
The Intersection of GRC and Policy Management

Michael Rasmussen
Speaker, Author, and Advisor
Published: September 23, 2019
Last Updated: August 10, 2023

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.


So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and a wrong or mismanaged policy could expose the entire operation to liability and risk. But I find that most organizations do not even know what policies they have in place.

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable an organization to reliably achieve objectives (governance—consistent behavior for processes and transactions)
  • While addressing uncertainty (risk management—we would not have a policy if risk did not exist)
  • And, acting with integrity (compliance—they define and guide organization behavior)

If you're just starting out with policy management, it can seem like an arduous task. Here are five key steps to get a handle on your organization’s policies:

  1. Discover. Understand what policies your organization has across departments by building a master index of official and authorized policies.
  2. Evaluate. Assess these policies to determine if they are relevant and current. Aim to define the right balance between too many policies (over-control) and too few (under-control).
  3. Assign. Make sure that each policy has an established owner (or owners) who is accountable for the policy.
  4. Maintain. Establish a life cycle that periodically reviews policies to keep them relevant and current, but also establishes triggers to kick off a policy review between periodic cycles when risk conditions change.
  5. Ensure. Provide the right resources to ensure that policies are written (e.g., language, tone, format) and managed consistently across the organization.

Organizations need a structured process to manage the life cycle of a policy, from authoring to approval to communication to maintenance. That process requires technology—specifically, technology designed to reduce the manual effort of each step of the life cycle.

Managing policies as individual documents and tracking them in spreadsheets and emails inevitably leads to failure in policy management. Policy management requires structured accountability and maintenance with audit trails, tasks, workflows, approvals, and reporting—across all three lines of defense.

The right technology to manage policies makes these five steps more efficient, effective, and agile for the organization. Organizations should implement policy management technology that allows for collaborative policy development/authoring, communication, maintenance, reporting, and monitoring compliance.

Policy management is a continuous process and not an effort for one point in time. One does not just start a policy project to review and update policies and then put them on the shelf to be ignored. Regulations are changing, risk is changing, the internal business environment is changing—policies need to be kept current in a dynamic environment.


About the Author
Michael Rasmussen

Speaker, Author, and Advisor

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC)—with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 22+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC,” being the first to define and model the GRC market in February 2002 while at Forrester.
