Menu Close Menu

Menu

Account

Plan to Engage

After years of toiling in the back office, policy management professionals are extending their activities to the front lines by leveraging interactive technologies to engage employees with relevant policy communications and training content in an optimal manner.

That means delivering the right type of policy content to employees at the right time and in the right place. When a sales executive touches down in a bribery-prone country, a centralized policy management system pushes a text on Foreign Corrupt Practices Act (FCPA) information and related policies to her cell phone; she can click a link in that message to pull additional jurisdictional-specific FCPA guidance to her device. When a freshly promoted manufacturing manager enters a production facility for the first time, he’s already viewed site-specific policy training videos delivered to his tablet a week before.

Creating that context -- meeting employees where they are -- is crucial to developing a next-generation policy lifecycle management capability. Technology is a foundational component of this capability. “If you’re managing all your policies, policy communications and training material in documents, spreadsheets, emails, and off-the-shelf content management systems, you probably don’t have a system of record that’s legally defensible in court -- just ask your external auditors or your regulators,” notes MetaCompliance CEO Robert O’Brien.

With a unified policy portal in place, organizations are more likely to engage employees with interactive policies and training that strengthen awareness throughout (and beyond) the enterprise. They are also well-positioned to increase the efficiency of the overall policy management lifecycle while strengthening legal defensibility when issues arise.

Achieving that win-win-win proposition begins with an effort to optimize two components of the policy management lifecycle:

  • The development of a comprehensive communications and awareness (including training) plan on policies; and
  • Engaging employees with interactive policies

Within leading organizations, the sophistication of both activities has increased significantly in the past few years as policy management professionals have invested more time, and implemented more advanced technology, in the service of getting to know their audiences better.

The Shift Has Started

The policy management profession’s shift to a front-line focus has intensified recently, notes Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20, and an OCEG Fellow.

A decade ago, 90 percent of the policy management solution requests for proposal (RFPs) Rasmussen was involved with centered on back-office processes and activities. “The emphasis then was on workflows related to approving and maintaining policies,” Rasmussen recalls. “Policies then were often dumped into various fileshare and intranet sites in a haphazard fashion. Some larger companies wound up with a dozen or more policy portals scattered throughout their enterprises.”

More recently, however, Rasmussen has observed a groundswell of interest in solutions that also address how employees interact with policies daily. “Addressing back-office policy management challenges remains critically important,” Rasmussen adds, “but we’re seeing a significant shift to front-office issues: How do we communicate our policies to employees in an interactive way that truly engages them in their roles? More people are waking up to the value of engaging the front lines of the organization -- the first line of defense -- where decisions with policy-compliance ramifications are made every day.”

Establishing that engagement requires policy management professionals to address a significant challenge: knowing their audience.

The Team with the Plan

That knowledge ultimately enables policy management teams to deliver the right type and volume of communications and training to employees and other stakeholders based on numerous factors, including their current role and the legal and the regulatory requirements that apply to their decisions and actions. Leading policy management practitioners also factor other considerations -- primary language, learning styles, device preferences, and more -- into how they tailor and deliver policy content to employees.

The ability to customize policy content according to those factors requires a comprehensive communications plan and a team to design and deliver that plan. Policy communications plans should address seven essential elements:

  • Overall goals
  • A rundown of the needs of each unique audience segment
  • Sufficient budget and staffing
  • A wide range of accessibility considerations to ensure that communications are understandable and actionable
  • Success measures
  • The alignment of policy communications and training strategies with organizational culture, the code of conduct, and enterprise communications and training conventions; and
  • The support of key stakeholders.

The most effective communications and awareness plans O’Brien has seen typically cover 12 months of activities, at a minimum, and up to 24 months of work. Like an effective marketing campaign, these plans are organized into multiple stages that roll out over time. Month 1 might focus on generating awareness of a policy (or multiple policies) while Month 2 concentrates on training activities, Month 3 centers on the CEO’s messaging of the policy, and so forth.

Designing the team responsible for developing and implementing the plan is equally important. The most effective teams -- sometimes identified as a “policy steering committee” or similar type of governance council -- tend to consist of human resources (HR), compliance, and legal managers along with several policy owners, O’Brien notes.

A crucial risk-based assessment -- of both a specific policy as well as the employees for whom that policy is relevant -- figures prominently among the numerous activities that the policy steering committee will perform when creating and updating the communications and awareness plan. This evaluation helps ensure the relevance, timeliness, and efficiency of policy communications and training delivered to different employee segments. Key steps in this assessment include:

  • Identifying the risk to the company a policy is designed to address: The magnitude of that risk helps determine the scope and intensity of the communications and training activities related to the policy.
  • Knowing, and segmenting, your audience: Basic evaluations (e.g., high, medium and low) of the degrees to which various audiences -- a group that includes full-time employees, part-time workers, contractors, vendors, and outsourcers -- are affected by policy also help ensure that policy communication and training activities are calibrated to different groups in an effective and cost-efficient manner.
  • Customizing policy communications and training content and activities accordingly: When it comes to maintaining awareness of organizational cybersecurity policies, for example, a cloud-based customer relationship management (CRM) vendor requires lengthier and more frequent communications related to General Data Protection Regulation (GDPR) compared to a janitorial services vendor.

With a plan in place, policy management professionals can get on with the business of engaging their audiences.

Greater Accessibility = Deeper Engagement

In the same way that they take a page from the marketing function’s playbook when designing a communications and awareness campaign, leading policy management professionals also monitor the advanced tools and functionality that their information technology (IT) select and implement.

Policy management systems are designed to house and organize all of a company’s policies in a unified manner in a single location. The user interface in these systems, called policy portals, benefit from a range of advanced functionality -- including geolocation technology, gamification techniques, social media integration, chatbots, video, natural language processing (NLP) and speech recognition, other forms of artificial intelligence (AI) and more -- designed to enhance policy users’ interaction with policies relevant to their role and daily activities.

These systems enable employees to pull policy information and training modules that they need while also letting policy management professionals push relevant content to employees in response to changing regulatory compliance requirements, employee activities, evolving business conditions, employee role changes, and other internal shifts. The most effective systems are intuitive, adaptive, personal, and accessible, O’Brien stresses.

“The purpose of policy management technology is to engage people with the right information at the right time regardless of what type of device they’re using,” continues O’Brien, who stresses that the system should also provide “one-stop shop” for policy users. This means that policy information should be integrated and unified with all related procedures and enterprise training materials.

O’Brien’s point on the importance of policy engagement highlights the need for different types of accessibility and relevance, including:

  • Roles and activities: Policies and related training are organized and presented to policy users according to their job roles and responsibilities. When an IT manager clicks the “My Policies” tab in a policy portal, he should see different content than what the sales VP of the EMEA region views when she clicks the same tab.
  • Languages: Policy users should receive communications and training in their workplace’s primary language. Larger global companies may need to publish policy content in 20 or more languages.
  • Jurisdictions: In addition to publishing global policies on regulatory compliance requirements, many organizations tailor several different versions of a single master policy due to nuances in how different regulatory regimes interpret and/or enforce the requirements -- or given the fact that risks may be significantly higher in some countries or regions. A large bank may need to have several versions of a policy related to anti-money laundering (AML) regulations.
  • Device: As O’Brien points out, policy users access information on a range of different devices. As such, policy communications and training content should be consumable on desktops, laptops, smartphones, tablets, and more. In some industries and companies, some employee groups are not assigned any computing devices. In this case, policy management teams should install other delivery mechanisms. A manufacturing company may set up a kiosk to deliver training to deliver content to workers on the shop floor, for example.
  • Individual preference and needs: Some policy users are visual learners, in which case video-based training is more effective from an engagement perspective; others may be visually impaired and require large-text training documentation supplemented with audio content. Policy management systems and policy portals should be customizable to address the unique needs and preferences of the audience.

As more companies migrate to cloud technologies and cloud services, it is also important for policy management professionals to recognize and address the need to disseminate more policy communications (and, sometimes, training) to third parties -- and, in a growing number of instances, to fourth and fifth parties (i.e., your vendor’s vendors). GDPR compliance hinges on a company’s ability to protect customer data regardless of whether it resides in-house or on the server in an “nth party.” This trend elevates the need for policy management professionals to collaborate with the procurement function and, in a growing number of companies, third party risk management groups.

Similarly, it is important to recognize that a growing number of non-full-time employees -- a group that includes part-time employees, contingency and contract workers, and gig workers -- are also members of the expanding audience that policy management professionals need to understand and address.

Evidential Heft

In addition to optimizing the effectiveness and efficiency of the policy management lifecycle, supporting technology should provide what O’Brien describes as “evidential weight.” The centralized policy management system should enhance the defensibility of policy communications and training efforts in situations where the organization is taken to task by regulatory or legal authorities for alleged violations.

“It’s about creating a situation where you can prove that you actually took specific actions on specific dates,” O’Brien continues. “Trying to do that in a manual system is impossible. Trying to do it with a solution that does not have evidential weight embedded into its technology is also extremely difficult, if not impossible.”

A policy management system should allow HR, compliance and legal executives to quickly and easily access past records of all policies and updates to those policies and then pinpoint the dates that policies were communicated to employees; training activities that were completed; and tests of training comprehension were completed by employees and other stakeholders.

Now Press Repeat

Many policies require regular updates because the risks, regulations, and external business conditions addressed within these policies continually change. Those changes can also eliminate the need for individual policies, elevate the importance of awareness and training efforts for other policies, or require the creation of new policies.

As such, the communications and awareness plan -- as well as the way policy management professionals engage audiences -- needs to adapt and change in response. The plans and methods may also need improvements due to low training comprehension metrics or based on input from policy users (another important type of interactivity that a policy management system should support).

The fluid nature of policy management explains why O’Brien advocates for a “repeatable cycle,” when it comes to building awareness campaigns and engaging employees. “Communications never end,” he adds. “They can always become more effective.” Extending their reach to the front lines in an engaging method represents a sound way for policy management professionals to increase their effectiveness.

Featured in: Policy Management

Related Resources
Back to top
OCEG © 2002 - 2024 OCEG

Terms of Service

Privacy Policy

support@oceg.org

Contact Us

Information & Billing:
+1 (602) 234-9278

Principled Performance, Driving Principled Performance, Putting Principles Into Practice, OCEG, GRC360°, ActiveLearning, EventDay and LeanGRC are registered trademarks of OCEG.

Protector Skillset, Protector Mindset, Protector Code, Lines of Accountability, GRC Professional, GRCP, GRC Fundamentals, GRC Auditor, GRCA, GRC Audit Fundamentals, Data Privacy Fundamentals, Integrated Data Privacy Professional, IDPP, Policy Management Fundamentals, Integrated Policy Management Professional, IPMP, Integrated Audit & Assurance Professional, IAAP, Integrated Governance & Oversight Professional, IGOP, Integrated Strategy & Performance Professional, ISPP, Integrated Risk Management Professional, IRMP, Integrated Decision Management Professional, IDMP, Integrated Compliance & Ethics Professional, ICEP, Integrated Business Continuity Professional, IBCP, Integrated Information Security Professional, IISP are trademarks of OCEG.