Previously we looked at Why Policies Matter and The Principles of Policy Management from the newly published Policy Management Capability Model that I developed with OCEG for This week we turn our attention to the structure of a strong policy management capability in your organization, found in the Policy Management Capability Model (which is free and open source, but also has a training and certification program for policy management professionals and authors/subject matter experts as a Certified Policy Management Professional (CPMP)) . . .

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2019, I found my interactions increased even more. Organizations were restructuring their strategy, processes, and roles, and with the move to the work-from-home environment they found policy management to be anywhere from a complete mess to a disaster internally. Several organizations found that they had over 20 policy portals in their environment, and policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to try to find policies in the work-from-home environment and were very confused.

In this environment over the past year, organizations found policy management a critical element to address in order to communicate confidence, ease employees’ frustration and concern, reinforce a strong culture of ethics, and provide stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a singular portal for policies that engage employees.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need to have an intuitive and engaging policy portal for employees and consistency in policy management. There is also heightened concern about rogue unauthorized policies that open the doors to legal liability and a duty of care, particularly if managers at different levels think they are a little smarter than the rest of the organization and are writing what they think the COVID-19 related policies should be (e.g., personal safety equipment, vaccine policy). I am seeing a lot of attention being focused on structured policy management programs that provide a singular interface and process into all official and approved policies in the organization to reduce exposure to rogue unauthorized policies.

A structured approach to policy management is found in the Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at This comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world. I encourage you to look at this free guidance on what an effective policy management program looks like and adapt it to your environment.

There is a related training and certification program based on the model to become a Certified Policy Management Professional (CPMP). Several organizations are sending dozens of employees (in one case a healthcare organization is looking at sending 300 employees – being all policy management related staff as well as policy authors and subject matter experts) through this training so everyone is on board and shares the same vision of what an effective policy management program is in their organization. The goal in these organizations is to increase consistency and deliver efficiency, effectiveness, and agility in policy management and communications. It is also to define and enhance a culture of integrity in the organization.

There are also professional service firms as well as solution providers sending their staff through this training to better advise and deliver policy management strategies and solutions to their clients. This is a really exciting time for policy management!

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model


The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, Components operate concurrently, interactively, and also symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply, whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, and retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.


Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.
