Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals. One organization I just talked to found they have 20 portals for policies, and each had different formats/templates and writing styles. This works against the organization that is trying to respond to a global crisis and provide a singular consistent view of policies and procedures across the organization. This is necessary to make sure there is one single source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. This is critically needed to be able to flag which ones need to be communicated in a time of crisis as well as modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular integrated approach to managing and communicating policies across the organization is growing. This includes:

  • Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
  • Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a consistent portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . .


  1. Hi Michael, an insightful posting as usual!

    I agree with you on the importance of systematic policy management, perhaps even a Policy Management System to support and enable all that. However, right now is arguably the worst possible time to specify, select and implement a PMS, given the urgent need for clarity and guidance around strategy, policy and controls relating to Working From Home, in particular.

    I’m quite sure many organizations have leapt en masse into WFH without even considering the associated information risks, plus the information and IT security controls, physical security, compliance, oversight, malware, backups, patching, VPNs, monitoring, privacy, incident management and other issues – not because they don’t care, but because they’ve been forced to press ahead, now. This is currently a business continuity/existential issue, which trumps all the above. However, once the dust settles, there will once again be opportunities to review and reevaluate – provided they survive long enough and fit enough to do whatever needs to be done.

    Meanwhile, we have the chance to plan and prepare for the recovery – hinting at the need for more policies, or at least thought-through strategies and approaches (which should precede policy) to transition from crisis management through recovery management to business as usual. The trick is to be prepared for future situations, rather than knee-jerk responses to current and recent events. And that, for me, is where the PMS approach comes into its own. It’s a crackin’ idea, just not yet.

    Kind regards,

    1. We have different points of view. Policies govern and authorize controls. Your perspective is from an IT security control perspective; policies are much more than IT policies. Working from home and supporting remote workers means revisions and communications of conduct, HR, accounting (e.g., expenses particularly), health and safety, and many other policies that need to be communicated and easily accessed right now. Employees need access to and understanding of changing and current policies in the context of adapting business processes and response to a crisis.

      The challenge with IT security people (and I cut my professional teeth in IT security in the 1990s) is they think myopically. Too many IT security professionals think that policies, risks, controls, and compliance are all about IT security. The reality is that is just a piece of what has to be managed and communicated right now. An important piece, but still just a piece.

      1. I agree there are several policies needed, not just information security … but my central point remains: now, in the midst of a crisis, is probably not the best time to attempt to implement a policy management system, or indeed any other new system, for fear of overwhelming organizations under extreme stress.
