Assisting with Organizational Policies and Compliance with Policy Management

Part 5 in the blog series “The Business Case for MSPs Offering Employee Training and Enablement”

Your customers likely have some standards (whether internal or compliance-based) that employees need to adhere to. There’s an easy way for MSPs to provide the service infrastructure to enable this.

When businesses get to a certain size (usually right around the time when HR becomes more than just paychecks), they begin to care about establishing standards of conduct that employees must comply with. Many of your customers are dealing with the challenge of ensuring policies are communicated to and agreed upon by employees. Some of these include:

  • Code of Conduct Policy – This establishes the rules and policies for how employees are supposed to behave when in the workplace. 
  • Code of Ethics Policy – This is typically a guiding set of principles used as the basis for defining the manner in which employees should act that aligns with the organization's values.
  • Social Media Policy – This defines how employees should represent themselves and the brand when participating on social media.
  • Acceptable Use Policy (AUP) – This establishes what employees can and can’t do on the corporate network, when using corporate devices, and, perhaps most recently, when incorporating AI technology into the workplace, etc. 
  • Confidentiality & Intellectual Property Agreement (CIPA) – This defines the types of information that should be considered the confidential data and intellectual property of the organization; it should describe the company’s confidentiality requirements, and emphasize that the employee should err on the side of confidentiality when in doubt. 
  • Non-Disclosure Agreement (NDA) – This is for the employee to agree that sensitive information they may obtain from the company as part of their employment will not be shared with others.

At the same time, many local, state, federal, and international laws also become pertinent to the business, which must ensure established standards and processes are used or face penalties. Some examples that apply to a broad set of businesses include:

  • General Data Protection Regulation (GDPR) – This European Union (EU) standard applies to any business that may utilize the personal digital information of European citizens. It enforces specific requirements around the collection, management, sharing, and deletion of EU customer data.
  • California Consumer Privacy Act (CCPA) – This is a similar standard to GDPR but applies to any business that utilizes the personal information of California residents. 
  • Payment Card Industry Data Security Standard (PCI DSS) – This standard covers the security of any financial card data (e.g., debit or credit cards), including the storage, transmission and management of such data.

As an MSP, this may seem well out of your area of expertise, but providing the services that enable a business to operate most definitely is. So, if your customer needs a central means to ensure their employees understand and agree to act in accordance with all relevant policies and regulations, it makes sense that, as long as you as the MSP can cost-effectively provide the software, infrastructure, and so on necessary to make this possible, you should. There is a defined service that addresses this need: Policy and Compliance Management.

Enter in: Policy and Compliance Management 

If you’re unfamiliar with Policy and Compliance Management, it’s an approach designed to centralize the management of standards, policies, and controls that align with either internal, external, or regulatory mandates. In a more practical sense, it’s a way of centrally communicating to employees the way the organization needs to run and ensures each employee has the proper understanding to be able to comply. In a “what does my service look like?” sense, it’s usually a software-based solution you help manage for your customers where they can self-service their policy and compliance needs.

Some of the common basic functions that are a part of Policy and Compliance Management (and, therefore, such a service offered by you) include:

  • Compliance Training – There should be an ability to provide employees with training, videos, and testing to support the internal and external standards that need to be enforced.
  • Policy Management – Templated policy documents for review and attestation by employees should be supported, including versioning.
  • Attestation Tracking and Reporting – Centralized reporting of which employees have and have not taken training, passed exams, or agreed to the corporate policy is necessary for proper oversight.

There are more advanced features that some implementations will have, but given this is likely new to you, let’s stick with the basics—since you aren’t looking to become the leading experts on policy management. 

How Policy and Compliance Management Benefits the MSP

You may be wondering how offering “yet another” service benefits your business, given it feels so out of band from the other services you offer. There are quite a few ways offering Policy and Compliance Management benefits you, and it’s much more related to your existing services than you think.


  • It Supports Other Services – Parts of internal policies like the AUP and CIPA help to establish employee data handling and cyber hygiene expectations, which support the underlying efforts of your Cybersecurity service offering. Parts of the AUP can also help curb any “shadow IT” activities that only increase the time spent fixing employee-generated problems. 
  • It’s Low Touch and High Value – Depending on the platform used, this can be implemented in a self-service model, where the customer can do the ongoing management and all that you’re providing is the platform and the protection of its data.
  • It Creates “Stickiness” – This is a no-brainer way to further embed your business into your customers’ operations, which makes you that much more invaluable to them daily. 
  • It Adds Recurring Revenue – Organizations will see value in making an initial investment to set up their policies and also in ensuring these policies remain up to date, which calls for a recurring follow-up project. Consider the opportunity to provide an annual review of current policies to see what needs updating and whether they align with corporate and external standards.
  • It Reduces Business Owner Liability and Stress – This makes the MSP a trusted advisor in a practical sense, one whose impact the business owner will feel personally.

Your Customers Need Policy and Compliance Management

Any customer with more than, say, 15 employees will likely start to need to establish company policies, making certain each and every employee has both read and agreed to each relevant policy. You can leave this part of your customers’ operations up to them, or you can see the value offering such a service would bring to your business—especially when offered as part of a larger Employee Training and Enablement platform that includes other types of training and testing (such as Security Awareness Training and Microsoft 365 User Training). 

Policies and compliance are just one part of your customers’ overarching need to keep employees up-to-date on organizational standards, applications, processes, and more. By offering Policy and Compliance Management (via the broader ETE offering) you create an opportunity to augment a number of services, embed your business deeper into your customer’s operations, and create additional opportunities for revenue. 

In the next blog in this series, “The Business Case for MSPs Offering Employee Training and Enablement,” we’ll focus on how Employee Training and Enablement benefits the MSP in terms of customer acquisition, profitability, and revenue growth, while shifting a number of your services from strictly managing an aspect of your customers’ business to actually enabling them to help improve it.