Does your organisation need security policy management?

Security is a priority for all organisations. It covers many aspects of working life – the buildings we work in, the technology we use, the data we share with others, our professional behaviour and so on. Being safe in the workplace, cyber-security, data privacy, safeguarding confidential information and other related areas are topics that all employees need to be aware of. It’s also particularly important in some industry sectors.

Security is a big topic. But one of the challenges associated with ensuring security measures are in place is that it often relies on the awareness, knowledge and co-operation of employees. Only too often, employees and their carelessness are the cause of security issues, usually inadvertently but sometimes wilfully.

Because of this it is important to have security policies in place that provide clarity for employees on security and related matters.

To support the effective distribution of security policies, organisations must have active security policy management in place. In this article, we’re going to cover what a security policy is, why we need them and how they help minimise risk. We’ll also explore some of the different types of security policy as well as some good practice tips.


What is a security policy?

A security policy can be defined as any policy which helps to protect an organisation against security threats and vulnerabilities through risk prevention as well as processes to minimise any potential damage. It can cover both the security relating to a physical building as well as technology and digital channels, and include aspects such as overarching principles, specific procedures, terms of usage and staff training.


Why do you need security policies?

Security is a priority for every organisation. It’s an area where there is little room for compromise. Policies provide clarity and a critical backbone to ensure the right procedures are followed to maintain security and reduce the associated risks.

Specifically, policies help to:

  • Prevent specific incidents by reducing vulnerabilities.
  • Reduce and contain the potential damage when an incident occurs.
  • Drive compliance with regulatory and legal requirements.
  • Keep everybody safe, supporting an organisation’s duty of care to employees, customers and suppliers.
  • Keep client and employee data secure.
  • Protect an organisation’s overall brand and reputation.



How do security policies help minimise risk?

More specifically, security policies help minimise risks in the following ways:

  • They educate employees about the approaches to take and steps to follow to support security, and are particularly important in onboarding new starters.
  • They keep employees up to date about any changes to security policies or procedures.
  • They are an essential reference point, providing absolute clarity and a definitive source of truth relating to security.
  • They support decision-making.
  • They support various different processes such as recruitment, procurement, due diligence on technology purchases, employee onboarding and more.
  • They can play a role in compliance-related reporting, particularly in regulated industries, and where standards such as ISO 27001 are important.
  • They provide essential information on processes to follow if there is an incident, so are often related to disaster recovery planning and crisis management.
  • They support the creation of new security policies and the review of existing policies.
  • They provide information on expected behaviours for employees.
  • They allow you to take action against employees if they are putting security at risk through negligence or behaviour.

What are the different types of security policy?

There are many different types of security policy, with different aspects relating to scope, theme and type.

Scope

The scope of a security policy can vary. Sometimes they can be organisation-wide and more to do with general principles, for example, setting out a “zero trust” policy. Sometimes they can apply to something more specific such as a particular topic – for example relating to information management or building security. A security policy might also apply to something more granular like a particular building or a specific application or platform.

Theme

Security policies can cover different themes, including:

  • The physical security of buildings and other assets.
  • Cybersecurity principles and actions that must be followed.
  • Data protection and privacy, ensuring the protection of client and employee data.
  • Information management, covering sensitive and confidential information.
  • Personal security for staff when travelling or undertaking work.
  • Disaster recovery plans.
  • And more!

Type

Security policies can also be of different types:

  • General principles to follow.
  • Detailed policy and procedures.
  • A terms of usage policy.
  • Guidelines for employees.
  • Security, recovery or incident response plan to follow.
  • Access control list on who can access which system.
  • External security documents produced by a third-party such as a property management company or technical vendor.
  • Part of employee training.
  • One or more of the above!



What are some good practices in managing security policies?

The good practices that help manage your security policies are not necessarily that different from those for managing other kinds of policy. However, they are potentially more important as security policies are critical.

Clear ownership

Always establish clear ownership of a security policy with a named person or people who are responsible and accountable for keeping a policy up to date. Without that clear ownership, it is all too easy for a security policy not to be managed properly. In particular, sometimes ownership is attributed to a department or team; while clearly a department will have responsibility, naming the individuals helps ensure that a policy needing updating doesn’t get missed.

Version control

Version control is a central pillar of policy management. You can’t have two, three or more versions of the same policy in circulation as people may follow the wrong policy or process. It also undermines confidence and trust in policies. Always carry out robust version control with elements such as clear policy numbering and by providing access to only the latest version through your policy library. This is an area where a solution like Xoralia can help.

Regular reviews

Regular reviews of security policies by subject matter experts and policy owners are essential to ensure policies are always up to date. Having a regular review – say every six months – is important. It will also be important to have a review whenever circumstances have changed, either through an external change such as a new IT system or through a security incident.

Central access

Providing easy, central access to your security policies so everybody can find them is a must. This might be through a central policy library on your intranet or perhaps through relevant intranet pages covering IT, legal & compliance and more.


Employee attestation processes

Employee attestation processes are where people positively confirm that they have read and understood a policy, or an update to a policy. Managing this process adds an extra “nudge” to increase the likelihood of:

  • new employees reading a policy
  • all employees knowing that a policy has changed
  • being able to show regulators and other third parties that you are compliant in areas where you need to show that employees are trained in and informed about security.

Write policies so they can actually be used

No one is pretending that security policies are going to be the world’s most interesting or engaging documents, but all too often they are written in ways that make them hard to follow or make employees skip over sections.

Security policies are there to be followed. Use inclusive and accessible language, break documents up into steps so they are easier to follow, write additional guidelines, translate sections if necessary and more. Write a security policy that is there to be read and used by employees.




How Xoralia policy management software can help

Managing security policies is not always straightforward, but policy management software can help by doing a lot of the heavy lifting. Security policy management is much easier and far less time-consuming when you apply automation and ready-made features and functionality.

A robust policy management solution like Xoralia can:

  • Ensure everybody can access your security policies in a central policy library, for example reached via your SharePoint intranet.
  • Help employees find different types of security policy – and other policy types too – via a dedicated search or through browsing.
  • Enable robust version control to ensure that only the latest version of a security policy can be accessed.
  • Support policy owners in managing their policies through content lifecycle features.
  • Drive personalisation and audience targeting so different groups can see and are notified about policies they must read.
  • Action employee attestation features so that employees must confirm they have read and understood a policy, with extensive reporting that can even be used with external third-parties.
  • Go further with an additional employee attestation feature to ask questions about the content of a policy to confirm it has been digested.
  • Use automation to send reminders to policy owners to review their security policy, as well as to notify new joiners about policies they need to read, and recurring policies that need to be read each year.
  • Integrate seamlessly with your Microsoft 365 digital workplace and SharePoint intranet.
  • And more!

Arrange a free Xoralia demo!

Security policies are critical and they need active management. A policy management solution like Xoralia will help. Why not arrange a free demo?


How automated policy management software can benefit your business

Policy management is an important area for many organisations, particularly those in highly regulated industries. It reduces risk, enables decision making, ensures you have robust reporting processes in place, drives efficiency, reduces accidents and more.

Employees need to have easy access to policies, be able to find what they need quickly and easily, and understand when there have been changes. Meanwhile policy owners need to keep their policies up to date, be confident that changes have been understood, and sometimes report on this for compliance purposes.

All of the above might sound straightforward, but it can take a lot of coordination and effort, particularly when everyone is extremely busy. It only takes one out-of-date policy in circulation to create risks with a range of potential negative outcomes. Understandably, many organisations decide to invest in policy management solutions like Xoralia that help them to establish a central policy library, carry out employee attestation processes, support policy owners to manage their content and more, while significantly reducing the effort and time taken.

A key feature of a solution like Xoralia is its automation, which both saves huge amounts of time and ensures that policy owners don’t forget to carry out aspects of policy management. In this post we’re going to explore why automation is so important in robust policy management software, and how it benefits a business.




Problems with traditional policy management

One of the problems with traditional policy management is that it has tended to be carried out manually, usually using email and spreadsheets. For example, a central compliance or policy team might have to:

  • Email policy owners to remind them to update or review a policy.
  • Use email to ask individuals to confirm they have read and understood a policy (“employee attestation”), and then send follow-up emails until they have confirmed they have done so, or send these via managers.
  • Use a spreadsheet to monitor compliance reporting relating to an employee attestation process.
  • Use email and spreadsheets to monitor compliance reporting and employee attestation around policies for new starters, which may differ from group to group.

Anyone who has used email and spreadsheets for policy management, employee attestation and compliance reporting can confirm that it is a significant undertaking and administrative burden that:

  • wastes huge amounts of time which could be spent on more value-added activities.
  • is highly inefficient and prone to errors, with areas being missed.
  • significantly increases the risk of policies going out of date or more than one version of a policy being in circulation.
  • makes it harder to complete an employee attestation process and successfully report on it.
  • is extremely frustrating and tedious for the teams involved.
  • leads to less targeted efforts around policy management and attestation – for example aimed at specific groups within the organisation – as they are simply too difficult and time-consuming to manage.
  • weakens the ability of central compliance and policy teams to influence distributed policy owners.
  • leads to inconsistent approaches to policy management across an organisation.



The advantages of using an automated system

The digital workplace provides huge opportunities to automate workflows and basic, repetitive tasks. Workflow engines such as Power Automate and Nintex are evolving as “low code no code” platforms that mean even non-IT professionals can create simple automation. Specific products including policy management solutions like Xoralia are also embracing automation.

Policy management is an area where there are multiple opportunities for automation, with several advantages.

Saving time

Policy management involves multiple repetitive tasks that are very time-consuming. Chasing up on employee attestation processes. Reminding policy owners to update their policies. Notifying new starters about the policies they must read. All these can be automated, saving huge amounts of time for administrators who can then focus their efforts on more valuable and less tedious tasks.

Reducing errors

When everything is done manually, it leads to errors. People get missed and don’t have access to the right policy. Employee attestation processes aren’t complete. A policy doesn’t get updated. When you use automation, it reduces the chance of these simple but potentially damaging errors.

Standardising processes

Bringing automation to policy management helps standardise processes across different policy owners who might sit in different functions. It helps to bring a more robust approach to keeping policies up to date.

Completing the gaps for compliance and certification

As automation brings a more reliable and thorough approach to employee attestation processes, it can provide better reporting for compliance and certification purposes, not only in the actual report, but also if you are letting a third-party regulator or certification body know about how you approach employee attestation.




Automating policy management in Xoralia

Xoralia is built on SharePoint and takes advantage of the powerful workflow features within Power Automate to automate several aspects of policy management, allowing you to “set and forget” so your team can focus on more value-add activities. Xoralia’s automation focuses on three main areas.

Assignment for new joiners and leavers

Many of your policies will be assigned to different groups. When a person joins a group, they will automatically be assigned to that policy and get any notifications. This is particularly valuable for employee onboarding, as if you have a policy set for a new starter group, a new joiner will automatically be assigned and notified about the policies they need to read as part of your overall onboarding programme.

Recurring assignment notices

The need for employees to read policies is sometimes a recurring event. Sometimes for compliance, regulatory or professional reasons employees need to confirm annually they have read and agree to follow certain policies. The ability to set automatic policy notifications on a recurring basis is one of Xoralia’s most popular automation features, with the ability to set a number of days between reassignment. For example, this could be 90 days (quarterly), 365 days (annually) or any set time period – it is up to you.

Employee attestation

Employee attestation processes can involve a lot of chasing people up if done manually. Xoralia’s automation avoids this time-intensive task by automatically sending out notifications and reminders until the employee attestation process is complete. If you do want to remind someone manually, automatic reporting can also show who has yet to read or electronically sign a policy.


Want to automate aspects of policy management? Arrange a Xoralia demo!

Automation brings efficiency and accuracy to policy management. Xoralia is a policy management solution that uses automation to deliver value.

If there are aspects of managing your policies that could be automated, then why not arrange a free Xoralia demo?


Why compliance is critical and how to avoid compliance failure

Compliance with various legal and regulatory processes and procedures is a fact of organisational life. There are certain practices that must be carried out by organisations and their employees because it is the law, is mandatory for businesses in a particular sector or helps to minimise risk. Consequently, organisations spend a lot of time, effort and resources on making sure different areas of compliance are followed.

When there is a failure of compliance the consequences can range from mild to very severe. It can result in fines of millions of dollars or euros and huge damage to an organisation’s brand and reputation.

In this comprehensive guide we’re going to explore why compliance is so important and the areas that organisations need to think about in order to avoid compliance failure. We will look at what compliance is, the different reasons it’s important and the key areas that compliance relates to. We also explore the industry sectors where compliance is a particular priority. We then go on to cover the reasons for compliance failure and the consequences of a failure to comply. Finally, we look at the role that policy management can play and how software like Xoralia can reduce compliance-related risks.

What is compliance?

At a fundamental level compliance can be defined as the act of complying with a particular command or request. In terms of corporate life, compliance can be defined as the measures and practices put in place to make sure that specific legal and regulatory requirements and commitments are met and strictly adhered to. Compliance can also relate to internal policies, procedures and rules that are imposed within an organisation to reduce risk, maximise efficiency and support operations. Inevitably some internal compliance measures will be linked to external regulations too.

From an organisational point of view, compliance often involves demonstrating that you are doing everything possible to ensure compliance, for example designing processes and communicating with employees. There may well be related reporting around this, both internally and to external third parties such as regulators.

Why is compliance so important?

Compliance-related activities are not necessarily the most interesting or enjoyable elements of the working day, but they are important. While sometimes it can feel like compliance involves a lot of red tape and paperwork, and sometimes there can be more bureaucracy involved than is needed, fundamentally compliance is there for good reasons. Even if you feel some areas of compliance are unnecessary, the fact is that the relevant policies, procedures and rules will need to be followed.

Let’s explore some of the reasons why compliance is so important.

It’s the law

Some compliance is based around following the law, protecting organisations and citizens, and wider society. Breaking the law is not an option, and compliance helps to reduce the risk of legal action being taken against your organisation and the individuals within it.

Reducing risk

It’s inevitable that things will go wrong in organisations. There are problems and issues that need to be overcome, with incidents and examples of fraud, accidents, and data breaches. But compliance significantly reduces the risk of things going wrong and the frequency of incidents. It also reduces the severity of the consequences when something does occur, such as reputational damage caused to a brand.

Protect customers

Compliance impacts various areas including the delivery of products and services to customers. External regulations and internal compliance are often there to ensure that consumers are protected and a business carries out its duty of care to its customers. Compliance can also relate to protecting suppliers.

Protect employees

Compliance also protects employees so that employment law is adhered to, that the workforce operates on a level playing field, that their working environment is safe, and more. It helps to create professional standards that influence the interaction between employees. Overall, compliance ensures organisations carry out their duty of care to their employees.

Compliance also ensures that employees don’t inadvertently break the law and reduces the chance of them being liable for something that goes wrong which could result in legal or disciplinary action.

Maintains standards and competition in particular sectors

Many sectors have specific regulations that must be adhered to that ensure certain standards are met, while also helping to support competition that is ultimately beneficial to customers.

Ensure safety

A safe working environment is critical, particularly in sectors where there is a chance of accidents. Compliance supports health and safety, for example in manufacturing, construction and utilities.

Establishes privacy

Privacy is becoming increasingly important as everything we do becomes more digital. Compliance protects the data and privacy of employees and customers.

Drive efficiency and productivity

Compliance with internally produced policies and procedures is also often about driving efficiency and raising productivity, an important area that ultimately hits the bottom line.

Supports certification

Some organisations need to establish certification around various different standards, ranging from security to safety to quality. These are externally audited. Compliance supports certification.

Supports ethical approaches

Most organisations and employees want to do the right thing. Taking ethical approaches is also very important for an organisation’s brand and reputation. Compliance helps employees and organisations to make the right decisions.


What are some of the key areas where compliance matters?

Compliance matters across a whole variety of areas. The specifics and emphasis placed on each will depend very much on the industry sector an organisation operates in, the related country and region and, to a certain extent, the appetite for risk that the organisation has.




Core business activities

Often there may be regulations relating to the core business activities of an organisation either due to a professional body that covers a particular sector, or due to legislation. For example, gaming companies have restrictions on what they can and cannot offer to customers. Restaurants must follow strict environmental standards and so on.

Finance and accounting

Finance and accounting are areas where it is critical to follow the right processes around reporting, recording and declaring information. Compliance helps minimise the chance of fraud and provides reassurance to authorities, investors, employees and customers.

Health & safety

Health & safety is an area where compliance is king and minimises accidents to protect employees, as well as reduce risks around reputational damage and legal action.

Data privacy and GDPR

Data privacy is an area that has come sharply into focus in the last few years thanks to legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). A number of high-profile data breaches have also ensured the protection of consumer and employee data is an area of concern for individuals.

Accessibility

Accessibility-related compliance covers both the built environment and digital channels; this is an area where growing awareness has meant there has been more progress in recent years, but compliance is still patchy on the digital side.

Disclosure and reporting

Depending on the industry and for certain types of organisations, there will be various areas which carry disclosure and reporting requirements. Some of these are formal, but others will be more around demonstrating to regulators that action is being taken.

Cybersecurity

Cybersecurity remains a significant problem for everyone. Compliance relating to cybersecurity matters is not necessarily required by regulators but is very important for certification such as ISO 27001. It will also be very important internally for organisations, and certain measures may also be demanded by key customers in B2B scenarios as well as by professional indemnity insurers.

HR and employment

Employment law requires compliance around particular processes including recruitment, promotion, disciplinary procedures and terminating positions. This is a key area where managers in particular must follow due process.

Sales and marketing

Sales and marketing processes will need to follow consumer laws, but in some sectors there are additional processes that must be followed, for example in financial services.

Environmental

As the climate crisis starts to bite, environmental regulation and reporting will increasingly become important in the compliance landscape.


In which sectors is compliance particularly important?

Compliance is important for all organisations, but there is particular emphasis across some industry sectors or types of company. Here a failure of compliance can be a significant issue.



Sectors include:

  • Construction and engineering: these sectors have strict regulations to follow around health and safety, as well as relating to the specific construction and engineering projects.
  • Financial services: this sector is heavily regulated, for example with processes that must be followed to prevent the misselling of financial products and to reduce fraud.
  • Healthcare: healthcare depends on strict compliance with everything relating to the provision of care, as well as the protection of patient data.
  • Public sector and government: public sector organisations often have very strict processes around reporting and recording data, as well as other core activities such as procurement and contracts.
  • Utilities and mining: this is another sector where health and safety is critical and where there are also strong environmental regulations that must be adhered to.
  • Manufacturing: health & safety is important in manufacturing, not only in the process but also to ensure that products are safe to use.
  • Professional services: sectors such as accountancy and the legal industry are subject to sets of regulations including relating to professional practices, conflicts of interest and how services are marketed.
  • Aviation and transport: there are regulations around safety, treatment of passengers and more.
  • Gaming: gaming is a sector which is heavily regulated, particularly with measures that are designed to reduce gambling addiction.
  • Listed companies: listed companies have many different rules relating to reporting and disclosure with different procedures in place to protect against fraudulent practices such as insider trading.

What are common reasons for compliance failure?

There are a number of common reasons for compliance failure. Of course, organisations can never completely eliminate the risk of not complying, but they can do a lot to mitigate the risks around it.

Lack of process

Compliance requires having the right processes in place that align with compliance commitments. Where there is a lack of formal or clear process, there is a risk of not following the right process steps or rules. A badly designed process can also create risks.

Lack of monitoring and controls

Important areas of compliance need much more than a fingers-crossed approach to hope that everything is being followed. Organisations will need to have the right monitoring tools and controls to support compliance.

Lack of training and awareness

Most compliance relies on the right actions, decision-making and even goodwill of employees. Where there is not the right level of training and awareness, there is a chance that employees will not follow the right steps, increasing the risk of non-compliance.

Lack of a compliance culture

Some organisations have a strong compliance culture and a low appetite for risk, particularly in sectors such as energy and financial services. In some organisations – or in particular teams within that organisation – there may be a higher appetite for risk where corners are cut and sometimes a blind eye is turned to non-compliance.

Leaders don’t set an example

In organisations where there is a lack of a compliance culture, it may be that leaders and senior managers don’t set an example, increasing the risk of behaviours that can lead to non-compliance, or a lack of maturity relating to monitoring and reporting.

Lack of ability to report to third parties

Sometimes compliance is down to demonstrating to third parties that approaches to supporting compliance are in place, such as employees completing annual training. Not having the right reporting software in place can undermine the ability to demonstrate successful compliance.


What are the consequences of non-compliance?

There are a variety of different consequences associated with a failure to comply. These range from relatively mild to extremely serious.



Fines and worse

An organisation found to have failed to comply with regulations can face a significant fine that can stretch to millions of dollars, pounds or euros. Even if this is covered by an organisation’s indemnity insurance, it will mean premiums will rise. The consequences can even stretch beyond financial penalties, with the potential for executives to be banned from practice or even jailed if there is evidence of criminal activity.

Legal action

A failure of compliance can result in legal action. Whether this is successful or unsuccessful it will result in having to pay out legal fees, not all of which may be recovered. Sometimes organisations choose to settle out of court. Again, even if this is covered by insurance, it can mean premiums have the potential to rise.

Business disruption

One aspect of ongoing legal action or an investigation that is not often stated is the significant business disruption it can cause. Senior leaders and internal teams may have to spend significant time and energy focusing on it, while still having to manage “business as usual”. It can also be stressful and an ongoing distraction that can disrupt plans.

Processes may also have to be redesigned to avoid it happening again. It’s a disruption to operations and growth that nobody wants.

Suspension of activities

On rare occasions an organisation might have to suspend its activities due to a serious failure to comply, either because this is demanded by a regulator or authority, or because it is deemed necessary to make an urgent change to operations.

Reputational damage

A failure of compliance can cause significant reputational damage, both with consumers and internally with your employees. Data breaches, high profile accidents and financial misconduct can all damage confidence in your brand, and the record is permanently there on the internet. When there is an ongoing investigation or legal action it will also continue to appear in the news and cause damage.


The importance of policy management in compliance

Of course, there are huge amounts that need to be done to avoid compliance issues in some organisations, from introducing corporate governance procedures to redesigning processes to fundamentally shifting organisational culture. However, there are also more operational and tactical changes that can make a real difference, including taking a more robust approach to policy management.




Having the right policies and procedures in place and making sure that employees can easily access and find these is a foundation for compliance. This ensures:

  • Employees are aware of the policies and procedures they need to follow.
  • There is clarity over the finer detail of the procedural steps and guidelines that must be adhered to.
  • There are no misunderstandings about what is mandatory for compliance and what isn’t.
  • External regulators can see that policies are being effectively managed, and an organisation is doing what it can to support compliance.
  • Organisations are protected in case they need to take action against employees who deliberately choose not to follow compliance-related rules.
  • Employees are protected in case organisations try to unfairly blame them for a failure to comply.

The role of policy management software to prevent compliance failure

However, sometimes policy management is easier said than done. Despite the best intentions to introduce robust policy management to prevent a failure to comply, in practice organisations trip up because:

  • Employees simply can’t find the policies they need, and therefore might not even be aware there are rules they need to follow.
  • Policies are not adhered to due to a lack of easy access.
  • There are multiple versions of policies in circulation, causing confusion, with employees not sure which to follow or even following the wrong policy or procedure.
  • It becomes very difficult to let employees know about a change to a policy.
  • It is impossible to report on effective policy management or the successful dissemination of policies to third-party regulators or certification bodies.

All of the above can result in an increased risk of compliance failure.

However, policy management software can do some of the heavy lifting around policy management and help to avoid many of the issues mentioned above. A policy management solution like Xoralia does this by:

  • Creating a central policy library that everyone can access, and where everybody can find the policies they need.
  • Ensuring there is one source of truth with strict version control to eliminate duplication of policies circulating.
  • Enabling policy management lifecycle features such as review reminders to support policy owners in keeping policies up to date.
  • Including employee attestation and even e-learning features so that employees confirm they have read and understood a policy, and are tested to ensure that knowledge is embedded.
  • Using personalisation and targeting to ensure employees find and view the policies that are relevant to them, but also are aware when there are updates.
  • Enabling compliance reporting to help internal policy management but also to show to external parties to confirm compliance efforts.

It’s critical to minimise the risk of a failure of compliance

Compliance is king, particularly in regulated sectors and a failure to comply can be very serious. There are various measures and tactics that organisations can carry out to minimise risks around compliance failure, including introducing better policy management. If you’d like to see if Xoralia could help reduce risks in your organisation, then why not book a free demo?


Power Automate workflows


Power Automate is a cloud-based workflow automation tool that helps individuals and organizations automate their business processes. With its easy-to-use interface and pre-built connectors, Power Automate allows users to create custom workflows that automate repetitive tasks, streamline business processes, and integrate with other applications.

One of the many use cases for Power Automate is creating template documents. This can be particularly useful for businesses that frequently create standardized documents such as contracts, proposals, or invoices. With Power Automate, users can automate the creation of these documents by using pre-built templates, merging data from other sources, and even automating the approval and sending process.

Another benefit that Content Formula utilises is the ability to automate the document lifecycle beyond the creation of the content using the template. This includes anything from a simple one-step approval process to a complex set of multiple workflow streams triggered using different metadata, which to the end user seems like a simple click of a button.

To ensure these processes are entirely relevant and valuable, the first project step we take is to run a discovery process. During this meeting we delve deep into your current business processes and also your desired process; then, with our specialist knowledge, we try to simplify the process even further before implementing the Power Automate flow.

While implementing the Power Automate flows, we also utilise the power of Active Directory groups. For any of the flows, for example a document review or approval process, the automated audience used can be linked to an Active Directory group. This allows for a dynamic approach to the document lifecycle, making sure the efficiency of document updates is kept at an all-time high.

The process shown in our video demonstrates a document review and approval process. These processes have been configured to take different actions and use different styles and methods of communication to meet the requirements analysed during the discovery process.

In summary, with our specialist knowledge in Power Automate, workflows and policy management solutions (enhanced with Xoralia), we can create efficient automated processes to meet multiple criteria.

Creating a change management policy: why it’s important and what to include





Managing change is challenging for every organisation and its employees, especially in the fast-paced and ever-changing current business environment. Working patterns, use of technology, the services offered to customers and organisational culture are just some of the areas where there has been a shift in the past few years, and navigating through that change can take a lot of effort, at the organisational, team and individual level.

To help make any process of transition or change easier and more effective, many organisations choose to establish a formal approach to change management that can help with the adoption of new technologies and practices.

Having a policy is a good way to formalise the approach to change management. The level of formality required in the policy can vary depending on the organisation's needs. It can range from a comprehensive methodology that everyone must follow, to a set of guidelines that offer a more general direction or can be applied to different use cases. In both instances, having a change management policy can add value to your organisation.

In this article, we will explore different types of change management policies, the features that should be included in the policy, and how to disseminate the policy throughout the organisation.

What are some of the different types of change management policy?

Change management policies can vary based on the organisation's scope and focus. Some policies may cover the whole change management methodology and philosophy, while others may be more specific to managing change in certain areas to reduce risks.

More comprehensive policies will cover a broad range of change management areas, such as project management, IT change management, stakeholder management and changing user behaviour. Generally, these policies might have an overarching philosophy and set of steps, but then also provide detailed guidance on how to apply the methodology to different scenarios. This may be an integral part of an organisation's overall project methodology.

Sometimes change management policies are more specific to a certain scenario or use case, which means there could be more than one within any organisation. For example, there might be a very specific policy for IT change management, which outlines the detailed process that must be followed to ensure that technology changes are implemented correctly, as well as adopted.

Defining the scope of the policy

When developing a change management policy, it's essential to define the policy's scope and focus. This will help determine what needs to be included in the policy. The scope of the policy should clearly state who the policy applies to, what processes it covers, and to what extent it must be followed.

Establishing a definition of a policy provides the clarity that employees need and better positions it as an “official” document, which can then be placed in a central policy library that's easily accessible to everyone. This will also help ensure that the change management policy is visible, findable and up to date.



What should be included in a change management policy?

There is no standard set of elements to include in a change management policy and in practice policies may vary considerably from organisation to organisation, or even from function to function. However, here are some common features that are included in change management policies.

Scope:

As mentioned earlier, the scope of the policy should clearly state who the policy applies to, what processes it covers, and to what extent it must be followed.

Policy information:

The policy should also include information such as the version of the policy, the date it was issued, the date it was last reviewed, who is responsible for the policy, and who has reviewed the policy. This helps to ensure that everyone understands the importance of the methodology and that they are confident they are using the latest version.

Definition of change management and relative scenarios:

It's helpful to define what is meant by change management. This term can mean different things to different people and cover elements such as adoption, support, training, communications, stakeholder management, user research and more. It is also useful to explain the different use cases that the change management policy covers, such as external projects, internal projects, IT changes and technology roll-outs, product launches and more.

Steps for change management:

Most change management methodologies have defined steps that indicate the kind of change management effort required over the lifespan of a project and potentially beyond. These steps should be clearly outlined in your policy, providing an overview of what needs to be done at each stage and also the reasoning behind it.

Very often change management policies are based on a change management philosophy such as ADKAR, which is a popular five-step model that we use here at Content Formula. With ADKAR, each step relates to different stages of changing user opinion and behaviour, so there is a very logical sequence and rationale behind the different stages.

Detail of change management techniques:

The change management policy also needs to cover the detail of some of the specific change management techniques and tactics to follow, so that people can make the right change interventions and actions at the optimum time. Techniques outlined in the policy could also be illustrated and supported by useful assets such as diagrams, presentations and even spreadsheets. There could also be specific techniques around areas such as budgeting, risk reduction, documenting change processes and more.

Link to valuable resources:

Change management is a topic where there tend to be a lot of useful resources available, as well as expertise. Your policy might include links to valuable resources, both internal and external, that can be useful reference points. There may also be a team or experts that people can contact to ask questions or seek support.



How should I disseminate a change management policy?

The way you disseminate a policy is important and will depend on factors such as whether it is mandatory, how often it is updated and if it is just being applied to a specific group such as project managers. Generally, it should sit where all your other policies sit – ideally in an easily accessible policy library, perhaps available through your intranet. Here a policy management solution like Xoralia can help in establishing one source of truth where policies can easily be found.

A policy management solution can also help you inform employees about the policy or when there are changes. If the policy is mandatory or very important, you can use employee attestation features so that all employees or a particular targeted group have confirmed they have read and understood the policy; with Xoralia you can even ask them questions to help embed understanding of the policy.

Implementing a change management policy

Change is an inevitable part of organisational life, and it is essential that organisations are prepared to manage change effectively. Creating a change management policy ensures there is a structured and systematic process in place and will help employees and organisations navigate the ever-changing workplace.

If you’d like to see how Xoralia can support you with your change management policy, then book a demo!


How to create a policies and procedure manual





Organisations spend a lot of time and energy trying to make employees follow particular policies and processes. This helps to drive efficiency, minimise risk, standardise operations, ensure compliance, support customer service and more. While creating and managing policies and procedures isn’t necessarily the most exciting activity, it’s undoubtedly critical.

One of the ways that organisations do this is by establishing a policies and procedures manual that provides employees with the “official” line on different aspects of work, including the way processes are carried out and any associated rules. It also provides guidelines to support decision-making. Given the importance that many teams place on creating robust policies and procedures, it’s often surprising how informal their approach to doing so is. In this post, we’re going to explore some of the ways that can help you to create and implement an effective policy and procedures manual or handbook.

What is a policies and procedures manual?

A policies and procedures manual is usually an overarching document or collection of documents or pages that gathers together a number of related policies and procedures. It’s usually different from a single policy or procedure because it generally consists of a collection of them.

Examples of a policy and procedures manual include:

  • an employee handbook which might be read or referred to when a person has joined the company as part of the onboarding experience
  • a series of sales processes and procedures for sales staff
  • processes to follow for call centre staff
  • a bundle of different IT policies to follow.

A manual might also be referred to as a handbook or even sometimes a playbook, although the latter term tends to be more around providing different options on how to get things done.

Why is a policies and procedures manual important?

For many of the reasons already stated, policies and procedures are a key part of organisational life. They ensure an organisation runs smoothly in the day-to-day in a consistent way, ensuring compliance with legal and regulatory commitments, and supporting professional conduct. An organisation without clarity over different policies and procedures is opening the door to risk, inefficiency, and chaos.

The “manual” or “handbook” for policies and procedures is a standard, effective, familiar and trusted way for employees to access what they need to know, providing an essential reference point and one source of truth.




Seven tips for creating and implementing a policies and procedures manual

It’s worth bearing in mind that establishing a good policies and procedures manual encompasses many of the general best practice approaches to managing policies. However, it is slightly different from managing a single policy.

Here are seven tips for creating and implementing a policies and procedures manual.

1. Work out the scope

The first thing to consider is always the scope of your manual. This will usually be focused on a particular theme such as employment, health & safety or professional responsibilities. Your manual might also be geared towards a particular group or role, such as managers, sales staff or plant workers.

In working out the scope, it’s always worth getting a balance between the information you want to convey and the main questions that a person will ask when making decisions or following process in their everyday work. You don’t want to make a manual too long, overwhelming or confusing so it puts employees off from using it.

2. Manage each section as a separate policy

A manual is made up of a series of policies. It really helps to manage each section of the handbook as a separate policy. For example, different teams might be responsible for different sections of the handbook, so breaking it into sections makes governance and lifecycle management easier. Moreover, if you need to update a certain section you then don’t want to have to update the whole of the employee manual.

Perhaps most importantly, having different sections as separate policies even if presented as a single handbook, will naturally make it more digestible and easier to navigate for users.

3. Establish robust governance and lifecycle management

Governance and lifecycle management are essential pillars of managing policies. Always ensure this is applied to your handbook with clear ownership and responsibilities, and processes for reviewing and renewing each section.

You can use a dedicated solution like Xoralia to support the management of each section, for example notifying owners when they need to review the policies they are responsible for, and providing dedicated views of the status of each policy. It cannot be stressed enough how important this element of policy management is; otherwise sections of your handbook can go out of date.

4. Present in digestible chunks via one source of truth

A policies and procedure manual must always be presented via one source of truth. Having two versions of a policy – for example reproducing an original policy as part of a manual so there are two versions – is never a good idea. Not only does it mean that you have to maintain and update two documents or pages, but there is the risk of one section contradicting the other. It can also cause confusion for users when results are presented in search.

However, presenting a whole handbook to users can present a challenge, especially if you are managing policies within separate documents or pages. In this case you may want to present a landing page as an overview of the handbook that then breaks down into separate pages or links out to different documents, ensuring that you have that one source of truth. Within SharePoint, embedding an original document within a page via the file viewer web part can also be an option. Taking this kind of approach also means your handbook is presented in a more granular and digestible format for people to find what they need and avoids people having to plough through an enormous and unwieldy PDF.

5. Reference other policies

It can be tempting to cram too much into a handbook, and sometimes you may need to refer to other policies within your company that might be more peripheral to your handbook. Usually, it’s better to link to other policies rather than including or repeating that policy within your handbook structure; otherwise, things can get complicated very easily and employees can get overwhelmed with too much information.

6. Make it easy to read and access

Sometimes a policies and employee handbook can be written too much from the standpoint of the person or team responsible for it, rather than for the user. This is a mistake because a policy and procedure manual is there to be read and referenced. If it’s complicated, difficult to access or written in off-putting “legalese” then it won’t get used.

Of course, sometimes it is necessary to have detailed versions of policies that do need to be written from a risk, legal or compliance view to protect an organisation and its employees. However, on a practical level, nobody is actually going to read the small print, so it’s always important to have a readable and actionable version of a policy. It may also be important to make sure your policies are translated into a particular language or languages if you’re working in a global company with a multi-lingual workforce.

Your manual also needs to be easy to access and reachable from channels that employees have access to. An intranet is usually a good place for people to access a central policy manual.

7. Consider using policy management software

Policy management software can help with all the above, from supporting governance to version control to establishing one source of truth to present your handbook. A solution like Xoralia takes away a lot of pain and effort associated with policy and procedure management and ultimately helps employees to follow the right processes and make the right decisions.

Creating the perfect policy and procedure manual

Creating and implementing a strong policy and procedure manual that will help employees in their daily work is important. By following the right approaches, it can also be relatively straightforward to achieve, but it’s important to get the details right. Using policy management software like Xoralia can make this easier to achieve and do much of the heavy lifting.

If you’d like to see how Xoralia can help you, why not get in touch or even arrange a free Xoralia demo?


The top 10 HR policies every organisation should have


Policies are an important part of organisational life. They help establish processes, provide clarity on rules, support efficiency, minimise risk and ensure everyday operations go smoothly. A particularly important policy area is HR and people. When it comes to employment, most companies have a set of policies that relate to different areas of HR such as annual leave, pay & benefits, health & safety, and more. Some of these will make up an employee handbook and should be easily accessible, perhaps on the company’s intranet or HR portal.

However, resource-challenged HR teams can sometimes find it hard to keep these policies up to date and ensure employees can easily find them. In this post we’re going to look at ten of the most important HR policies every organisation should have, and how a solution like Xoralia can help busy HR teams manage their HR policies and make them easily accessible for employees.

What are HR policies?

An HR policy is a document or set of statements that sets out an official, standard position relating to HR, people and employment-related processes. It might contain the overall rationale and approach relating to an area of HR such as professional conduct or pay and benefits, and then a more detailed set of procedures and rules. HR policies often come with additional guidelines to help managers and employees to follow them.

Why is it important to have HR policies?

As every HR department knows, it’s critical to have clear, up-to-date HR policies that all employees can access. This is important for several reasons:

  • HR policies help guide employees to carry out the right people-related processes and procedures, helping drive efficiency, consistency and standardisation.
  • HR policies help to define an organisation’s employee value proposition so employees know what to expect and understand all the benefits they experience.
  • HR policies define professional conduct and expected levels of behaviour to support a safe and optimal working environment.
  • Policies also establish expectations around performance, to help employees succeed in their role.
  • Having the right policies helps establish a culture of fairness and inclusion, supporting important areas such as Equity, Diversity & Inclusion (EDI).
  • Policies help managers to make the best decisions in managing their team and also ensure consistency in decision-making.
  • HR policies ensure an organisation adheres to legal, regulatory and compliance commitments, reducing any associated risks.
  • Having the right policies also helps the HR team to streamline their operations to provide consistency and drive efficiency.
  • Policies should also support change management within the organisation.

What are the ten most important HR policies?

Let’s look at ten of the most important HR policy areas where every organisation should have a clear policy available for staff.

1. Pay, benefits and rewards

Policies relating to pay and benefits are always going to be a key area, providing information that staff need to access on a regular basis. Policies relating to rewards will establish everything relating to salaries and benefits, covering the details around overtime, who is eligible for benefits, processes around salary reviews, any bonus scheme, the company pension scheme, any choices relating to benefits and more.

2. Performance management

Performance management policies help to establish expectations around the performance of employees and provide clarity on processes that are put in place to support performance. This will include annual performance reviews, providing ongoing feedback around performance, details around promotions and any links between performance and rewards. The policy or policies will be a valuable reference point for employees and managers.

3. Professional conduct and disciplinary procedures

Most companies have policies relating to professional conduct and expected levels of behaviour, and these will usually be a core part of the “employee handbook”. The policy will also usually detail disciplinary procedures in the event of misconduct. It might cover specific use cases for certain industries where there are regulations, for example relating to receiving and declaring gifts in financial or professional services.

4. Annual leave and absence

Everyone needs clarity around policies relating to annual leave and absence. A policy in this area could cover elements such as annual leave allowance and how this relates to role and tenure, details of maternity and paternity leave, approaches to volunteering and if an organisation allows for any absence, compassionate leave, sick leave, whether the annual leave allowance rolls over from year to year, and so on. This is a key area where it is essential to have everything written down and where employees and managers can access all the necessary information.

5. Home and hybrid working

Since the pandemic, hybrid and home working have become a common pattern of working. It’s still a relatively fast-moving area with some senior management keen to get more people to return to the office. Having clarity is king and having a policy is valuable. This might encapsulate the expectations of the company relating to hybrid working, the rights of employees to work from home, the level of discretion managers have in defining working patterns for their team and so on. There may also be related processes relating to health and safety at home, working in the office and booking desks.

6. Health, safety and wellbeing

Health and safety at work has been an area where many companies have strict policies for compliance and risk purposes. In particular companies in certain sectors such as mining, utilities and engineering will feature health and safety policies prominently; sometimes the policy may not always be the responsibility of HR, and there will be a separate team. Health and safety can also apply to homeworking, with risk assessments relating to workstations being a legal requirement. Wellbeing is also a related area with HR functions increasingly having policies that better support staff, particularly relating to mental health issues; sometimes a wellbeing policy might be separate to a health & safety policy.

7. Learning and development

Learning and development is central to employee experience. A policy will cover both the expectations and opportunities around learning and development, including areas such as any mandatory training that needs to be carried out, professional training or Continuous Professional Development (CPD), learning for new staff as part of employee onboarding, and optional training, for example around softer skills. A policy may also cover learning budgets.

8. Diversity, equity and inclusion

Diversity, equity and inclusion (EDI, also sometimes DI&E) is an important area for many companies with a raft of potential benefits. Many companies support EDI with a range of different measures including support for employee affinity groups and accessibility. The policy could cover a business’s commitment to diversity and inclusion as well as measures that have been put in place. A policy in this area is sometimes shared externally as employers are keen to display their credentials, particularly in relation to recruitment.

9. Recruitment and onboarding

Recruitment and onboarding is another area where there is a complex set of processes with many moving parts, and there is actually likely to be more than one policy. Managers will need to know the process around hiring a new person and the details such as role descriptions, interview protocol, involvement from the HR team and so on. Employee onboarding is also very process-led with a set of tasks involving multiple functions required to set up a person with all they need by their first day, and then a programme of learning and engagement to follow. There may also be a policy detailing a referral programme for employees who introduce people they know to fill a position.

10. Whistleblowing

It’s not always considered a core HR policy but actually a whistleblowing policy is very important, helping drive a culture of transparency, reducing fraud and supporting ethical practices. A whistleblowing policy will state an organisation’s approach to whistleblowing and also the process, which usually involves contacting a third party service.

How Xoralia policy management software can help

HR teams tend to have many policies that must be kept up to date and are frequently accessed by employees and managers. Without a comprehensive and consistent approach to policy management there is always the danger of a policy not being kept up to date, multiple versions being in circulation or employees not being able to find a policy and then continually emailing the HR team, asking for the latest version of a document.

A dedicated policy management solution like Xoralia enables busy HR functions to streamline their approach to managing policies and makes it very easy for employees to find the policy they need. Xoralia achieves this by:

  • Providing one source of truth for HR policies
  • Having an easy-to-access, searchable single library that employees trust to quickly find the right policy
  • Using robust version control to ensure employees only find the latest versions of policy documents.
  • Including policy lifecycle management features such as granular permissions, automated reminders, approval workflow and dedicated reports to help busy policy owners across HR teams keep their policies up to date.
  • Enabling employee attestation features to help notify users about policy changes
  • Supporting personalisation and targeting so the right people can see the right policies, which is particularly useful for global organisations where some HR policies might be location-specific.

Need help with HR policy management? Get in touch!

Managing your HR policies is important and a solution like Xoralia can help. Why not schedule a free demo?

During the demo, we'll walk you through Xoralia’s various features and functionality, providing plenty of time for you to ask our experts questions along the way.


Seven common mistakes made in policies and procedures management


Policies and procedures management has never been the most glamorous business activity, but it has continued to prove to be one of the most useful – providing clarity for employees, reducing risks and underpinning efficiency. When employees can find all the policies and procedures they need, it helps them get things done quickly and successfully, and ensures they are following the right processes and making better decisions.

However, not every organisation carries out policies and procedures management as well as they could. Mistakes are common and when this happens it can lead to problems; employees cannot find the everyday policies they need and end up having to contact policy owners and wasting time. Even worse, employees may follow an out-of-date policy or simply ignore a policy that they cannot find, leading to potential risks.

In this article we’re going to explore seven of the most common mistakes made in policies and procedures management and how a solution like Xoralia can help avoid making them.


1. Not actively reviewing and updating policies

One of the main mistakes organisations make is not actively reviewing and updating their policies so they go out of date. This happens surprisingly often – a policy gets written with good intentions, usually to embed a change of rules or to clarify an area where there are particular risks. It might be then placed on the intranet as a useful reference resource. However, when the rules perhaps change – even if only slightly – the original policy never gets updated.

This has two impacts. Firstly, it means people simply don’t follow the right process. A new starter joins, downloads the policy, and will assume that it is up to date. Secondly, many employees realise a policy document is not up to date, so they simply ignore it. This also undermines confidence in whether other policies are up to date too. A central pillar of policy management has to involve actively reviewing and updating policies.


2. Not providing a central access point to browse and search for policies

Most organisations have policies, but they are not always easy to find. In fact, they tend to be distributed across multiple repositories. Some in a Microsoft Teams space. Some spread over SharePoint intranet departmental sites. Some within the HR platform. Some in the IT service platform such as Service Now. Perhaps others on the shared file drive. And some even only available by emailing the right person.

When policies are distributed like this they are very hard to find and access – and in practice people end up ignoring them, using out-of-date versions or relying on email to ask colleagues for policies, which is highly inefficient.

Many of these issues are solved by having a central access point for employees to browse and search for all the different policies they need. This might be available via the intranet or perhaps via a central SharePoint site. Providing one central access point for policies means employees can find the right policy quickly. A core capability of most policy management software like Xoralia is establishing that centrally accessed policy library that employees trust and find useful.


3. Not applying version control

One of the biggest mistakes in managing policies is not properly applying strict version control to policies that are in circulation. When there are multiple versions of the same document floating around it gets very confusing. Employees don’t know which is the latest version and either end up using the wrong policy, or have to contact the policy owner to get sent a version that is up to date.

A variety of different approaches can support version control, including a document management solution like SharePoint or dedicated policy management software like Xoralia. Ensuring each version has an updated number, providing version information within the document itself and ensuring existing versions are replaced, also all help support version control.


4. Failing to communicate a policy change

Often when there is a policy change, it’s important that employees know about it, as it usually means a change of process or rules. But some organisations fail to communicate either that a policy has changed or what the change actually is. Employees who might actually be used to carrying out a process are very unlikely to refer to a policy to check if something has changed; this means that the policy change is effectively worthless as nobody is following it.

Some policy management solutions like Xoralia have features that let employees know both that a policy has changed and what the change is. These include personalised notifications alerting a user that a particular policy has changed as well as employee attestation processes to confirm that they have read the new policy. In Xoralia you can even ask specific questions so they can confirm they have understood and accept the particular change.


5. Not having clear ownership of policies

Effective policy management requires clarity over who is responsible for keeping each policy up to date. If you don’t have clear ownership of policies, then they simply won’t get updated. People may assume it is the responsibility of somebody else – and when a person leaves a company, then a policy may even get forgotten about.

Every policy needs to have a named individual associated with it who is the clear owner. While a policy might be the responsibility of a department or function, ownership should not be just at the team level. There needs to be an individual who is responsible for keeping a policy up to date and actively manages updates.


6. Making policies hard to understand and find

Policies are there to help employees follow particular processes, complete tasks more easily, reduce risks and make the right decisions. However, some policies are not always easy to follow or understand. This can be down to a variety of reasons:

  • The title of a policy might be wrong or ambiguous so it makes it hard for employees to find
  • A policy may be written more in “legalese” or use specialist language or terms that make it harder to follow
  • Some policies may be especially hard to follow for employees who are not native speakers of the language the policy is written in – and sometimes it may be necessary to perform a translation.
  • Policies may be too long and the important detail that employees really need to access is hidden inside pages and pages

Although policy management software can’t write your policies for you, it can help you think about structuring them in ways that make it easier for employees to find what they need, encouraging elements such as clear titles, targeting policies to the right audience, and keeping policies shorter and manageable.


7. Mixing global and local policies up

In complex international organisations there will be global policies, but then also regional or local policies that apply specifically to a region or country. This is particularly the case relating to HR processes or where there are differences in using different systems and applications. In companies built up by acquisition, local processes and systems can endure for a long time.

Sometimes when policy management is not rigorously applied it can be difficult to ascertain when a policy is local, regional or global. Sometimes global policies are tweaked to be localised but then not properly renamed. Sometimes an intranet or Microsoft search can return ten versions of the same policy – some global and some local. This means it is very difficult for employees to find the right policy to follow – and it also means that they may question if they use a global policy, whether there is also a local policy they need to find.

When you have global and local policies living side by side, active policy management and the ability to target policies to different audiences based on their location becomes critical.


How policy management software like Xoralia helps

Many of the mistakes mentioned in this article are completely avoidable. Having a dedicated policy management solution like Xoralia can help by:

  • Having a single policy library that is easily accessible to all staff through the intranet or within the Microsoft 365 digital workplace.
  • Having search and intelligent views with custom filters to allow employees to find the policies they need and make it clear what is a global and a local policy.
  • Having strict version control to avoid duplication of policies
  • Delivering content lifecycle management features that will ensure policies are reviewed and updated, and that there is clear ownership for each policy.
  • Ensuring that policies are now findable, visible, and trusted, encouraging policy owners to be more accountable and be more proactive in managing their policies and ensuring they are more readable and actionable.
  • Using personalisation and targeting to ensure that people get a view of policies that have been updated and which they must read, as well as access to the right regional and local policies relevant to them.
  • Including employee attestation and testing features so employees can confirm they have read an updated policy and also understood it, making it easier to communicate policy changes.
  • And many more!

Need to better manage your policies? Arrange a demo!

When it comes to policy management, organisations can’t afford to make mistakes. If you’d like to see how a solution like Xoralia can help, then arrange a demo!


Xoralia appears in ClearBox Consulting’s 2023 Intranet and Employee Experience Platforms guide


Xoralia is profiled in the 2023 edition of ClearBox Consulting’s Intranet and Employee Experience Platform guide. Xoralia is the only employee experience product that specialises in policy management to be included in the guide.

The ClearBox guide is recognised as the leading independent product guide to intranet and employee experience platforms and has been praised by digital workplace industry figures like Mark Kashman at Microsoft. The guide has been running since 2016.

With independent reviews written by recognised experts in the field, the latest 2023 guide has now been released. Amazingly, the 772-page guide is free to download and is an essential resource for anybody considering buying an intranet or employee experience product or wanting to keep up to date with what’s happening in the marketplace.

In the guide, the Xoralia profile provides salient details about the product. There is also a “ClearBox view” that describes Xoralia as a “useful digital workplace application that works well alongside a SharePoint-based intranet.”

ClearBox also praises various elements of Xoralia, including the “good variety of reporting available” as well as rich features such as employee attestation processes, which can be set for any policy and group in the Microsoft 365 environment, such as new starters. ClearBox comments “we liked the flexibility in this approach and the possibilities around employee onboarding it provides.”

ClearBox also regards Xoralia as providing a “more user-friendly place than SharePoint libraries” and also making “far more sense than trying to develop an in-house alternative” for businesses requiring stricter governance around their policies.

Want to experience Xoralia for yourself? Then arrange a free demo.

Ten policy management and compliance statistics you need to know for 2023


Compliance and policy management remains a critical activity for every organisation, particularly in regulated sectors such as financial services and healthcare. At a high-level there are many challenges associated with managing policies and reducing the risk around compliance. These remain, but increasingly policy management and compliance technology solutions like Xoralia are making a difference.

The challenges and role of technology associated with policy management are reflected in various industry statistics, some of which are truly eyebrow-raising. These numbers are useful in:

  • helping compliance and digital workplace teams consider how they can overcome challenges
  • feeding into useful conversations with business stakeholders
  • inserting into a business case for policy management software.

In this post we've gathered ten policy management and compliance statistics for 2023 which we think you'll find interesting. These are all from authoritative sources and while most come from more recent reports, some are a little older but are still valuable.

Here are ten policy management and compliance statistics you need to know for 2023.


1. Over 41% of organisations list updating policies and procedures as a major compliance challenge

In a survey from Metricstream, organisations were asked to list their top five compliance challenges. Three of the top four challenges listed were "updating policies and procedures", "tracking employee awareness and conducting compliance awareness training" and taking a "manual approach to compliance assessments, control testing and cases", each rated by over 40% of people responding to the survey.


2. 61% of compliance functions say high levels of regulatory change have made them less effective

In Deloitte's State of Compliance Survey, 61% of internal compliance functions said that recent increases in the level of regulatory change had had an adverse impact on the function's ability to perform its role effectively. This was up from 49% in 2020.


3. Between 2011 and 2018 the cost of non-compliance increased by 45%

Although published back in 2018, a report sponsored by Globalscope shows the eye-opening increase in the cost of non-compliance between 2011 and 2018. By benchmarking multinational organisations, the report reveals that the cost of not being compliant has risen by 45%, with a dizzying average cost of $14.22 million for organisations that experience problems. It is very likely that the associated costs are even higher today.


4. The cost of non-compliance is 2.71 times the cost of being compliant

The same report also calculates that the cost of being non-compliant is actually 2.71 times the cost of being compliant by using the right tools and training!


5. 51% of internal audit professionals rate compliance and regulatory matters as "high" or "very high" risk

The 2022 edition of an annual survey of internal audit professionals from the US Institute of Internal Auditors found that 51% of them believe that the area of compliance and regulation represents a "high" or "very high" risk to organisations.


6. 69% of executives don't have confidence that current policies will meet future needs

According to Ropes & Gray's Global Risk Management Report, just under 70% of executives fear that their current policies will not meet their needs in the future. Although this statistic is from 2018, it reflects a belief that policy management needs to be ongoing.


7. The global policy management software market will grow to over $3 billion by 2027

More and more organisations are choosing to use software such as Xoralia in order to help manage their policies. In fact, there is now a significant global market for policy management software that is growing at a rapid rate. Analysts Allied Market Research have forecast the global market to reach a value of USD 3.06 billion by 2027, representing a Compound Annual Growth Rate (CAGR) of 15.7% between 2020 and 2027.


8. Over two fifths of risk professionals think technology would help support compliance policy tracking

Many risk and compliance functions are leaning on technology to help them carry out their main activities, but there is always room for improvement. According to a report from ACA Group, 41% of risk and compliance professionals believe that their function would benefit from technology to support compliance policy and activity tracking.


9. 37% of organisations are not leveraging regulatory technology solutions

Compliance and regulatory functions are using Regulatory Technology ("RegTech") solutions such as Xoralia to help organisations meet their compliance obligations. However, there are a sizeable number of compliance teams who are not using RegTech. In Deloitte's State of Compliance Survey, 37% of organisations said they weren't leveraging RegTech with a further 9% saying they were unsure.


10. 95% of organizations have built or are trying to build a culture of compliance

According to Accenture's 2022 Compliance Risk Study (which is based on a survey), 95% of respondents have built or are working on building a culture of compliance throughout their organisation in order to share responsibility for compliance more widely.


Supporting compliance and policy management

The statistics show the continuing challenges around compliance and policy management, but also the positive role technology can play. Xoralia is an example of a solution that is making a real difference for compliance and digital workplace teams in helping them manage their policies by:

  • Enabling all employees to find all policies clearly and simply, supporting compliance processes and creating a culture of compliance
  • Reducing the manual overhead around policy management with automation, allowing busy teams to focus on more value-added work
  • Reducing risk by creating one source of truth – no more duplicate and out-of-date policies
  • Supporting owners to keep their policies up to date and be more accountable
  • Revolutionising policy-related communications and employee attestation processes to underpin compliance.

To get an idea of how Xoralia can help you, book a free demo.

