Last week we looked at Why Policies Matter from the newly published Policy Management Capability Model that I developed with OCEG for This week we turn our attention to the principles of policy management for those seeking training and certification as a Certified Policy Management Professional (CPMP) . . .

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management are:

  • Necessary – Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management-led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
  • Tailored – The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one size fits all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization. 
  • Integrated – Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered – At its heart, policy management is people-centered from employees, to clients, and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing – The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
  • Standardized – Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
  • Collaborative – Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible – Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
  • Engaging – Policies need to be clearly written and understood. This requires policy management processes that conform to consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic – The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

As you are developing the capability, consider ways to make these principles evident in the design and operation of policy management.

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.


Leave a Reply

Your email address will not be published. Required fields are marked *