This is part 2 of a series about various GRC scenarios for leveraging surveys. Let’s have a look at how surveys can be applied to policy certifications!
Companies need a way to document employee certifications of policies for their compliance monitoring program to provide governance. Policies are stored on the intranet—but the intranet is not designed to track policy compliance with an audit trail. It can be a nightmare trying to distribute the surveys globally to verify policy certification.
Essentially, the compliance team has difficulty tracking: 1) who read the policy; 2) how frequently it has been read; 3) whether employees or vendors understand the policy; 4) reporting on results; and 5) identifying and responding to exceptions. What good is a policy if no one knows or understands it?
Why herding cats may be easier than manual policy certification…
Compliance teams currently turn to a number of approaches in trying to solve these challenges:
- Individually email everyone to request written confirmation that they have read and understand the policy.
Downside: This is time-intensive and complex to track if the respondent size is greater than 25 people and you work in a multi-office or global corporation.
- You can ask the manager of each respective team to provide verification.
Downside: Asking other people, who do not see the risk in the same way as you do, is often unfruitful.
- You can leverage a learning management system to track readership and provide a report.
Downside: It’s completely disjointed from your compliance management software, and needs to be policed by running reports and manually tracking down non-compliant departments, managers and employees.
None of these methods provide automation, traceability and workflow all in one. Yet, compliance teams need to be able to gain immediate insight into who has read an updated policy. They need to capture a full audit trail of policy acceptance and adoption, while identifying and responding to exceptions—all in a timely manner.
How to herd policy certifications using technology
To create effective compliance monitoring with a full evidence trail for regulators, compliance teams can leverage automated policy certification software, such as ACL GRC, to automate the policy certification process. The software allows the team to build the process with customizable questions; periodic chaser emails to prompt users and assist with supervision; automated trigger notifications to escalate high-risk issues; and real-time tracking and reporting of results to identify and respond to exceptions. All this is documented electronically to provide a highly auditable trail for regulators to protect your organization.
A Code of Conduct example: Conflict of Interest disclosure with the help of surveys
Let’s illustrate automated policy certification with an example. Let’s say you require employees (or vendors doing business with your corporation or government entity) to submit a Conflict of Interest (COI) Disclosure annually as part of your Code of Conduct (CoC) policy. Using ACL GRC compliance management software, each employee can be emailed a copy of the policy along with a survey form, and their responses can be tracked within the system. The survey can be set up in three easy steps:
- Set up your employee contact list in ACL GRC Results Manager.
- Design your survey and include a hyperlink to the respective COI policy on your intranet. Add free-text or multiple-choice questions, and allow attachments.
- Deploy the survey to your employee contact list.
Sample Conflict of Interest employee survey
The fun part: Setting up automation
Now, with your survey all set up, comes the fun part where you can set up automation to give you the efficiency and effectiveness that compliance teams crave. You can now create different types of automated trigger notifications, such as:
- Notify supervisor if the survey has been left idle for X number of days
- Resend the survey request to the employee if the survey has been left idle for X number of days
- Escalate a conflict of interest to the compliance analyst for low risk exceptions
- Escalate a conflict of interest to the Director of Compliance for high risk exceptions
- If a response requires further details, trigger a follow-up survey. For example, if the employee has indicated they or a family member is seeking to do business with your corporation, send a follow-up survey about the nature of the business.
- Assign supervisors to policy infractions for immediate remediation
- And much more!
Policy certifications can be automated, managed, and tracked to create a full audit trail for regulators, thereby creating efficiency and effectiveness for compliance teams.
There are so many ways to leverage surveys. Stay tuned for our next blog entry to learn how structured data can be collated with unstructured data!