Summary
Policy management is a huge part of not only audits and compliance, but of keeping your people aligned with your organisation.
Writing effective policies, procedures and guidelines allows you to provide guide rails for your organisation, and support your employees and teams in getting what they need to get done, done.
However, managing and maintaining your policies can be a huge challenge for organisations of any size, regardless of what standards you are adhering to.
Ensuring that your documentation is accurate and up to date, that policy owners and collaborators are aware of necessary changes, and that your end users know where to find the information they need all feed into your compliance culture – and are difficult factors to address.
The following steps are what we found helped us in building a compliance culture, and ensuring that our policies are referenced and maintained as a part of our BAU (not just once a year).
Organise by purpose, not annex (design for your people, not your auditors)
One of the first changes we made in the run-up to our audit was to re-organise our policies completely.
Previously, every policy was organised in a way which solely made it easier to get through audits. This was all well and good once a year, when we had to go through our internal and external audits. However, it made it far more difficult for our people to actually find the information they needed (a problem which was exacerbated for new starters).
In order to resolve this, we decided to group all our policies under topics or purposes, instead of by the specific annex control that they related to. This resulted in us having manuals called ‘Managing security’ instead of ‘Information Security Roles & Responsibilities’ – making finding documentation easier and removing friction in our onboarding processes.
Use your solution for more than just compliance
Another thing which was critical in our compliance strategy was that we wanted people to actually read and reference our policies.
A key way that we have achieved this was by embedding all key documentation, not just our policies. This included migrating everything from brand manuals and product documentation all the way to our to-do lists and meeting minutes.
The result of this is that it became far easier for us to bring our people back to the system every day because they rely on it for their day-to-day tasks. This reduces the cognitive load users experience when they have to update policies as they no longer have to open and log into a separate system.
Their daily activities keep them close to the compliance documentation, and features such as an activity channel mean they see key updates as soon as they happen – without compliance managers having to chase them.
Put user experience first
User experience is something which is commonly overlooked when sourcing a new policy management solution – by both customers and suppliers.
Often feature-driven solutions can seem better on paper, but in reality they can overload users with complicated screens which drive them away from the product – and lead to a situation where people rush to update their policies once a year when audit season comes round, but actively move towards other documentation tools as soon as they can.
By utilising a solution which prioritises the end user’s experience with the tool (not just the compliance managers) you are able to ensure that users are not being driven away from your documentation and are fully supported in the tasks they need to complete in their daily activities.
Remove unnecessary workload
Policy management can be a highly time-consuming stream of work, and can create a lot of strain on businesses throughout the year as they adapt to changes in the market.
One of the biggest obstacles in embedding compliance in an organisation is the time that it takes out of people’s day-to-day lives. Implementing a tool which helps to reduce manual processes and shorten the amount of time required by your policy management makes it easier for your people to engage with your policies and compliance documentation.
If you can allow people to automate processes and streamline the work they have to complete, compliance and policy management will become much less of a chore – and therefore far easier for them to engage with.
Make your solution collaborative
Throughout the year, and especially in the run-up to an audit, your policy owners and subject matter experts will have to work closely with each other in order to complete key documents and ensure that you remain compliant.
One of the best ways to engage these people, and make the process of maintaining and updating documents easier is by making sure that they are easily able to collaborate on these key documents and work with their peers in order to better understand important topics.
Allowing your users to @mention each other in comments, invite specific people to documents and quickly and easily control access and visibility are just some of the ways that you can create a collaborative culture.
Conclusion
These points are just some of the ways which have enabled us to embed compliance and policy management in our organisation from the ground up. However, it is obviously a complicated and highly important business function, so if you would like to learn more about building a compliance culture, or if you are interested in enhancing your existing strategy – please get in contact with us below.