
Corporate Integrity, LLC: Policy Management Page 1 of 8

Corporate Integrity, LLC


Phone +1.888.365.4560
info@corp-integrity.com


Showing posts with label Policy Management.

SUNDAY, FEBRUARY 14, 2010

Defining a Policy Management Lifecycle


MICHAEL RASMUSSEN

Most organizations fail to manage the lifecycle of policies. This results in policies that are out of date, ineffective, and not aligned
to business needs. It further opens the door to liability, as an organization may be held accountable for the policies it has in place
that are not appropriate or that it does not comply with.

Effective policy management starts with a lifecycle approach to managing policies. This is the process of managing and
maintaining policies throughout their effective use within the organization. This lifecycle is defined in four primary phases:

1. Creation
2. Communication
3. Management
4. Maintenance

Each of these primary phases has several sub-phases.

1 - Creation. The lifecycle of policy management starts with the Creation phase, which includes the following sub-phases:

• Need. It is at this beginning that the need for a policy is determined. It may be a regulatory requirement, values/ethics of
the corporation, a business partner requirement, best/industry practice, awareness of potential liability, or a host of other
reasons that brings the organization to the point of determining that a new policy needs to be established. An organization
needs an active risk and regulatory intelligence process to identify when a policy needs to be created.

• Ownership. The next step in the Creation phase is to assign a policy owner. Every policy in the organization should have
an individual or business role that is the owner of the policy. Even if the policy is applied across the entire organization,
such as with the Code of Conduct, it is necessary that someone be established as the owner of the policy to oversee its
implementation and monitoring within the environment.

• Writing. Once an owner is established, the next part of the Creation phase is writing the policy. The policy should be
written in a consistent style, format, and language with all other policies in the organization. Policies are to be clear and
easily understood by the intended audience.

• Approval. Once the initial draft of the policy is written, it moves into the approval process of the Creation phase. The
owner sends the draft policy to the identified stakeholders who need to approve the policy before it goes to publication.
Some stakeholders may be in the approval stage for every policy written (e.g., human resources, legal). Other
stakeholders are approvers because the subject matter touches on their area of the business and they are needed as a
subject matter/process expert.

The Creation phase is iterative, as the approvers may send the policy back requiring changes before it is approved and everyone
comes to agreement that it is the right policy for the corporation.

2 - Communication. After the Creation phase comes the Communication phase. Communication involves the sub-phases of:

• Publication. After approval, the policy then needs to be published. Publication can be in printed policy manuals or on
Intranet sites. Unfortunately, many organizations have scattered systems to publish policies and procedures without a
single authoritative source. This often complicates the management of policies. Multiple publication places add to the
number of policies that become out of date. Best practice is to have a single policy publication engine in which any
individual within the environment can log in and see all of the policies that apply to his/her specific job role in the
organization.

• Training. We live in the day of YouTube. It is no longer good enough to have just published a policy. Organizations have to
actively show that individuals understand the policy and what is required of them. This requires that certain policies have
associated training in either online or classroom formats to validate that they understand the policy(s). Surveys and testing are
an integral part of training to validate that individuals understand policies.

• Attestation. Once an individual has read a policy, and taken any associated training, it is next necessary to track their
attestation to the policy - that they will adhere to it. Some policies, such as the Code of Conduct, by their nature require
specific attestation on a regular basis (e.g., annual). Other policies may be grouped together in an attestation, while for
some policies it may be determined that no specific attestation is needed.


3 - Management. After a policy is communicated it enters the ongoing Management phase. The Management phase of the policy
lifecycle contains:

• Enforcement. The policy is monitored for compliance within the organization. Specific controls that the policy authorizes
are established and monitored to determine if the policy is being complied with. Incidents of non-compliance and policy
violation are noted to provide feedback when the policy is next reviewed.

• Exception management. While policies are to be complied with, there are instances that arise in which the organization
accepts non-compliance. These exceptions have to be documented and managed. An exception is granted for a specific
time period and is to be reviewed to validate that the exception is still needed.

http://corp-integrity.blogspot.com/search/label/Policy%20Management 25/02/2010


4 - Maintenance. The final phase of the policy lifecycle is maintenance. The maintenance phase includes:

• Review. Every policy is to have a regular review cycle. The review of a policy should be done at least annually. It is during
the review process that the policy owner looks at the incidents of non-compliance and exceptions granted alongside the
business requirements driving the policy. It is in this process that the policy is either authorized as is for another
management cycle, goes back into the Creation phase to update and approve the policy, or is archived for retention. The
updated policy then moves into the Communication phase.

• Archival. Every policy, and every version of a policy, is to be archived for referral at a later point in time. When an organization
becomes aware of an incident or a regulator has a question it is necessary to have a full view into the history of a policy -
the owner, who read it, who was trained, who attested, and on what version of the policy.
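The four phases above map onto a small state machine, and the Archival requirement (who attested, on what version) comes down to which records a policy system keeps and never discards. The following Python is an added illustration for this page, not the post's or any GRC vendor's code; the policy name, stakeholder roles, dates and people are all constructed. It refuses to publish a version before every required approver has signed off, refuses attestations against an unpublished version, archives rather than deletes a superseded version, time-boxes exceptions, and answers the audit questions the Review and Archival steps call for.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Allowed transitions for one policy version; anything else is rejected, so a
# version cannot be published before approval or attested to before publication.
TRANSITIONS = {
    "draft": {"in_review"},              # written and sent to approvers
    "in_review": {"draft", "approved"},  # approvers may send it back
    "approved": {"published"},
    "published": {"archived"},           # superseded or retired, never deleted
    "archived": set(),
}

@dataclass
class Version:
    number: int
    text: str
    state: str = "draft"
    approvals: set = field(default_factory=set)

@dataclass
class Policy:
    name: str
    owner: str                     # every policy has a named owner
    required_approvers: frozenset  # stakeholders who sign off every version
    review_every_days: int = 365
    versions: list = field(default_factory=list)
    attestations: list = field(default_factory=list)  # (user, version, date)
    exceptions: list = field(default_factory=list)    # (who, reason, expires)
    last_reviewed: date = None

    def current(self):
        return self.versions[-1]

    def new_draft(self, text):
        self.versions.append(Version(len(self.versions) + 1, text))

    def move(self, new_state):
        v = self.current()
        if new_state not in TRANSITIONS[v.state]:
            raise ValueError(f"{self.name} v{v.number}: {v.state} -> {new_state} not allowed")
        v.state = new_state

    def approve(self, approver):
        v = self.current()
        if v.state != "in_review":
            raise ValueError("only a version in review can be approved")
        v.approvals.add(approver)
        if self.required_approvers <= v.approvals:  # every required sign-off is in
            self.move("approved")

    def publish(self, today):
        self.move("published")                      # raises unless approved
        for old in self.versions[:-1]:
            if old.state == "published":
                old.state = "archived"              # retain the superseded version
        self.last_reviewed = today

    def attest(self, user, today):
        if self.current().state != "published":
            raise ValueError("cannot attest to an unpublished policy")
        self.attestations.append((user, self.current().number, today))

    def stale_attestations(self):
        # Users whose latest attestation is to a superseded version.
        latest = {}
        for user, num, _ in self.attestations:
            latest[user] = max(latest.get(user, 0), num)
        return sorted(u for u, n in latest.items() if n != self.current().number)

    def grant_exception(self, who, reason, today, days):
        self.exceptions.append((who, reason, today + timedelta(days=days)))

    def expired_exceptions(self, today):
        return [who for who, _, expires in self.exceptions if expires < today]

    def review_due(self, today):
        return (self.current().state == "published"
                and (today - self.last_reviewed).days >= self.review_every_days)

    def history(self):
        # Archival view: every version, its state, and who attested to it.
        return [(v.number, v.state, sorted({u for u, n, _ in self.attestations if n == v.number}))
                for v in self.versions]

def demo():
    # Constructed walk-through: one Code of Conduct over two annual cycles.
    d0 = date(2010, 2, 14)
    p = Policy("Code of Conduct", "chief.compliance", frozenset({"legal", "hr"}))
    p.new_draft("v1: be honest"); p.move("in_review"); p.approve("legal")
    try:
        p.publish(d0); blocked = False              # HR has not approved yet
    except ValueError:
        blocked = True
    p.approve("hr"); p.publish(d0)
    p.attest("alice", d0); p.attest("bob", d0)
    p.grant_exception("bob", "legacy system cannot comply yet", d0, days=90)
    d1 = d0 + timedelta(days=365)
    due = p.review_due(d1)                          # annual review comes around
    p.new_draft("v2: be honest and report concerns")
    p.move("in_review"); p.approve("legal"); p.approve("hr"); p.publish(d1)
    p.attest("alice", d1)                           # bob never re-attests to v2
    return {"early_publish_blocked": blocked, "review_due_at_one_year": due,
            "stale": p.stale_attestations(), "expired_exceptions": p.expired_exceptions(d1),
            "history": p.history()}
```

Calling demo() runs the two cycles; the outputs a policy owner acts on at review time are the people whose attestation is against a superseded version and the exceptions past their review date, and history() is the record a regulator's question would be answered from.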
This provides a quick summary view of the policy lifecycle. Over the next several weeks we will dive into specific portions of the
lifecycle, including:

• What is the right number of policies?
• Establishing policy ownership and accountability
• Providing consistency in policies through consistent style and language
• Communicating policies across extended business relationships
• Tracking policy attestation and delivering effective training
• Managing policy incidents and exceptions
• Monitoring metrics to establish effectiveness and/or issues with policies
• Relating policy management to risk, issue/case, and other GRC areas
• Using technology to manage and communicate policies

Previous blogs on this topic are:

• Corporate Policies in Disarray and Chaos
• Policies, Done Right, Articulate Culture
• Defining a policy management lifecycle

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective
Policy Management and Communication.
Posted by Corporate Integrity at 10:13 PM | 10 comments

Labels: Compliance, Policies, Policy Management

WEDNESDAY, FEBRUARY 10, 2010

Policies, Done Right, Articulate Culture

We now turn our attention back to my series on Effective Policy Management & Communication.

In the previous posting we looked at the disarray and chaos of how policies are managed, maintained, and communicated within
organizations. Often inconsistent, poorly written, out of date, developed with no style guide, and
ineffectively managed and communicated - corporate policy management in most organizations is a mess. Now we will turn from
our flogging of the corporate policy mess to constructively developing an effective policy management process.

The first point to clearly understand - policies, done right, articulate the corporate culture.

Unfortunately, most organizations have not connected the world of policies to how they influence and establish corporate culture.
Granted - corporate culture is there with or without policies. However, without policies there are no written standards as to what
is acceptable and unacceptable conduct. Culture is allowed to morph and change without policies. The organization can quickly
become something it never intended.

Policies provide a definition of the boundaries of the organization. At the highest level it starts with the Code of Conduct
laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level,
down into the business unit, then department, and to individual business processes. Policies are supported by procedures. Both
policies and procedures at the statement level establish and authorize controls by which the organization is closely managed and
monitored.

Policies articulate the culture of compliance. They define what is acceptable and unacceptable. This starts at the ‘Mandated
Boundary’ level of communicating what is right or wrong legally and how the organization will stay within legal boundaries within
the various jurisdictions that it operates in. Policies then extend to the ‘Voluntary Boundary’ level to articulate what is acceptable
and unacceptable when it comes to matters of discretion - ethics, values, code of conduct, corporate social responsibility, and
other areas. Both the mandated and voluntary boundaries are written into policies so that individuals within the organization and
its relationships know what is acceptable and unacceptable. It should not be open to broad discretion and interpretation.

Policies articulate the culture of risk. Every organization takes risk; it is part of business. Without clearly written guidance as to
what is acceptable and unacceptable risk the organization is like a ship without a rudder. Policies provide clear guidance on what
is acceptable and unacceptable risk, define risk acceptance and tolerance levels, and establish who owns and manages risk.

Please do not misunderstand me - policies are not a magic answer to culture, governance, risk, and/or compliance. Not at all. An
organization can have a wide array of policies that are not adhered to and end up in very hot water. Policies ARE a way to clearly
define, articulate, and communicate what the boundaries, practices, and expectations of the organization are. While you can have
a horrible culture with policies, you cannot have a strong and established culture without them. The right policies are necessary to
define and communicate what the organization is about.

Culture itself is broader than policies - policies are the vehicle that communicates and defines culture so that culture does not
morph out of control. This requires that policies be adhered to, exceptions closely managed, and violations dealt with.

Over the next several weeks we will continue to look at Effective Policy Management and Communication. We will specifically
explore:


• What is the right number of policies?
• Defining a process lifecycle for managing policies
• Establishing policy ownership and accountability
• Providing consistency in policies through consistent style and language
• Communicating policies across extended business relationships
• Tracking policy attestation and delivering effective training
• Monitoring metrics to establish effectiveness and/or issues with policies
• Relating policy management to risk, issue/case, and other GRC areas
• Using technology to manage and communicate policies

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective
Policy Management and Communication.

Posted by Corporate Integrity at 7:29 PM | 10 comments

Labels: Compliance, Governance, Policies, Policy Management, Risk
WEDNESDAY, JANUARY 20, 2010
Corporate Policies in Disarray and Chaos

Policies are a critical component of a GRC strategy – but often the most overlooked or neglected component. It amazes me the
number of companies I go into that have complete disarray and chaos in their approach to managing corporate policies and
procedures.

Simply put – organizations cannot ignore policy management. Consider that:

• Policies establish the culture, values, ethics, and tone of the organization.
• Policies establish boundaries for risk taking.
• Policies define how the organization complies with regulations and requirements.

Mismanagement of policies and procedures can introduce liability to the organization as a policy or procedure can establish a duty
of care. Improper policy management can be used by regulators, prosecuting/plaintiff attorneys, and others to place culpability
on an organization.

The typical organization suffers with ineffective policies, management, and communication. The typical organization has:

• Policies scattered across dozens of places. The typical organization has numerous portals and binders in which policies
are published. There is no single authoritative source where all policies and procedures are consolidated, maintained, and
managed. There is no place where an individual can see all the policies that apply to their specific role in the
organization.
• Policies bound by paper. The typical organization still suffers with having numerous printed policy manuals and has not
fully embraced online publishing and access to policies and procedures.
• Policies grossly out of date. The typical organization has policies that are published at some point in time and not
reviewed on a regular basis. In fact, I regularly encounter organizations that have policies that have not been reviewed in
years for applicability, appropriateness, and effectiveness.
• Policies that lack an owner. The typical organization has numerous policies and procedures that lack an owner who is
responsible for managing them and keeping them current.
• Policies that lack any lifecycle management. The typical organization has an ad hoc approach to writing, approving, and
maintaining policies with no defined system for managing the workflow, tasks, versions, and approval process.
• Policies that do not map to exceptions or incidents. The typical organization finds that it has no established system to
document and manage exceptions to policies. Further, there is no system to map incidents, issues, and
investigations to policies – such a mapping helps to understand where policies are breaking down and need to be addressed.
• Policies that lack adherence to a consistent style guide. The typical organization has policies scattered across the
organization with no thought to the consistency, style, and template with which they are written. The language and format
of policies vary significantly within the organization's policies and procedures.

These issues are further compounded when organizations approach technology for policy management in an ad hoc manner and
begin publishing policies through various content management systems (e.g., SharePoint sites) with no process to
consolidate, manage, and keep policies consistent.

In summary, organizations are in complete disarray in managing corporate policies and procedures - policies are outdated,
scattered across parts of the business, and not managed consistently. The recent trend in legislation and regulatory guidance is to
demonstrate training and not just attestation. Policies establish the culture, values, ethics, and duties of the corporation and its
agents. Organizations that take an ad hoc approach to managing and communicating policies face significant risk to their business.

When the organization is under the microscope – having a detailed trail of what policy was in effect, how it was communicated,
who read it, who was trained on it, who attested to it, what exceptions were granted, and what incidents violated the policy
can all provide grounds for defending the organization. An ad hoc ‘dust in the wind’ approach to policy management may very
well expose the organization to significant liability.

To consistently manage and communicate policies organizations are turning toward defined processes, workflow, and technologies
to manage the lifecycle of policies. The policy management lifecycle involves several stages from definition, approval,
communication, awareness, training, attestation, maintenance, and archiving. This is supported by a technology infrastructure to
manage the content and process of policy management.

In the generation of Web 2.0 and YouTube it is no longer enough to simply make policies available, organizations need to deliver
training and establish that individuals understand policies and procedures. Delivering interactive policy training modules has
become just as important as presenting a written policy and tracking attestations.

Over the next several weeks we will look at Effective Policy Management and Communication. We will specifically explore:

• Defining a process lifecycle for managing policies
• Establishing policy ownership and accountability
• Providing consistency in policies through consistent style and language
• Communicating policies across extended business relationships
• Tracking policy attestation and delivering effective training
• Monitoring metrics to establish effectiveness and/or issues with policies
• Relating policy management to risk, issue/case, and other GRC areas
• Using technology to manage and communicate policies

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective
Policy Management and Communication.

I would love to hear your thoughts, experiences, and approaches to effective policy management.

Posted by Corporate Integrity at 8:36 PM | 27 comments

Labels: Compliance, GRC, Policy Management

TUESDAY, JANUARY 12, 2010

Upcoming GRC Events & Training

2010 GRC DRIVERS, TRENDS, & MARKET DIRECTIONS

• Do you know where your GRC strategy is going in 2010 . . .

Today’s complex and competitive GRC market demands that you be at the top of your game. This requires a detailed
understanding of what GRC is all about, its drivers and trends, what the specific issues and needs are, and how to network with
others.

Corporate Integrity offers the 2010 GRC Drivers, Trends, & Market Directions course as a workshop to train individuals on
current drivers and trends in GRC, and to lay out the GRC EcoSystem of technology providers, professional service firms,
knowledge providers, and non-profit organizations/associations. The technology end of this is detailed in Corporate
Integrity's GRC Reference Architecture. Through this workshop, attendees will gain an understanding of the roles of GRC,
the interactions of GRC personnel, the drivers and trends in the market, and the market landscape of products and
services.

ONLINE WORKSHOP: 2010 GRC Drivers, Trends, & Market Directions

Thursday, January 14, 2010 from 11:00 AM - 1:00 PM (CT)

OCEG GRC FUNDAMENTALS, STRATEGY, & TECH BOOTCAMPS

Join Corporate Integrity, LLC, one of the contributors to the OCEG Red Book 2.0, in a three-day basic training exercise in
GRC Fundamentals, Strategy, and Technology.

Attendees will receive value in understanding GRC and defining a GRC strategy that aligns to OCEG’s Red Book 2.0. This
bootcamp is authorized and endorsed by OCEG.

The objective of this bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently
design a GRC program. Attendees will learn about defining a GRC Strategy through lectures and practical group
interaction, discussions, and exercises.

Others, such as technology providers and professional service firms, also benefit from understanding the issues and
approaches to GRC challenges that organizations across industries are grappling with.

Registration for San Jose closes this week.

OCEG BOOTCAMP San Jose: GRC Fundamentals, Strategy, & Technology

Wednesday, January 27, 2010 at 8:00 AM - Friday, January 29, 2010 at 5:00 PM (ET) San Jose, CA | Hotel Valencia Santana Row

OCEG BOOTCAMP Atlanta: GRC Fundamentals, Strategy, & Technology

Wednesday, February 17, 2010 at 8:00 AM - Friday, February 19, 2010 at 5:00 PM (ET) Atlanta, GA | TWELVE Atlantic Station

OCEG BOOTCAMP Chicago: GRC Fundamentals, Strategy, & Technology

Wednesday, April 21, 2010 at 8:00 AM - Friday, April 23, 2010 at 5:00 AM (CT) Chicago, IL | The Ambassador East Hotel

EFFECTIVE POLICY MANAGEMENT & COMMUNICATION


To consistently manage and communicate policies organizations are turning toward defined processes, workflow, and
technologies to manage the life cycle of policies. The policy management life cycle involves several stages from
definition, approval, communication, awareness, training, attestation, maintenance, and archiving. This is supported by a
technology infrastructure to manage the content and process of policy management.

In the generation of Web 2.0 and YouTube it is no longer enough to simply make policies available, organizations need to
deliver training and establish that individuals understand policies and procedures. Delivering interactive policy training
modules has become just as important as presenting a written policy and tracking attestations.

WORKSHOP: Effective Policy Management & Communication

Wednesday, February 24, 2010 from 8:00 AM - 5:00 AM (CT) Delafield, WI | The Delafield Hotel


DEVELOPING A RISK ASSESSMENT & MANAGEMENT PROCESS


Increasing demands to manage risk requires an effective framework, process, strategy, and supporting technology to
support a system of record to manage risk in a systematic way – whether in a specific business function/process or across
the entire business.

Attendees of the Developing a Risk Assessment & Management workshop will specifically learn:
• Alignment of risk in the context of business.
• Risk intelligent decision-making.
• Establishment of risk culture and policy.
• Risk monitoring and metrics.
• Communication of business relevant risk information.
• Defining ownership of risk within the business.
• Multi-perspective risk analysis.
• Effective risk treatment in context of business objectives.
• Governance of risk within the business.
• Consistent ranking and measurement of risk.

WORKSHOP: Developing a Risk Assessment & Management Process

Wednesday, March 31, 2010 from 8:00 AM - 5:00 AM (CT) Delafield, WI | The Delafield Hotel

GRC, Risk, & Compliance Strategy Planning


Corporate Integrity is actively engaged in helping organizations plan their risk and compliance strategies for 2010. If you
need a few hours of advisory time on the phone or in person to help plan your strategic approach to risk and compliance
and need to understand drivers, trends, best practices, benchmarks, assessments, and the landscape of professional
services and technology providers - contact me.

Posted by Corporate Integrity at 12:56 PM | 0 comments

Labels: Chief Compliance Officer, Governance, GRC, Policy Management, Risk Management

TUESDAY, JANUARY 5, 2010

2010 GRC Research Agenda & Education

Happy New Year! I trust that 2010 will bring you success and direction in your personal and professional life.

First I need to state a deep thank you to all of my subscribers that have reached out to me over the past several weeks with your
sympathy and prayers for my family as my father passed away. I am amazed and overwhelmed with emotion at the number of
personal comforts and encouragements you have given when most of us only connect on a professional level. My father's struggle
with cancer came on suddenly at the end of May and already in June the doctors only gave him two weeks to live. Two weeks
turned into six months - for which we are grateful. I spent more quality time with my dad (traveling to Seattle) than I ever have
- cherished memories. My clients have been great - I had to reschedule the San Jose GRC Bootcamp (I was in San Jose for it when I
learned of his passing) and every attendee was encouraging and open to rescheduling. I have some of the greatest clients in
the world!

My purpose of this newsletter is to communicate my upcoming research agenda and direction in 2010.

The GRC market in 2010 is already proving to be interesting - particularly with the EMC/RSA acquisition of Archer. I am already
seeing a lot of interaction from large Fortune 1000 companies down into small to medium sized organizations to define a GRC
strategy and resolve cumbersome risk and compliance processes. There will be a lot of consolidation of the market in 2010.

The greatest shift is that I am doing more training and education workshops/bootcamps. Since first creating the GRC market (eight
years back) I have been continually frustrated by the lack of good GRC training and understanding of what it is. I continue to
partner with OCEG to provide the best risk, compliance, and broad GRC training available. This is being offered in three-day
bootcamps, as well as very topic-specific workshops (e.g., policy management, risk management).

I am kicking off the New Year with my Online Workshop: 2010 GRC Drivers, Trends, & Market Directions. In this workshop I am
communicating the shape, size, and direction of the GRC market as well as best practices, approaches, and trends in a two-hour
online format.

As for my upcoming research agenda:

 GRC Reference Architecture. Representing the Technology end of my GRC EcoSystem, the GRC Reference Architecture
will be wrapped up in blog/newsletter format this week with another newsletter coming into your inbox on the
business/role specific GRC applications. I will tie all of this together in a Corporate Integrity research piece on the GRC
Reference Architecture by the end of January and will incorporate this into the revised OCEG GRC IT Blueprint as well for
review and approval by the OCEG Technology Council.

 Investigations Management. I have been working for the past three months on research covering investigations
management platforms - the market, players, feature/functionality, and best practices in investigations management. I
originally planned to publish this by the end of December but my family circumstances put this into January. This will be
published in the next month as well.

 Policy Management. After I wrap up the GRC Reference Architecture newsletter this week I will begin a newsletter series
on effective management and communication of policies across the organization. This ties into the full-day workshop
training I am doing on this subject at the end of February. I am also working on a book on policy management in 2010.

 3rd Party/Supply-Chain/Vendor Risk Management. In a few months I am going to take up the topic of managing risk and
compliance across extended business relationships. This area has been keeping me very busy for the past two years and I
want to do more writing on this topic.

 Risk Management and ISO 31000. With the release of ISO 31000 I plan on doing more writing, expository, and training on
risk management to align with this important standard in 2010.

 Economic Value Proposition of GRC. 2010 will also bring more focus of my research on the economic justification and
reasoning for GRC processes and solutions. I am frustrated with the amount of money companies waste on manual, paper-
based efforts for GRC or ones that are encumbered by email instead of workflow and spreadsheets for assessments that
have no integrity, audit trail, or scalability. GRC processes and solutions make sense because they improve business
agility, consistency, efficiency, transparency, and accountability.

My upcoming 2010 events (those that are planned out to date for the next few months) are as follows:

ONLINE WORKSHOP: 2010 GRC Drivers, Trends, & Market Directions

Thursday, January 14, 2010 from 11:00 AM - 1:00 PM (CT)

OCEG BOOTCAMP San Jose: GRC Fundamentals, Strategy, & Technology

Wednesday, January 27, 2010 at 8:00 AM - Friday, January 29, 2010 at 5:00 PM (ET) San Jose, CA | Hotel Valencia Santana Row

OCEG BOOTCAMP Atlanta: GRC Fundamentals, Strategy, & Technology

Wednesday, February 17, 2010 at 8:00 AM - Friday, February 19, 2010 at 5:00 PM (ET) Atlanta, GA | TWELVE Atlantic Station

WORKSHOP: Effective Policy Management & Communication

Wednesday, February 24, 2010 from 8:00 AM - 5:00 AM (CT) Delafield, WI | The Delafield Hotel

WORKSHOP: Developing a Risk Assessment & Management Process

Wednesday, March 31, 2010 from 8:00 AM - 5:00 AM (CT) Delafield, WI | The Delafield Hotel

OCEG BOOTCAMP Chicago: GRC Fundamentals, Strategy, & Technology

Wednesday, April 21, 2010 at 8:00 AM - Friday, April 23, 2010 at 5:00 AM (CT) Chicago, IL | The Ambassador East Hotel

Additionally, my social networking has continued to increase. This newsletter goes out to over 6,000 subscribers. My Corporate
Integrity LinkedIn Group now has nearly 1,900 members. I have over 650 followers on Twitter. And my blog continues to get
significant traction and reference.

That concludes my 2010 update - now back to serious GRC strategic planning and work.

POSTED BY CORPORATE INTEGRITY AT 11:45 AM 0 COMMENTS


LABELS: GRC, GOVERNANCE, RISK, COMPLIANCE BOOTCAMPS, GRC, INVESTIGATIONS, POLICY MANAGEMENT,
RISK MANAGEMENT, SUPPLY CHAIN, VENDOR MANAGEMENT, WORKSHOPS

FRIDAY, JULY 17, 2009

Wolters Kluwer Acquires the Gem in Policy Management - Axentis


Wolters Kluwer Tax & Accounting announced today that it acquired Axentis. This acquisition further extends Wolters Kluwer's role in
the GRC (Governance, Risk, & Compliance) technology and content/information market.

Axentis, according to Corporate Integrity research, has a leading policy and procedure management platform. The company has
done an excellent job of addressing investigations management and has specifically addressed a broad array of GRC issues, including
corporate integrity agreements, risk management, ethics, code of conduct, corporate compliance, financial controls
management, IT risk and compliance, regulatory intelligence/management, privacy, and vendor/supplier/3rd party compliance.
Axentis has also been a pioneer in addressing GRC through a Software as a Service (SaaS) model.

Wolters Kluwer has been on track in acquiring a portfolio of GRC related products. Axentis adds to their line of acquisitions, which
includes TeamMate, Sword, and MediRegs (ComplyTrack). Wolters Kluwer also has a range of other GRC related products that
tackle the issues of matter management as well as board & entity management. However, the most significant differentiator for
Wolters Kluwer is the integration of content/information related to regulations and risks into this suite of products, as they
provide a competitive information and knowledge offering that competes against the likes of Thomson, Lexis, and SAI Global. Some
of these knowledge providers also see the value of GRC technology solutions integrating with content - Thomson Reuters acquired
Paisley last November, and SAI Global acquired 80/20 Software among a few others.

The challenge now for Wolters Kluwer is to bring things together. To date they have focused on different solutions across their
technology line and do not promote a single all-encompassing GRC application. This can work for as well as against them. If they
can bring together a common back-end data architecture and deliver a consistent interface across individual products, I believe
that organizations will buy this. If they fail to do this, other vendors will win the GRC game. Organizations do not necessarily
need a single application interface for GRC - but they do need a common data architecture. I also see that many GRC vendors lose
out because they try to oversell instead of addressing the specific needs set before them. Wolters Kluwer can sell to the specific
need with the specific product and expand from there. This also helps penetrate deals, as GRC involves multiple roles. Without confusing the
buyer, Wolters Kluwer can sell the products that meet the needs of the specific business buyer before them (e.g., legal,
compliance, enterprise risk, operational risk, finance, audit).

As Thomson, SAI Global, and Wolters Kluwer have all demonstrated significant commitment to the GRC space, I am particularly
curious about Lexis Nexis' reaction as to how they will approach this space.

The end game of the GRC market breaks down as follows:


 Enterprise technology providers. CA, Oracle, and SAP are all committed to the GRC space. These providers, as well as
others that turn their focus to GRC again, will continue to expand and grow in the market. Their value proposition will be the
integration of GRC technology into a broader technology architecture.
 Information/knowledge providers. The likes of Wolters Kluwer and Thomson will focus on using technology to integrate
with content - delivering on what I call risk and regulatory intelligence.
 Boutique providers. There will remain a number of GRC providers that use their smaller size to be nimble and react
first to changing market demands, and grow to be solid GRC players. Several of these players will differentiate themselves
by delivering solutions aimed at specific GRC issues (e.g., environmental, health & safety, matter management) as well as
roles (e.g., audit, legal, compliance, risk, IT).

POSTED BY CORPORATE INTEGRITY AT 9:12 AM 5 COMMENTS


LABELS: GRC, GOVERNANCE, RISK, COMPLIANCE AXENTIS, GRC, POLICY MANAGEMENT, WOLTERS KLUWER

TUESDAY, MARCH 31, 2009

Ultimate Legal Management Platform

Legal - the last (OK, perhaps I should say latest) technology frontier - to boldly go where no one has embraced technology
before. So it would appear to an observer of the average corporate legal department. Corporate attorneys have been technology
agnostics, unwilling to give up their legal pads and pens in exchange for process-efficient technology.

Times are changing. Lawyers have been forced to embrace technology and understand it in more detail with the advent of
electronic discovery requirements (e.g., the Federal Rules of Civil Procedure). This has caused many a lawyer to get over their severe
case of technophobia and come to understand that technology can really improve the performance and governance of the corporate
legal department. Inside counsel is now becoming tech-savvy and willing to embrace technology to improve business legal
processes that have historically been very manual and paper-based.

Corporate Integrity sees a new evolution of legal management software that embraces a holistic view of legal process
management. Currently, the market is comprised of several dozen software vendors focusing on specific legal functions. The
future will show a few of these vendors successfully creating a solution that manages legal processes in an integrated platform.
The goal: to bring sustainability, consistency, efficiency, transparency, and accountability to legal process management.

The legal process management market (part of the GRC – Governance, Risk, and Compliance – Market) incorporates the following
components:

 Matter Management is the core platform for both inside and outside counsel to document and manage all legal matters
the organization is involved in. At its core it offers project, document, resource, and time management for legal matters.
Leading matter management platforms today come from Bridgeway, Mitratech, Serengeti, and CT Wolters Kluwer. Other
systems include CSC, EAG Case Track, LawTrac/LT Online, Legal Files, and PerfectLaw.

 Discovery Management is a recent solution area that evolved out of the hailstorm of eDiscovery solutions in response to
the revised Federal Rules of Civil Procedure in the United States. These platforms assist in managing the accountability,
documentation, and process/workflow of fulfilling discovery requests. In one sense they are a natural extension of matter
management platforms. Leading discovery process management solutions include Bridgeway, Exterro, Mitratech, and PSS
Systems.

 Contract Management solutions manage the contracting process from a legal perspective in assisting in the writing,
review, modification, negotiation, execution, and archiving of all legal contracts and obligations of the company. Legal
contract management platforms that have had broader adoption in corporate legal departments include Compliance 360,
EAG CaseTrack, Emptoris, Mitratech, and Selectica. Archer Technologies and Axentis have also been deployed for contract
management – but have not seen the same level of traction within corporate legal departments.

 Investigations Management provides a platform for documenting all issues, events, investigations, incidents, and
wrongdoing in the corporation. Leading enterprise investigations management platforms targeted at the corporate legal
department include Archer Technologies, Axentis, Compliance 360, EthicsPoint, Global Compliance, Mitratech, and PPM
2000.

 Hotline/Whistleblower solutions are more than a technology platform, as they end up being a service for the reporting of
incidents (many times anonymously) via the web or a telephone hotline. Leading vendors in the hotline and whistleblower
space include Allegiance, EthicsPoint, Global Compliance, and The Network. Several of these solutions also offer
enterprise investigations management as a platform.

 Board & Entity Management delivers a solution for the corporate secretary (typically in legal) to manage board papers,
communications, and corporate reports/filings. This includes features for board calendaring and scheduling as well as
documenting legal entities, structure, relationships, assets, and responsible parties (Executives, Directors). Vendors in this
area include BoardVantage, Bridgeway, BWise, Computershare, CSC, ICSA, Mitratech, SAI Global, and CT Wolters Kluwer.

 Policy & Procedure Management involves a platform for defining, communicating, providing training on, managing, and
archiving corporate policies, procedures, ethics, and code of conduct. Solutions in this space provide a central
repository for managing the policy lifecycle. Vendors include Archer Technologies, Axentis, BWise, Compliance 360,
Mitratech, OpenPages, QUMAS, and SAI Global. However, not all of these vendors offer the same features. Axentis offers
the easiest to use - but complete - policy and procedure management solution. Archer Technologies, Axentis, and
Compliance 360 can deliver training modules within their platforms. Mitratech offers only the management of the policy
lifecycle - but not the communication component.

 Training Solutions offer a wide range of legal, ethics, and regulatory training modules to be delivered in other GRC
platforms (such as Policy & Procedure Management) or eLearning solutions. Vendors such as Corpedia, Global Compliance,
Integrity Interactive, LRN, and SAI Global offer training solutions in this area.

 Legal Risk Management & Analysis solutions are designed for defining, managing, modeling, and monitoring legal and
compliance risks in the enterprise. This is a relatively new area for technology solutions and is best done with solutions
that support decision tree risk modeling to help an organization analyze legal scenarios and outcomes. Solutions focused
on this capability include Mitratech and Riskonnect. Amenaza is another vendor but has not focused on the legal market.

 Compliance Management involves a platform for documenting requirements (laws, regulations, contractual), mapping
them to corporate controls and policies, and providing for the assessment and reporting of the state of compliance. There
is a wide range of vendors offering compliance management solutions - many of which grew out of the Sarbanes-
Oxley/financial controls space, such as OpenPages and Paisley. Vendors that have shown particular traction within legal
departments for managing compliance include Axentis, Compliance 360, QUMAS, Mitratech, and SAI Global. Other vendors
offering compliance management - but without demonstrated traction within legal - are Archer Technologies, BWise,
and MetricStream.

 Legal & Regulatory Intelligence is a particular feature set embedded in legal process management solutions that deliver
efficiency and accountability in monitoring changes in laws, regulations, legislation, and court rulings that could impact
the company. The leading innovator in this area is Compliance 360 as their solution profiles regulatory and legal interests
and directly integrates with Lexis Nexis and Thomson Westlaw and routes new legal developments into a process flow.
Mitratech has capabilities in this area as well. Axentis is doing similar management of the accountability and evaluation
process – but does not have the integration with content providers. Corporate Integrity fully expects that Lexis Nexis, LRN,
SAI Global, Thomson, and Wolters Kluwer will be building out solutions in this area to further leverage their content.

 3rd Party Compliance Management involves platforms for communicating ethics, code of conduct, and policies across an
organization's 3rd party and supply-chain relationships. Some of these platforms go further into managing self-assessments
and audits of the vendors as well. Most companies buying solutions in this space seek a Software as a Service (SaaS)/hosted
platform for easy accessibility by 3rd party business relationships. Leading vendors in this space include Archer
Technologies, Axentis, Compliance 360, and Integrity Interactive.

 Corporate Social Responsibility Management is a relatively new space of technology that is just emerging. While there
are platforms out there for managing CSR – particularly from an environmental perspective such as Equilibrium – not many
platforms have targeted the legal and corporate secretary role in CSR. However, some vendors that have engaged with
legal are seeing their platforms retooled for CSR purposes led from the legal department. These vendors include Archer
Technologies and Compliance 360.

 Information Management consists of applications for identifying and cataloging information assets across the
organization. This category would focus on sensitive corporate information (e.g., personal information, corporate records,
and even intellectual property) and catalog its location, controls, and policies. Archer Technologies is an example of a
vendor that operates in this space.

 Intellectual Property Management consists of applications for cataloging intellectual property across the organization,
including ownership rights and regulatory requirements as well as renewal dates, governmental correspondence, and
filing status. The focus of this area is on intellectual property (e.g., patents, trademarks, copyrights) and it has vendors such
as Anaqua, Cognocys, and IPDOX.

The legal process management market has many niches - as illustrated above. The question begging to be asked: who does it all? Answer: simply no
one. Though there are a few notables that provide a fairly complete enterprise legal process management platform. Mitratech and
Compliance 360 are providing very complete platforms - but from different angles. Mitratech grew out of the matter management
area and has expanded rapidly into other areas. Compliance 360 grew out of the corporate compliance function within legal
(initially within healthcare and insurance) and has been expanding out. Other vendors appear to be aggressively focusing on the
corporate legal department and providing an end-to-end solution - these include Archer Technologies, SAI Global, and Wolters
Kluwer.

POSTED BY CORPORATE INTEGRITY AT 5:27 PM 1 COMMENTS


LABELS: GRC, GOVERNANCE, RISK, COMPLIANCE BOARD ENTITY MANAGEMENT, COMPLIANCE, CONTRACT, CSR,
DISCOVERY MANAGEMENT, GRC, HOTLINE, INTELLECTUAL PROPERTY, INVESTIGATIONS, LEGAL,
MATTER MANAGEMENT, POLICY MANAGEMENT, RISK
