The Foundational Role of Policies in GRC Strategies
Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.
GRC, by definition, is “a capability to reliably achieve objectives
[governance] while addressing uncertainty
[risk management] and acting with integrity
[compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:
- Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction.
- Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
- Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.
Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.
Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.
An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.
Hordes of Policies Scattered Across the Organization
Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:
- Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
- Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
- Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
- Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face misaligned policies, exposure, liability, and other rogue policies that were never authorized.
- Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
- Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
- Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where policy is breaking down, and how it can be addressed.
- Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
Inevitable Failure of Policy Management
Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.
If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.
With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.
The bottom line:
The haphazard department and document centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and define and approach policy management with a strategy and architecture to manage the ecosystem of policies programs throughout the organization with real-time information about policy conformance and how it impacts the organization.
Check out GRD 20/20’s additional policy management resources . . .
Workshop: Policy Management by Design Workshop in Dallas, October 11th
Research Briefing: How to Purchase Policy Management Solutions & Platforms
- This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.
Inquiry: Ask GRC 20/20 Your Questions on Policy Management
- This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.
RFP Template & Support: Policy Management RFP Requirements Template
- The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.
Written Research on Policy Management
- GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email firstname.lastname@example.org and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.