Policy Management, Part 3: Stewardship and Maintenance
How should you manage and maintain policies? GRC Pundit Michael Rasmussen discusses the work of keeping policies current in a world of business change, risk change and regulatory change.
Policy management challenges:
- Regulatory change
- Risk change
- Business change
- Rogue policies
- Out-of-date policies
- Different templates
- Lack of ownership
- Poorly written policies
- Lack of defensibility

What is Driving Growth in Policy Management
- Number of policies
- Complexity and changing regulations
- Mergers and acquisitions causing chaos with policies
- Legal liability and exposure from poor policy management and poor policies
- Corporate social responsibility
- Rogue policies being created
- Culture

What policy management solutions are replacing:
- SharePoint is the number one replacement
- Policies on file shares
- Policies on intranet sites
- Right now it is rare for a policy solution to replace another policy solution; most are moving from SharePoint or another non-policy-management approach
Management Benchmark – MetaPolicy
(Framework diagram: Governance, Lifecycle, Policy Management, MetaPolicy, Technology, Operations, Resources)

MetaPolicy – the “Policy on Policies”
Core components of MetaPolicy include:
- Roles, responsibilities and accountabilities
- Scope of what is governed by the MetaPolicy
- Definitions of governance documents and resources
- Structure and content of governance documents
- Format and style for governance documents
- Templates for governance documents
- Requirements for a central policy repository
- Policy governance rules for creation, approval, retirement, updating/maintenance, and exceptions
- Assurance methodologies
Management Benchmark – Technology Enablement

Technology Enablement
Core components of technology enablement of policy management include:
- Consistent policy management framework
- Enforce the policy lifecycle
- Communication and training
- Attestation
- Accessibility
- Gather and track edits and comments to policies as they are developed or revised
- Map policies to obligations, risks, controls, and investigations
- Provide a robust system of record
- User-friendly portal for policies in the environment
Some of the content evaluated is OCEG content, which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 recommends considering OCEG membership at www.OCEG.org.