GRC 20/20’s Effective Policy Management Process Lifecycle
The policy and training management strategy and policy are supported and made operational through the policy and training management architecture. The organization requires complete, holistic situational awareness of policies and related training across operations, processes, employees, and third-party relationships in order to see the big picture of policy and training performance and risk. A distributed, dynamic, and disrupted business requires the organization to take a strategic approach to its policy and training management architecture. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.
There are three areas of the policy and training management architecture:
- Policy and training management process lifecycle architecture
- Policy and training management information architecture
- Policy and training management technology architecture
It is critical that these architecture areas be defined initially in this order. The process architecture determines the types of policy and training structures and the information that must be gathered, used, and reported. The information architecture, combined with the process architecture, defines the organization’s requirements for the technology architecture. Too many organizations put the cart before the horse and select policy and training management technology first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology instead of finding the technology that best fits its process and information needs.
Policy & Training Management Process Architecture
Policy and training management architecture starts with the process architecture. Processes are used to manage and monitor the ever-changing business, third-party relationship, risk, and regulatory environments in the context of policy and training programs.
The policy and training management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy and training management processes, each process’s components and interactions, and how the processes work with each other and with other enterprise and GRC processes.
The core elements of the process architecture are understood as the organization’s policy management lifecycle. This is the MetaPolicy in action: the actual operation and process used to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out of date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or not properly enforced.
The stages evaluated in the Effective Policy Management Process Lifecycle are:
- Determine need for new policies or updates. Policy should be created only when necessary, such as to establish the values and ethics of the organization, meet regulatory obligations, or manage potential risk or liability. Without some requirement on or exposure of the organization, there is no need for a policy. Too many policies burden the organization and cannot be complied with; too few policies introduce significant risk and legal exposure. Organizations need a defined change management process to monitor changes that affect policy across the following areas:
  - Corporate environment. Policies change in response to new strategies, objectives, mergers, and acquisitions. Changes in corporate commitments, contracts, values, ethics, risk appetite, and social responsibility statements also drive policy.
  - Risk environment. Ongoing risk intelligence processes are required to monitor geopolitical, environmental, economic, strategic, relationship, and operational risk.
  - Regulatory environment. New laws, changing regulations, litigation, and court rulings (case law) affect organizations and drive policy changes. Organizations need regulatory change management processes in place to monitor the changing legal and regulatory environment in the jurisdictions where business is conducted.
- Policy development and approval. When an organization identifies a change in the corporate, risk, or regulatory environment and determines that a new policy is needed, or that an existing policy must be updated, it enters the policy development phase. In this stage, policies are drafted, reviewed, and approved. While the Policy Owner is responsible for managing development and works with the policy author and stakeholders, the policy manager champions this process to make sure the policy conforms to corporate style and template requirements and has referential integrity with the other policies in the Policy Portfolio. The policy steering committee, another governing committee, or a designated executive approves policy changes once they have gone through the development workflow and review process. The policy development steps include:
  - Policy ownership. Every policy in the organization should be assigned to an individual or business role that owns the policy. The owner ensures that the policy remains accurate, is appropriately communicated, and continues to serve the purpose for which it was established. Even if the policy applies across the entire organization, as with a code of conduct, the owner must oversee its implementation and monitoring.
  - Policy writing. Once an owner is established, the next step is to write the policy. All policies across the organization should be written in a consistent style, format, and language, following a defined style guide. Policies must be clear and easily understood. They must articulate whom the policy applies to, the standards, rules, regulations, or laws it is intended to address, and what larger program, if any, it is associated with.
  - Policy review and approval. Once the initial draft of the policy is written, the owner sends it to the identified stakeholders for review and approval before publication. This phase is iterative, as the stakeholders may send the policy back with changes before it is approved. Leading practice includes reviews by the organization’s policy management office, legal department, and ethics and compliance committee (for policies mandated by law or regulation).
- Policy publication and awareness. In this stage, individuals become aware of the new or changed policy through clear articulation of their individual responsibility to comply with it. This includes:
  - Policy publication. After approval, the policy must be published. This is most effectively done with a centralized policy management and communication platform. Unfortunately, many organizations have scattered systems for publishing policies and procedures. This complicates policy management, as multiple publication methods mean more policies become outdated and scattered across the organization. A best practice is to have a single policy system that allows any individual within the environment to log in, see all of the policies that apply to their role in the organization, and receive automated notification of a changed or new policy.
  - Policy communication and training. Written policy is necessary, but not good enough on its own. Organizations must actively ensure that individuals are aware of and understand the policy and what is required of them; appropriate communication and training, such as video, LMS courses, surveys, and testing, should be used to facilitate understanding. It is important that training and other resources are linked to policies and are easily accessible. It is also important to preserve records of each individual’s training completion for critical policies so that they are easily accessible to oversight personnel.
  - Policy attestation. Individuals must attest that they have read, understood, and will adhere to critical policies. Policies such as a code of conduct require specific attestation on a regular basis (e.g., annually). Attestations should be dated and time stamped, preserved with the version of the policy attested to, and easily accessible to oversight personnel.
- Policy adherence and compliance. In this stage, policies are regularly monitored to ensure compliance and to ensure that exceptions are documented and managed. This phase involves:
  - Implement procedures and controls. The MetaPolicy states who is responsible for implementing the appropriate procedures and controls to ensure effective implementation, usually the Policy Owner. The procedures and controls should be written using approved templates and embedded within the business operations and processes.
  - Monitor, test, and assess. Carefully monitor, test, and assess activities to ensure that the policy, procedures, and controls are being enforced and are operating as intended, and that the business runs efficiently and smoothly while in compliance. Findings of noncompliance and violations provide metrics for policy review and improvement. An enforcement policy that defines levels of infraction and the associated actions is critical.
  - Manage exception requests. While policies must be complied with, there are justifiable business situations in which the organization accepts noncompliance. These exceptions must be documented and managed. An exception may be appropriate for a given time period or until a certain event occurs.
- Policy metrics and maintenance. Policies should not change frequently, but they should go through periodic review. A best practice is to follow an annual review cycle to make sure policies are still appropriate and do not bring unnecessary exposure or liability upon the organization. Unneeded policies should be retired. The major activities of this stage include:
  - Review, update, or retirement. Every policy should have a regular review cycle (ideally annual). During this review, the Policy Owner and stakeholders assess changes to the internal business and the external regulatory and business environments, look at incidents of policy noncompliance and approved exceptions, and consider the continued need for the policy. After this analysis, the Policy Owner asks the policy approver(s) to reauthorize the policy as-is for another management cycle, to retire it, or to send it back into the development and update stage for revision.
  - Policy archives. Every policy and its associated versions must be archived for later reference. The retention period for superseded versions and retired policies should be managed in accordance with the organization’s document and records-retention policies. When an organization becomes aware of an incident, or a regulator has a question, it needs a full view of the accountability history of a policy: the owner, who read it, who was trained, and who attested to it, on what version, and on what date. This level of detail is necessary to defend the organization in a situation involving a rogue employee where the organization itself is not culpable.
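The attestation and archive stages above both hinge on one record-keeping property: an attestation must name the exact policy version it was given for, with its date, and superseded versions must stay available so the history can be reconstructed later. The following added example (not code from GRC 20/20 or from any product) shows a minimal register that does this and answers the two questions oversight actually asks: who had attested to which version as of a given date, and who is overdue because their attestation is missing, is to a superseded version, or is older than the annual cycle. All names and dates are constructed.

```python
from collections import namedtuple
from datetime import date
import hashlib

# Records are immutable: an attestation names the exact version (and its content digest) it was given for, plus its date.
PolicyVersion = namedtuple("PolicyVersion", "policy_id version owner effective text")  # effective: ISO date
Attestation = namedtuple("Attestation", "person policy_id version digest attested_on")  # attested_on: ISO date

def digest(v):
    # Attestations bind to the published text, not only to a version label
    return hashlib.sha256(v.text.encode()).hexdigest()[:16]

class PolicyRegister:
    def __init__(self):
        self.versions = []      # archive: superseded versions are retained, never deleted
        self.attestations = []  # append-only attestation log

    def version_in_force(self, policy_id, as_of):
        live = [v for v in self.versions if v.policy_id == policy_id and v.effective <= as_of]
        return max(live, key=lambda v: v.effective, default=None)

    def attest(self, person, policy_id, on):
        v = self.version_in_force(policy_id, on)
        self.attestations.append(Attestation(person, policy_id, v.version, digest(v), on))

    def attested_version(self, person, policy_id, as_of):
        """(version, date) of the person's latest attestation on or before as_of, else None."""
        hits = [(a.version, a.attested_on) for a in self.attestations
                if a.person == person and a.policy_id == policy_id and a.attested_on <= as_of]
        return max(hits, key=lambda t: t[1], default=None)

    def needs_reattestation(self, policy_id, people, as_of, max_age_days=365):
        """People with no attestation, one to a superseded version, or one older than the review cycle."""
        current = self.version_in_force(policy_id, as_of).version
        due = []
        for p in people:
            hit = self.attested_version(p, policy_id, as_of)
            age = (date.fromisoformat(as_of) - date.fromisoformat(hit[1])).days if hit else None
            if hit is None or hit[0] != current or age > max_age_days:
                due.append(p)
        return sorted(due)

def sample_register():
    """Constructed sample data: two versions of a code of conduct and four people."""
    r = PolicyRegister()
    r.versions.append(PolicyVersion("code_of_conduct", 1, "Chief Compliance Officer", "2023-01-01", "First edition (constructed text)"))
    r.versions.append(PolicyVersion("code_of_conduct", 2, "Chief Compliance Officer", "2024-03-01", "Revised edition (constructed text)"))
    for person, day in [("alice", "2023-01-15"), ("bob", "2023-02-01"), ("alice", "2024-03-10"), ("carol", "2024-06-01")]:
        r.attest(person, "code_of_conduct", day)
    return r
```

Because bob attested only to version 1 and dave never attested, `needs_reattestation(..., "2025-01-01")` on the sample data returns both of them while alice and carol, who attested to version 2 within the year, are not listed.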
This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management