Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s values, boundaries, practices, and expectations. Policies are the vehicle to ensure culture is defined and does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. 

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2019, I found my interactions increased. Organizations restructured their strategy, processes, and roles in the context of a work-from-home environment. In this process, they found policy management a complete mess of a disaster internally. Several organizations found that they had over 20 policy portals in their environment, and policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to try to find policies in the work-from-home environment and were very confused.

During and coming out of the pandemic, organizations find policy management to be a critical element to communicate confidence, ease employees’ frustration and concern, reinforce a strong culture of ethics, and provide stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a singular portal for policies that engage employees in a hybrid dynamic environment.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need to have an intuitive and engaging policy portal for employees and consistency in policy management.

There is also heightened concern about rogue unauthorized policies that open the doors to legal liability and a duty of care, particularly if managers at different levels think they are a little smarter than the rest of the organization and are writing what they think the COVID-19 related policies should be (e.g., personal safety equipment, vaccine policy). There is a lot of attention being focused on structured policy management programs that provide a singular interface and process into all official and approved policies in the organization to reduce exposure to rogue unauthorized policies.

Policy Management by Design Workshops New Content . . .

I am so excited that my most popular GRC workshop, Policy Management by Design, is back in person for deep, interactive, and free training on policy management! These workshops are interactive and engaging to learn from GRC 20/20 but also from each other. It is a great place to meet your peers in policy management and broader GRC and share your challenges and experiences to learn from others.

What is really exciting . . . there is all new content for this workshop! The updated workshop includes a structured approach to policy management found in the official Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at This comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world.

Policy Management is a critical enabling element of the organization’s culture, integrity, performance, governance, and risk management. This capability should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model


The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, Components operate concurrently, interactively, and also symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply, whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, and retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.


Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

Join us for one of the following free Policy Management by Design workshops coming to these popular cities over the next few months . . .
