Organizations of all types and sizes are researching and implementing Policy Management Systems globally. Traditionally associated with regulated or high compliance sectors, Policy Management is now considered a necessary tool for most organizations to achieve operational effectiveness. How do you know if it is time for your organization to make the investment in a formal solution? We explore the deciding factors in this article.
What is a Policy Management System?
Before you can evaluate if you need a Policy Management System, we need to start with what it includes. Many people think of a Policy Management Software or a Policy Management System as one of two extremes:
- A place to simply upload documents so other people can read them
- A huge complicated, expensive quality management system or governance, risk and compliance system that is overkill to store a some documents
As with many things, the answer lies between these two end points. A Policy Management System certainly needs to effectively store your Policies and Procedures, but it also needs to manage the entire lifecycle of each document.
A valid Policy Management solution needs to facilitate each of the follow stages:
- Draft or Revise. Creating and editing Policies and Procedures, including applying relevant meta-data and security.
- Collaboration and Feedback. Facilitating input from process owners, subject matter experts and other key stakeholder.
- Approval. Handles the approval workflow, signatures and audit trails for each Policy and Procedure.
- Publish. Releases finalized documents to the proper audience based on security rules
- Training and Attestation. Attestation tracks which individuals have read and acknowledge that they understand the Policy or Procedure. Training can take this one step further by deploying quizzes that test the knowledge of the individual after they have read the document.
- Periodic Reviews. Proper Policy and Procedure processes should always include a periodic review of each document to confirm that it is still relevant to the organization. A periodic review should be completed at least once per year.
What type of organizations need a Policy Management System?
When many people think of a Policy Management System, it is usually associated with Regulations and Compliance. This is for a good reason! Most organizations that need to follow specific Regulations, Industry Standards or other compliance requirements have a higher bar for Policy and Procedure effectiveness. This includes controlling the Policy or SOP process, enforcing authorizations, tracking audit trails and confirming effective security controls are in place.
The Accountability Factor
Good governance can help any organization eliminate waste, prevent issues and protect organization continuity through change. Many organizations though, require a higher level of governance and quality assurance that must be put in place. This higher level can be driven from many sources, including:
Any of these drivers can not only determine what Policies and Procedures are in place, but also require an organization to prove that they are effective. In these environments, the process of creating, revising, reviewing, approving, distributing and training for new Policies and Procedures can become very complicated, very quickly. The manual burden to keep up with the requirements can become overwhelming and as a result can drive the need for a Policy Management System well before other organizations that do not fall under any these structures.
Now that we have explored what types of organizations experience a greater need for a formal solution around Policies and Procedures have, we reach the next question. How big does my organization need to be before we need a formal Policy Management System?
What size of organizations need a Policy Management System?
The need for effective management of Policies and Procedures can begin as soon as there are 2 people in an organization. This of course does not mean that you need a Policy Management System with only 2 people, simply that the underlying process exists very early on in an organization and only grows
The Accountability Factor Re-Visited
Although there is not a magic number to determine at what size does an organization need a Policy Management System, there are relative benchmarks an organization can apply.
The higher the accountability, the sooner the need for a formal Policy and Procedure solution. Eventually, the level of accountability is no longer relevant and the simple need for processes to be done correctly in a larger organization determines the need for a Policy Management System.
Policy and Procedure Lifecycle Stages and Roles
Another method to examine the relationship between the accountability factor and the size of an organization is by breaking the number of individuals involved in the process by role. Each stage in the Policy Management lifecycle can be associated with different roles. Roles are groups of individuals that need to complete a common task or group of tasks. The demands within a given role can determine if the threshold has been met to implement a formal solution.
Let’s look at some examples with roles:
Example 1 has 5 people involved in the creation / maintenance of the Policies and Procedures and 80 people that need access to the published versions. Does example 1 need a Policy Management System? Probably not, as long as there is a system to distribute any Policies and Procedures. The number of authors/collaborators/approvers is small enough to managed manually. In addition, there is no need to track Attestation or Training. Only document access is required, which can be done with a simple file share without security. Are there any benefits to implementing a Policy Management System for this organization? Probably. Well-run organizations understand at an early stage that by implementing tools early on can reduce waste, provide cultural acceptance and stop issues before they even start.
Example 2 has the same number of authors/collaborators/approvers as Example 1, the same number of people that need access to the Published Policies and Procedures, but Example 2 also needs those same people to attest and sign off that they have read and understand each of the documents that applies to them. This has now created a compliance burden and complexity that needs a proper solution in place. Even if there are only 50 documents, 4,000 individual signatures would be needed to track compliance! Does Example 2 need a Policy Management System? Definitely.
In example 3, documents are being distributed in an outside system, such as an intranet which eliminates the need for published document access, attestation and training. Does example 3 need a Policy Management System? Absolutely. The 25 different authors, collaborators and approvers indicates a larger volume of activity that would quickly lead to waste if not controlled by a dedicated solution.
What about the number of Policies and Procedures?
The last item to take into consideration is the number of Policies and Procedures that exist. Typically, this is self-governing measurement. It would be highly unusual for an organization to only have 5 Policies and Procedures, but need to distribute them to over a 100 people. Conversely, needing 25 authors/collaborators/approvers for only 5 Policies and Procedures would be extremely odd.
As a result of the direct correlation between the number of Policies and Procedures to the number of individuals involved in the process, the number of documents can be excluded from the question of whether or not your organization is in need of a Policy Management System.
Public Policy Portals
Beyond the primary drivers discussed in this article, there are could be additional considerations that could warrant an investment in a Policy Management System, even if the other criteria listed is not met.
A public portal distributes policies and procedures to the general public. Public facing portals do not require any logins or security. As a result, any person with an internet browser can access the public facing portal. This creates two unique challenges.
- Can your portal infrastructure handle the demand from a publicly accessible website?
- How do you know that you always have the right Policies and Procedures published in the right area of the portal?
The answer to the first question is dependent on the technology being used to distribute your Policies and Procedures. Although it is possible to deploy a Public Facing Portal without a Policy Management System, the answer to the second question enforces the need to ensure your Public Facing Portal is part of your Policy Management Solution.
The answer to the second question is where a Policy Management System becomes important. There are a number of steps to Publish a document to a Public Portal and make sure it is current.
Following each of these steps is required to ensure the Policies on the Public Facing Portal are correct, current and in the proper location. Deploying a public facing portal for Policies and Procedures without the proper process for preparing documents, creates an unacceptable level of risk.
The cost of the wrong Policy Management System?
The selection of the right Policy Management Software or system can have an impact on whether or not it should be implemented in the first place. The primary purpose of a Policy Management System or any software solution, is to provide efficiencies. If the solution that is implemented is too much of a burden on an organization or is mis-aligned with your policy and procedure processes, the negative impact could be greater than the benefits. Below is a list of items to avoid when evaluating Policy Management solutions.
- On-premise installations. One of the largest costs in both the initial implementation and on-going costs can be generated from installing software locally. Everything from security access, to backups to upgrades can continuously add unnecessary costs to the process.
- Self-hosting cloud providers. Although it may be less cost and less time to have a self-hosted cloud provider, it can create a significant amount of risk for your organization. There are several large providers of Cloud data centers that have made significant investments in their facilities, such as Microsoft Azure. It is not possible for a Policy Management System to replicate the same level of reliability and security as a dedicated cloud provider in their own data center.
- Document Management systems. Although a Document Management system can provide the reliability and general storage that a Policy Management System provides, the core processes around your Policies and Procedures will not be supported. The full lifecycle of Policies and Procedures can contain many stages, steps, requirements, auditing and security structures that are specific to Policies and Procedures.
- Legacy systems. In the area of technology and selecting cloud-based Policy Management System, the age of the technology can become a concern for providers that are 10 years, 15 years or even older. Systems collect “technical debt” over time. If your organization is selecting a system today that is planned to be used for the next 10 years, but it was first launched 15 years ago, it will have technology or code in it that is over 25 years old!
Conclusion: Does your organization need a Policy Management System?
The purpose of this article was to provide some guidance on when manually processes and the simple storage of Policies and Procedures is no longer effective. If your organization falls under any of the definitions covered here, we would recommend investigating the options available for a Policy Management System.