In my experience, policy management processes are in disarray when they operate autonomously in separate parts of the business, and that disarray introduces risk in today's complex, dynamic, and distributed business environment. The typical organization lacks a structured means of policy development and governance; instead it has an inconsistent maze of templates and processes. Inconsistency in policy management means processes, partners, employees, and systems that behave like leaves blowing in the wind. Organizations struggle with policies that are out of date, ineffective, and not aligned to business needs. Policy inconsistency opens the door to liability, because an organization can be held accountable for a policy that is inappropriate or that is not complied with.

Organizations require a consistent governance process to develop and maintain policies and procedures. Policies articulate culture: they establish a duty of care, define expectations for behavior, and set out how the organization will comply with its obligations. Accountability in policy governance rests on three policy governance functions:

Policy Lifecycle Management. Policy Lifecycle Management is the process of managing and maintaining policies throughout their effective use within the organization. Implementing it requires process and technology that support content, workflow, and task management and keep a robust audit trail.

Policy Management Committee. The Policy Management Committee provides oversight and guidance of policies, ensuring policy collaboration across the enterprise and providing the structure and connective tissue to coordinate and drive consistency. It comprises team members who represent the interests and expertise of the different parts of the organization.

Policy Manager. An individual should be assigned the role of Policy Manager to ensure accountability across the policy lifecycle to the standards, style, and process defined by the Policy Management Committee.

Critical to the success of policy governance is a “policy on writing policies” supported by a policy style guide and templates. Organizations cannot drive desired behaviors or enforce accountability if policies are inconsistent. Policy writing that is wordy and confusing damages the corporate image and costs time and money. Every organization should have a structure in place that provides for clear and consistent policies. A significant shortcoming in policy management is the failure to define a policy style guide. A style guide for policies standardizes:

Taxonomy. Policies are to have a logical relationship to each other following a hierarchical categorization taxonomy.

Format. Policies are to have a consistent look and feel. Anyone should be able to see a policy and recognize that it is a corporate policy by the consistent format.

Structure. Related to format, policies are to have a consistent structured arrangement of the headings/sections.

Language. Policies are to have consistent language. Good policies are written in the active voice and easy to read.

Definitions. Terms used in policies are to be used consistently across the organization with a common understanding of what they mean.

Process. The style guide should outline roles and responsibilities for writing, editing, and approving policies.

Policy lifecycle management that addresses accountability brings integrity and value to policy management. It provides accountability for policy management processes that are often scattered across the organization, and it enables policy management to work in harmony across organizational functions, delivering efficiency, effectiveness, and agility. Well-governed and well-written policies improve performance, produce predictable outcomes, mitigate compliance risk, and help avoid incidents and loss.

Making Policies Consistent: An OCEG Roundtable

Rasmussen: Organizations are struggling to get a handle on policies. Rogue unauthorized policies are popping up on file shares and intranet sites, which can lead to liability and exposure to the organization. What do you recommend that organizations do to get a handle on policies scattered throughout the enterprise and create a consistent process for development and approval of policies?

Tietjen: Unfortunately, if policy creation becomes an uncontrolled exercise, managers and supervisors throughout the organization may begin to deem it their right to create new rules and regulations that they perceive as necessary to keep their departments in order. Although the intent may be well-meaning, it can often lead to contradictory and possibly illegal practices. The sad part is, it is not the manager that authored the document that must be arraigned for its content in court, but rather the corporate governing body. All policy should be controlled and receive approval by appropriate administrators before being communicated to employees. And the employee needs some form of verification that the policy was approved by those parties for current use.

Marobella: The first step to reducing unauthorized policies is to create a formalized policy management program and communicate the program to the appropriate people across the organization. As part of the program, developing a policy framework in which policies are mapped to a library of applicable regulatory requirements or compliance topics will help get visibility into what policies exist, where you have coverage from a compliance and governance perspective, and what gaps exist. Rogue policies are often created with good intentions but done so because there was a lack of awareness of the proper process or because the process doesn't meet their business needs. The policy program should be created with an understanding that different parts of the business may have unique needs and requirements in terms of the policy template or approval processes. If the program is thoughtfully created with flexibility that allows for the unique needs across the business, people will be more apt to follow it.

Karrer: Reining in rogue policy activities can take time. Let's play devil's advocate for a minute: Which is worse, rogue policies that are operationally effective, officially sanctioned policies that aren't followed, or the absence of policies altogether? It's an interesting topic to debate at your next compliance social event. Like most things, the answer probably depends. A truly diligent organization would take the time to write its policies down. What seems to hold true both operationally and in audits is that organizations with official policies that nobody follows usually fare worse than those who have a decentralized (yet functioning) control environment. Whatever the situation, the best foothold toward policy centralization begins with a tone-at-the-top mandate to sanction and support a structured process with defined ownership. This foothold is further strengthened by identifying an official system of record and distribution channel for policy activities. As we learned above however, follow through is key.

Rasmussen: Organizations of all sizes and industries have policies and face challenges of keeping them relevant, current, and consistent. What approaches have you seen in place to provide governance over policies? Are there central policy committees or roles that an organization should have in place?

Karrer: The most successful enterprise-wide policy program will have roles clearly defined. The environment and culture usually dictate the best arrangement, be it a defined committee or a dedicated role empowered to recruit key stakeholders. Once ownership is established across a unified front, a good next step is to reach out to disparate policy practitioners and include them in the project. Often they can be great champions when rolling out a new policy program and motivating others to participate, especially when they feel like their contributions are valued. In terms of keeping policies relevant, the folks in the trenches almost always have a good handle on day-to-day operational risks. Anyone who's undertaken the daunting challenge of standing up a policy program will attest to the benefit of grassroots support toward getting buy-in across the enterprise. And with a purpose-built policy management solution in place, integrating their work with the corporate standard and driving awareness is a snap.

OCEG ROUNDTABLE PANELISTS

Michael Rasmussen, Moderator, Principal Analyst, GRC360° Research

Mason Karrer, Sr. Product Manager, RSA, Security Division of EMC

Julie Marobella, Senior Product Manager, OpenPages

Robert Tietjen, Vice President, Policy Management, NAVEX Global

Source: OCEG.

Tietjen: Each policy should have “one” owner. Without designating one individual to take responsibility for the content, review, approval, distribution, and communication of the policy, no one will. If there are multiple owners, all of them will assume that the other will take care of the annual review, or the communication throughout the organization. There must only be “one” for the system to work. He can solicit feedback from relevant stakeholders, but the burden must fall on him to pursue the process. However, there are tools that you can provide the policy owner to help maintain the relevancy of the document. Excel spreadsheets and Outlook calendar reminders can only go so far before the process becomes unwieldy, and timelines start to crumble. A software tool that continually monitors review dates, slipping review tasks, and outdated links can go a long way to ensure your documents are up-to-date and applicable.

Marobella: One of the biggest challenges organizations face today is keeping up with the ever-changing regulatory landscape. Existing legislation is being amended and new regulatory requirements are being introduced—both of which can have a direct impact on internal policies. As these changes occur, organizations need a programmatic approach to understand, track, and communicate the regulatory changes. In addition, if an organization's policy program includes a framework like I mentioned earlier where policies are mapped to regulatory requirements or compliance topics, policy owners can easily identify which of their policies may be impacted by a regulatory change and should go through a review process. Software systems that enable companies to manage their regulatory change management process and policy management lifecycle in an integrated environment can help to significantly automate this process.

Rasmussen: In the past few years I have seen a number of organizations ask what other organizations have implemented on a “policy on policies” with a style guide for the authoring of policies. What are some of the critical components that are part of the policy on policies and accompanying style guide?

Marobella: I see three key ingredients to implementing “policy on policies” and they are (1) standard policy templates, (2) formalized review and approval processes, and (3) a policy framework that maps policies into other GRC processes. Policy templates are absolutely critical for driving consistency across policies. This not only includes an outline of the required sections but also guidance on what information should be included in each section and how the information should be organized and presented to the broad audience. The technique that I've seen that works best is to have standardized templates, all of which have a core set of sections, but then additional sections that account for unique content requirements. This approach ensures consistency across all of the policies within a given business area and provides a baseline standardization across the organization. With that said, the look, feel, and presentation across policy templates should be as consistent as possible.

Karrer: This is an area where being a stickler for consistency can really pay off. Official documents should follow the same format, be concise and grammatically correct, written in the same voice, and generally look professional. These documents are executive mandates—and need to be enforceable, auditable, and in many cases, discoverable. They should look the part. The most important thing is to choose a single style and stick to it. Consider enlisting the help of the marketing and graphics design folks. They're in the business of grabbing attention through communication. They often rack up a lot of policy exceptions—maybe they'll be more compliant if their expertise is reflected in the policy design. A flexible policy management solution can apply corporate branding templates automatically to keep things on track. Bottom line: If you make policies consistent, easy to read, portable, and reflective of the culture and leadership they represent, they will be taken seriously.

Tietjen: I believe your “policy on policies” should state clearly that all policy should be based on a standardized template. If your policies have varying sections, or differing orders or locations, it becomes difficult for the employee to find relevant information quickly. I also believe there needs to be a disclaimer on all policies stating something to the effect of, “Any printed versions of this document should be used for immediate reference only. Please refer to the latest electronically approved version.” Finally, a very important, oft-forgotten element of a policy is the Change History. Unless you have a software tool that automatically tracks the history of the document, you need to include a table at the bottom of your policy that shows at a minimum: the title of each subsequent version of the document, their version numbers, and a summary of what changes were made to each version.