Developing a Policy Management Strategy
Organizations need a coordinated cross-department strategy for managing policies and training programs across the enterprise. The goal is to develop a common framework and approach so that policies and training are understood and managed as an integrated whole rather than a dissociated collection of parts.
Policies and training programs that are managed as dissociated documents, data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of policy and training across the enterprise and how it supports the organization’s governance, risk management, and compliance (GRC) responsibilities. The organization needs to have holistic visibility and situational awareness into policy and training across the enterprise. Complexity of business and intricacy and interconnectedness of policies and obligations requires that the organization implement a policy and training management strategy.
Contrasting Policy & Training Management Approaches
The primary directive of a mature policy and training management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of GRC. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies and training needs across the extended enterprise.
Organizations have three policy & training management strategies to choose from:
- Anarchy – ad hoc department silos. This is when you have different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed policy and training initiatives never see the big picture and fail to put policy and training in the context of the rest of the organization. The result: complexity, redundancy, and failure. The organization is not thinking big picture about how policy and training management processes can be designed to meet a range of needs. An ad hoc approach to policy and training management results in poor visibility into the organization’s obligations and values, as there is no framework for managing policies and training consistently. When the organization approaches policies and training in scattered silos that do not collaborate with each other, there is no possibility to be intelligent and align policies and training initiatives to achieve efficiency, effectiveness, and agility.
- Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one platform and framework. However, this has its issues as well. Organizations run the risk of having one department be in charge of policy and training management that does not fully understand the breadth and scope of the needs across departments. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing policies and training programs to the lowest common denominator.
- Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance between common policy and training management. It allows for some level of department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in policy and training management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of GRC as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in policy and training management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
A federated model for policy and training management provides a central coordination of the policy management lifecycle to ensure consistency in policies across the organization while there is ownership and management of non-enterprise-wide policies in distributed areas across the organization that align with the central governance. The Federated model is the ideal for large global organizations. It allows for policy and training management to be centrally coordinated, but allows for distributed management and oversight of the policies to address divisional, legal entity, business unit, and regional needs. These entities must adhere to all mandated enterprise-wide policies and will often design their own procedures in a way that makes the policy fit their operations and supports their compliance with the policy. They may create their own policies and procedures relating to their specific operations, which may be imposed based on federal, state, or local laws. These policies and procedures must be written so that they do not conflict with the overall mission and values of the organization. A federated model often has layers of policy governance in which a policy steering committee is established centrally to define the policy process and templates, while “entity” policy committees oversee the governance of policies within their respective areas.
Policy & Training Management Strategic Plan
Designing a federated policy and training management program starts with defining the strategy. The strategy connects key business functions with a common policy and training governance framework. The strategic plan is the foundation that enables policy and training transparency, discipline, and control across the ecosystem of the enterprise.
The core elements of the policy and training strategic plan include:
- Policy & training governance team. Effective policy management and communication requires policy governance and oversight. The first piece of the strategic plan is building the cross-organization policy and training governance team (e.g., committee, group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have vested in policy and training management and get them collaborating and working together on a regular basis. Various roles involved in the policy and training governance team are: compliance, ethics, legal, human resources, finance, information technology, security, audit, quality, health & safety, and business operations. One of the first items to determine is who chairs and leads the policy and training governance team. This committee provides the structure and connective tissue to coordinate and drive consistent policy management. Its team members represent the best interests and expertise of the different parts of the organization. They leverage the knowledge, charter and authority of the committee to benefit their business areas and the whole organization. A large distributed organization may have layers of policy and training committees for different geographies or business units. If a layered approach is in place, the organization still needs a central policy and training governance committee that the rest roll-up to, to enforce consistency and structure.
- Policy and training management charter. With the initial collaboration and interaction of the policy and training management team in place, the next step in the strategic plan is to formalize this with a policy and training management charter. The charter defines the key elements of the policy and training management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of policy and training management, the members of the policy and training governance team, and define the overall goals, objectives, resources, and expectations of enterprise policy and training management. The key goal of the charter is to establish alignment of policy and training management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on policy and training management. The charter should specifically address:
- An organized policy & training management committee to govern the oversight and guidance of policies, and ensure policy collaboration across the enterprise.
- An individual assigned to the role of policy & training manager to assure accountability to the standards, style, and process defined by the policy management committee. The policy manager does not write policy, but is the champion of the policy management process; for ensuring the creation and revision of policies conforms to the policy management lifecycle defined by the organization.
- The authorization and allocation of resources for program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
- Policy management policy (e.g., MetaPolicy, Policy on Policies). The next critical item to establish in the policy and training management strategic plan is the writing and approval of the organization’s MetaPolicy (or policies on writing policies). This sets the policy management structure in place. The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The MetaPolicy is the foundation on which to build an effective policy and training management program. It defines the critical elements of the organization’s policy management program. The major components of an effective MetaPolicy are:
- Roles and responsibilities. Key organizational roles, responsibilities, and accountabilities for policy governance and lifecycle and specifically the scope of governance and influence of the meta-policy itself.
- Scope of MetaPolicy. Scope of what is and is not under remit/scope of the MetaPolicy (e.g., internal facing policies, client facing policies, policies of subsidiaries, and joint ventures).
- Definition of terms. Definitions of specifically— for a given organization—what a policy is as well as a procedure, standard, and guideline in addition to other applicable governance documents and resources.
- Format and structure guidance. Common structure and content of a policy with specific reference to what topics are required (e.g., purpose, scope, accountability, and policy statement) and what is optional (definitions of key terms/acronyms/abbreviations, authoritative sources/obligations, and cross-references to other documents) to establish a policy.
- Policy writing and layout. Writing style for policies and other documents as well as the layout of policy documents. Also included by reference are policy template(s), which are absolutely critical for driving consistency across policies.
- Central repository and indexing of policies. Requirements for central repository as the system of record for policies and related governance documents. This repository must be accessible to all of the organization’s employees and contingent workers.
- Policy approval. Policy governance rules for approving policy creation/update/retirement, general requirements for exception approval, and definition of maintenance and review cycles with appropriate accountability of roles and responsibilities for policy development and maintenance.
- Policy assurance and compliance monitoring. Assurance methodologies to ensure that compliance with the MetaPolicy is in place, that exceptions to the MetaPolicy are documented and managed appropriately, and violations are identified and remediated.
- Style guide. Policy writing that is wordy and confusing damages the corporate image and costs time and money. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance to writing policies. It expresses how to use active over passive voice, avoid complicated language and “legalese”, how to write for impact and clarity, use common terms, how to approach gender in writing, and even internationalization considerations.
- Templates. These are standard templates that the organization can utilize to write policies and supporting documents/resources that are already in the standard format and structure conforming to the MetaPolicy.
- Exception/exemption request. Provides a standard template for documenting an exception/exemption request to a policy or procedure and how to seek approval for the request.
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management
Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.
GRC 20/20’s Policy & Training Management Research includes:
Register for the upcoming Research Briefing presentation:
Access the on-demand Research Briefing presentation:
Strategy Perspectives (written best practice research papers):
- Policy Management by Design: A Blueprint for Enterprise Policy & Training Management
- Regulatory Change Management: Effectively Managing Regulatory Change in Financial Services
- Benchmarking Your Policy Management Program
- Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies
Solution Perspectives (written evaluations of solutions in the market):
- RegEd CODE™: Enabling an Integrated Compliance Lifecycle
- NAVEX Global’s Agile Code of Conduct
- MetaCompliance: Effectively Managing & Communicating Policies
- HITEC’S PolicyHub: Streamlining Policy Management
Case Studies (written evaluations of specific strategies and implementations within organizations):