
Today I'd like to give you some insights into the topic of Policy Management, which is a not so prominent part of what we call "GRC". That is a little bit strange, as Policy Management relates to Governance, which is even represented by the first letter G in GRC - Governance, Risk and Compliance.

Maybe Policy Management is not that much in public focus because it already existed before the current GRC boom started with the Sarbanes-Oxley Act in the USA. Policies have been the main means of translating external demands into internal regulations and enriching them with internal demands on the same topics. But this obviously had drawbacks, as the big compliance scandals showed, so public focus shifted to internal and external assessment: testing, auditing, evaluation.

Now Policy Management is getting more attention again, as companies see its advantages in efficiently establishing general control over certain compliance topics without overcrowding their processes with specific control points. But Policy Management needs to evolve to the next level, as expectations have clearly increased.

Our ideas on a good policy management process reach far beyond what companies had established in the past. We see three phases in such a process: creation or change of a policy, implementation of a policy, and lastly evaluation of the design and effectiveness of a policy.

[Figure: policy management process]

The first phase mainly concentrates on a document control workflow and release cycle management. We support this with a very flexible technology for creating per-click executable processes using ARIS Process Governance.

In the second phase we can offer state-of-the-art policy implementation. Today it is not sufficient to just publish policies on a company's intranet. We differentiate between levels of criticality for policies. For a travel policy, for example, it may be sufficient to publish it in the process web intranet with an alert sent to the employees. For a company conduct guideline you may want to go one step further and obtain an acknowledgement signature from at least the management addressees confirming that they have read, understood and will apply this guideline. And for a work instruction on a pharmaceutical bottling station you even need to ensure that everybody working on the respective shop floor has been trained on it. All those activities are supported by our reference process delivered with ARIS Process Governance.

And more: all those activities concerning Policy Management are documented and can be monitored.

That leads us to the last phase, "Testing of Policies". Every policy should be checked at a regular frequency to see if it is still applicable, up to date and covering the objectives or risks it tackles - that's what is called a TOD, or Test of Design, in modern compliance talk. And at least for those policies with higher criticality you want to run a TOE, or Test of Effectiveness: Was this policy really implemented and adhered to? E.g. how many of my managers have signed the conduct guidelines issued? In this phase we are back to our classic testing support with ARCM.

The big opportunity in such an integrated approach is that a customer can decide, for each risk he wants to control or reduce, by what means this is done most efficiently: with a policy, a contingency plan, reducing measures or an internal control!

Tags: GRC