Today I'd like to give you some insights into the topic of Policy Management, which is a less prominent part of what we call "GRC". That is a little strange, as Policy Management relates to Governance, which is even represented by the first letter, G, in GRC - Governance, Risk and Compliance.
Maybe Policy Management is not so much in public focus because it already existed before the current GRC boom started with the Sarbanes-Oxley Act in the USA. Policies have been the main means of translating external demands into internal regulations and enriching them with internal demands on the same topics. But this obviously had drawbacks, as the big compliance scandals showed, so public focus shifted to internal and external assessment: testing, auditing, evaluation.
Now Policy Management is getting more attention again, as companies see its advantages in efficiently establishing general control over certain compliance topics without overcrowding their processes with specific control points. But Policy Management needs to evolve to the next level, as expectations have clearly increased.
Our ideas on a good policy management process are by far further reaching than what companies had established in the past. We see three phases in such a process: Creation or change of a policy, implementation of a policy and lastly evaluation of the design and effectiveness of a policy.
The first phase mainly concentrates on a document control workflow and release cycle management. We support this with a very flexible technology for creating per-click executable processes using ARIS Process Governance.
In the second phase we can offer state-of-the-art policy implementation. Today it is not sufficient to just publish policies on a company's intranet. We differentiate between levels of criticality for policies. For a travel policy, for example, it may be sufficient to publish it in the process web intranet with an alert sent to the employees. For a company conduct guideline you may want to go one step further and obtain an acknowledgement signature from at least the management addressees confirming that they have read, understood and will apply this guideline. And for a work instruction on a pharmaceutical bottling station you even need to ensure that everybody working on the respective shop floor was trained on it. All these activities are supported by the reference process delivered with ARIS Process Governance.
And more - all those activities concerning Policy Management are documented and can be monitored.
That leads us to the last phase, "Testing of Policies". Every policy should be checked at regular intervals to confirm it is still applicable, up to date and covering the objectives or risks it tackles - that is what is called a TOD, or Test of Design, in modern compliance talk. And at the latest for those policies with higher criticality you want to run a TOE, or Test of Effectiveness: was this policy really implemented and adhered to? E.g. how many of my managers have signed the conduct guidelines issued? In this phase we are back to our classic testing support with the ARCM.
The big chance in such an integrated approach is that, for each risk a customer wants to control or reduce, they can decide by what means this is done most efficiently: with a policy, a contingency plan, reducing measures or an internal control!
Hi HC,
General information on ARIS Process Governance can be found here:
http://www.ids-scheer.com/en/ARIS/ARIS_Innovations/ARIS_Process_Governance/151394.html
So far there is no standard connection to the Business Rules Designer.
For a demonstration please contact your friendly sales rep ... he or she will arrange a demonstration. We are currently working on flash demos, but this will take some more time.
Regards,
Martin Kling
I wanted to point out also that the concepts of Policy Management and Governance fall into several domains in the Enterprise, and that GRC (Governance, Risk and Compliance) tends to be in the broader sphere of Corporate Governance.
But in addition to these aspects of Policy Management, the same language can enter into the spheres of IT Governance and SOA Governance...
thanks,
Miko Matsumura
Software AG
In our understanding the ARIS Solution for GRC is addressing all compliance topics with a common approach and tooling. That's one of the strengths we can offer to our customers. It is not necessary to have different approaches and tooling to tackle IT topics (Risk, Governance, Compliance) or financial topics.
I totally agree that Policy Management should also address the respective topics of IT Governance, even if I didn't give examples for it.
Regards,
Martin