As explained by the OCEG (formerly the Open Compliance and Ethics Group) – a global nonprofit organization and community focused on GRC topics, “Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions.”, “Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.”
As such, policies are a vital part of any Governance, Risk, and Compliance program – especially the Code of Conduct policy that establishes the dos and don’ts for employees and is often the first policy anyone signs when joining a new organization.
Many companies have also extended their Code of Conduct to 3rd parties as well, often by creating a dedicated policy and having it signed by 3rd party personnel to ensure they adhere to the very same level of ethics and integrity.
For instance, to implement a sustainable supply chain, companies could have a Supplier Code of Conduct that addresses topics relating to bribery and corruption, insider trading fair competition, labor and human rights, health and safety, etc. and requires signatories to uphold these commitments.
To do so, companies have 2 choices:
Or
And now comes my 2 hidden gems today: did you know that there is an embedded Policy Management module in both SAP Process Control and SAP Risk Management? And what’s more, did you know that it includes features to distribute policies to external parties and track their acknowledgements?
In the Policy Management module, the policy activities (surveys, acknowledgements, quizzes) are distributed by default by email to the end-users documented in the “People” tab of the policy:
These end-user recipients can be roles, user groups, specific users or even distribution lists (this option requires LDAP).
That’s all good, but let’s take a simple use case that can quickly become a headache. Before onboarding a new supplier, you would like to make sure that they follow your requirements in terms of Labour and Human Rights. For this, you’d like them to acknowledge your 3rd party policy on this aspect. But there’s a catch: you only have a generic address such as “info@”.
You know that your message will be forwarded internally to the right stakeholder, but you are concerned this poses 2 issues:
The good news is that both are possible in the Policy Management module!
The ability to forward these offline surveys to other recipients – while still tracking the responses and associate them with the right signatories – can be activated in the dedicated “Maintain Settings for Offline Survey Forwarding” activity in the SAP Implementation Guide (IMG).
There are 4 options available:
In our example above where you only have the “info@” email address, options 3 and 4 would be applicable to help your survey get to the right person.
Once activated, your main contact within your supplier can then forward the policy activity internally to the relevant stakeholder who can then sign and return it directly to the solution.
2nd Line can then use the Policy Management module to track the response.
What about you, how does your company distribute and track policies? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!