Policy management is a critical component of a governance, risk, and compliance (GRC) strategy because it describes the desired practices and behaviors of the company under specific circumstances. Too often, the organizational approach to managing corporate policies and procedures is in complete disarray and chaos. The sheer volume of relevant laws and regulations, growing in both breadth and depth, cannot be grasped through the way enterprise behaviors are currently directed and coordinated.
The typical organization suffers from ineffective policy structures, content, coordination, lifecycle management, accessibility, accountability, and communication. As a result, organizations have:
- Policies scattered across dozens of places: There is no single authoritative source where policies and procedures are consolidated, maintained, and managed. No single portal exists where an individual can see the policies that apply to their role, structured to support efficient access.
- Policies bound by paper: With numerous printed policy manuals, the typical organization has not fully embraced online publishing and ubiquitous access to policies and procedures.
- Policies grossly out of date: In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, many organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.
- Policies have no owner: The typical organization has numerous policies and procedures that lack an owner responsible for managing them and keeping them current.
- Policies lack lifecycle management: Most organizations maintain an ad hoc approach to writing, approving, and maintaining policy with no defined system for managing the workflow, tasks, versions, approval, and maintenance processes.
- Policies do not map to exceptions or incidents: Typically, an established system to document and manage exceptions to policy is missing. Further, there is no structure to map incidents, issues, and investigations to policy, so the organization is unaware of where policy is breaking down.
- Policies do not map to standards, rules, or regulations: The typical organization does not have the ability to define and maintain a record of policies that address legal, regulatory, or contractual requirements. The organization does not have the ability to easily assess the impact of new or changing regulations that affect policy.
- Policies lack adherence to a consistent style guide: The organization has policies that do not conform to corporate style and templates. Policies use complex language and excessive legalese, and are often written in the passive voice, making them difficult to read.
I would love to hear your thoughts on the chaos, disarray, and hordes of policies you see scattered across organizations and corresponding GRC policy management strategies to address this issue.