last year. He still sells widgets, his tolerance for acceptable use hasn’t changed, and so on. But, like everybody else, he needs to cut costs wherever he can. So he challenges the value of bothering his people to keep up appearances with some administrative review that increases his costs without a tangible return on the investment.


Okay, so Morty’s thrown down the gauntlet. Now let’s respond. All other things being equal, those administrative gymnastics actually go a long way toward demonstrating diligence, and good diligence reduces exposure risk and compliance costs. Even if policies happen to be out of step with the business at any given time of examination, it’s hard to argue a company isn’t trying to be diligent if it can produce a consistent trail of reviews. Think of it as cheap insurance, for no more than the cost of a few hours per year. That doesn’t mean there won’t be findings around accuracy, but that’s a whole lot better than the absence of policies entirely, which is the de facto opinion auditors form of policies that are never reviewed. Plus there’s the intangible benefit of increased operational stability through raising cultural awareness and stakeholder participation. So, when it comes to the “burden” of annual reviews, to quote Nike, “just do it.”


In terms of active diligence and regular review cycles, the following factors can influence whether policy revisions may be required:

  • Have changes to the business occurred which may affect this policy?
  • Are there regulatory/legal changes requiring a policy update?
  • Is an unacceptable number of exceptions being generated?
    • This could indicate issues with policy language, divergence from the current state of the business, or training and awareness gaps.
  • How many policy violations have occurred, and why?


If the organization waits for problems to arrive before policies are revisited, it will always lag behind the curve. This is an area where technology can be a force multiplier to ensure the train stays on the track and runs on time. Systems are great at performing repetitive tasks, like pestering policy owners (and managers) to do their reviews and capturing all of that in a verifiable system of record, year in and year out, over and over again. These days, if a company is trying to do this by hand rather than leveraging a tool like Archer Policy Management, then it’s probably not doing it effectively at all. Instead it’s stumbling through some haphazard, analog process that will ultimately fail when it is needed the most; namely, at crisis time.

The folly of a manual policy management program is further revealed in organizations with a disparate, document-centric approach. Static, dusty paper policy binders are relics of the past, not to mention boring and ineffective. Why not modernize with embedded multimedia awareness training and automated acknowledgement and acceptance features baked right into the same portal used to demonstrate that almighty diligence to the external auditors? People are engaged more effectively, and disparate tracking is replaced with a single verifiable system of record.


Why is this important? Because without effective policy awareness, what’s the point? Consistent publication and communication is the best way for the company to participate on an ongoing basis. Policies are conditions of employment. Employees must accept these terms, and they can’t do that if they’re not aware of them. When that process is centralized and streamlined, the company benefits in multiple ways. First, the staff is kept up to speed as an integrated part of normal business, so behavior is influenced more quickly and naturally. Second, capturing the acknowledgements reminds the staff that they’re accountable and provides good evidence of the overall process. Everything works in concert, and the business gains confidence that it can remain a step ahead of its risk.

So we’ve detected changes to the business, put those through a workflow to analyze the impact, adjusted policies to match new expectations, raised awareness, captured staff acknowledgements, and established useful metrics to measure and monitor the program. Overall our diligence picture is shaping up nicely. Let’s wrap up by covering one last item, the audit trail.


Policy archival and history is something that often gets overlooked, and that oversight can bite an organization in a bad way. When policies must change or retire, it’s extremely important to preserve legacy versions for historical reporting purposes. Otherwise, how can the organization demonstrate adaptation over time? Remember, corporate policies are the codified basis for business operations. So they’re almost always legally discoverable as evidence, in addition to being a living history log of changes to the business. The more closely the policy history coincides with shifts in the business, the tighter the diligence connections become. It’s never a good idea to let a plaintiff define how the business operates. A robust and complete policy revision history that is producible on demand is a very powerful indicator of strong corporate governance. Failing to preserve and protect it wastes an opportunity to improve compliance results and reduce organizational risk.


That brings us to the end of this series on policy change management. We’ve covered a lot of ground, and I hope we’ve added clarity to the main aspects of a successful policy program. Managing enterprise policy in today’s global business climate of constant change can be a challenging story. I’d love to hear how Archer helps you tell it in your organization. Be sure to watch for several exciting announcements we have coming up, including updates to the Unified Compliance Framework, enhanced PCI capabilities, and much more!