As companies become more aware of Governance, Risk & Compliance (GRC), policy management is emerging as a topic in its own right. Michael Rasmussen, a risk and compliance lecturer, writer and advisor, recently wrote some very interesting blog entries about it, and that prompted us here at Software AG to pick up the discussion again, too.

But what does policy management really mean? What is a policy? And how can policies be managed? Let me share some of our thoughts on this with you.

Most of us know the policies in our companies (even if you work in a smaller company, there are policies, they just might not be written down). If I look around here at Software AG, there are policies for nearly everything: using your company email account, installing software on your company laptop, traveling (which hotel you are allowed to book, which car you are allowed to rent), and many of them have changed in recent years. I have to admit that I don't know all our company policies, since many of them don't concern me or my work. So for me as an employee it is important that I know and understand what I am and am not allowed to do, and that I know where to find our policies if I need to look something up.

But what matters for companies? The risks for an organization whose policies are outdated, ineffective or simply not compliant with legal requirements are severe. Not only can the consequences be a loss of productivity and reduced quality, it is also a matter of liability, e.g. in the case of a privacy violation. So companies need to manage the lifecycle of their policies. In general this lifecycle consists of four main phases:

1. Definition of policies

The definition phase starts with the need for a new policy and the assignment of a policy owner. Once the policy has been written out in clear and complete form, it should go through an approval process before it is communicated.

2. Communication of policies

The approved policy should then be published so that every employee has access to the policies that concern them. For some policies it may be necessary for employees to attest that they have read and understood the policy, or even that they have completed an associated training.

3. Monitoring of policies

An established policy needs ongoing management. Companies need to set up controls that check compliance with the policy and document violations as input for the next review.

4. Review of policies

At least annually (or according to a defined review cycle) a policy should be reviewed and checked to see whether it is still current. As a result, the policy either stays as it is, is updated, or is retired and archived for retention.

Supporting this lifecycle with software offers many advantages. For example, it ensures that everybody follows a predefined process, including review cycles that keep policies up to date, and it keeps all policies in one place. Accountability and the audit trail are another important point. Only with clear responsibilities and a system that tracks attestations (who has read and understood which policy) and recorded violations is it really possible to check whether people actually work in compliance with the policies.

But so far this is only our view on it, and now I am also interested in your experience with policy management. How much of that lifecycle do you cover, and how? What is needed and what is not needed, in your opinion? If you like, just share it with us; I would be happy to read your input.

Tags: GRC