27 Feb Policy and Document Management
The Need for Policy and Document Management
Today we’re discussing a vital component of compliance: policy and document management. By now, we all know the importance of being compliant… but is that enough on its own? We could just as easily ask the old philosophical question of “if a tree falls in the forest and no one is around to hear it… does it make a sound?”
The analogy may be a bit of a stretch, but the point is that if you’re compliant and don’t have a record of that compliance or policy… then who’s to say you actually were? Anyone looking into your compliance isn’t going to accept a “yup, I remember 2014. We were fully compliant with PCI and SOX standards” answer from an employee. You’ll need records of these standards being part of your policies and records that those policies were assessed. From this viewpoint, policy and document management become almost as important as compliance management.
Steps for Policy and Document Management
In general, an efficient management strategy begins with a well-written policy and a secure system for indexing information. If all of your documents are in an easy-to-access central location, they will be easier to organize, maintain, and retrieve when needed. In the case of compliance documents or policies, you will need these documents to be organized for audits, when preparing business proposals and contracts, or during the process of a lawsuit. From experience, just make sure you have digital files; physical copies, if desired, should only be backups.
Although the storage system should be easy to access, it doesn’t mean everyone needs to be able to access this information. Follow your security protocol in encrypting certain files and restricting access to key personnel. When it comes to distributing company policies after updates, the new file(s) should be placed in your storage system and then distributed by a particular member of staff. This ensures you have a record of everyone receiving the documents and that the original files remain secure and untouched in your records.
In an ideal world, we would have all documents easily organized and dating back to the beginning of time, but this isn’t always possible. Document retention is difficult and will vary for each organization. It’s sometimes necessary to toss old documents to ensure you have the space to store new ones and ensure organization. As such, our advice would be to carefully research the required retention period of certain documents. For example, OSHA Incident Report forms must be retained by employers for 5 years following the end of the calendar year that these records cover. You can see some general retention rates on business documents here. As for our recommendation… when in doubt, don’t throw it out!
The last “major” step is to set schedules and methods for maintenance and archiving. Archiving depends largely on your system of organization. If you choose the “current year” folder route, decide when you’ll move those documents to the archive folders and create new documents. Also consider when policies are due to be reviewed, approved, or distributed. Set a schedule so you don’t miss any of these windows and stay out of hot water.
RiskWatch for Compliance Policy and Document Management
In addition to all the other fun stuff regarding compliance, our tool ComplianceWatch provides a centralized location that allows you to store and access previous and current policies and documents.
Company policy can be incorporated into survey questions and is stored as an assessment. The questions can be sent to key personnel to gauge if the policies have been implemented and are being followed. This allows your organization to store not just typical Word documents or PDFs, but also actual assessments that prove your compliance and the dates. For document management, survey questions can use the “File Upload” response type to gather and store any documents you require.
Each assessment has a tab labeled “Upload Responses” where the user can access any files that were uploaded for that particular assessment, providing automatic organization and easy access to authorized personnel. As a bonus, there is less risk when you have policy and assessment info also stored in the cloud, so this information is always available on protected servers.
Take a free trial of ComplianceWatch to test how you can store policies and documents and easily export anything needed for distribution.