Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.
Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
- Ad Hoc
In the Fragmented stage, departments have some structure and focus on policy management within their respective functions, but they are disconnected and not working together. Information and processes are highly redundant, manual, document-centric, and lack integration. With siloed approaches to policy management, the organization is still very document-centric. Processes are manual and lack standardization, making it hard to manage policies in a way that is efficient, effective, and agile.
Characteristics of the Fragmented Maturity stage are:
- Tactical siloed approach to policy management in different departments
- Starting to determine a lifecycle and structure for policy management, with pockets of good practice emerging
- Basic policy management tasks in place, and some standardization and qualification of a policy management lifecycle
- Policy management lifecycle and framework loosely defined but not automated
- Policy monitoring, governance, and processes not fully embedded
- Processes are defined at the department level
- Some areas of policy management are in place but are not approached in an integrated or structured way
- No integration or sharing of policy management processes between functions
- Reliance on fragmented technology and lots of documents
- Measurement and trending on policies and policy management is difficult
Key elements that identify that an organization is at the Fragmented stage are:
- Pockets of good practice emerging. The program has some pockets of good practice emerging, but they need maturing and integration across departments/functions for consistency.
- Blind spots. Businesses at this stage are still subject to blind spots, especially across the organization, as so much policy information exists in departmental silos and different portals.
- Inefficient. The departments can all be working hard to address policies in silos, but without a full picture of enterprise policies there is duplication of effort.
- Disconnected. Policy management is still being addressed in a disconnected way in different departments. Disconnected across departments, disconnected across policy domains and disconnected across systems. Not only is this inefficient, but it also means policy management can be confusing as it is not understood and addressed consistently across the enterprise.
- Manual. With little technology support in place and a reliance on documents and email, policy management processes fail to be consistent. This can slow your progress, with little ability to audit programs and activities.
- Hard to measure and monitor. While some data is beginning to emerge, it’s in disparate systems and incomplete.
Organizations in the Fragmented stage of maturity answer many of the following questions affirmatively:
- Are policy management activities tactical, disconnected from each other, and siloed?
- Does the organization lack an integrated policy management approach across the organization?
- Is policy information scattered across various documents and technology sources?
- Is it difficult and time-consuming to track and trend policy information and reporting?
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.