Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.
Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
- Ad Hoc
1: Ad Hoc
Organizations at the Ad Hoc stage of policy management maturity have ad hoc reactive approaches to policy management at the department level. Businesses at this stage do not actively manage policies; few if any resources are allocated to policy management. The department addresses policy management in a reactive mode — writing policies when forced to. There is no ownership or monitoring of policies, and certainly no integration of policy information and processes in the context of objectives, strategy, performance, and business change.
Key elements that identify an organization is at the Ad Hoc stage are:
- Blind-spots. Businesses at this stage are subject to many blind spots. Writing and monitoring of policies is disconnected with no defined structure or approach.
- Reactive. The organization addresses policies in a reactive, firefighting mode e.g., writing policies when forced to.
- Lack of ownership or accountability. No one has been appointed to take control of policies or policy management.
- Lack of process. There are no defined or consistent processes, lifecycle, or methodologies for managing policies.
- Under resourced. Few resources are allocated to policy management and governance.
- Manual. With little technology support in place and a reliance on documents, file shares, and email, policy management processes fail to be consistent.
Organizations in the Ad Hoc stage are very much in reactive mode and are likely to answer many of the following in the affirmative:
- Does the policy management program lack clear owners and accountability within departments and disconnected from each other?
- Are policies written and put in place after the fact, when the organization realizes it is exposed or someone is insisting on them?
- Is policy management largely undocumented, or trapped in silos of emails and documents?
- Does the organization lack any process, information and technology architecture to support policy management?
- Does the department or business function have no ability to report and trend on policies and policy management over time?
Characteristics of the Ad Hoc stage are:
- Siloed and ad hoc policy management practices
- No structured and ongoing policy management program
- No skills and resourcing dedicated to policy management
- No defined policy management roles and responsibilities
- No policy governance structure or matrix in place
- No defined policy management program
- Policies are written to put out a fire
- Ad hoc and reactive policy authoring and maintenance
- Document-centric approaches
- Ad hoc reactive approach that addresses policies as issues arise
- Little to no technology in place for policy management
- No visibility, trending, or analytics of policies or policy management
- No board or senior management sponsorship of policy management
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.