Building Policy Management Capabilities

Why Policy Management Matters


April, 2021 by John Gøtze

NOTE: This blog post includes material copied from or derived from OCEG and its Policy Management Capability Model.

Occasionally people ask why policies matter. We must follow laws and regulations, so don't we have enough guidance? And can't we just let managers decide how to run their operations and have case-by-case flexibility and "be agile"? Don't policies create liability when they are not followed? Isn't it just more unnecessary bureaucracy?

The problem is that an organization that fails to establish strong policies quickly becomes something it never intended to be. Good policies define the organization's governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk, because every policy is a risk document aiming to control behavior-related risks.

Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization – and filtering down into specific policies for business units, departments, and individual processes – the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.

Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct. Specifically, policies make three articulations on behalf of the organization:

  • Policies articulate the governance culture: Policies address more than how to meet legal requirements; they also drive the organization's performance objectives. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Can you imagine an organization that did not have policies? How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture: This includes establishing risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision-making. Every organization takes risks - it is part of the business and sometimes helps get the business where it wants to be. However, without clearly written guidance and ownership, risk governance will be ineffective, and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization "to reliably achieve objectives [governance] while addressing uncertainty [risk management], and acting with integrity [compliance]." (The official definition of GRC as found in the OCEG GRC Capability Model.) Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often "less is more." Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that "sit on the shelf" or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization's boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals.

An effective policy management capability, one that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management, produces a strong, embedded culture that leads to higher employee engagement and achievement of objectives.

Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.

The Principles of Policy Management

Policy Management is a critical enabling element of the organization's overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. The Policy Management Capability Model lists the universal principles for policy management, and they are:

  • Necessary – Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management, led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
  • Tailored – The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one-size-fits-all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization.
  • Integrated – Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered – At its heart, policy management is people-centered, spanning employees, clients, and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing – The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the organization’s culture. Policy management needs to be effective, resilient, efficient, and agile in the organization.
  • Standardized – Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to understanding, enhancing, and developing an audit trail for the defense of the organization.
  • Collaborative – Good policy management involves coordination and collaboration across various departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible – Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of the official policies. Employees should be able to find policies and interact with them readily.
  • Engaging – Policies need to be clearly written and understood. This requires policy management processes that conform to consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic – The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

When developing the policy management capability, it is imperative to consider ways to make these principles evident in the design and operation of policy management.

Principled Performance and GRC

Policies and policy management are a foundational aspect of integrated governance, risk management, and compliance (GRC) and are essential for what OCEG calls Principled Performance.

At the turn of the century, in the early 2000s, scandals rocked the global economy, evaporating millions of jobs and trillions of dollars of wealth. At the root of these scandals were siloed, misguided, and ineffective systems intended to address governance, risk, compliance, and ethics. Strategic systems were separate from performance management systems, which were separate from risk management systems, which were separate from compliance management systems, and so on. This siloed nature of business led to a lack of risk visibility, failure to establish adequate controls, and absence of resiliency.

Unfortunately, this "siloed approach" was all too common, and the seeds of future problems continued to grow in this wretched state. OCEG wanted to create a future state that was more effective, more efficient, more agile, and able to address modern challenges. So, with a panel of 100 experts, OCEG invented and innovated the ideas behind Principled Performance and GRC to break down silos between governance, strategy, performance management, risk management, compliance management, internal audit, and other critical roles. After months of analysis, collaboration, and vetting, the first GRC standard was released in 2004. Originally called the Capability Model, the cover was a deep red, and it quickly became known as the OCEG Red Book. After defining GRC and developing high-level concepts, the OCEG community began work on version 2 of the Red Book, officially called the GRC Capability Model. It gained wide adoption with more than 100,000 downloads of the free, open source standards in 2005.

Version 3 of the Model, the current version, was released in 2010, and the same year OCEG ran the first GRC Maturity Survey to evaluate the degree of integration of GRC capabilities and the outcomes of such integration. The GRC Maturity Survey has been conducted a total of five times so far. Over the past decade, the survey has found that there is a steady growth in understanding of the value of integrated GRC and wider adoption of the goal of Principled Performance.

Today's business climate is more complex and more challenging than ever before. Even small businesses, nonprofits, and government agencies face issues that historically affected only the largest international corporations. Internal and external stakeholders demand not only high performance but also transparency into business operations. Contemporary risks and requirements are numerous, ever-changing, and fast, with a high-velocity impact to the organization. The use of third parties, both within the organizational walls and as part of its outside supply chain, is broader and harder to manage. New regulations, business decisions, changing workforces, and evolving technologies are just a few of the many examples of expanding change. As a result, the cost of addressing risks and requirements while managing performance to achieve established objectives is spinning out of control.

Many organizations (both at the enterprise level and within business units) fail to set objectives and strategies based on a complete understanding of performance, risk, and related compliance issues. Many also fail to execute on their strategies, monitor performance, and adjust as necessary. Many fail to comply with regulatory and other requirements, or even stay on top of what requirements apply to them today, and lack awareness of what will be expected of them tomorrow. Even those who do a somewhat adequate job internally often fail to demand or confirm the same for third parties they employ. In all of these cases, there usually is a lack of ongoing, meaningful oversight from the governing body, business confidence is wavering, and operational resilience suffers.

In short, the status quo for many organizations is neither sustainable nor acceptable and lacks a holistic awareness of risk in the context of achieving objectives. In the end, the organization fails to deliver a culture of integrity and consistency.

To address this growing web of issues, forward-thinking organizations have adopted a vision of Principled Performance — a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity. This enables performance while considering both threats and opportunities and honoring mandatory commitments, including legal compliance and voluntary promises found in statements of mission, vision, and values, contracts, and employee agreements. Focusing on Principled Performance at every level of the organization, when planning and executing every project or task, establishes a common goal and culture that supports success.

For the business organization to grow and succeed, there are many functions (each with its own people, processes, technologies, and information) that must operate together; from core business activities such as research, development, production, marketing, sales, logistics, and service; to supporting activities like governance, strategic planning, performance management, risk management, internal control, compliance, legal, finance, human resources, and audit. They all must use much of the same data and contribute to data collection, but in different ways.

Despite the need to coordinate and align in supporting the health and success of the organization, many manage these activities in disparate departments with little, or no, cross-functional communication. Even worse, in some cases, these activities and the information they use are not managed at all; they are literally untouched by modern business process improvement techniques.

Principled Performance, the healthy and vigorous state of being that enables success, can only be achieved by setting common goals, aligning information and core functions, and supporting them with strong communication, effective technology, and the development of the desired culture. It's not enough to aggressively move toward established objectives. To be successful, we must consider the boundaries of laws, social mores, and uncertainties that arise concerning potential risks and rewards. Nor can the management of performance, risk, compliance, and ethical conduct be separated from the objective-seeking activity.

Everything must be brought into alignment and operate through fully integrated governance, risk management, and compliance capabilities.

People talk about business performance and the need to perform against objectives, but that is not a sufficient conversation. The successful attainment of Principled Performance requires coordinated capabilities that address performance against objectives, risk arising from uncertainties, evident opportunities, and compliance with both mandatory and voluntary requirements, each with consideration of the other. These capabilities must include an integrated plan for governance, management, and assurance. Only then will the organization have Principled Performance.

The acronym GRC is a shorthand reference to the collection of critical capabilities that must work together to achieve Principled Performance. GRC denotes governance, risk management, and compliance, but it connotes much more than those three terms simply put together into an acronym. It is important to remember that organizations have been governed, and risk and compliance have been managed for a long time – GRC is nothing new. However, many have not approached these activities in a mature way, nor have these efforts supported each other to enhance the likelihood of achieving organizational objectives. That makes GRC, as we understand it today, totally revolutionary. In a forward-thinking organization, GRC represents a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level of the organization. GRC doesn't burden the business; it supports and improves it.

Integrating GRC capabilities does not mean creating a mega-department of GRC and doing away with decentralized or programmatic approaches to risk and compliance management. Nor does it necessarily call for the use of only one GRC technology system. Rather, it is about establishing an approach that ensures the right people get the appropriate and correct information at the right times, that the right objectives are established, and that the right actions and controls necessary to address uncertainty and act with integrity are put in place. When business activities are siloed with their information kept separate, it is likely that wrong or counter-productive objectives will be established, sub-optimal strategies will be selected, and performance will not be optimized.

To have effective integrated GRC capabilities, whether established for enterprise-wide objectives, or for those of particular departments or projects, you need:

  • a unified vocabulary and taxonomy for information
  • a common repository for data, documents, and information
  • standardized policies, procedures, and templates
  • regular and consistent communication of policies and expectations between and amongst all relevant roles from the front-office to strategic decision-makers

The Role of Policy Management in GRC

Forward-thinking organizations today are striving to achieve the goal of Principled Performance – that state of being in which an organization can reliably achieve its objectives while addressing uncertainty and acting with integrity. Effectively managing policies is an essential aspect of a GRC capability that drives successful attainment of Principled Performance.

The OCEG GRC Capability Model (the "OCEG Red Book") describes core governance, risk management, and compliance capabilities and processes to ensure the Principled Performance outcome. Overall, the OCEG Red Book sets out processes for successful governance, risk management, and compliance (GRC) capability in four overarching Components. These relate to Policy Management as follows:

  • Learn – This Component of the Red Book highlights the importance of examining and analyzing internal and external context, company culture, and stakeholder needs as they change over time. A policy management capability will fail if it is not able to quickly and appropriately respond to changes in internal and external context conditions. This includes examining current and future (e.g., horizon scanning) laws, regulations, and standards. It also requires continuous monitoring and alignment of the corporate mission, vision, values, philosophy, and strategy with employees, stakeholders, clients, and third parties. Consideration must be given to how best to maintain a relevant and timely view of changes that may require a reconsideration of the content of policies as well as the audiences and level of training needed.
  • Align – This Component of the Red Book addresses the need for alignment between performance goals, legal requirements, contractual requirements, risks, and controls that may affect the outcome of the organization’s objectives. Policy management must consider the overall entity objectives of the organization – as well as division, department, process, project, or even asset objectives – in determining policies and policy management needs. The design of a policy management capability must be integrated with the organization’s overall risk and compliance management plans.
  • Perform – This Component outlines the core actions and controls needed to proactively encourage conduct and events that support objectives while detecting and preventing those that challenge the desired outcomes. Each of these actions and controls, supported by appropriate technology, is essential. The operational aspects of policy management are outlined within this Component of the Red Book in which policies are communicated, training is provided, and monitoring of policy conformance is conducted.
  • Review – This Component describes methods for establishing and layering various types of monitoring actions and controls to ensure the performance of the established GRC capability, make changes when needed and provide assurance of both design and operating effectiveness to governing authorities and stakeholders. In policy management, frequent and significant changes in circumstances, both internal and external, demand review and revision of policies regularly, and changes to the management capability may also be indicated from time to time.

While Policy Management is addressed in the OCEG Red Book, primarily within the Perform Component of that model, OCEG prepared the Policy Management Capability Model to provide more specific guidance for designing and operating an effective policy management capability as it involves all four components working together. The GRC Capability Model and the Policy Management Capability Model can work independently of each other, but are best used together as they have a symbiotic relationship. The goal of the Policy Management Capability Model is to provide a strong functioning policy management program that can be an integral part of a broader GRC strategy in the organization.

Anatomy of the Policy Management Capability Model

The Policy Management Capability Model is organized into five components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, the components operate concurrently, interactively, and symbiotically once the capability is established. The anatomy is very similar to the classic Deming Wheel known from Quality Management and ISO management system standards such as ISO 9001:2015, with its Plan-Do-Check-Act (PDCA) loop. The corresponding OCEG loop looks like this:

  • G – GOVERN – Govern policy management by establishing policy governance and management teams and developing a "Policy on Policies" to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP – Establish standard methods for policy development: creating new policies, revising existing ones for broader application, changing them in response to changes in the external or internal environment, and retiring out-of-date policies.
  • C – COMMUNICATE – Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE – Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE – Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

Each component contains elements that outline key aspects of high-performing integrated policy management capabilities. Each element includes practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization's approach.

The Policy Management Capability Model is the definitive standard for creating and managing a Policy Management Program within your organization. It is free and open source in e-book format. It is available at

Glossary of Selected Terms

(source: Policy Management Capability Model)
  • Code of Conduct – set of principles and rules of behavior outlining the expectations, conduct, rules, and responsibilities, and/or proper practices of individuals of an organization.
  • Compliance – the state of being able to prove the fulfillment of a requirement.
  • Control – mechanisms, rules, and procedures implemented by a company to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity.
  • Exception – an approved deviation from the usual requirement for or relating to a control, policy, standard, or procedure.
  • Governance – the act of externally and indirectly guiding, controlling, and evaluating an entity, process, or resource.
  • Governing Documents – the collection of documents that govern the organization as it strives to reliably achieve objectives, manage uncertainty, and act with integrity. These include charters, policies, procedures, standards, guidelines, and controls.
  • GRC – the capability or integrated collection of capabilities that enables an organization to reliably achieve objectives, address uncertainty and act with integrity; including the governance, assurance and management of performance, risk, and compliance.
  • Guideline – guidance that is not mandatory and permissive by nature; "THOU SHOULD" instead of "THOU SHALT;" provides a framework of guidance where policies, standards, and procedures do not govern.
  • MetaPolicy – the guiding document (policy) that establishes and governs the policy management process and lifecycle, also known as a Policy on Policies.
  • Objective – something that an entity intends to attain or accomplish. To be measurable, objectives must be mapped to indicators, targets and tolerances.
  • Policy – provides the "why;" is high level and strategic; sets the tone, context or intent; and changes infrequently.
  • Policy Author – the leading subject matter expert that writes a policy.
  • Policy Management – the governance of all stages of the policy management lifecycle as established in the Policy on Policies.
  • Policy Management Committee – the committee established by charter to govern policies and policy management in the organization, also known as a Policy Steering Committee.
  • Policy on Policies – the guiding document (policy) that establishes and governs the policy management process and lifecycle, also known as a MetaPolicy.
  • Policy Owner – the individual(s) who are ultimately accountable and responsible for a policy in the organization.
  • Policy Program Manager – the individual responsible for the consistent management of policies and the policy lifecycle in the organization in adherence to the Policy on Policies.
  • Policy Steering Committee – the committee established by charter to govern policies and policy management in the organization, also known as a Policy Management Committee.
  • Principled Performance – The act of reliably achieving objectives while addressing uncertainty and acting with integrity. Principled Performance provides a modern point of view and disciplined approach to business.
  • Procedure – Provides the "how to" of policies and guides their implementation; is audience-specific; provides exact instructions that will ensure compliance with a given policy.
  • Risk – measure of the negative effect of uncertainty on achieving objectives. The likelihood that an event may occur, how fast the event may impact the entity, and the estimated negative impact that an event may have on objectives.
  • Risk Appetite – the level of risk that the organization is willing to accept to achieve objectives.
  • Risk Management – the act of managing processes and resources to address risk while pursuing reward.