
Policy Management, Part 3: Stewardship and Maintenance

How should you manage and maintain policies? GRC Pundit Michael Rasmussen discusses the work of keeping policies current in a world of business change, risk change and regulatory change.

Andrew J. Francis

August 21, 2014


Transcript

  1. Stewardship & Maintenance: Policy Management, Part 3 (August 2014)

     Michael Rasmussen, J.D., GRCP, CCEP, The GRC Pundit @ GRC 20/20 Research, LLC; OCEG Fellow @ www.OCEG.org
  2. © 2014, all rights reserved, www.GRC2020.com

     Policy Management Challenges
     - Regulatory change
     - Risk change
     - Business change
     - Rogue policies
     - Out-of-date policies
     - Different templates
     - Lack of ownership
     - Poorly written policies
     - Lack of defensibility

     What is driving growth in policy management
     - Number of policies
     - Complexity and changing regulations
     - Mergers and acquisitions causing chaos with policies
     - Legal liability and exposure from poor policy management and poor policies
     - Corporate social responsibility
     - Rogue policies being created
     - Culture
     - SharePoint is the number one thing being replaced
     - Policies on file shares
     - Policies on intranet sites
     - Right now it is rare for a policy solution to replace another policy solution; most organizations are moving from SharePoint or another non-policy-management approach
  3. Integrated Information Architecture Drives Effective Policy Management

     Elements of the integrated architecture:
     - Regulations & obligations
     - Risk & analysis
     - Objectives & goals
     - Incidents & issues
     - Assets & relationships
     - Policies & training
     - Controls & assessment
     - Roles & responsibilities
  4. Effective Policy Management Benchmark

     The benchmark covers policy management across six areas:
     - Governance
     - Lifecycle
     - MetaPolicy
     - Technology
     - Operations
     - Resources
  5. GRC 20/20 Policy Management Benchmark: Policy Governance

     Core components of policy governance include:
     - Policy management architecture
     - Policy review cycles
     - Executive "tone from the top"
     - Policy governance in mergers and acquisitions
     - Policy monitoring and assurance activities
     - Management reporting and dashboards
  6. GRC 20/20 Policy Management Benchmark: MetaPolicy

     MetaPolicy is the "policy on policies". Core components of MetaPolicy include:
     - Roles, responsibilities and accountabilities
     - Scope of what is governed by the MetaPolicy
     - Definitions of governance documents and resources
     - Structure and content of governance documents
     - Format and style for governance documents
     - Templates for governance documents
     - Requirements for a central policy repository
     - Policy governance rules for creation, approval, retirement, updating/maintenance, and exceptions
     - Assurance methodologies
  7. GRC 20/20 Policy Management Benchmark: Policy Resources

     Core components of supporting policy resources include:
     - Style guide
     - Document templates
     - Implementation plan template
     - Executive summary template
     - Exception/exemption request template
  8. GRC 20/20 Policy Management Benchmark: Policy Lifecycle

     Core components of the policy management lifecycle include:
     - Determine the need for new policies or updates
     - Develop and approve the new policy or policy updates
     - Publication, communication and training
     - Implement and enforce supporting procedures, processes and controls
     - Measure policy effectiveness, re-evaluate and maintain periodically
  9. GRC 20/20 Policy Management Benchmark: Operational Effectiveness

     Core components of policy management operational effectiveness include:
     - Adherence to the MetaPolicy
     - Adherence to the policy management lifecycle
     - Policy compliance metrics
     - Implementation planning and execution
     - Training effectiveness
     - Communication effectiveness
  10. GRC 20/20 Policy Management Benchmark: Technology Enablement

     Core components of technology enablement of policy management include:
     - Consistent policy management framework
     - Enforcement of the policy lifecycle
     - Communication and training
     - Attestation
     - Accessibility
     - Gathering and tracking edits and comments to policies as they are developed or revised
     - Mapping policies to obligations, risks, controls, and investigations
     - A robust system of record
     - A user-friendly portal for policies in the environment
  11. Michael Rasmussen, J.D., Chief GRC Pundit & OCEG Fellow
     [email protected]
     +1.888.365.4560

     Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.

     - GRC 20/20 Newsletter
     - LinkedIn: GRC 20/20
     - Blog: GRC Pundit
     - Twitter: GRCPundit
     - LinkedIn: Michael Rasmussen