In one of my last articles I wrote about policy management and how it can and should be handled in theory. Today I would like to show you the first part of how this process can be supported with the new version 4.1 of ARIS Risk & Compliance Manager.
Let me start with a quick reminder of what the policy management process looks like (for details, please have a look at my previous article):
The process starts with the need for, and the definition of, a policy. In this phase the policy is written, the responsible people are defined, the aim of the policy is specified, and the affected systems, organizations and processes are identified. Modeled in ARIS Business Architect, an example policy could look like this:
In this example the policy 'code of conduct' is used to reduce the risk 'damage to image', and it affects the complete organization. On the left side you can see the responsible persons:
- The policy owner group is responsible for the complete workflow of the policy.
- The policy approver group (e.g. the members of the legal department, the management board, etc.) has to approve that the policy is correct and compliant with the company's aims and regulations.
- The policy addressees are the people the policy is aimed at. In our example the addressees are probably all employees of the company, because everybody in the company should know the code of conduct and act according to it.
- Last but not least, the policy auditors have read rights for the policy.
When the definition of the policy is finished, all the information can be imported into ARIS Risk & Compliance Manager, and as soon as a previously defined start time is reached, the approval workflow starts. This means that the members of the approver group are notified by the system about the new or updated policy and can then check the correctness of the policy within ARIS Risk & Compliance Manager. If they approve the policy, it can finally be published within the company.
Depending on the criticality of a policy, publication alone might be enough, but if a company wants to comply with specific laws and regulations it is sometimes also necessary that the employees sign or confirm the policy. This means that the addressees confirm that they have read it, understood it and will act according to it. In ARIS Risk & Compliance Manager you can define for each policy whether an attestation by the addressees is required. If you choose attestation, ARIS Risk & Compliance Manager automatically generates a form for each addressee, which he or she can accept or reject.
Of course the policy owner has an overview at any time of how many people have accepted the policy and how many have not. For our example it could look like this:
The list shows the different people who need to confirm the policy together with their current confirmation status (in the example two people have already accepted the policy, one is still open, and one person rejected it). The accumulated result is shown in the pie chart.
That's it so far for the first two phases, "definition" and "communication", of the policy management process. I will describe the next two phases in another article.