Already today I have had three inquiries from organizations discussing their policy management strategy and the solutions that would address their enterprise policy management and training needs as part of a holistic approach to policy management. Here are some thoughts on how to build a policy management strategy, drawn from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.
Organizations need a coordinated cross-department strategy for managing policies across the enterprise. The goal is to develop common principles, framework components, strategies, processes, and architectures so that policy management is consistent and managed as an integrated whole rather than a dissociated collection of parts.
Policy management programs that are run as disconnected and disassociated departments, documents, data, systems, and processes leave the organization with fragments of truth. They fail to see the big picture of policy management across the enterprise and how it supports the organization’s governance, risk management, and compliance responsibilities, and they hinder the achievement of corporate culture and integrity. The organization needs holistic visibility and situational awareness into policy management across the enterprise. The complexity of business and the intricacy and interconnectedness of policies and obligations require that the organization undertake a policy management maturity journey.
Principles of Policy Management
Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management found in the Policy Management Capability Model (found at www.PolicyManagementPro.com) are:
- Necessary. Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management that is led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define the risks that must be addressed, and provide a roadmap to adherence.
- Tailored. The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one size fits all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization.
- Integrated. Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
- People-Centered. At its heart, policy management is people-centered, from employees to clients and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into them.
- High-Performing. The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization.
- Standardized. Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
- Collaborative. Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
- Accessible. Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them.
- Engaging. Policies need to be clearly written and understood. This requires policy management processes that conform to a consistent writing style and language as well as communication strategies to engage employees.
- Dynamic. The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.
Components of a Policy Management Capability
The Policy Management Capability Model (found at www.PolicyManagementPro.com), which defines the goals of a mature policy management program, is organized into five components that outline an iterative, continuous improvement process to achieve maturity in policy management. While there is an implied sequence beginning with Govern, once the capability is established, components operate concurrently, interactively, and symbiotically. The components of a mature policy management program, as found in the Policy Management Capability Model, are:
- Govern. Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
- Develop. Establish standard policy development methods that apply whether creating new policies, revising existing ones for broader application, changing them in response to shifts in the external or internal environment, or retiring out-of-date policies.
- Communicate. Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
- Enforce. Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
- Improve. Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.
Policy Management Strategy, Process & Technology Architecture
Policy management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole in strategy, process, information, and technology. The organization requires complete situational and holistic awareness of policies across operations, processes, employees, and transactions to see the big picture of policy performance. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to policy management. The architecture defines how organizational processes, information, and technology are structured to make policy management effective, efficient, and agile across the organization.
Organizations need to be intelligent about the policy management processes and technologies they deploy. A sustainable and mature policy management strategy means keeping policies current in the midst of continuous regulatory, risk, and organizational change. With increased exposure to regulations and scrutiny, how does an organization keep policies current?
The primary directive of a mature policy management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of policies across the organization. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies throughout the enterprise. The framework components of a policy management architecture are (more detail on the framework for a policy management architecture is found in GRC 20/20’s Policy Management by Design research paper):
- Policy Management Strategic Plan. Designing a federated policy management program starts with defining the strategy. The strategy connects key business functions with a common policy governance framework. The strategic plan is the foundation that enables policy management transparency, discipline, and control across the ecosystem of the enterprise. The core elements of the policy management strategic plan include:
  - Policy governance team. The first piece of the strategic plan is building the cross-organization policy governance team (e.g., a committee or working group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place.
  - Policy management charter. With the initial collaboration and interaction of the policy governance team in place, the next step in the strategic plan is to formalize it with a policy management charter. The charter defines the key elements of the policy management strategy and gives it executive and board authorization.
  - Policy on Policies (also called a MetaPolicy). This sets the policy management structure in place. The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The Policy on Policies is the foundation on which to build an effective policy management program; it defines the critical elements of the organization’s policy management program.
- Policy Management Process Architecture. Policy management is enabled through defined policy management processes. Processes are used to manage and monitor the ever-changing business, third-party relationship, risk, and regulatory environments in the context of policies. The policy management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy management processes, each process’s components and interactions, and how processes work together. The core elements of the process architecture are understood as the organization’s policy management lifecycle. This represents the actual operation and process of the Policy on Policies in action to develop, manage, and maintain policies throughout their effective use. Parts of an effective policy management process architecture include:
  - Determine the need for new policies or updates
  - Policy development and approval
  - Policy publication, communication, training, and awareness
  - Policy adherence and compliance
  - Implementation of related procedures and controls
  - Monitoring, testing, and assessment of policy adherence/conformance
  - Management and documentation of policy exceptions
  - Policy metrics and reporting
  - Review, update, or retirement of policies
  - Policy archives of past versions, with an audit trail of history and interactions
- Policy Management Information Architecture. The information architecture supports the process architecture and overall policy management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy management processes. The policy management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy management information to support policy management processes.
- Policy Management Technology Architecture. The policy management technology architecture enables and operationalizes the process and information architectures in support of the overall policy management strategy. The right policy management technology enables the organization to manage policy management performance and engagement across the organization, and facilitates the ability to document, communicate, report on, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans. There can and should be a central core technology platform for policy management that connects the fabric of policy management processes across the organization. Organizations suffer when they take a myopic view of policy management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in real-time business operations. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment, enabling better performance, lower expense, and more agility in policy management and engagement. Some capabilities organizations should consider in a policy management platform are:
  - Integration with other business systems
  - Collaborative policy authoring
  - Content, workflow, and task management
  - Regulatory change management and mapping
  - Cognitive technologies/artificial intelligence for policy and regulatory mapping
  - Policy portal and accessibility
  - Notifications
  - Audit trail and system of record
  - Intuitive interface design
  - Mobility
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.