July 21, 2022
Policy Attestation: If You Can’t Measure It, You Can’t Manage It
4 Min Read
Having a dynamic policy management program is a key part of any organization, as it sets the standard for how a business (and its employees) should operate. A successful policy management program will help you establish governance, achieve compliance, and reduce business risk.
Once policies are developed, policy attestation is the critical first step to enforcing your policies. Key elements of a well-managed program include distributing policies at the right time, to the right audience, in an accessible manner. You should establish interactive development cycles to get feedback from the business, remain up to date with laws, regulations, and internal compliance mandates while providing a paper trail for updates and attestation in the event of an audit.
If you can’t measure your policy program, you can’t manage it. That’s where policy attestation becomes an essential factor.
What is policy attestation?
An attestation is a way to confirm, view, or authenticate internal stakeholders have read and agree to abide by a policy. Attestations can be conducted in a variety of ways, including emails to and from stakeholders. However, a manual process like that is both time-consuming and creates a great margin of error due to lack of version control and speed of response.
Attestations are essential to your policy management program to ensure there is no mismanagement of policies or procedures that could put the organization at risk. It’s imperative that an organization implements an effective procedure to track attestations to ensure that policies are reaching the right people at the right time.
Attestation provides insight to your policy management effectiveness
How can you measure policy attestation? This can include, but is not limited to confirmation of receipt, application of knowledge (e.g., survey of policy knowledge), and request for evidence.
By collecting and confirming attestation across stakeholders and business groups, organizations can understand:
- Where there may be communication gaps in distribution
- What language may be unclear, or uncommon to everyday readers
- Who in the business may pose a vulnerability due to a lack of policy knowledge
- When policies may need to be updated due to exception requests
Taking an integrated approach to policy management solutions allows businesses to look at these insights in line with other risk insights, such as control effectiveness. For instance, an organization may have a low attestation rate for a policy, but the control for the risk or compliance obligation is consistently executed throughout the business. This may be an indication that there is an issue with the attestation metric itself since the practice is being executed appropriately in practice.
Implementing an effective way to track policy attestation helps to reduce liability with a detailed audit trail. This record of activity and acknowledgement helps to reduce negative business risk and protect the business against issues of non-compliance.
How a policy management solution can help
A policy management solution can better help you track attestations by:
- Improve Accessibility: Provide a centralized location or portal where individuals can access policies and standards that apply to them
- Distribute Swiftly & Precisely: Integrate your organizational hierarchy into the attestation process to quickly filter the audience of attestation campaigns
- Track Attestation Status: Automate documentation and reporting on attestation (or lack of) with a system that captures activity in real-time
- Automate Reminders: Send automated reminders to follow up on past due attestations and escalate after a set number of days
- Manage Exceptions: Automatically capture exception requests through the attestation process, set an expiration period, and track with an “exception register”
Once you’ve developed and published policies that align to your risk and compliance initiatives, a good policy management solution will help you track policies across the business with targeted attestation and monitoring.