Introduction to Good System Governance

Author: Jeanne Macarro, senior business/industry technical adviser, UL Solutions

Defining governance

To learn about proper governance implementation, it helps to begin with a definition.

Governance can be:

• A process of decision-making
• How decisions are implemented (or not implemented) 
• Systems of rules, practices and processes
• Essential for a company or organization to achieve its objectives (as well as maintain legal and ethical standing)

UL Solutions defines governance as “a formal framework for managing decision-making, operations, collaboration and communications related to the organization.” In other words, who makes the decisions about how the system will function, how will you be using the system, and what types of communication and collaboration are necessary?

Upon implementation of ComplianceWire^®, governance is critical to set system standards. Governance helps to create and then maintain the standards that were set upon implementation. It can also help to move things forward.

How can you determine where your company is with governance? To determine your current state, you need to do an honest assessment of the system to determine your baseline.

Here are some questions you can ask

• How is my company using the governance system? 
• Who is using the governance system? GxP? Non-GxP? External users?
• Who has administrative access? What security roles do you have in place?
• What does my company currently have in place for guidance and decision-making? Does my company have the proper procedures in place? What training is available for our users? 
• Have we had any observations during an audit? (Audits can help to identify gaps that exist.)

Assessing your system’s current state

Two tools that can be used to determine your company’s current state are the RACI model and a gap analysis.

The RACI tool is good to use for projects to clearly define roles. RACI is an acronym that stands for responsible, accountable, “consulted” and informed. Each of these represents the role and the level of involvement of an individual for a corresponding responsibility.

The person in the responsible role is the doer. They are responsible for getting the work done or making the decision. Every task has at least one person in the responsible role. The person in the accountable role is responsible for the overall completion of the task or deliverable. They won’t get the work done but are responsible for making sure it is finalized. Each task has one accountable role, so it is clear that this person owns the task.

The consulted person or people will provide useful information to complete the task or deliverable. It can be someone with critical knowledge, experience or information necessary to successfully carry out the task. There will be two-way communication between those responsible and those consulted. The informed people or groups will be kept up to date on the task or deliverable. This could be on the progress of the task or when the task or deliverable is completed. They won’t be asked to provide feedback or review, but they can be affected by the outcome of the task or deliverable.

The RACI method has several benefits. First, it requires that clear responsibilities be defined in an organization or project. The second benefit is that it provides an easy template that you can fill out. You know who to inform, who to consult and who you can go to for an approval request.

Another advantage of the RACI method is that you can see if the workload is shared evenly among the members of a group. If someone is entered as taking the responsible role too many times, that may be a bit unbalanced, and it may be a good idea for another person to take over some responsibility for an activity.

If you are interested in using a gap analysis, the approach is very basic and includes:

• Your current state, where you are now and where you determine your strengths and your weaknesses. What do you have in place? 
• Your desired state, where you want to be. It’s your future state or your ideal state. What do you want to have in place?
• Your action plan, what you will do to get from your current state to your desired state. What are your steps, tasks and key factors for change to close the gap? In other words, what needs to be done to get you to your future state?

The gap is what separates your current situation from your ideal situation, or your desired state, and can help to reveal the areas of improvement for many kinds of processes.

Essential documentation

There are four documents that should be considered, no matter how large or small your company is. They are:

The General Use and Operation document refers to your company’s use of the system. It should also define who will be using the system.

Some questions to ask

• Will contractors, interns and third parties also use the system? Remember: The login for these individuals may differ if you use single sign-on for full-time employees. 
• What can a user see and do in the system? Can they see training history? Catalog? Reports? Curriculum status?
• How does a user change their password?
• What types of training will you have in the system, and how will they be completed? 
• What requires an e-signature? Can a user submit a comment?

A System Administration and Maintenance procedure is specific to the administration and maintenance of your ComplianceWire^® system. Define who has responsibilities, and be specific about what those responsibilities are.

Some questions to ask

• Have you identified a system or business owner, and what is their responsibility?
• How are users added to the system? Hr feed? Manually? How are user accounts managed?
• What security roles will you have, and what can each role do in the system? 
• How do you train or qualify someone with a security role?
• How is security access handled? Who can grant a security role or change a security role? 
• Who handles system maintenance? 
• How are user groups, training items and curricula added to the system? 

A Training Policy defines what types of users will use ComplianceWire^® for training. (Full-time permanent is always assumed but should be stated. Will you also include Contractors? Interns? Seasonal?).

Some questions to ask

• What are your users’ responsibilities? (Be sure to include completing their training on time.)
• What is the department manager responsible for? System admin? QA?
• What types of training will be in ComplianceWire^®, and how will they be managed? 
• Are there paper records? Are they entered as historical training? Is the paper kept on file?
• How are you documenting on-the-job training? 
• How is external training handled? Are trainers qualified?

A Change Control policy defines who is responsible for system change control. This procedure can include roles and responsibilities for change control.

Some questions to ask

• Who can initiate a change control? Who approves it? 
• Does your company have change control classifications (minor, major and critical)? 
• Who handles system validation? How do you manage platform releases? 

Conclusion

So where do you want to go? The system and your organization will keep on evolving. Your governance practices need to evolve with it.

Governance needs to be a continuous conversation as you find new ways to use ComplianceWire^® and as you work toward your future state. A company with 20 employees will approach the system differently than one with 200 or 2,000 employees. Make sure that what works for you today will work for you in a year or two or five.

Governance is a pathway that will be different for every organization. Create a standard of excellence. There is always something to reach for. Think about continuous improvement and always making your ComplianceWire^® system better.