MetricStream, a market leader in Governance, Risk, and Compliance (GRC) apps and solutions, has published the results of its latest survey, “What makes an effective policy management programme?” The survey evaluated 260+ organisations across 15 industries to understand the ways in which organisations create, manage, and communicate policies, the challenges they face, and the types of tools and technologies used to support policy management.
A recent surge in corporate governance scandals — including sexual harassment and money laundering allegations at various companies — underscores the importance of robust policy management programmes to keep errant behaviours in check. Many organisations have written policies in place, but much more is required to ensure that those policies are adhered to across the enterprise. To build a pervasive culture of ethics and risk-intelligent behaviour, organisations need to ensure that their policies are communicated effectively, and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations need to be tracked on an ongoing basis and addressed proactively.
Against this backdrop, MetricStream Research surveyed organisations across five key areas: policy management challenges, policy management programme structure, policy communication and training, managing policy exceptions, and the technology used to manage policies.
Key findings from this research include:
- The majority of organisations (55 percent) are unaware of policy violations that may have occurred
- While only 24 percent of organisations use policy management software, the benefits they enjoy are significant. Of these organisations:
  - 21 percent take less than a month to develop and publish a policy from scratch
  - 70 percent do not consider it challenging to author and distribute policies, or provide training
  - 60 percent encountered fewer than 50 policy violations in the last year
- 80 percent of organisations using policy management software on a GRC platform take less than 3 months to author and publish policies, compared to only 55 percent of organisations using pure-play policy management software
- 42 percent of organisations that require employees to attest to certain policies encountered fewer than 50 policy violations
- 59 percent of organisations that have mapped their policies to risks and compliance requirements do not consider it challenging to update policies as regulations evolve
- The majority of organisations that use standardised policy templates (62 percent) take less than a quarter to develop and roll out a new policy.
“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” remarked French Caldwell, chief evangelist, MetricStream. He continued, “Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programmes, or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimise compliance violations.”