Policy Management, Part 1: When and How to Write a Policy

Anyone can write a document and call it a policy, but doing so puts liability and exposure on the organization. GRC Pundit Michael Rasmussen discusses the act of responsible authoring.

Andrew J. Francis

August 07, 2014

Transcript

  1. When and How to Write a Policy
    Policy Management, Part 1: August 2014
    Michael Rasmussen, J.D., GRCP, CCEP, The GRC Pundit @ GRC 20/20 Research, LLC; OCEG Fellow @ www.OCEG.org
  2. Policy Management in Context
    . . . a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity . . .
    © 2014, all rights reserved, www.GRC2020.com
  3. Regulatory Change Impacting Policies
    *Note: Tracked activity includes document changes, announcements, and enforcements by regulators. Source: Thomson Reuters.
  4. Risk Change & Business Change Also Impacting Policies
  5. Regulators Tired of Paper-Based Programs = Policy Management Critical
    Morgan Stanley: Case Study in Effective GRC Engagement
    “Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials. Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment. Morgan Stanley frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws. Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based personnel on anti-corruption policies 54 times. During the same period, Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times. Morgan Stanley’s compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners.”
    Emphasis added to illustrate elements of effective GRC management and engagement. Source of this statement is at: http://www.justice.gov/opa/pr/2012/April/12-crm-534.html.
  6. Increasing Regulator Focus on Policy Management
    In a report in November 2012 (p. 57), the DOJ and SEC stated they: “have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant . . . violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.”
    POINT: Regulators are tired of paper-based compliance programs that look good on paper but fail in operations and employee engagement.
  7. Policy Management Challenges
    What is Driving Growth in Policy Management: Regulatory Change; Risk Change; Business Change; Rogue Policies; Out of Date Policies; Different Templates; Lack of Ownership; Poorly Written; Lack of Defensibility.
  8. Policy Lifecycle is Not One Size Fits All
    Roles: Policy Committee; Policy Manager; Policy Owner(s); Policy Author.
  9. Policy Governance Strategies
    Centralized Policy Management; Federated Policy Management; Decentralized.
    Balance: balance autonomy and best of breed with centralized reporting, collaboration, etc.
  10. MetaPolicy & Other Policy Resources
    MetaPolicy – the “Policy on Policies”
    Core components of MetaPolicy include:
    - Roles, responsibilities and accountabilities
    - Scope of what is governed by MetaPolicy
    - Definitions of governance documents and resources
    - Structure and content
    - Format & style requirements
    - Use of templates
    - Requirements for central policy repository
    - Policy governance rules for creation, approval, retirement, updating/maintenance, and exceptions
    - Assurance methodologies
    Other Policy Resources
    Core components of supporting policy resources include:
    - Style guide
    - Document templates
    - Implementation plan template
    - Executive summary template
    - Exception/exemption request template
  11. Michael Rasmussen, J.D., Chief GRC Pundit & OCEG Fellow
    [email protected]
    +1.888.365.4560
    Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
    GRC 20/20 Newsletter
    LinkedIn: GRC 20/20
    Blog: GRC Pundit
    Twitter: GRCPundit
    LinkedIn: Michael Rasmussen