Improving Your Organization's Policy Management Capability

Previously we looked at Why Policies Matter and The Principles of Policy Management from the newly published Policy Management Capability Model that I developed with OCEG for PolicyManagementPro.com. This week we turn our attention to the structure of a strong policy management capability in your organization as found in the Policy Management Capability Model (which is free and open-source, but also has a training and certification program for policy management professionals and authors/subject matter experts to become a Certified Policy Management Professional (CPMP)) . . .

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2019, I found my interactions increased even more. Organizations were restructuring their strategy, processes, and roles, and the move to a work-from-home environment revealed that policy management internally ranged from a complete mess to a disaster. Several organizations found that they had over 20 policy portals in their environment, and policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to find policies in the work-from-home environment and were very confused.

In this past year's environment, organizations found policy management a critical element to address in order to communicate confidence, ease employees' frustration and concern, reinforce a strong culture of ethics, and provide stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a single portal for policies that engages employees.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need for an intuitive and engaging policy portal for employees and consistency in policy management. There is also heightened concern about rogue, unauthorized policies that open the door to legal liability and duty-of-care concerns, particularly if managers at different levels think they are a little smarter than the rest of the organization and write what they think the COVID-19 related policies should be (e.g., personal safety equipment, vaccine policy). I am seeing a lot of attention being focused on structured policy management programs that provide a single interface and process for all official and approved policies in the organization, to reduce exposure to rogue unauthorized policies.

A structured approach to policy management is found in the Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at www.PolicyManagementPro.com. It comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world. I encourage you to look at this free guidance on what an effective policy management program looks like and adapt it to your environment.

There is a related training and certification program based on the model to become a Certified Policy Management Professional (CPMP). Several organizations are sending dozens of employees (in one case a healthcare organization is looking at sending 300 employees, being all of its policy management related staff as well as policy authors and subject matter experts) through this training so everyone is on board and shares the same vision of what an effective policy management program is in their organization. The goal in these organizations is to increase consistency and deliver efficiency, effectiveness, and agility in policy management and communications. It is also to define and enhance a culture of integrity in the organization.

There are also professional service firms as well as solution providers sending their staff through this training to better advise and deliver policy management strategies and solutions to their clients. This is a really exciting time for policy management!

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model

COMPONENTS

The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, Components operate concurrently, interactively, and also symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply, whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, and retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

ELEMENTS and PRACTICES

Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

Is Your Organization Lawful Good or Chaotic Evil?

Anyone that knows me knows that I love science fiction and fantasy books and movies. In the 70’s I remember being in 2nd grade and watching the cartoon of J.R.R. Tolkien’s The Hobbit. I instantly devoured the book and read all of The Lord of the Rings and Silmarillion by the 4th grade. I was hooked. I devoured fantasy books. I remember my grandmother coming to visit and taking me to the local Waldenbooks bookstore wanting to buy me a book. I had read every one of them in the fantasy section. I remain a fan. For those of you on video conference calls with me, you can see a medieval sword hanging up behind me and my bookshelves filled with Tolkien books as well as medieval history books.

Loving fantasy books at a young age, I also started playing Dungeons and Dragons. I loved role-playing. To create a character, assign them a personality and capabilities, equip them, and then go on adventures with them to conquer evil. My young mind was continuously inventing new characters and other worlds. I loved it.

One of the things you have to do when creating a character is to give them an alignment. Your character's alignment defines their moral, ethical, and personal attitudes framework. It is central to developing your character's identity and personality type. In general, good characters are the protectors of life and evil characters destroy life. Neutral characters are in the middle. But it is more than just good versus evil; it is how you go about accomplishing good or evil. Lawful characters tell the truth and respect authority and structures, whether good or evil. Chaotic characters are more utilitarian and will break rules and go against structures to accomplish what they desire, whether good or evil. There are nine character types across this spectrum; I will adapt those below . . .

This past year, with all the focus on ESG, corporate values, ethics, integrity, human rights, and more, has caused me to regularly ponder the alignment of organizations. Is that organization a Lawful Good organization or a Chaotic Good organization? Is it neutral or evil?

Your alignment is more than something on paper; it is more than your code of conduct. Your organization's alignment is determined by taking a close, critical look at the overall actions and behavior of the organization. In a role-playing game, I can state my character's alignment is good, but if my actions during the game are not good then my real alignment is something else. The same is true for an organization: your alignment is determined by the overall behavior and culture of your organization. Policies, such as a code of conduct, can be fiction or can be a tool for achieving a stronger culture and making the integrity and values of the organization a reality.

A lawful organization will have policies and will work to ensure those policies are followed and adhered to (whether they are good or evil). A chaotic organization may or may not have policies, but if it does, it really does not focus on enforcing them, as policies do not matter to it so long as its overall goals, good or evil, are achieved.

Using the nine alignments adapted from Dungeons and Dragons to a corporate profile rather than a personal one, I ask you: what is your organization's alignment?

Is your organization . . .

  • Lawful Good. This is the crusader organization. The organization that acts within the boundaries of laws and aims to be a good corporate citizen giving back to the community and making the world a better place. This organization opposes evil and works relentlessly for good. This is an honorable and humane organization. A benevolent organization.
  • Lawful Neutral. This is the organization that acts within laws, traditions, and codes and finds order and organization critical, but does so in a way without being a zealot. This is an honorable and realistic organization.
  • Lawful Evil. This is the dominator of organizations. This organization loves order, structures of accountability, and laws but aggressively pursues its own cause within order and structure without thinking of the good of others. It is an organization acting with honor in self-interest. This is the honorable and determined organization, honor being operating within law and order.
  • Neutral Good. This is a benefactor organization. The organization generally stays within the boundaries of laws and regulations but does not feel strictly beholden to them. It works for good without bias for or against order and structures of authority. This is a practical and humane organization.
  • Neutral. This is the middle of everything, the undecided organization that will allow circumstances to bend it towards lawful or chaotic choices at different times, or good and evil choices at different times. It does not feel strongly one way or another. This is a practical and realistic organization.
  • Neutral Evil. This is the organization that does whatever it can get away with. If it means breaking a rule, law, value . . . then it will if the reward outweighs the risk. This organization does not love conflict, so it avoids sticky situations. It is evil as it pursues its endeavors without honor and will break rules, but it does so sneakily and covers things up. This is a practical and determined organization.
  • Chaotic Good. This is the rebel with a cause organization. The organization is kind and benevolent but willing to break laws and order to achieve its aims. Sort of the libertarian organization that prefers to follow its own moral compass, and may not agree with the society around it. This organization has a good heart and a free spirit in its actions. This is an independent and humane organization.
  • Chaotic Neutral. This is very much the free-spirited organization. This organization values its own liberty and choices and does not actively strive to work for or against the liberty of others. They do not intentionally disrupt others and are not motivated by good or evil. This is an independent and realistic organization.
  • Chaotic Evil. This is the organization that actively seeks to destroy and bring others down. It is not motivated by law or order at all. It is motivated purely by greed, avarice, and desire. It does not even try to pretend to work within the boundaries of society and laws. This is an independent and determined organization. This is a hedonistic organization.

Taking this back to individuals, Superman would be Lawful Good, while Darth Vader and Hitler would be Lawful Evil, and the Joker or Charles Manson are examples of Chaotic Evil. Han Solo is an example of a Neutral alignment.

Organizations are complex, so it is hard to nail this down to a specific alignment. But if you had to honestly measure the culture and behavior (not just the policies but actual behavior) of your organization, what would it be? What would you like it to be or believe that it should be?

Organizations are also made up of individuals. Those individuals have their moral and ethical predispositions/alignment. What is your alignment based on your behavior? What would you like it to be? How should understanding concepts like alignment impact how we evaluate and hire employees? After all, it is the employees that make up the organization and its behavior. As an employee, what alignment of an organization do you want to be part of?

I know it is not a perfect framework, but it is an interesting exercise and discussion. While individuals can be mapped across these alignments, is there a truly 100% lawful good or 100% chaotic evil organization?

Delivering ESG in GRC

ESG – Environmental, Social & Governance – is all the rage and the buzzword among investors, regulators, lawmakers, and citizen activists. Pressure is mounting from multiple fronts for organizations to implement ESG reporting. In one respect, this is an evolution of the sustainability and corporate social responsibility (CSR) efforts of the past. However, ESG is broader and has more momentum. Where CSR and sustainability were too often (but not always) pushed from a marketing perspective, ESG has the momentum and force to become a significant measurement of the integrity of the organization: integrity in that what the organization commits to in its values is a reality throughout the organization and the extended enterprise.

In a previous blog, Tale of Two Futures: Blade Runner or Star Trek?, I pointed out that a lot of GRC (Governance, Risk management, and Compliance) and ERM (Enterprise Risk Management) programs in organizations are unbalanced and do not reflect reality. If you looked at these programs you would think the predominant risk to organizations was IT security risk. That is a significant risk, but I pointed out in the article that environmental risks and health and safety risks were often buried in other departments and not part of the broader ERM and GRC programs, and that this has to be corrected. That blog was written a few months before COVID-19 hit the world and validated my point. Organizations need to restructure their approach to GRC (and its components of governance, risk management, and compliance) to embrace and deliver on ESG monitoring and reporting.

One thing to note: ESG is more than the E (environmental). Too often I see organizations fixate on that leading E and perceive ESG as just being about environmental values and climate change. It is so much more than this. The S (social) and the G (governance) are just as important as the E in ESG. Let's unpack this. There are many standards and various definitions for ESG, but we can put a comprehensive view together . . .

  • E = Environmental. Measures and reports on the values and commitment of the organization to stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.
  • S = Social. Measures and reports on the values and commitments of the organization and how the company treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.
  • G = Governance. Measures and reports on the culture and behaviors of the organization in context and alignment to its values and commitment. This includes finance and tax strategies, whistleblower and reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

ESG crosses business boundaries. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is a web of third-party relationships: vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, intermediaries, agents, partners, and more. To truly deliver on ESG requires monitoring and managing the shared values and integrity throughout the extended enterprise of the organization. Legislation and regulation are focused on this, like the European Union’s Directive on Corporate Due Diligence and Accountability with Germany’s corresponding Due Diligence Act (to name one of many).

THE CHALLENGE: Delivering 360° Situational Awareness of ESG

I am getting a lot of inquiries from organizations looking to integrate and automate their ESG and GRC programs, that is, to deliver ESG reporting through their GRC strategy, process, and technology.

The official definition of GRC, found in the OCEG GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. These are all the elements needed to deliver effective ESG monitoring and reporting. It starts with governance and setting the objectives of the organization so that they are aligned with the values and commitments delivered in ESG statements; from there, the organization needs to monitor uncertainty around those objectives and ensure that it is acting with integrity to meet those objectives and its commitments/values.

However, the technology environment to accomplish this is fragmented. I am getting inquiries from confused organizations that want clarity on who delivers the breadth of true GRC that would include the aspects of ESG. On one side you have platforms that Forrester and Gartner cover in their corresponding Waves and Magic Quadrants. These solutions are more focused on the G in ESG and some aspects of the S, with a predominant focus on information security. Then you have the solutions covered in the Verdantix Operational Risk Green Quadrant, a completely different set of solutions that focus more on the E and the other part of the S in ESG. I have been in RFPs where the organization wants a single integrated solution to manage GRC, ERM, ESG, and EH&S in one platform . . . only to find they have to go with best-of-breed solutions.

The next generation GRC platform that is going to lead the future is going to bring these worlds together. There will always be best-of-breed specialty risk systems that are integrated into the broader GRC architecture, but organizations need a complete platform that can deliver on 360° situational awareness across GRC areas, including environmental, and health and safety risks and deliver on full ESG monitoring and reporting. The race is on and organizations are looking now.

The Agile (Not Just Resilient) Organization

Agility is a thing of beauty. I love watching acts of agility. Take parkour, for example: how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing. A few years back I was doing a lot of Spartan races. For myself, that was not agility but more of an awkward ox doing obstacles, but for others it was amazing what they could do in the environment given to them.

When I think of agility, my mind immediately goes to Legolas, the elf, in Lord of the Rings. Though I prefer the books, the films were amazing, and the agility of Legolas in the midst of battle was amazing: how he moves through the threats and enemies around him and seizes opportunities for victory. Gimli, the dwarf, in Lord of the Rings is the embodiment of resiliency. He is built like a tank and simply can withstand the beating and hits as he pummels forward to victory.

There is a lot of focus right now on business and operational resiliency. Resiliency is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape from an event. This is very critical and I see a lot of organizations moving to bring together operational risk management and business continuity management into what is now defined as an operational risk and resiliency program. Business continuity management as a separate function in the organization is a thing of the past and over the next two to three years we will see a mass migration to an integrated operational risk and resiliency program.

However, there is more that needs to happen. Organizations also need to be agile. Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk management will clearly understand the objectives of the organization, its performance goals, and its strategy, and continuously monitor the environment for 360° situational awareness in order to be agile: to see both opportunities and threats so the organization can think and understand quickly and be prepared to move, to seize opportunities while avoiding threats/exposures to the organization and its objectives. It reminds me of a blog I wrote 11 years back, Everything I Need to Know About Risk Management I Learned in Drivers Education, in the IPDE Model (Interpret, Predict, Decide, Execute). Though looking back on this I would add more emphasis on IPDE for opportunities.

In a blog last month, What is Business and Operational Resiliency?, I reviewed the financial services definitions of operational resiliency from the United Kingdom, European Union, United States, and the Basel Committee on Banking Supervision. In that article, I referenced how the United Kingdom’s FCA definition of operational resiliency was superior to the others. Particularly because it was the one that is proactive as it discusses the ability to prevent events. The other definitions were very reactive as the focus is all on the ability to recover from an event. The FCA definition has an element of agility that goes beyond resiliency.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability, enabling situational awareness for the organization so it can seize on opportunity as well as avoid exposures and threats.

So today’s modern organization needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility and operational risk and resiliency that organizations need to develop in today’s dynamic, distributed, and disrupted business. This is how GRC – governance, risk management, and compliance – has been officially defined for over 15 years in the OCEG view of Principled Performance and the GRC Capability Model: a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].

A CECO SWOT Analysis for 2021: Understanding Your Threats

We are at the final stage in working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Over the past few weeks, we looked at the STRENGTHS, WEAKNESSES, and OPPORTUNITIES of the typical CECO; this week we turn to the THREATS.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. To achieve your strategy, it is critical to know the threats that can derail you as you strive to build the culture and integrity of the organization through a compliance and ethics management strategy.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. Here are some threats that can derail the CECO’s strategy if they are left unaddressed:

  • Third party risk and compliance in which . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Principles of Effective Policy Management

Last week we looked at Why Policies Matter from the newly published Policy Management Capability Model that I developed with OCEG for PolicyManagementPro.com. This week we turn our attention to the principles of policy management for those seeking training and certification as a Certified Policy Management Professional (CPMP) . . .

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management are:

  • Necessary – Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
  • Tailored – The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one size fits all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization. 
  • Integrated – Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered – At its heart, policy management is people-centered from employees, to clients, and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing – The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
  • Standardized – Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
  • Collaborative – Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible – Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
  • Engaging – Policies need to be clearly written and understood. This requires policy management processes that conform to consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic – The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

As you are developing the capability, consider ways to make these principles evident in the design and operation of policy management.

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

Why Policies Matter

From time to time, people ask why policies matter. After all, they argue, are not the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their operations and have case-by-case flexibility? Don’t policies create liability when they are not followed? Isn’t it just more unnecessary bureaucracy?

The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.

The longer answer is a bit more complicated. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies, in the context of this Policy Management Capability Model, can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.

Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.

  • Policies articulate the governance culture: Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Can you imagine an organization that did not have policies? How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture: This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization “to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].” Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strong embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives.

Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.

The Policy Management Capability Model

After years of discussion and more than 18 months in development, I am pleased to announce the launch of my latest collaboration with OCEG: Policy Management Pro and the publication of the Policy Management Capability Model.

You should already be familiar with the GRC Capability Model, which is in use by organizations of all sizes and types worldwide. Now, we apply the same level of detail and clarity to the critical business need for effective policy management, which presents significant challenges in today’s ever-changing global operating and regulatory environments. 

Policy Management Pro brings policy standards and a professional certification in policy management to the market for the first time.

Our collaboration in this project with OCEG and the highly experienced practitioners in policy management who served on the review committee has led to a set of comprehensive practices that will benefit any organization.

The Certified Policy Management Professional designation indicates a strong understanding of the standard practices set out in the Policy Management Capability Model. Knowing your policy team or any new hires have the CPMP designation should offer peace of mind and confidence that your policy capability is in good hands. As we say on the site, we give you everything you need and nothing you don’t to build and run a strong policy management capability.

Check out what people have to say . . .

“It was a great pleasure to read this document because of how thorough and well thought out it is. It has been frustrating with no industry standard for organizations to lean on when trying to stand up a policy management program. This really will be a fantastic and extremely valuable tool in helping organizations establish this capability.”

Jeff Boyer, Governance Lead, Suncor Energy Services, Inc. and review committee member

“This document has all the essentials, in sufficient detail, for any practitioner setting up a policy management project. This is virtually a step-by-step guide. I only wish the document was available to me all those years ago when I was in my first compliance role and had to get a new business unit with 150 frontline staff audit ready in 6 months!”

Meng Barnie, Compliance Officer & MLRO, BLOM Bank and review committee member

Take a few minutes to join! View the Policy Management Pro website, download the Capability Model and check out the free sample lesson from the on-demand training program. Then take advantage of the opening discount offer and sign up today as the first step toward your standing as a Certified Policy Management Professional.

Listen to the latest podcast from Tom Fox on PolicyManagementPro . . .

A CECO SWOT Analysis for 2021: Finding Your Opportunities

We are in the midst of working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Over the past few weeks, we looked at the STRENGTHS and WEAKNESSES of the typical CECO; this week we turn to the OPPORTUNITIES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. To achieve your strategy, it is important to look for opportunities to advance compliance and ethics within your organization.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. Here are some opportunities and messages that GRC 20/20 finds strong CECOs leveraging to advance the compliance and ethics agenda in their organization:

  • Focus on integrity, in which the compliance and ethics function . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

What is Business and Operational Resiliency?

Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency, which requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts it.

I am seeing a lot of interest in risk management and resiliency in my research. In this context, I come across the terms business resiliency and operational resiliency. There is a difference between business resiliency and operational resiliency. I see solution providers using these terms as synonyms, or I see some make the mistake of thinking that operational resiliency is for financial services and business resiliency is for other industries. This mistake is because of the operational resiliency regulations in the financial services industry. The reality is that all industries have operations and processes and therefore have operational resiliency concerns. All organizations have business resiliency needs as well. There is not one organization that does not have business and operational resiliency needs.

What is the difference?

Business resiliency is broad: it includes resiliency in the organization’s strategy, liquidity/cash, diversity/hedging, and operations. So operational resiliency is part of business resiliency, just as its counterpart, operational risk management (ORM), is part of, but not the same as, enterprise risk management (ERM).

Here is how I differentiate the two: business resilience is broader than operational resilience, and it includes operational resilience.

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on internal processes, services, people, systems, and relationships.

Let’s Dive Deeper into Operational Resilience

Operational resiliency is not business continuity 2.0. It is much more than that. Operational resiliency is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party GRC/risk management (for example, the FCA/BoE/PRA guidance on operational resiliency references third-party/vendor risk throughout the document).

As for definitions, let’s look at how the financial regulators define operational resilience, and I will give you my opinion on which is the best definition:

  • UK FCA: We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
  • EU DORA: ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
  • US OCC: Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
  • Basel Committee on Banking Supervision: The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.

Granted, these definitions are focused on financial services, so let’s evaluate them objectively in a context that crosses industries (strip out the financial services specific language).

My least favorite definition is the EU’s DORA (Digital Operational Resilience Act). This is because it focuses specifically and exclusively on digital operational resiliency. Operational resiliency is so much more than the depths and bowels of the IT department, technology, and information. Operational resiliency is also about people, processes, services, and third-party relationships. I also find the definition to be very reactive and not proactive.

Next in my order of least to best definition is the Basel definition. It is stuck in the idea of disruption and recovery, but has a broader view than DORA and does include elements of risk management. It is also another definition that is more reactive than proactive.

The US Office of the Comptroller of the Currency (OCC) definition is better. I like the fact that it specifically leads with operational risk management and takes it out of a pure business continuity context. This is good, but not good enough. I find the definition still a little weak, as it is still focused on preparing for and recovering from disruption, a reactive approach.

The UK Financial Conduct Authority provides the best definition, and I love this definition. It is the shortest definition, but the only one that takes a strong risk management approach to operational resiliency. It is the only definition that mentions PREVENT, as organizations can monitor and address situations before they impact the organization (at least in some situations). The idea of PREVENT gives a strong governance focus to this that ties into objectives and strategy to navigate the organization to manage uncertainty, a concept of agility to avoid disruption. The other element I love about this definition is that it references LEARN as well, so the organization learns from events and disruption and does not repeat the same mistakes.

The United Kingdom wins again. I personally am a fan of regulations that come out of the United Kingdom (and nearly half my interactions are in the UK). The UK brought us principle/outcome-based regulations back in the FSA days (before the FCA), which then became EU better regulatory policy. The UK is leading in accountability regime regulation with the UK SMCR and now we have Australia BEAR, Ireland SEAR, Hong Kong MIC, and Singapore IA that have followed suit. The UK FCA is leading the world in digitizing the rulebook and regulations. More work is going into the UK Modern Slavery Act with greater requirements and enforcement penalties expected. Now I have digressed into other areas . . .

What are your thoughts on business and operational resiliency? How are they different? How are they related? How would you define them?