360° Visibility into Risk & Resilience

Here are some thoughts on how to mature a risk and resiliency management strategy from the recent GRC 20/20 research report, Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Dynamic, Disrupted & Distributed Business is Difficult to Control

The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implements a strategic approach to business and operational risk and resilience.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency. Organizations need to see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.

What Have We Learned from 2020 and 2021?

2020 and 2021 brought organizations lots of disruption to objectives, operations, processes, and employees. It has been a risk and resiliency rollercoaster. Some industries and organizations failed, while others held firm and navigated events with agility. But there are lessons to be learned. These lessons showed us:

  • Interconnected risk. Organizations face an interconnected risk environment, and risk and resilience cannot be managed in isolation. What started as a health and safety risk became a global pandemic and had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resilience, human rights, and other risk areas.
  • Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives in reaction to changes in risk exposure. 
  • Disruption. Business is easily disrupted from international to local events. Organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, change in business models and a work from home environment, human rights and discrimination protests, environmental disasters (particularly wildfires), and information security breaches (e.g., SolarWinds, Colonial Pipeline).
  • Dependency on others. No organization is an island. The past two years have shown us that disruption and the interconnectedness of risk and resilience impacts more than traditional employees and brick-and-mortar business, but also the range of third-party relationships in the extended enterprise that the organization depends upon. 
  • Dynamic and agile business. Businesses had to react quickly to stay in business. This required agility in changing employees, reduced staff with more responsibilities, and shifting to work from home environments. All this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture amid global uncertainty. 
  • Values were defined and tested. Organizations had to react to what their core values were and how they practiced those values, from treating employees and customers fairly during a crisis to how they address human rights.

The past two years have taught organizations that to be resilient requires a 360° view of objectives, risk, processes, and services within the organization and the extended enterprise.

The Risk Challenge to Boards, Executives, and Management

Organizations take risks all the time but fail to monitor and manage this risk effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. It results in the inevitable failure of risk management, providing case studies for future generations on how poor risk and resiliency management leads to the demise of organizations – even those with strong brands. 

Keeping risk, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the organization. This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. This is further compounded when business continuity programs are completely disconnected and not part of risk management. Organizations need to understand how to monitor risk-taking, measure whether the risks being taken are the right risks, and review whether those risks are managed effectively to ensure the resilience of the organization.

Risk and resiliency management in the modern organization is challenging because the organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with change to risk. The multiplicity of risk environments that organizations must monitor spans regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when managed in silos.
  • Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resiliency. The velocity, variety, veracity, and volume of risk data are overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
  • Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution. 

Integrated Risk & Resilience is the Way Forward

The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s risk and resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business. 

Firms globally and across industries are focusing on integrating their risk management resilience (historically business continuity/disaster recovery) programs. This is becoming a key regulatory requirement in some industries. Delivering this requires a holistic view of the objectives and processes of the organization in the context of uncertainty and risk and the symbiotic interaction of risk management and business continuity. 

Business or Operational Resilience?

Business resilience is broader than operational resilience and includes it. Consider the following . . .

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.

Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.

Providing 360° Integrated Awareness of Risk and Resilience

Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. The business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts their strategy and objectives. The organization needs visibility into objective and risk relationships across processes. The complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement. 

Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events, as they occur, that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased risk and resilience maturity in the organization.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

BTW . . . this is the topic of the next GRC Red Flag Series: Moving Beyond Risk Resiliency to Agility.

https://www.grcworldforums.com/grc/the-grc-red-flag-series/red-flag-themes/moving-beyond-risk-resiliency-to-risk-agility

How to Build your GRC Strategy in an ESG Era

Looking for a path to environmental, social and governance (ESG) insights in a forest of GRC data

The last two years have shone a light on GRC – governance, risk management, compliance – processes and shifted many attitudes towards risk. Yet many organizations are left with many questions: What are the best practices to identify, analyze, monitor, and manage risks specific to your organization? Do these risk activities support future business growth, and should you implement ESG controls or reporting?   

2021 was a year of resiliency as we rode the waves of the pandemic while facing surmounting pressures to address ESG – environmental, social, governance – within organizations. 2022 will continue these themes of resiliency and integrity but brings in agility.

Firms globally and across industries are focusing on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SAI360 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Ways to Enhance Your Social Accountability/Sustainability Program

ESG – Environmental, Social, Governance – is a dominant focus in organizations right now getting board-level scrutiny and attention. Organizations around the world and across industries are challenged to define, implement, and report on ESG. These pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations must do something about it. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships, and transactions.

The most unforgiving aspect of ESG is the S – Social . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Got Risk Management? You Think You Do . . .

In GRC 20/20’s upcoming 2022 State of the GRC Market Research Briefing, one of the changes I am making to my market models is the integration of the former Business Continuity Management segment into the Risk Management segment to become Risk & Resiliency Management. This is further referenced in the recent GRC 20/20 research paper – Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration – and the forthcoming paper on Risk & Resiliency Management by Design.

I have been stating for nearly 20 years, “Why does business continuity operate in a tactical function, too often buried in the bowels of the organization, and not as part of enterprise and operational risk management?” The two symbiotically support each other. The pandemic and regulators are finally changing this. The Office of the Comptroller of the Currency (OCC) in the USA states, “Operational resilience is . . . the outcome of effective operational risk management.” 

However, resilience is not enough. We also need to be agile: the ability to see what is coming at us and to navigate the organization to seize opportunities as well as avoid or mitigate the hazards and harms. That is true risk management. U.S. President Teddy Roosevelt stated, “Risk is like fire, if controlled it will help you if uncontrolled it will rise up and destroy you.” Judge Mervyn King of South Africa (King 1, 2, 3, and 4 reports on corporate governance) stated, “Enterprise is the undertaking of risk for reward.” Risk management is a strategic enabler and tool of the organization to navigate the chaos of the modern world and leverage it for greater return and performance, while also steering the organization to avoid and minimize hazards, harms, and losses.

How are you doing risk management in your organization? Is it a strategic enabler? Is it delivering resiliency? Have you gone beyond this to Level 5 in the maturity model to be agile?

Now let’s get to a tactical frustration of mine that impacts, trips, and causes issues in risk management. There is so much we can talk about today, but one point of contention is heat maps. 

I have not been a big fan of heat maps for a long time. Over 15 years ago I published a critique of them in my Forrester days. You cannot plot risk on a two-dimensional map as a single point. Risk is a distribution and involves a lot of scenarios (I am primarily discussing risk as a negative outcome here, as this is how heat maps are used, with full acknowledgment that this is just one side of risk management). If you are plotting a human virus risk, like COVID-19, on a heat map, there are risks of a virus that is localized, global, endemic, pandemic, or even a plague. There is a distribution of this risk with different impacts on the organization and its objectives (and even potential opportunities for the organization in the face of this event). The same is true of a computer virus. It could be an incident that takes out one laptop, an office, a data center, the whole organization, or multiple organizations and critical infrastructure.

The other issue with heat maps is that the plotting is often subjective rather than objective. Are you guessing, or do you have quantifiable data to back up where risk is plotted?

If organizations have risks plotted in the upper right of a heat map, I question it. Organizations do not have a lot of high-impact and high-likelihood events; if they did, they would be out of business. And some of the most significant risks that bring down organizations are high-impact, low-likelihood events. These are often not plotted red on a heat map and do not get a lot of attention, but those are the ones that destroy organizations.

Three things organizations need to improve risk management . . . 

  1. First, we need to manage risk in the context of the objectives, performance, and strategy of the organization. Risk management done right is a tool to be agile, and not just resilient (level 5 on the maturity model). This allows the organization to do horizon scanning, have full situational awareness of risk, make the right decisions for greater performance of the organization, and navigate the environment to avoid and mitigate the downside of risk.
  2. Second, scenario analysis is critical. To be resilient and agile requires modeling scenarios of risk and their impact on the organization. Risk is a distribution of potential impacts, and the organization needs to understand this. We need to get past ridiculous heat maps that bring misconceptions of risk and move to good scenario analysis. This is where business continuity moving into risk management provides value, in being able to define scenarios and even do things such as table-top exercises of risk. And risk management adds value through quantifiable analysis of risk across these scenarios, as with Monte Carlo analysis and other risk modeling techniques.
  3. Third, we need to think creatively and not just logically about risk management. Good risk management involves both left-brain and right-brain thinking. Left-brain risk thinking involves defining risk models and potential scenarios, distribution, and quantification of risk. Right-brain risk thinking knows that models never accurately represent the real world, as there are too many variables and inputs; it is here that we think about what is wrong with risk models and what can happen that they do not anticipate. Too often risk management has been stuck with left-brain risk thinkers and needs a good balance of right-brain risk thinkers. We need the ability to think inside the box (left-brain models) as well as outside the box (right-brain creativity and intuition).
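To make the heat-map critique and the call for quantified scenario analysis concrete, here is an added example (not code from GRC 20/20 or from the article) that scores two constructed, hypothetical cyber scenarios the way a workshop heat map would, and then runs a small Monte Carlo simulation of the same scenarios. The scenario names, probabilities, loss figures, and bucket scores are all invented for illustration; the point it shows is that a frequent, low-impact event wins the heat map ranking while the rare, catastrophic event dominates expected annual loss and the 99th-percentile tail.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

# Constructed, hypothetical scenarios (not figures from the article). One frequent,
# low-impact event and one rare, catastrophic event, each scored on a 1..5 heat-map
# axis as a risk workshop might score them, plus the parameters a Monte Carlo
# model would use instead of a single point.
@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float   # chance the event occurs in a given year (assumed)
    loss_median: float          # median loss when it does occur, in currency units (assumed)
    loss_sigma: float           # spread of the log-normal loss distribution (assumed)
    likelihood_bucket: int      # heat-map likelihood score 1..5 (assumed)
    impact_bucket: int          # heat-map impact score 1..5 (assumed)

SCENARIOS = [
    Scenario("laptop malware infection", 0.50, 10_000, 0.8, 4, 2),
    Scenario("enterprise-wide ransomware outage", 0.02, 5_000_000, 0.5, 1, 5),
]

def heat_map_score(s: Scenario) -> int:
    """The single-point heat-map view: likelihood bucket times impact bucket."""
    return s.likelihood_bucket * s.impact_bucket

def simulate_annual_losses(s: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: one trial is one simulated year. The event either happens
    (Bernoulli draw on annual_probability; at most one event per year is a
    simplification) or it does not. When it happens, the loss is drawn from a
    log-normal distribution centred on loss_median. Returns one loss per year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < s.annual_probability:
            losses.append(rng.lognormvariate(math.log(s.loss_median), s.loss_sigma))
        else:
            losses.append(0.0)
    return losses

def percentile(values: list[float], q: float) -> float:
    """Empirical q-quantile (0 < q < 1) of the simulated annual losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]

def summarize(s: Scenario) -> dict[str, float]:
    """Side-by-side view: the heat-map score versus what the distribution says."""
    losses = simulate_annual_losses(s)
    return {
        "heat_map_score": heat_map_score(s),
        "expected_annual_loss": mean(losses),
        "p99_annual_loss": percentile(losses, 0.99),
        "prob_loss_over_1m": sum(1 for loss in losses if loss > 1_000_000) / len(losses),
    }

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario.name, summarize(scenario))
```

Running it shows the laptop scenario scoring higher on the heat map (4 × 2 = 8 against 1 × 5 = 5) while the ransomware scenario carries a far larger expected annual loss and a 99th-percentile year in the millions; that tail is exactly the high-impact, low-likelihood region a single red-yellow-green point hides.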

So where is your risk management program? Are you stuck in heat maps and a tick-box compliance exercise of risk management? Or are you using risk management as an effective enabler to strategic decision-making and operations to reliably achieve objectives while managing uncertainty (risk)?

BTW . . . this is the topic of the next GRC Red Flag Series: Moving Beyond Risk Resiliency to Agility.

https://www.grcworldforums.com/grc/the-grc-red-flag-series/red-flag-themes/moving-beyond-risk-resiliency-to-risk-agility

Policy Management Maturity: Level 2 – Fragmented

Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

2: Fragmented

The Fragmented stage sees departments with some structure and focuses on policy management within respective functions, but they are disconnected and not working together. Information and processes are highly redundant, manual, document-centric, and lack integration. With siloed approaches to policy management, the organization is still very document-centric. Processes are manual and they lack standardization, making it hard to manage policies in a way that is efficient, effective, and agile.

Characteristics of the Fragmented Maturity stage are:

  • Tactical siloed approach to policy management in different departments
  • Starting to determine a lifecycle and structure for policy management, with pockets of good practice emerging
  • Basic policy management tasks are in place, with some standardization and qualification of a policy management lifecycle
  • Policy management lifecycle and framework loosely defined but not automated
  • Policy monitoring, governance, and processes not fully embedded
  • Processes are defined at the department level
  • Some areas of policy management are in place but are not approached in an integrated or structured way
  • No integration or sharing of policy management processes between functions
  • Reliance on fragmented technology and lots of documents
  • Measurement and trending on policies and policy management is difficult

Key elements that identify an organization is at the Fragmented stage are:

  • Pockets of good practice emerging. The program has some pockets of good practice emerging, but they need maturing and integration across departments/functions for consistency.
  • Blind-spots. Businesses at this stage are still subject to blind spots, especially across the organization as so much policy information exists in departmental silos and different portals.
  • Inefficient. Departments can all be working hard to address policies in silos, but without a full picture of enterprise policies there is duplication of effort.
  • Disconnected. Policy management is still being addressed in a disconnected way in different departments: disconnected across departments, disconnected across policy domains, and disconnected across systems. Not only is this inefficient, but it also means policy management can be confusing, as it is not understood and addressed consistently across the enterprise.
  • Manual. With little technology support in place and a reliance on documents and email, policy management processes fail to be consistent. This can slow your progress, with little ability to audit programs and activities.
  • Hard to measure and monitor. While some data is beginning to emerge, it’s in disparate systems and incomplete.

Organizations in the Fragmented stage of maturity answer many of the following questions affirmatively:

  • Are policy management activities tactical, disconnected from each other, and siloed? 
  • Does the organization lack an integrated policy management approach across the organization?
  • Is policy information scattered across various documents and technology sources?
  • Is it difficult and time-consuming to track and trend policy information and reporting?

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

How EHS Software Facilitates Risk Data Collection, Improves Data Accuracy & Streamlines Reporting 

We are at a critical point in history, a point that can lead to two very different outcomes. The decisions organizations make today and how they manage environmental, health and safety risks set all of us on a path for our world in the future.

In my keynotes and presentations, I ask the question: What is our future?

Are we, as a global society that our organizations are part of, headed toward a Blade Runner future or a Star Trek future? In Blade Runner, you have a dark dystopia of social, ethical, and environmental disasters. In Star Trek, you see a green and prospering world where the environment and society thrive, and there is great social diversity and cooperation across galactic races.

My issue is that many enterprise risk management programs, and the technology they utilize to manage risk, are limited in scope. If you look at these programs you would think that IT risk (e.g., cyber risk, digital risk) is the greatest concern. My point of view is that IT/information risk is a great concern, but environmental and health and safety risks, are a GRAVE concern. And I mean that term literally. Environmental and health and safety risks need to be a critical part of the organization’s enterprise risk, operational risk, integrated risk, and supporting technology agendas.

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC 20/20’s Key Tips for ESG Reporting in 2022

ESG – Environmental, Social, Governance – received a lot of attention in 2021. Organizations across industries and around the world have had to respond to investor, stakeholder, regulator, customer, employee, and activist demands to address ESG. The pressure is on, organizations are being held accountable and it is now time for the organization to build a strategic ESG plan for reporting in 2022.

In 2021 we saw a lot of discussion and growing regulatory and investor pressure on ESG. This caused organizations, starting with the board and senior executives, to determine what ESG means in their context and put it on the organization’s agenda from the board level down into operations. This next year, 2022, will move ESG programs forward in their maturity as organizations move from thinking about ESG and how to approach it to executing on ESG in the context of ongoing organization strategy and operations.

GRC 20/20 has four key tips for implementing ongoing and sustainable ESG reporting in 2022. These are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Providing Compliance Defensibility

Creating a defensible compliance process is not only good for risk management. It provides organisations with mitigation should unforeseen breaches occur.

The Chief Ethics and Compliance Officer (CECO) role is about being the Chief Integrity Officer of the organisation. With the Environmental, Social and Governance (ESG) accountability handed to corporate compliance and ethics teams, this role of integrity is becoming more critical.

Integrity underpins defensibility

Integrity is a mirror. What the organisation communicates . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SKILLCAST BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC 20/20’s 2021 Research Year in Review

2021 was a year of resiliency as we rode the waves of the pandemic with a focus on integrity as the world turned its attention to ESG within organizations. 2022 will continue these themes of resiliency and integrity but will bring in agility. How can organizations not only be resilient but also agile while maintaining integrity amidst change and uncertainty (risk)?

While it has been a roller coaster that now moves on into 2022, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. Organizations are seeking to increase organizational integrity so that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency and agility.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2021 organized by topic area.

The top research areas of interest by organizations (by volume of inquiries and GRC 20/20 publication) are:

  • Corporate Compliance & Ethics
  • Third Party GRC/Risk Management
  • Policy & Training Management
  • Risk & Resiliency Management
  • ESG Management
  • Enterprise GRC (which also includes all the elements above)

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as about the solutions available in the market that we cover in our objective market research, through the inquiry process. Every week GRC 20/20 answers between 15 and 20 inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .

Enterprise GRC and the Broad GRC Market

Research Reports
Blogs

Corporate Compliance & Ethics Management

Research Reports
Blogs

ESG – Environmental, Social, Governance

Research Reports
Blogs

Risk & Resiliency Management

Research Reports
Blogs

Policy Management

Research Reports
Blogs

Third-Party (e.g, Vendor/Supplier) GRC Management

Research Reports
Blogs

Legal GRC Management

Research Reports
Blogs

Privacy Management

Research Reports

Internal & Automated Control Management

Research Reports
Blogs

IT GRC Management

Research Reports

  • Acuity Risk Management STREAM

Policy Management Maturity: Level 1 – Ad Hoc

Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

1: Ad Hoc

Organizations at the Ad Hoc stage of policy management maturity have ad hoc, reactive approaches to policy management at the department level. Businesses at this stage do not actively manage policies; few if any resources are allocated to policy management. The department addresses policy management in a reactive mode – writing policies when forced to. There is no ownership or monitoring of policies, and certainly no integration of policy information and processes in the context of objectives, strategy, performance, and business change.

Key elements that identify an organization is at the Ad Hoc stage are:

  • Blind-spots. Businesses at this stage are subject to many blind spots. Writing and monitoring of policies is disconnected, with no defined structure or approach.
  • Reactive. The organization addresses policies in a reactive, firefighting mode, e.g., writing policies when forced to.
  • Lack of ownership or accountability. No one has been appointed to take control of policies or policy management.
  • Lack of process. There are no defined or consistent processes, lifecycle, or methodologies for managing policies.
  • Under resourced. Few resources are allocated to policy management and governance.
  • Manual. With little technology support in place and a reliance on documents, file shares, and email, policy management processes fail to be consistent.

Organizations in the Ad Hoc stage are very much in reactive mode and are likely to answer many of the following in the affirmative:

  • Does the policy management program lack clear owners and accountability within departments, with departments disconnected from each other?
  • Are policies written and put in place after the fact, when the organization realizes it is exposed or someone is insisting on them?
  • Is policy management largely undocumented, or trapped in silos of emails and documents?
  • Does the organization lack any process, information, and technology architecture to support policy management?
  • Does the department or business function have no ability to report and trend on policies and policy management over time?

Characteristics of the Ad Hoc stage are:

  • Siloed and ad hoc policy management practices
  • No structured and ongoing policy management program
  • No skills and resourcing dedicated to policy management
  • No defined policy management roles and responsibilities
  • No policy governance structure or matrix in place
  • No defined policy management program
  • Policies are written to put out a fire
  • Ad hoc and reactive policy authoring and maintenance
  • Document-centric approaches
  • Ad hoc, reactive approach that addresses policies as issues arise
  • Little to no technology in place for policy management
  • No visibility, trending, or analytics of policies or policy management
  • No board or senior management sponsorship of policy management

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.