The Intersection of GRC and Policy Management
Policies matter and policy management matters. Period.
Policies are critical governance documents for every organisation. They set guardrails and parameters of acceptable and unacceptable behaviour for individuals, processes and transactions. When they are managed and enforced properly, policies guide and define corporate culture.
So, why do organisations approach and manage policies so carelessly?
Policies set a duty of care for the organisation, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But, I find that most organisations do not even know what policies they have in place.
Why policies are critical to GRC
Since policies are critical governance documents of the organisation, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organisations do.
Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned and irrelevant to the organisation.
As defined by OCEG, GRC is "the integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity." Dissecting this definition hints at the importance of policies in the context of GRC:
- Policies enable an organisation to reliably achieve objectives (governance—consistent behavior for processes and transactions)
- While addressing uncertainty (risk management—we would not have a policy if risk did not exist)
- And, acting with integrity (compliance—they define and guide organisation behaviour)
Taking control of your policies
If you're just starting out with policy management, it can seem like an arduous task. Here are five key steps to get a handle on your organisation’s policies:
- Discover. Understand what policies your organisation has across departments by building a master index of official and authorised policies.
- Evaluate. Assess these policies to determine if they are relevant and current. Aim to define what is the right balance between too many policies (over-control) versus too few (under-control).
- Assign. Make sure that each policy has established an owner (or owners) that is accountable for the policy.
- Maintain. Establish a life cycle that periodically reviews policies to keep them relevant and current, but also establishes triggers to kick off a policy review between periodic cycles when risk conditions change.
- Ensure. Provide the right resources that ensure that policies are written (e.g., language, tone, format) and managed consistently across the organisation.
Technology: the backbone of policy management
Organizations need a structured process to manage the life cycle of a policy, from authoring to approval to communication to maintenance. That process requires technology—specifically, technology designed to reduce the manual effort of each step of the life cycle.
Managing policies as individual documents and tracking them in spreadsheets and emails leads to the inevitability of failure in policy management. This requires structured accountability and maintenance with audit trails, tasks, workflows, approvals and reporting—across all three lines of defense.
The right technology to manage policies makes these five steps more efficient, effective, and agile for the organisation. Organisations should implement policy management technology that allows for collaborative policy development/authoring, communication, maintenance, reporting and monitoring compliance.
Policy management is a continuous process and not an effort for one point in time. One does not just start a policy project to review and update policies and then put them on the shelf to be ignored. Regulations are changing, risk is changing, the internal business environment is changing—policies need to be kept current in a dynamic environment.
Learn how KeyBank took control of its policy creation and management processes to increase efficiency—download this white paper.
About the Author
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC)—with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 22+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC,” being the first to define and model the GRC market in February 2002 while at Forrester.