policyIQ Blog

May 2010 - Posts

  • Tips for Successful P&P Implementation

    Thank you to those who recently joined our policyIQ Solution session on Developing an Effective Policy and Procedure Management Process. And special thanks to Donna McLean, from Surgical Care Affiliates, for presenting and providing her expertise on the subject! We stuffed the session full of tips on developing your own project plan, on successful implementation of that plan and on the use of policyIQ throughout the implementation, as well as for ongoing management of your documentation.

    Write a "policy on writing policies"! What?!

    One of the key steps in a successful P&P implementation is starting with a “policy on writing policies”. policyIQ users can access a sample within your policyIQ Help guide. Some key topics that you might consider for your policy on writing policies can be found here:

    • Maintenance
    • Format
    • Responsibility
    • Communication
    • Approvals
    • Revisions
    • Retention
    • Retiring a Policy
    • Storage
    • Tracking


    Senior-level Sponsorship 

    A critical point that was reiterated by session attendees is the need for executive-level buy-in. Establish buy-in and the “tone at the top” early in the process. This level of support and sponsorship of the implementation will better ensure that users engage in the process and contribute to its success.


    Lessons Learned

    Outside of the typical project management traits (i.e. planning, communication, training, change management, continuous improvement), Donna shared some lessons learned from her experience in this and similar implementations. In addition to landing that top-level support early, she recommends that project managers:

    • Be willing to adapt: come in with a plan, but be prepared to revise or even abandon it and start again depending on the current state and needs of the organization.
    • Build a strong, committed team.
    • Provide training for tools and techniques.
    • Listen!  Don’t assume you know how the business works in the various units.  Business Process Mapping can help to establish the foundation.
    • Capture reality and move toward best practices. Your documentation must reflect what “is”, not what “should be”.

    Want more information? See for yourself, read our materials, talk to us directly! 

    If you are interested in reviewing the recording of this P&P session or any of our solution-focused training sessions, you may access them on our Training Page. Click here to launch the latest recording, Effective Policy and Procedure Management, directly.

    Check out our written guidance on developing your own effective policy and procedure management process within your online Help guide.

    We can help you to lay out your plan, to configure policyIQ for your organization's unique needs and to create and save key reports to your favorites. We can also put you in touch with an expert in your area to join or lead your project team--whatever your need might be. Contact us for more information!

  • Kicking off your P&P Implementation

    Are your policies and procedures up to date and accessible to your employees?

    Maybe it’s time to put together a plan to bring some consistency to your documentation format, to the method that employees will use to access important information, and to your process for capturing and maintaining useful information on an ongoing basis.

    Here are some high level steps to help you get started:

    1. Develop a Project or Implementation Plan
    2. Establish executive buy-in and sponsorship
    3. Assemble the documentation team, agree upon steps of the plan
    4. Prepare the tool for managing your documentation: configure policyIQ!
    5. Prepare and deliver training
    6. Roll-out—begin documenting, review and approval in policyIQ
    7. Change Management: acknowledge progress and celebrate success
    8. Continuous Improvement: gather feedback, make adjustments
    9. Ongoing Documentation: move into day-to-day maintenance mode


    Agree on the Definitions of Policy and Procedure


    You will likely have a number of individuals authoring policies and procedures from various functions throughout your organization. Do they all follow the same definitions of “Policy” and “Procedure”? One of the first items that you’ll want to address in your training materials is the agreement and communication organization-wide on your definitions of these terms. Here are some examples that might be useful to you:

    Policy: A statement or position on a topic that says what is allowed or should take place providing the organization governance and guidance.

    Procedure: A description of the actions required or steps taken to complete a task and implement or uphold a policy (every procedure will support a corresponding policy and any policy may be supported by multiple procedures).
     


    Make sure you reflect the “Tone at the Top” 

    A word of caution: take care to document and understand, first, what drives or governs the business—your policies. A common bad habit that many organizations fall into is documenting what you do (your procedures) and then authoring a policy to match. Documenting corporate policies first provides the necessary governance (and reflects or sets the "tone at the top") that leads to a good foundation for decision making throughout all levels of your business. Your procedures should support the policies that govern your organization.  


    Stay tuned…

    We will be hosting a training session for CPE credit this afternoon (Thursday, May 27, 2010) on this very topic: “Developing an Effective Policy and Procedure Management Process”. You may click here to register. If you are not able to join us, we will make the recording available on our training page in the coming week.
    Next week we will share a follow-up post with you including a number of best practices and any Q&A that takes place during our training session.

  • Staying current with IFRS – As easy as 1 – 2 – 3

    As finance and accounting professionals, it is important to keep up to date with all that is happening on the IFRS front.   The IASB and the US FASB continue to move towards their goal of creating a common set of high quality standards. Many changes to IFRS are taking place, with new standards being issued and older standards being revised or replaced.

    IFRS EVERYWHERE

    A clear sign that IFRS is becoming top of mind for everyone – IFRS will be included in the CPA exam starting in 2011.  Is your IFRS knowledge where it needs to be?  Here is a sample question (borrowed from the Journal of Accounting). Do you know the answer?

    Question: Under IFRS, changes in accounting policies are

     

    A. Permitted if the change will result in a more reliable and more relevant presentation of the financial statements.

    B. Permitted if the entity encounters new transactions, events, or conditions that are substantively different from existing or previous transactions.

    C. Required on material transactions, if the entity had previously accounted for similar, though immaterial, transactions under an unacceptable accounting method.

    D. Required if an alternate accounting policy gives rise to a material change in assets, liabilities, or the current-year net income.

     

    * Make your guess and see below for the right answer.  (Hey – don’t cheat!)

    Keep yourself up to date!

    The AICPA (American Institute of CPAs) launched www.ifrs.com to help CPAs get ready for the arrival of IFRS. This website is full of useful information including FAQs, trainings, publications and a blog. A great way to keep up to date on all things IFRS is to add the RSS feed from the www.ifrs.com site to your policyIQ site.

    It is as easy as 1 – 2 – 3.

    1) Copy this link: http://feeds.feedburner.com/ifrsblog

    2) In the Home Module of your policyIQ site, navigate to the RSS Feeds items in the left navigation.

    3) Select Add from the table toolbar and then paste the URL.

       a. Reminder – The Available to Everyone checkbox will add this RSS feed to everyone’s list of RSS feeds.  If this checkbox isn’t available to you, no worries, it just means you don’t have permission to add RSS feeds.


    Unlike some RSS feeds that overwhelm you with too much information or extraneous “news”, the IFRS Blog from www.ifrs.com is good about only posting when there is substantive news.  You can be sure to stay on top of critical developments, without wasting your time on information you don’t need!

    * The correct answer is A.  How did you do?    

  • Policy sign-offs are simple and efficient in policyIQ!

    Once each year, I and all of my colleagues here at Resources Global Professionals review our corporate policies and fill out associated sign-off forms, indicating we've read the policies and we agree to comply with them. It's actually a very smooth process, which is managed efficiently and is easy for employees like myself to participate in. This is due in large part to the tool Resources uses to manage the process. I'll give you one guess what that tool is. That's right: policyIQ!

    The foundation of this process is the Effective Policy Management policyIQ offers. Building upon this, it's easy to implement a corresponding policy sign-off process using policyIQ's Forms Management feature in just a few simple steps.

    1.  Identify (or create) a Group for the desired respondents

    Simply set up a Group to include the desired respondents (the folks you want to read the policies and provide a sign-off). Assuming your respondents don't have other policyIQ responsibilities (such as managing content) they can be Standard Users, meaning they will have access to read published policyIQ content and respond to Forms.

     

    2.  Create the Form Template to collect the responses

    Each policy will have a related Form, which accomplishes a number of goals. First, it displays the policy directly in the body, so your readers see the policy information without needing to navigate any further. Next, it provides the reader with a sign-off statement that you have designed; you're free to customize the language to present the compliance statement of your choosing.



    3.  Assign to respondents and manage the responses in policyIQ!

    When the Forms are ready to be sent out to respondents, the Administrator assigns them out to the relevant Group. Each Form is then conveniently placed on the reader's policyIQ Dashboard, easily accessible to them upon login. They open the Form, read the associated policy, indicate their compliance, and then submit the Form. It's automatically routed to the approver, who reviews, approves and archives it.

    As you can see, this is a huge improvement over the way this process might run if managed manually. There are no reams of paper to print out and drop off on respondents' desks. You don't need to point your employees to a network directory, where they may find an older, outdated copy of the policy. You don't need to keep track of and archive a multitude of email responses.

    If you'd like to consider implementing a policy sign-off process for your organization, let us know. We'd be happy to work with you to develop a solution tailored specifically to your needs!

  • Take policyIQ to the top of the governance food chain – put it in the hands of your Board of Directors

    This month we’ve been spending a lot of time talking about corporate governance and how using policyIQ can support your corporate governance activities.  Have you considered taking policyIQ directly to the top of your corporate governance structure - using policyIQ to help your Board of Directors more effectively manage their vital communications and content?

    A corporation’s Board of Directors has some unique challenges when it comes to effectively communicating and storing their critical information:

    • Board members do not typically have access to your company’s internal network, and therefore cannot access the information stored there.

    • Information shared with the Board is some of the most critically confidential information that your company needs to retain, making email an unattractive method of distribution.

    • Your Board members are busy individuals with their own daily responsibilities – and therefore, they want information to be easily accessible with little effort required to retrieve it.

    • Board members are often scattered geographically and therefore access to information needs to be available 24/7 from around the globe.

    Ease of access.  Security.  Available anywhere at any time.  Sound familiar?

    policyIQ meets the challenges faced by the Board of Directors by providing a secure, online portal that allows them to access information from around the globe at any time.  policyIQ clients have found that extending policyIQ to house the information important to their Board of Directors brings value to the highest levels of their organization – Board members are more informed and can easily share information in a secure environment.  Consider using policyIQ to house:

    • Board of Directors Meeting Minutes
    • Board Meeting Presentations
    • Vital Reports distributed to the Board

    Using policyIQ means that you can limit access to this information to only the Board members (and Site Administrators).  It is possible to track when your Board members viewed the files, and communicate when critical information is added or updated. 

    If you are interested in extending policyIQ to be a central information hub for your Board of Directors, please don’t hesitate to contact us for more information or assistance!

  • IASB proposals for pension accounting and financial liability changes

    The IASB recently issued two proposals that differ substantially from current practice and from US GAAP.  The first involves pension accounting, moving asset gains and losses to other comprehensive income.  The second changes the recognition of financial liability changes due to a company’s credit rating change.

    Check out this recent blog post by Resources Global Professionals' Colleen Cunningham for more insight.

  • FPIC Insurance Group, a "Most Trustworthy Company", talks about Corporate Governance

    In a blog post earlier this month, I talked about what exactly Governance, Risk and Compliance (GRC) really meant.  In that post, we put off the question of how to know if you were doing well at your GRC programs, and focused instead on how you might use policyIQ to be more efficient.

    Today I'd like to take a moment to tell you about a policyIQ client who is clearly doing it well.  Named to Forbes Magazine's 100 Most Trustworthy Companies for 2010 with an impressive score, FPIC Insurance Group is doing a lot of things right when it comes to corporate governance.  We asked their management team to share with us the philosophies that they follow when it comes to corporate governance.

    At FPIC Insurance Group, Inc., our vision is to be a consistently profitable, financially strong, and well-managed company that provides the best medical professional liability products and services to our customers and delivers long-term value to our shareholders. Our management team and Board of Directors are committed to achieving this vision for the benefit of our customers, employees and shareholders.

    Ethical behavior is required and expected of each of our officers, directors and employees. We have adopted a Code of Conduct and Ethics, which sets forth specific corporate policies governing the conduct of our business. These policies were developed and are intended to be applied in good faith with reasonable business judgment to enable us to achieve our operating and financial goals within the framework of the law and good business practices.

    Other important governance tools employed by us include:

    • appropriate internal controls over accounting and financial reporting as well as appropriate "disclosure controls" to ensure proper public reporting;
    • a robust internal audit program;
    • close cooperation with outside auditors;
    • an active Antifraud Policy and Program;
    • systematic employee training with respect to our policies and programs;
    • compliance officers responsible for the effectiveness of our policies and programs; and
    • most importantly, active involvement and oversight by the Audit and Governance Committees of our Board of Directors and by our Board as a whole.

    We continually review and enhance our corporate governance practices by benchmarking against accepted best practices and are pleased that on April 5, 2010, we were named by Forbes as one of "The 100 Most Trustworthy Companies" for having transparent and conservative accounting practices and prudent management.

     

    Congratulations to the entire team at FPIC Insurance Group for the great work they have done, and continue to do, in the area of corporate governance!

  • Information is power—control the information and you’ll control the world!

    Okay, we don’t really believe that policyIQ is the key to world domination, but it can certainly help your organization and associates to realize significant gains in efficiency!

    Did you know that you could give your employees, members, or even the general public read-only access to your content (the content that you specify) for free?!

    Sharing the Basics

    Is your organization still updating and distributing a hard copy of the company’s Employee Handbook? Save a significant amount of time and money by capturing your handbook electronically and then making it available company-wide—for free—using a Read Only access account. Your employees will always have access to the most up-to-date information and you will not have to incur the print and distribution costs!

    You don’t have to go company-wide

    Did you know that you could create as many Read Only access accounts as you’d like? If you’re wishing that you could share certain policies and procedures with a select group of people, rather than company-wide, your wish is our command! Create a Read Only access account just for your Accounting Department or create one just for your Executive Leadership Team or your Board of Directors.

    Oh, you want to go the other way and share with an even larger audience?

    Do you have content that you'd like to share with the general public via your company's website? Set the “Viewers” on a set of your content to a “Public” Group containing a Read Only access account for the general public and place the resulting Pass Thru link on your company’s website. This is similar to the way that some of your policyIQ non-profit peers share information with the public, as required by non-profit regulations.

    Here’s how to get it done:

    You might have to start by adding the appropriate Group to your Groups and Users structure. Remember, to restrict the viewing of your content, you have to select specific Groups to be “Viewers” on each Page. You can carry out this action of adjusting Viewers in bulk within the Create And Edit and in the Reports module.

    Next, set up a Free Read Only access account similar to the way that you add a new user to policyIQ:


    This Pass Thru link can be added as a Desktop Shortcut for simplified access for the Read Only group. To accomplish this, each of the Read Only users can perform the following steps: copy the Pass Thru URL from the Edit User window (pictured above), Right Click on your Desktop and select New > Shortcut, paste the link into the text field where the blinking cursor appears, click Next and enter a name for the Shortcut, then click Finish. You might also suggest that your IT department include such a Desktop Shortcut on every workstation that they prepare for new employees.

    Go Home. Go directly Home, do not pass the Login Screen.

    Users with access to this Pass Thru link will be able to bypass the login screen and go directly to the Home screen of your policyIQ site. They will only see the content that you have made “viewable” by the Read Only account’s Group(s).

    Note that you can provide specialized guidance to your Read Only users by changing the message that appears within the large pane of the policyIQ Home screen normally occupied by the Dashboard for Standard and Advanced Users. To customize this message and, perhaps, direct Read Only users on where to locate their content, go to Setup > System Setup > Site Style and Edit the Read Only Alert Text.

    Let us upload your content for free!

    One in three policyIQ clients still have not taken advantage of free Read-Only access. Are you among them? If you have any questions or would like some more guidance on meeting your organization’s specific needs, contact us and we’ll help you to begin benefiting from this feature almost immediately.

    No time to populate policyIQ with the content that you wish to share company-wide via free Read Only Access Accounts? Let us help you. Send us policies from your Employee Handbook or procedures commonly performed by a large audience and we'll add them to your site and set up a Read Only access account--all at no additional charge! Contact support@policyIQ.com for more information or to take advantage of this offer.


  • 8 Years Later, Policy Management Hasn't Changed

    Do you remember what you were doing in June of 2002? A new TV show called American Idol premiered.  There were reports of “alleged” fraud at Worldcom. We hadn’t invaded Iraq yet, and it would be 6 more years before the first iPhone was released.  Think about how much the world has changed since then.

    What hasn’t changed are the simple recommendations for Effective Policy Management made in the whitepaper that was released that month, and soon after would be published in the Journal of Accountancy.  The whitepaper – subsequently updated in 2004 to incorporate Sarbanes-Oxley – describes a set of 10 simple activities to better manage your policies, procedures and controls as a continuous cycle.  Some of the steps include:

    • Organizing your content logically
    • Communicating updates on a timely basis
    • Encouraging employee feedback
    • Forcing periodic review to make sure content wasn’t outdated

    Each step in the whitepaper includes descriptions and examples or guidance.

    The process worked 8 years ago, it works today, and it will work 8 years from now. 

    It is important to remember that technology will only provide a company with the capabilities to properly manage their information – systems can’t write the policies for you, they can’t update the policies when they should change, and they can’t read the policies for your employees.  Effective Policy Management is certainly easier to do with a solution like policyIQ, but it still requires a commitment to the process to ultimately be successful.   

  • Wrap up: policyIQ for Operational Audits

    Thank you to those who joined us for our April 29th policyIQ solution-focused session, “Internal Audit (Beyond SOX)”, which focused on developing and implementing a successful Operational Audit program. Special thanks to David Doney, Vice President of Internal Audit at Sirva, Inc., who delivered a well-rounded presentation on Operational Audit best practices from his experience. If you were not able to attend the session, we’ll try to re-present the highlights and direct you to related materials here.

    If you’d like to gather more information and guidance on your Operational Audit program development, please contact us and we’ll help to connect you with the policyIQ or Resources representative to help you on your way!


    Review the “Internal Audit (Beyond SOX)” Session On-Demand

    We have made the recording of the session available for you to review at your leisure (note that we cannot award CPE credit for reviewing the recording). Visit our training page to see this and other solution-focused sessions or click here to launch the webinar immediately.


    Recap of our Operational Audits session and related materials:

    What is an Operational Audit?

    • Focus on operational objectives (delivering value to customers)
      • Customer Service
      • Quality
      • Effectiveness
      • Efficiency / Productivity
      • Safeguarding of Assets
    • Not financial reporting accuracy or Legal / Regulatory compliance; may overlap
    • Tailoring to business-specific risks is necessary; there is no generic audit approach


    Operational Audit Sequence: (notice the familiar Top-down Risk-based Approach)


    Operational Audit Solution pages in Help

    We have added an Operational Audit chapter to the online policyIQ Help guide with guidance to help you get started with your implementation. In addition to the slides presented in the training session, you will find definitions and guidance on the process of developing your program as well as detailed examples of Templates, Folders, Groups and Reports within Help. To launch directly to the Operational Audit section within Help, you may click on the image below.


    Practice, Practice, Practice

    Do you have access to the policyIQ Practice site? We have a generic “play place” for you to create sample content, forms, reports and to experience the process of moving content through the workflow. We will be adding our Operational Audit examples to the Practice Site this week. If you would like access to the Practice site, send us an email to let us know and we’ll get you set up! Keep in mind that we will “refresh” this Practice site periodically—so any content that you create in the site will not be saved.


    Attendees’ Chat Questions and our Responses

    There were a handful of questions “chatted” in to our co-presenter, David Doney. We have compiled the questions and answers (some that we did not have time to share during the session) below:

    Q: Do you typically perform the Operational and financial reporting tests at the same time?  Do you perform a lot of continuous audit routines?

    A: (David, Paraphrasing) At Sirva, they work on those distinctly - because the objectives of the audit are very different.  However, David does acknowledge that for some organizations it may make sense to do some of that together.  (For example, if your organization has many locations and you have to test at a lot of locations, it might make sense to have the testing happen at the same time.)
    Regarding “continuous auditing” – David acknowledged that there is a lot of discussion in the discipline regarding exactly what is meant by “continuous auditing”. Sirva does perform account reconciliations in policyIQ with the ability to report at any time and to know if people are compliant.  This is the closest thing David has experienced to “continuous auditing”.


    Q: Time-savings - how has policyIQ saved you time in Operational Audits?

    A: (David, Paraphrasing) While it might take a bit more time up front to set up, the savings comes in when you can easily access the information - through reporting.  If you keep the information up to date with bi-annual updates, you don't have to go through the same difficult process of gathering the information each year.


    Q: How does aging and reporting of open items (deficiencies) occur?

    A: (David) We have an "Audit Report Date" field in the deficiency template that is "day zero."  We age from the date the final report was issued. We can then use the current date to age each item in Excel. We also have a "Status" field for each deficiency that indicates open, implemented or remediated.  Twice per year we run reports in policyIQ that we extract to Excel that give us all the necessary inputs to generate the graphs I showed in the presentation.  You need both the prior period and current period reports to complete the graphs on status, as you have essentially two snapshots and must back into the differences.  It takes one person about two days to generate this reporting, do the aging in Excel, and prepare the graphs for the audit committee.


    Q: I just wanted to confirm that it's still not possible to export this view to Excel (the grid view of the Detail Link report)?

    A: No, it is not currently possible to export the grid view of the Detail Link report.  However, you can export the Detail Link report results from the table view into Excel.  The data is the same, but the format or layout is a bit different.


    Q: David mentioned that first year implementation is time consuming.  If one assumes that planning, systems documentation update takes approximately 25% of total project time.  How much additional implementation time would be needed (e.g., twice as much, more???)?  How much training is needed to get staff up to speed?

    A: Answer directly from David -

    a) Training: I think 12 hours of formal PIQ training for staff is appropriate.  Eight hours should focus on completing the pages (building content), tailored to the template structure you want to use. I suggest building the templates and instruction guides for the fields first (management team working with PIQ consultant) so you can teach staff to add content in the format you prefer during the training class.
     Reporting is more complex and would require another four hours. Not everyone needs to know how to create reports from scratch, just how to run the various key reports with slight modifications. That should be the focus of the four hours of report training for staff...modifying the key canned reports like control matrices to the process they are working on or running deficiency reports. You should have a designated admin who invests say a couple of days shadowing the PIQ consultant and creates the canned reports your department will use as templates with the PIQ consultant looking over their shoulder.

    b) Daily audit time:  This depends on how much additional data you want to capture in PIQ versus what you captured manually or in another tool. I would say planning for each process takes about 20% longer in the first year than it normally would, to populate the additional information.  So if you budgeted 100 hours of planning time for a new project in the past, budget 120 hours during the first year to document that process in PIQ.  You will save time in workpaper review, status reporting, handoffs among auditors, etc. immediately, but planning time will go up.  On the second audit of the same scope, you can just send the control matrix to the client for an update, so planning time is minimal.

    Additional example from policyIQ Account Manager: In a specific Operational Audit example from this year, the client spent one week planning with their Account Manager and discussing the ideal configuration for their Programs, Scope Areas, Locations, Processes, etc. In week two, the client worked through the remainder of the project plan with guidance from the policyIQ Account Manager: set up Templates and Folders in policyIQ, prepared Excel templates for importing content (populating policyIQ Pages), and reviewed relevant reports. In the following week, the client point of contact walked auditors through the policyIQ process (this client had been previously using policyIQ for Internal Audit and was expanding to Operational Audits, so internal training required was minimal).


    We can help you to get on the right track!

    Let us know if you have questions that we have not yet addressed—and tell us how we can support you to move forward with your Operational Audit implementation. We will absolutely respond to all inquiries and will provide you with, or direct you to, the necessary resources.

  • Governance, Risk and Compliance: We have an app for that.

    Over the past few years, we've all been hearing a lot about "GRC", or "Governance, Risk and Compliance".  Products are marketed as GRC Solutions and organizations are advised to implement strong GRC programs.  GRC seems to be all the rage lately.  But what is GRC?

    What is GRC?

    First let me state for the record that I do not consider myself an expert in anything.  I am not an industry analyst or a compliance consultant.  However, as a policyIQ Product Director what I AM is a person who has spent a large amount of time listening to clients talk about the challenges in their organizations.  I've helped countless organizations use technology (specifically policyIQ) to better manage their documentation - from policies and procedures to Sarbanes-Oxley compliance to account reconciliation tracking.

    In my experience, it is all related to GRC.

    What are the components of GRC?

    Let's talk for a moment about each of the components of GRC individually.

    Governance is all about how your organization is driven to be an ethical and responsible company (or not) - established first and foremost by the "tone at the top", and formally documented in your corporate policies and procedures.  Legal regulations certainly play a part in how the organization defines "ethical", but every organization has its own culture, which can be partly defined by the policies put in place to govern it.

    Risk Management is just that - identifying and managing the risks to the organization's success.  Risk management isn't just about defining the risks, though, but also determining the organizational appetite for risk.  Will we shy away from risky ventures or seek out high payoff / high risk opportunities?  Risk Management is about making good decisions based on the risk appetite of the corporation.

    Compliance means making sure that at the end of the day, your employees are following the guidelines established.  This might mean regulatory or legal compliance - such as Sarbanes-Oxley or Payment Card Industry Data Security Standards (PCI DSS).  It also means compliance with those corporate policies - such as your internal Code of Conduct that dictates appropriate workplace behavior.

    Does all of this sound familiar?  Of course.  Every organization is doing some degree of GRC management.  The question is - are you doing it well and efficiently?

    So is policyIQ a GRC solution?

    policyIQ is a solution for GRC - policyIQ is not a GRC-specific solution.  Clear as mud?   Here is another answer: most of our clients are using policyIQ to manage their Governance, Risk and Compliance initiatives, but policyIQ wasn't designed any more as a solution for GRC than it was designed as a solution for SOX, or policies and procedures, or internal audit workpapers, or contract management, or any number of other uses for which our clients are successfully leveraging policyIQ.   In an industry analyst's list of GRC vendors we might not be listed; that is their loss, considering the number of companies successfully using policyIQ for those needs. 

    Take advantage of ALL that policyIQ has to offer

    Earlier I said that the question really is whether or not you are managing your GRC program well and efficiently.  Whether you are doing it well is a question for another time.  Whether you are doing it efficiently... well, that's something that I might be able to help you with.

    If you are already using policyIQ for some aspect of your GRC program, such as Corporate Policies or Sarbanes-Oxley compliance, why not expand your usage to encompass more?  For example:

    • Document regulations that apply to your organization and link those to the Policies that you have in place to meet those regulations. (Better yet, use Web Link objects where possible to link to the information on the regulatory website, so that the most current text is always accessible!) When updating a policy, you will be reminded to review the regulation to confirm that your changes are still in line with the regulation. Reporting on those linked relationships will highlight any regulations that might not have related policies documented.

    • Build out policyIQ to encompass more areas of compliance management. If you are a retail organization using policyIQ for SOX, have you considered adding PCI DSS compliance to the application? Some controls may overlap - and by documenting everything in one place, you can identify those overlaps and streamline your testing!

    • If you are using policyIQ to manage your policies, are you utilizing Forms to capture the annual sign-offs from employees confirming their ongoing compliance with those policies? If you aren't yet managing your policies and procedures in policyIQ, consider the version control and compliance capabilities that the tool offers.

    • Implement policyIQ to track your ERM program. Last month we presented a live training session (now available as a recording) that outlined how policyIQ can be used not only to capture your Risks and Capabilities as an ERM documentation repository, but how you can create a fully interactive and sustainable assessment tool for both Risks and Capabilities by using policyIQ forms.

    Want to talk more about how policyIQ can add efficiencies in your organization and pull together your Governance, Risk and Compliance initiatives?  Call your account manager or email our support team and we'd be happy to give you some ideas.

© 2011 Resources Global Professionals