Discover how to use policy management with key elements of SAP Process Control to respond to risk events in your organization. Understand the ways in which policy management can be integrated into functional business processes.
Key Concept
SAP has developed a global compliance solution as part of Process Control 10.0 and 10.1. Managing company-wide policies is a resource-heavy activity that is common among most large and midsized organizations. Policy management is a workflow-driven solution to manage the documentation, review, approval and distribution, or acknowledgment of company-wide policies. Policy management is part of the governance element of governance, risk, and compliance.
Policy management is an end-to-end compliance solution to specify, maintain, publish, communicate, and enforce policies and to measure policy compliance. One of the business benefits of policy management is that it automates the task of creating and maintaining policies.
Policy management enables you to attribute different policies (e.g., a work instruction) to a specific organizational structure, business process, and activity. For example, you can assign work instructions for a new piece of machinery to a specific warehouse and business process. Users can then be notified to read the work instructions and take a related quiz to ensure that they have read and understand the policy (machinery manual).
I discuss policy management and highlight many of the features that SAP Process Control offers with regard to policy creation, approval, and acceptance. I describe configuration steps as I take you through the process of organizing your policy hierarchy to improve transparency and visibility for global and corporate policies. I also define options for integrating policy management with other applications across the SAP solutions for GRC.
Features of Policy Management
One challenge many organizations face is that regulations are imposed from the top down, but compliance must be achieved from the bottom up. All people, whether they are purchasing agents or salespeople, must understand what obligations this imposes on their daily jobs and act accordingly. Policy management can be used as a tool to combat known risks and to bring awareness to all types of information and potential instructions that may affect an organization. With Adobe Interactive Forms, end users have the opportunity to confirm training and policy awareness through custom surveys, quizzes, and acknowledgments.
Policy management enables visibility through detailed reporting and analytics. The value of policy management, however, is that it is fully integrated with other components in the GRC suite, such as SAP Access Control and SAP Risk Management. You can associate policies with regulations, risks, and corporate and industry standards.
Implementation Steps
The first step in creating policies is to determine the various policy types, and to configure them in the back end. Policy management is a bit of a misnomer in that policy types can include one or more of the following: policies, procedures, work instructions, or standard operating procedures (SOPs). You can create new policy types to fulfill additional business requirements.
To create a policy type, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Policy Management. Click the execute icon beside Maintain Policy Types and Distribution Methods. In the initial screen to maintain policy types (Figure 1), click the Policy Type folder and enter a policy type and description. In my example, I entered types for Policy, Procedure, Work Instruction, Standard, and SOP. Click the save icon.

Figure 1
The initial screen for Policy Type maintenance
Coordination and communication among multiple people and departments can be time-consuming and difficult to manage, so in addition to grouping policies by types, SAP Process Control houses policies in the Policy Library, a hierarchical master data structure that allows policies to be grouped based on business need for easy organization and maintenance. The structure outlines the available policies and procedures structured by policy groups.
In the Policy Library, policy groups are often organized by organizational entity, policy type, or functional area. Policy groups provide a logical grouping for policies for documentation and reporting. Policy categories are created to group and organize policies at an additional level. Lastly, policy source categories are defined, which serve as the rationale or basis for the creation of policies.
Common source categories include business goals and objectives, laws or legal requirements, corporate strategies, or voluntary commitments. By assigning specific attributes to policies and systematically maintaining the Policy Library, policy management can be used effectively for all mass communication and organizational training events. Unfamiliarity with policies among the employee base decreases, as do incorrect processes, quality problems, legal issues, and non-compliance events.
To access the Policy Library, follow menu path Master Data > Regulations and Policies > Policies (Figure 2). In the Policy Hierarchy, two types of entities can be created: Policy Groups and Policies. To create a policy group, highlight Policy Hierarchy, click the Create button, and select Policy Group. In my example, I have created three policy groups: HR Policies, IT Policies, and Global Compliance.

Figure 2
Maintain the Policy Library
The policy group must have a name designated, and an associated approval survey needs to be identified prior to saving (Figure 3). To save your entries, click the Save button located in the upper-left corner of the screen.

Figure 3
Create Policy Groups
To configure a policy category, execute transaction code SPRO and follow menu path SAP Customizing Implementation Guide > Governance, Risk and Compliance > Common Component Settings > Policy Management. Click the execute icon beside Maintain Policy Categories. In the screen that appears (Figure 4), enter the name of a policy category in the Category column and a description in the Text column. In my example, I entered policy categories for Finance, Human Resources, and IT. Click the save icon to save your entries.

Figure 4
Create Policy Categories
After you create a policy category, you create a policy source category. To complete this process, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Common Component Settings > Policy Management. Click the execute icon beside Maintain Policy Source Categories. In the screen that appears (Figure 5), enter an indicator for a policy source in the Category column and a description of the source in the Text column. The Category column accepts any combination of alphanumeric characters, up to a maximum of nine. Click the save icon to save your entries.

Figure 5
Create policy source categories
In the front end, users with the appropriate authorizations can build and maintain custom policy surveys, quizzes, and acknowledgments. In many organizations, policy awareness and training are still conducted primarily through paper. SAP Process Control, however, serves as a central repository. This repository increases management visibility into the effectiveness of such policies and ensures the successful approvals and distributions of policies to targeted groups of individuals. SAP Process Control provides detailed audit trail capabilities, reporting, and analysis. Quiz results can validate employee and stakeholder understanding by aggregating results at different levels (i.e., by employee or organization). Surveys, acknowledgments, and quizzes are built in the assessment work center by first creating questions via the Question Library and then by assigning those questions to custom surveys, quizzes, and acknowledgments in the Survey Library.
To access the Question Library, follow menu path Assessments > Surveys > Question Library (Figure 6). To create a quiz, click the Create button and assign the quiz question to a category.

Figure 6
Question Library
To assign the question to an acknowledgment, quiz, or survey, the status must be designated as active (Figure 7). To make a question active, select Yes as the option in the Active field. In my example, I have set the Answer Type to Rating. Questions can also be designated as Text, Yes, No, NA, or Choice. Questions are tied to an acknowledgment survey or quiz within the Survey Library.

Figure 7
Create a Question
To access the Survey Library, follow menu path Assessments > Surveys > Survey Library (Figure 8). To create a policy quiz, survey, or approval, choose the create icon and assign a category. The Survey Library groups questions that are created in the Question Library and ties them to acknowledgments, quizzes, and surveys that are then distributed to the user base.

Figure 8
The Survey Library
In Figure 9, I have created a Policy Quiz and assigned one question to it. The status must be set to active in order for it to be associated with a policy and be available for distribution.

Figure 9
Create a quiz
One of the greatest business values of policy management is that multiple users can collaborate on the creation of a single policy by using standard SAP authorizations and role assignments in SAP Process Control. Upon policy creation, GRC users can be designated as a Policy Approver, Reviewer, Owner, or Viewer in the Roles tab of the Policy Creation Template. This ensures consistent and transparent management of policy versions and increases accountability for policy creation and maintenance. Policy management requires that policy administrators and approvers be selected. Therefore, policy ownership must be defined by the business prior to implementation.
The Master Data Upload Generator (MDUG) now allows for batch input of policy information. Therefore, initial policies no longer need to be manually input into the system. SAP Process Control also facilitates the documentation of policy changes and the creation of new policies. Policies must go through a workflow-driven approval process before they are published and distributed throughout the organization. This reduces the manual effort involved in distributing the policy drafts to the correct people in a timely manner. Ultimately, the time and costs associated with policy distribution are reduced.
Policy creation, review, and approval integrate with various other aspects of SAP Process Control, SAP Access Control, and SAP Risk Management. To set up policy management effectively and integrate it with other areas of SAP solutions for GRC, the master data must be configured properly. Master data can be shared across SAP Access Control, SAP Process Control, and SAP Risk Management. However, to achieve this, careful attention must be paid so that the validity dates of data elements coincide and that risks and controls are assigned to the correct organizational elements, business processes, and subprocesses. Policies can be tied to risks, controls, and issues. Manual and automated controls can also be used in conjunction with policy management to monitor policy effectiveness and sign-offs.
For example, if a critical action or critical permission risk has been identified by the organization, the risk and control can be tied to a policy to ensure employee awareness surrounding the known risk. Associated risks can be assigned during policy creation under the risks tab (Figure 10). In this instance, the policy is the medium of the compensating control, stating that all users who have the critical action or permission must acknowledge the policy (or take a quiz or survey) on an annual or semiannual basis. A semiautomated control can be created for compliance monitoring in which a business rule might designate a policy management report to be extracted from the GRC system. A designated user then receives a notification that the report is ready to be reviewed and approved.

Figure 10
Create a policy
Ad-hoc issues can be raised against a policy during policy approval and after a policy has been published. For example, if an external auditor or key stakeholder reviews the policy and finds a discrepancy, ad-hoc issue management can track the remediation process until a new policy version is approved and published.
To access the Policy Library, follow menu path Master Data > Regulations and Policies > Policies (Figure 2). In the Policy Hierarchy you can create two types of entities: Policy Groups and Policies. A policy is created (Figure 2) by highlighting a Policy Group, clicking the Create button, and choosing Policy. Policies must have the following fields maintained: Name, Policy Type, Distribution Method, and Purpose (Figure 10). If the chosen distribution is a quiz or survey, the associated templates must also be defined as seen in Figure 10. Policies can be associated with a control (Figure 11) or a risk.

Figure 11
Policy has been tied to a control
Policy scoping is the process of determining which organizational entities are affected by the policy. Upon policy creation, reviewers and approvers must also be defined. Once the policy has been submitted for review or approval, the designated recipients receive a notification. An audit trail for the review and approval process can be viewed directly in the policy along with any comments (Figure 12).

Figure 12
Policy Review and Approval Audit inside the policy documentation
Through the use of Adobe Document Services (ADS) and Interactive Forms, policy awareness and training are made more accessible. SAP Process Control creates and deploys interactive forms that look exactly like their paper counterparts, and policy documents can be embedded as attachments. Forms can be worked in online and offline scenarios, and data is then captured and imported directly into the SAP GRC system. Employees are now able to receive and acknowledge policies directly from their email inboxes without having to log in to the SAP GRC system (Figures 13 and 14). Figure 13 is an example of an email notification indicating that the user must perform a policy acknowledgment. The policy is also attached and can be viewed via PDF.

Figure 13
Policy acknowledgment email notification

Figure 14
Policy acknowledgment interactive form
Figure 14 is an example of the associated interactive form via Adobe Document Services that end users can virtually complete and submit directly from their e-mail. One of the key considerations is that end users must understand the purpose of policy assessment prior to implementation.
Responses are tracked and managed via SAP Process Control standard reports. Real-time tracking reports can be generated for policy acknowledgement status, risks associated with policies, processes and controls associated with policies, policy profiles, policy versions, and policies by regulation (Figures 15 and 16). Figure 15, for example, allows users to display current and past versions of each policy.

Figure 15
The Policy Versions report

Figure 16
Processes and Controls associated with the Policies Report
Figure 16 reports on the basic information for each policy, including the policy name and description and the associated business process, subprocess, and control. This knowledge reduces confusion and improves results. Policy management reports can be accessed in the Assessments Work Center and Master Data Work Center.
To access the policy reports, follow menu path Assessments > Reports. From there, any of the following reports can be selected by clicking the hyperlink in the work center: Policy Profile, Policy Issue, and Policy Survey Result. To access additional policy reports, follow menu path Master Data > Reports. From there, any of the following reports can be selected by clicking the hyperlink in the work center: Policies by Regulations, Policy Versions, Risks Associated with Policies, Processes and Controls with Policies.
Tracy Levine
Tracy Levine (CPIM) is an SAP application consultant at itelligence. She has four years of experience in SAP security and authorizations, SAP Access Control, SAP Process Control, and core cross-module integration across many industry verticals. Tracy is an SAP Certified Application Associate - SAP Access Control 10.0 and is the voice behind the blog Tracy-Levine.com.