ESG – Environmental, Social, Governance – is a dominant focus in organizations right now getting board-level scrutiny and attention. Organizations around the world and across industries are challenged to define, implement, and report on ESG. These pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations must do something about it. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships, and transactions.

The most unforgiving aspect of ESG is the S – Social . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

In GRC 20/20’s upcoming 2022 State of the GRC Market Research Briefing, one of the changes I am doing to my market models is the integration of the former Business Continuity Management segment into the Risk Management segment to become Risk & Resiliency Management. This is further referenced in the recent GRC 20/20 Research paper – Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration – and the forthcoming paper on Risk & Resiliency Management by Design paper. 

I have been stating for nearly 20 years, “Why does business continuity operate in a tactical function, too often buried in the bowels of the organization, and not as part of enterprise and operational risk management?” The two symbiotically support each other. The pandemic and regulators are finally changing this. The Office of the Comptroller of the Currency (OCC) in the USA states, “Operational resilience is . . . the outcome of effective operational risk management.” 

However, resilience is not enough. We also need to be agile. The ability to see what is coming at us and navigate the organization to seize opportunities as well as avoid/mitigate the hazards and harms. That is true risk management. U.S. President Teddy Roosevelt stated, “Risk is like fire, if controlled it will help you if uncontrolled it will rise up and destroy you.” Judge Mervyn King of South Africa (King 1, 2, 3, and 4 reports on corporate governance) stated, “Enterprise is the undertaking of risk for reward.” Risk management is a strategic enabler and tool of the organization to navigate the chaos of the modern world and leverage it for greater return and performance while navigating the organization to also avoid and minimize the hazards, harms, losses. 

How are you doing risk management in your organization? Is it a strategic enabler? Is it delivering resiliency? Have you gone beyond this to Level 5 in the maturity model to be agile?

Now let’s get to a tactical frustration of mine that impacts, trips, and causes issues in risk management. There is so much we can talk about today, but one point of contention is heat maps. 

I have not been a big fan of heat maps for a long time. Over 15 years back I published a critique of them in my Forrester days. You cannot plot risk on a two-dimensional map as a single point. Risk is a distribution and involves a lot of scenarios (I am primarily discussing this as risk as a negative outcome as this is how these are used, with full acknowledgment that this is just one side of risk management). If you are plotting a human virus risk, like COVID-19, on a heatmap there are risks of a virus that is localized, global, endemic, pandemic, or even a plague. There is a distribution of this risk with different impacts on the organization and its objectives (and even potential opportunities for the organization in the face of this event). Same thing with a computer virus. It could be an incident that takes out one laptop, an office, a data center, the whole organization, or multiple organizations and critical infrastructure.

The other issue with heatmaps is the plotting is often subjective and not objective. Are you guessing, or do you have quantifiable data to back up where risk is plotted?

If organizations have risks plotted in the upper right of a heatmap, I question it. Organizations do not have a lot of high impact and high likelihood events, that means they are out of business. And some of the most significant risks to bring down organizations are high impact and low likelihood events. These are often not plotted red on the colors of a heatmap and do not get a lot of attention, but those are the ones that destroy organizations. 

Three things organizations need to improve risk management . . . 

1. First, we need to manage risk in the context of the objectives, performance, and strategy of the organization. Risk management done right is a tool to be agile, and not just resilient (level 5 on the maturity model). This allows the organization to do horizon scanning, have full situational awareness of risk, make the right decisions for greater performance of the organization, and navigate the environment to avoid and mitigate the downside of risk. 
2. Second, scenario analysis is critical. To be resilient and agile requires modeling scenarios of risk and the impact on the organization. Risk is a distribution of potential impacts, and the organization needs to understand this. We need to get past ridiculous heatmaps that bring misconceptions of risk to good scenario analysis. This is where business continuity moving into risk management provides value in being able to define scenarios, and even do things such as table-top exercises of risk. And risk management adds value through doing quantifiable analysis of risk to these scenarios as with monte carlo analysis and other risk modeling techniques. 
3. Third, we need to think creatively and not just logically about risk management. Good risk management involves both left-brain and right-brain thinking. Left-brain risk thinking involves defining risk models and potential scenarios, distribution, and quantification of risk. Right-brain risk thinking knows that models never accurately represent the real world as there are too many variables and inputs, it is here that we think about what is wrong with risk models and what can happen that they do not anticipate. Too often risk management has been stuck with left-brain risk thinkers and needs a good balance of right-brain risk thinkers. We need the ability to think inside the box (left-brain models) as well as outside the box (right-brain creative and intuition). 

So where is your risk management program? Are you stuck in heat maps and a tick-box compliance exercise of risk management? Or are you using risk management as an effective enabler to strategic decision-making and operations to reliably achieve objectives while managing uncertainty (risk)?

BTW . . . this is the topic of the next GRC Red Flag Series: Moving Beyond Risk Resiliency to Agility.

Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

2: Fragmented

The Fragmented stage sees departments with some structure and focuses on policy management within respective functions, but they are disconnected and not working together. Information and processes are highly redundant, manual, document-centric, and lack integration. With siloed approaches to policy management, the organization is still very document-centric. Processes are manual and they lack standardization, making it hard to manage policies in a way that is efficient, effective, and agile.

Characteristics of the Fragmented Maturity stage are:

• Tactical siloed approach to policy management in different departments
• Starting to determine a lifecycle and structure for policy management, with pockets of good practice emerging
• Basic policy management tasks risk in place, and some standardization and qualification of a policy management lifecycle
• Policy management lifecycle and framework loosely defined but not automated
• Policy monitoring and governance and processes not fully embedded
• Processes are defined at the department level
• Some areas of policy management are in place but are not approached in an integrated or structured way
• No integration or sharing of policy management processes between functions
• Reliance on fragmented technology and lots of documents
• Measurement and trending on policies and policy management is difficult

Key elements that identify an organization is at the Fragmented stage are:

• Pockets of good practice emerging. The program has some pockets of good practice emerging, but they need maturing and integration across departments/functions for consistency.
• Blind-spots. Businesses at this stage are still subject to blind spots, especially across the organization as so much policy information exists in departmental silos and different portals.
• Inefficient. The department can all be working hard to address policies in silos, but without a full picture of enterprise policies there is duplication of efforts.
• Disconnected. Policy management is still being addressed in a disconnected way in different departments. Disconnected across departments, disconnected across policy domains and disconnected across systems. Not only is this inefficient, but it also means policy management can be confusing as it is not understood and addressed consistently across the enterprise.
• Manual. With little technology support in place and a reliance on documents and email, policy management processes fail to be consistent. This can slow your progress, with little ability to audit programs and activities.
• Hard to measure and monitor. While some data is beginning to emerge, it’s in disparate systems and incomplete.

Organizations in the Fragmented stage of maturity answer many of the following questions affirmatively:

• Are policy management activities tactical, disconnected from each other, and siloed? 
• Does the organization lack an integrated policy management approach across the organization?
• Is policy information scattered across various documents and technology sources?
• Is it difficult and time-consuming to track and trend policy information and reporting?

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

We are at a critical point in history, a point that can lead to two very different outcomes. The decisions organizations make today and how they manage environmental, health and safety risks set all of us on a path for our world in the future.

In my keynotes and presentations, I ask the question: What is our future?

Are we, as a global society, that our organizations are part of, headed toward a Blade Runner future or a Star Trek future? In Blade Runner, you have a dark dystopia of social, ethical, and environmental disasters. In Star Trek, you see a green and prospering world where the environment and society thrive, and there is great social diversity and cooperation across galactic races.

My issue is that many enterprise risk management programs, and the technology they utilize to manage risk, are limited in scope. If you look at these programs you would think that IT risk (e.g., cyber risk, digital risk) is the greatest concern. My point of view is that IT/information risk is a great concern, but environmental and health and safety risks, are a GRAVE concern. And I mean that term literally. Environmental and health and safety risks need to be a critical part of the organization’s enterprise risk, operational risk, integrated risk, and supporting technology agendas.

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

ESG – Environmental, Social, Governance – received a lot of attention in 2021. Organizations across industries and around the world have had to respond to investor, stakeholder, regulator, customer, employee, and activist demands to address ESG. The pressure is on, organizations are being held accountable and it is now time for the organization to build a strategic ESG plan for reporting in 2022.

In 2021 we saw a lot of discussions and growing regulatory and investor pressure on ESG. This caused organizations, starting with the board and senior executives, to determine what ESG means in their context and put it on the organization’s agenda from the board level down into operations. This next year, 2022, will move ESG programs in their maturity as organizations move from thinking about ESG and how to approach it to execute on ESG in the context of ongoing organization strategy and operations. 

GRC 20/20 has four key tips to implementing ongoing and sustainable ESG reporting in 2022, these are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ISOMETRIX BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Creating a defensible compliance process is not only good for risk management. It provides organisations with mitigation should unforeseen breaches occur.

The Chief Ethics and Compliance Officer (CECO) role is about being the Chief Integrity Officer of the organisation. With the Environmental, Social and Governance (ESG) accountability handed to corporate compliance and ethics teams, this role of integrity is becoming more critical.

Integrity underpins defensibility

Integrity is a mirror. What the organisation communicates . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SKILLCAST BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2021 was a year of resiliency as we ride the waves of the pandemic with a focus on ingrity as the world turns to a focus on ESG within organizations. 2022 will continue these themes of resiliency and integrity but will bring in agility. How can organizations not only be resilient but also agile while maintaining integrity amidst change and uncertainty (risk).

While it has been a roller coaster that moves on into 2022 now, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. Organizations are seeking to increase organizational integrity that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency and agility.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2021 organized by topic area.

The top research areas of interest by organizations (by volume of inquiries and GRC 20/20 publication) are:

• Corporate Compliance & Ethics
• Third Party GRC/Risk Management
• Policy & Training Management
• Risk & Resiliency Management
• ESG Management
• Enterprise GRC (which also includes all the elements above)

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering between 15 and 20 inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions av ailable in the GRC market . . .

Enterprise GRC and the Broad GRC Market

Research Reports

• Alyne: An Integrated 360° View of Risk, Resiliency & Integrity
• 2021 Trends: Governance, Risk Management & Compliance (GRC)
• 2021: An Integrated Focus on Business Integrity & Resiliency

Blogs

• ES-G-RC – The Role of GRC in Delivering ESG
• Integrating a Top-Down Board View of GRC With a Bottom-Up Operational View of GRC
• The Board’s Role in Leading and Enabling GRC
• Delivering ESG in GRC
• The Agile (Not Just Resilient) Organization
• GRC 2021: ESG, Risk Management, Compliance . . . Driving GRC Maturity
• GRC 20/20’s 2020 Research Year in Review
• Why Spreadsheets, Documents & Emails Fail for GRC

Corporate Compliance & Ethics Management

Research Reports

• Policy Management Maturity Model
• Policy & Training Management by Design
• Regulatory Change Management

Blogs

• Delivering Agile Compliance
• GRC 20/20’s Regulatory Change Management Maturity Model
• Regulatory Change RFP/Solution Capabilities
• GRC Architecture to Manage Regulatory Change
• Defining a Regulatory Change Management Strategy & Process
• Broken Process and Insufficient Resources to Manage Regulatory Change
• A Tsunami of Regulatory Change Overwhelms Organizations
• There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO)
• Where Should Compliance & Ethics Report?
• Is Your Organization Lawful Good or Chaotic Evil?
• A CECO SWOT Analysis for 2021: Understanding Your Threats
• A CECO SWOT Analysis for 2021: Finding Your Opportunities
• A CECO SWOT Analysis for 2021: Identifying Your Weaknesses
• A CECO SWOT Analysis for 2021: Knowing Your Strengths
• Lessons Learned in Compliance Management in 2020

ESG – Environmental, Social, Governance

Research Reports

• Prevalent: Managing ESG Risks Across the Extended Enterprise

Blogs

• ESG – It’s Time to Up Your Game
• The Foundation of ESG is in Policy Management
• ES-G-RC – The Role of GRC in Delivering ESG
• ESG is about to ROCK the Third-Party Risk World
• A Quick Guide to ESG and Risk Management in the Extended Enterprise
• Is Your Organization Lawful Good or Chaotic Evil?
• Delivering ESG in GRC

Risk & Resiliency Management

Research Reports

• Alyne: An Integrated 360° View of Risk, Resiliency & Integrity
• Refinitiv Connected Risk: Operational Resilience
• Acuity Risk Management STREAM

Blogs

• Hybrid Working: What About the Risk?
• Risk Management Lessons from Denmark
• Are You Headed to a Risk Management Clusterf***?
• Putting $$$ to It: Can You Quantify Your Risk?
• Doctor Strange: Chief Risk Officer in the Multiverse of Uncertainty
• James Bond 007 and Risk Situational Awareness
• Integrating a Top-Down Board View of GRC With a Bottom-Up Operational View of GRC
• The Agile (Not Just Resilient) Organization
• What is Business and Operational Resiliency?
• The Resilient Organization: From Business Resilience down into Operational Resilience

Policy Management

Research Reports

• Policy Management Maturity Model
• Policy & Training Management by Design

Blogs

• Foundation of a Policy Management Strategy
• 360° Visibility into Policies and Policy Management
• Have You Done your Policy Enforcement Push-ups?
• Policy Management Maturity: Journey to an Agile Policy Management Program
• The Foundation of ESG is in Policy Management
• Managing & Communicating Policies in the “NEW NORMAL”
• Shadow Policies: Increasing Legal Exposure & Liability
• Becoming a Policy Management Pro with a New Online Resource
• The Second Wave of the Policy Management Pandemic
• Improving Your Organizations Policy Management Capability
• The Principles of Effective Policy Management
• Why Policies Matter
• The Policy Management Capability Model

Third-Party (e.g, Vendor/Supplier) GRC Management

Research Reports

• Prevalent: Managing ESG Risks Across the Extended Enterprise
• Relationship Trouble – Enterprise Risk Magazine 2021-06-10
• Third-Party GRC Management by Design
• 2021 Trends: Third-Party GRC Management

Blogs

• Information & Technology Enables Third-Party GRC
• Understanding the Third-Party GRC Process Lifecycle
• Critical Elements of a Third-Party GRC Strategic Plan
• Vendor Performance & SLA Management: A Quick Guide
• Defining Third-Party GRC Management
• The Extended Enterprise Demands Attention
• Relationship Trouble: The Pandemic’s Web of Interconnected Risks
• Modern Slavery Risk Assessments in the Extended Enterprise: A Quick Guide
• A Quick Guide to Anti-Bribery & Corruption (ABAC) Risk in the Extended Enterprise
• ESG is about to ROCK the Third-Party Risk World
• A Quick Guide to ESG and Risk Management in the Extended Enterprise
• 2021 Trends in Third-Party Governance, Risk Management & Compliance (GRC)
• Third-Party GRC: Looking Back on 2020, What Was Learned ?

Legal GRC Management

Research Reports

• Exterro: An Integrated 360° View of Legal Governance, Risk & Compliance

Blogs

• Legal GRC in Contrast to Legal’s Role in Enterprise GRC
• Architecting a New Paradigm in Legal Governance
• The Role of Legal & Legal Processes is Changing

Privacy Management

Research Reports

• Pathlock for Privacy & Data Protection

Internal & Automated Control Management

Research Reports

• Exterro: An Integrated 360° View of Legal Governance, Risk & Compliance

Blogs

• ControlPanelGRC: Providing 360° Contextual Awareness of Access Risk & Controls
• Carlisle Construction Materials: Agility Achieved in Access Control & Segregation of Duties
• Continuous Control Monitoring with SAP Process Control

IT GRC Management

Research Reports

Here are some thoughts on how to mature a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

1: Ad Hoc 

Organizations at the Ad Hoc stage of policy management maturity have ad hoc reactive approaches to policy management at the department level. Businesses at this stage do not actively manage policies; few if any resources are allocated to policy management. The department addresses policy management in a reactive mode — writing policies when forced to. There is no ownership or monitoring of policies, and certainly no integration of policy information and processes in the context of objectives, strategy, performance, and business change. 

Key elements that identify an organization is at the Ad Hoc stage are:

• Blind-spots. Businesses at this stage are subject to many blind spots. Writing and monitoring of policies is disconnected with no defined structure or approach.
• Reactive. The organization addresses policies in a reactive, firefighting mode e.g., writing policies when forced to.
• Lack of ownership or accountability. No one has been appointed to take control of policies or policy management.
• Lack of process. There are no defined or consistent processes, lifecycle, or methodologies for managing policies.
• Under resourced. Few resources are allocated to policy management and governance.
• Manual. With little technology support in place and a reliance on documents, file shares, and email, policy management processes fail to be consistent.

Organizations in the Ad Hoc stage are very much in reactive mode and are likely to answer many of the following in the affirmative:

• Does the policy management program lack clear owners and accountability within departments and disconnected from each other?
• Are policies written and put in place after the fact, when the organization realizes it is exposed or someone is insisting on them?
• Is policy management largely undocumented, or trapped in silos of emails and documents?
• Does the organization lack any process, information and technology architecture to support policy management?
• Does the department or business function have no ability to report and trend on policies and policy management over time?

Characteristics of the Ad Hoc stage are:

• Siloed and ad hoc policy management practices
• No structured and ongoing policy management program
• No skills and resourcing dedicated to policy management
• No defined policy management roles and responsibilities
• No policy governance structure or matrix in place
• No defined policy management program 
• Policies are written to put out a fire
• Ad hoc and reactive policy authoring and maintenance 
• Document-centric approaches
• Ad hoc reactive approach that addresses policies as issues arise
• Little to no technology in place for policy management
• No visibility, trending, or analytics of policies or policy management
• No board or senior management sponsorship of policy management

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

Already today I have had three inquiries from organizations discussing their policy management strategy and the appropriate solutions to address their enterprise policy management and training needs for a holistic approach to policy management. Here are some thoughts on how to build a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Organizations need a coordinated cross-department strategy for managing policies across the enterprise. The goal is to develop common principles, framework components, strategies, processes, and architectures so that policy management is consistent and managed as an integrated whole rather than a dissociated collection of parts. 

Policy management programs that are managed as disconnected and disassociated departments, documents, data, systems, and processes leave the organization with fragments of truth. They fail to see the big picture of policy management across the enterprise and how it supports the organization’s governance, risk management, and compliance responsibilities, and hinders the achievement of corporate culture and integrity. The organization needs to have holistic visibility and situational awareness into policy management across the enterprise. The complexity of business and the intricacy and interconnectedness of policies and obligations requires that the organization implement a policy management maturity journey.

Principles of Policy Management

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management found in the Policy Management Capability Model (found at www.PolicyManagementPro.com) are: 

• Necessary. Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management-led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
• Tailored. The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one size fits all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization. 
• Integrated. Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
• People-Centered. At its heart, policy management is people-centered from employees, to clients, and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
• High-Performing. The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
• Standardized. Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
• Collaborative. Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
• Accessible. Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
• Engaging. Policies need to be clearly written and understood. This requires policy management processes that conform to a consistent writing style and language as well as communication strategies to engage employees.
• Dynamic. The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

Components of a Policy Management Capability 

The Policy Management Capability Model (found at www.PolicyManagementPro.com), which defines the goals of a mature policy management program, is organized into five components that outline an iterative, continuous improvement process to achieve maturity in policy management. While there is an implied sequence beginning with Govern, once the capability is established, components operate concurrently, interactively, and symbiotically. The components of a mature policy management program, as found in the Policy Management Capability Model, are:

• Govern. Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
• Develop. Establish standard methods for policy development to apply, whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, and retiring out-of-date policies.
• Communicate. Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
• Enforce. Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
• Improve. Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

Policy Management Strategy, Process & Technology Architecture

Policy management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole in strategy, process, information, and technology. The organization requires complete situational and holistic awareness of policies across operations, processes, employees, and transactions to see the big picture of policy performance. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to policy management. The architecture defines how organizational processes, information, and technology are structured to make policy management effective, efficient, and agile across the organization.

Organizations need to be intelligent about the policy management processes and technologies they deploy. A sustainable and mature policy management strategy means keeping policies current in the midst of continuous regulatory, risk, and organizational change. With increased exposure to regulations and scrutiny, how does an organization keep policies current? 

The primary directive of a mature policy management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of policies across the organization. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies throughout the enterprise. The framework components of a policy management architecture are (more detail on the framework for a policy management architecture is found in GRC 20/20’s Policy Management by Design research paper):

• Policy Management Strategic Plan. Designing a federated policy management program starts with defining the strategy. The strategy connects key business functions with a common policy governance framework. The strategic plan is the foundation that enables policy management transparency, discipline, and control across the ecosystem of the enterprise. The core elements of the policy management strategic plan include:
  • Policy governance team. The first piece of the strategic plan is building the cross-organization policy governance team (e.g., committee, group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place.  
  • Policy management charter. With the initial collaboration and interaction of the policy management team in place, the next step in the strategic plan is to formalize this with a policy management charter. The charter defines the key elements of the policy management strategy and gives it executive and board authorization. 
  • Policy on Policies (e.g., MetaPolicy). This sets the policy management structure in place. The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The policy on policies is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
• Policy Management Process Architecture. Policy management is enabled through defined policy management processes. Processes are used to manage and monitor the ever-changing business, third-party relationship, risk, and regulatory environments in the context of policies. The policy management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy management processes, each process’s components and interactions, and how processes work together. The core elements of the process architecture are understood as the organization’s policy management lifecycle. This represents the actual operation and process of the Policy on Policies in action to develop, manage, and maintain policies throughout their effective use. Parts of an effective policy management process architecture include: 
  • Determine need for new policies or updates
  • Policy development and approval 
  • Policy publication, communication, training, and awareness
  • Policy adherence and compliance
  • Implement related procedures and controls
  • Monitor, test, and assess policy adherence/conformance
  • Manage and document policy exceptions 
  • Policy metrics and reporting
  • Review, update, or retirement of policies 
  • Policy archives of past versions with audit trail of history and interactions
• Policy Management Information Architecture. The information architecture supports the process architecture and overall policy management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy management processes. The policy management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy management information to support policy management processes. 
• Policy Management Technology Architecture. The policy management technology architecture enables and operationalizes the information and process architecture to support the overall policy management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right policy management technology enables the organization to effectively manage policy management performance and engagement across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans. There can and should be a central core technology platform for policy management that connects the fabric of the policy management processes across the organization. Organizations suffer when they take a myopic view of policy management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operations. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment that enables better performance, less expense, and more agility in policy management and engagement. Some capabilities organizations should consider in a policy management platform are:
  • Integration with other business systems
  • Collaborative policy authoring
  • Content, workflow, and task management
  • Regulatory change management and mapping
  • Cognitive technologies/artificial intelligence for policy and regulatory mapping 
  • Policy portal and accessibility
  • Notifications
  • Audit trail and system of record
  • Intuitive interface design
  • Mobility

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

In business, change is inevitable. The compliance landscape is also constantly evolving. Agile compliance ensures businesses move with these changes.

Business today is dynamic. It is changing minute-by-minute and second-by-second. Employees, processes, technology, transactions, interactions, even business relationships are in a continuous state of movement.

At the same time, the regulatory and risk environment is constantly changing. There are 257 regulatory change events every business day in financial services coming from 1,217 regulators worldwide.

The challenge for compliance professionals is becoming agile. An organisation needs an agile compliance program to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SKILLCAST BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]