Introduction

Policy management is a key part of GRC and audits in general – this is something we all know – however, the approach to it has changed surprisingly little as technology has developed and become a larger and larger part of operations for businesses.

Having moved from physical document-based approaches to digital policy management, many aspects of becoming compliant (or maintaining compliance) have become much easier.

Most businesses still operate by having a separate ‘set’ of documentation, which specifically revolves around compliance. However, siloing this information makes it far more difficult for organisations to ensure that the information is read and referenced and creates a crush in the run up to every audit of content owners rushing to update their policies, procedures and guidelines (PPGs).

Having a good policy management product in place can help to reduce some of this workload by making documents more readily accessible to staff and by providing a structure with which managers can more easily understand the scope of the audit and where there may be areas missing coverage.

However, we found this approach did not fully tackle the issue of our information not being read and updated – we needed a change.

Our experience

As is outlined briefly in our launch blog, we had previously faced an issue with our compliance documentation being ignored in day to day operations by most of our people.

They read it when they had to, and always ensured it was updated ahead of audits, but it didn’t draw people back week after week – which lead to a lot of misalignment and documentation having to be updated in bulk instead of throughout the year (as requirements / circumstances changed).

In order to resolve this we built a solution which focused on the end-user experience and created a way to embed compliance documentation in a system which our people want to use.

This kind of flexibility and user-focus has allowed Klarity Works to not only help Invotra Group (7 companies) through an audit which was passed with flying colours, but has also resulted in our people starting to use it for product specifications, meeting notes, strategy documents and much more – keeping everyone that much closer to the operational information which allows us to maintain compliance.

This goes against the rhetoric set by most of the competing products on the market – most of whom create restrictive sets of functionality which enable policy management, and policy management only. Some also incorporate risk management and other areas of GRC, but the core issue of the system not being engaging and flexible for end users remains.

The approach

Our approach was broken into the following parts:

Complete user-focus

As mentioned above, user experience was key to our compliance strategy (and therefore to Klarity Works).

By creating a smooth, intuitive experience for users who are reading, creating and managing information the cognitive load and friction our people experienced when trying to find information has been decreased.

This also made our audits easier – by allowing us to structure the information however we wanted and then pull back any relevant documents in advanced searches (based on any combination of fields required) and save these ahead of time.

Grouping policies by purpose not annex control (eg. Managing projects instead of ISO:27001 – 14.1.1)

One of the key issues we found in our previous policy-management system was that finding information was a nightmare unless you were a compliance expert or actually wrote the content you’re trying to find.

Users were having to post on our intranet and ask questions in G chat in order to try and find the information they needed – wasting their time and slowing everybody down.

Our PPGs were grouped to make running audits easier – instead of being grouped in a way that made sense to the people actually trying to find the information.

In order to get around this we completely re structured all of our PPGs (along with having completely re structured the company in the previous year) by the purpose of the actual documents – meaning even new starts are now able to find the information they need without trawling through 10 documents or running multiple searches.

Including documents not related to audits (eg. the brand manual) in Klarity Works

This is a key theme for us, and something we feel has been really key to embedding compliance into our organisational culture.

From experience, people are more likely to reference a brand manual or product manual than one on physical & environmental security (Annex A.11 – ISO:27001).

By centralising our information in an easy-to-use product we have been able to massively increase the amount of people who use it in their day to day (even this blog was written in Klarity Works).

This has made keeping policies updated and understood far easier and improved awareness of compliance internally.

Conclusion

Obviously a policy management product isn’t going to fix every problem for every company, and we were lucky enough to be supported by fantastic people within Invotra Group who helped us to bring these ideas into reality.

However, by taking a new approach to compliance and policy management, we are hoping to help other organisations to realise the same changes and build their own cultures of compliance.

If you would like to find out more, please get in touch with our team or read through our Features and About us pages.