Policy management is the capability to establish, manage, monitor, and enforce policies to reliably achieve objectives, while addressing uncertainty, and act with integrity across the organization (adapted from the OCEG GRC definition).
Policies are critical to the organization to establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.
Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability. An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.
Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.
THE QUESTION: How is your organization approaching policy management? Can you map yourself to one of the following GRC archetypes of policy management?
- Fire Fighter. Your organization approaches policy management in an ad hoc fly by the seat of your pants approach. Policy management is not structured and policies are written or reviewed only when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about policy management. Policy management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have a master index of all official policies across departments and there are conflicting versions of the policy in existence (e.g., out of date).
- Department Islander. In this archetype, your organization has a more structured approach to policy management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in policy management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for policy management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of policies in different portals and file shares with inconsistent formats and templates.
- GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for policy management to provide consistent processes and structure for policy management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage policies to meet requirements. Most often there is a broader policy management platform deployed to manage policies, but some still rely on manual processes supported by documents, spreadsheets, and emails.
- Principled Performer This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Policy management is more than meeting requirements but is about encoding and communicating boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Policies are mapped to risks and objectives and actively understood and managed as critical governance documents of the organization. Policies are consistent in a defined template, language style, and the organization has a current index of all official policies of the organization. Policy management is tightly integrated with training to help communicate and ensure that policies are understood.
The haphazard department and document centric approaches for policy and training management of the past compound the problem and do not solve it. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.
GRC 20/20’s Policy Management Workshop
GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:
- Policy Management by Design Workshop, Tampa
- July 17 @ 8:00 am – 4:00 pm EDT
Strategy Perspective on Policy Management
- Policy Management by Design: A Blueprint for Enterprise Policy & Training Management
- Regulatory Change Management: Effectively Managing Regulatory Change in Financial Services
- Benchmarking Your Policy Management Program
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Research Briefings on Policy Management
Solution Perspectives on Policy Management
- RegEd CODE™: Enabling an Integrated Compliance Lifecycle
- NAVEX Global’s Agile Code of Conduct
- MetaCompliance: Effectively Managing & Communicating Policies