How organizations across industries create and manage policies

MetricStream evaluated 260+ organizations across 15 industries to understand the ways in which organizations create, manage, and communicate policies, the challenges they face, and the types of tools and technologies used to support policy management.

A recent surge in corporate governance scandals—including sexual harassment and money laundering allegations at various companies—underscore the importance of robust policy management programs to keep errant behaviors in check. Many organizations have written policies in place, but much more is required to ensure that those policies are adhered to across the enterprise.

To build a pervasive culture of ethics and risk-intelligent behavior, organizations need to ensure that their policies are communicated effectively, and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations need to be tracked on an ongoing basis and addressed proactively.

Against this backdrop, MetricStream Research surveyed organizations across five key areas: policy management challenges, policy management program structure, policy communication and training, managing policy exceptions, and the technology used to manage policies.

Key findings from this research include:

• The majority of organizations (55%) are unaware of policy violations that may have occurred.
• While only 24% of organizations use policy management software, the benefits are significant.
• 80% of organizations using policy management software on a GRC platform take less than 3 months to author and publish policies, compared to only 55% of organizations using pure-play policy management software.
• 42% of organizations that require employees to attest to certain policies encountered less than 50 policy violations.
• 59% of organizations that have mapped their policies to risks and compliance requirements do not consider it challenging to update polices as regulations evolve.
• The majority of organizations that use standardized policy templates (62%) take less than a quarter to develop and roll out a new policy.

Percentage of policies updated in the last year

“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” remarked French Caldwell, Chief Evangelist, MetricStream. He continued, “Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programs, or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimize compliance violations.”