
POLICY MANAGEMENT BY DESIGN
A Blueprint for Enterprise Policy & Training Management

STRATEGY PERSPECTIVE
Governance, Risk Management & Compliance Insight


April 2019

© 2019 GRC 20/20 Research, LLC. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of
GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage
Guidelines established in client contract.

The information contained in this publication is believed to be accurate and has been obtained from sources
believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability
whatever for actions taken based on information that may subsequently prove to be incorrect or errors in
analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements
of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information
and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may
include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research
should not be construed or used as such.

©2019 GRC 20/20 Research, LLC; Redistribution License Granted to MetaCompliance 2


Table of Contents

Policy & Training Management Demands Attention ... 4
    The Foundational Role of Policies in GRC Strategies ... 4
    Hordes of Policies Scattered Across the Organization ... 5
    Inevitable Failure of Policy & Training Management ... 6

Policy & Training Management by Design ... 7
    Contrasting Policy & Training Management Approaches ... 7
    Policy & Training Management Strategic Plan ... 9
    Policy & Training Management Architecture ... 12
        Policy & Training Management Process Architecture ... 12
        Policy & Training Management Information Architecture ... 16
        Policy & Training Management Technology Architecture ... 17

Benefits of a Policy & Training Management Strategy & Architecture ... 21

GRC 20/20’s Final Perspective . . . ... 22

About GRC 20/20 Research, LLC ... 24

Research Methodology ... 24

TALK TO US . . .
We look forward to hearing from you and learning what you think about GRC 20/20
research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC
related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.


Policy & Training Management Demands Attention

The Foundational Role of Policies in GRC Strategies


Policies are critical to the organization as they establish boundaries of behavior for
individuals, processes, relationships, and transactions. Starting at the policy of all policies
– the code of conduct – they filter down to govern the enterprise, divisions/regions,
business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while
addressing uncertainty [risk management] and act with integrity [compliance].”[1] Policies
are a critical foundation of GRC. When properly managed, communicated, and enforced
policies:

• Provide a framework of governance. Policy paints a picture of behavior, values,
  and ethics that define the culture and expected behavior of the organization;
  without policy there are no consistent rules and the organization goes in every
  direction.

• Identify and treat risk. The existence of a policy means a risk has been identified
  and is of enough significance to have a formal policy written which details
  controls to manage the risk.

• Define compliance. Policies document compliance in how the organization meets
  requirements and obligations from regulators, contracts, and voluntary
  commitments.

Unfortunately, most organizations do not connect the idea of policy to the
establishment of corporate culture. Without policy, there is no written standard for
acceptable and unacceptable conduct — an organization can quickly become something
it never intended.

Policies are Governance, Risk Management & Compliance Documents

  Governance: Define the organization’s governance culture and structure: Without
  good policy as a guide, corporate culture and control morphs, changes and takes
  unintended paths.

  Risk Management: Articulate a culture of risk: Policy addresses risk and
  establishes risk responsibility, communication, appetites, tolerance, and risk
  ownership. Without clearly written policy, risk governance is ineffective.

  Compliance: Establish a culture of compliance: Policy establishes how an
  organization meets its obligations and commitments and how it will stay within
  legal, regulatory, and contractual boundaries.

[1] This definition is found in the OCEG GRC Capability Model,
http://www.oceg.org/resources/red-book-3/.

Policy also attaches a legal duty of care to the organization and cannot be approached
haphazardly. Mismanagement of policy can introduce liability and exposure, and
noncompliant policies can and will be used against the organization in legal (both
criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff
attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly
train and communicate the policy to make sure that individuals understand what is
expected of them. An organization can have a corrupt and convoluted culture with good
policy in place, though it cannot achieve a strong and established culture without good
policy and training on policy.

Hordes of Policies Scattered Across the Organization


Policy and training matter. However, when you look at the typical organization you would
think policies are irrelevant and a nuisance. The typical organization has:

• Policies managed in documents and fileshares. Policies are haphazardly managed
  as document files and dispersed on a number of fileshares, websites, local hard
  drives, and mobile devices. The organization has not fully embraced centralized
  online publishing and universal access to policies and procedures. There is no
  single place where an individual can see all the policies in the organization and
  those that apply to specific roles.

• Reactive and inefficient training programs. Organizations often lack any
  coordinated policy training and communication program. Instead, different
  departments go about developing and communicating their training without
  thought for the bigger picture and alignment with other areas.

• Policies that do not adhere to a consistent style. The typical organization has
  policy that does not conform to a corporate style guide and standard template
  that would require policies to be presented clearly (e.g., active voice, concise
  language, eighth-grade reading level).

• Rogue policies. Anyone can create a document and call it a policy. As policies
  establish a legal duty of care, organizations face misaligned policies, exposure
  and liability, and other rogue policies that were never authorized.

[Figure: Policy Management Challenges: Regulatory Change, Risk Change, Business
Change, Lack of Defensibility, Poorly Written, Lack of Ownership, Rogue Policies,
Different Templates, Out of Date Policies]


• Out of date policies. In most cases, published policy is not reviewed and
  maintained on a regular basis. In fact, most organizations have policies that have
  not been reviewed in years for applicability, appropriateness, and effectiveness.
  The typical organization has policies and procedures without a defined owner to
  make sure they are managed and current.

• Policies without lifecycle management. Many organizations maintain an ad hoc
  approach to writing, approving, and maintaining policy. They have no system for
  managing policy workflow, tasks, versions, approvals, and maintenance.

• Policies that do not map to exceptions or incidents. Often organizations are
  missing an established system to document and manage policy exceptions,
  incidents, issues, and investigations to policy. The organization has no
  information about where policy is breaking down, and how it can be addressed.

• Policies that fail to cross-reference standards, rules, or regulations. The typical
  organization has no historical or auditable record of policies that address legal,
  regulatory, or contractual requirements. Validating compliance to auditors,
  regulators, or other stakeholders becomes a time-consuming, labor-intensive,
  and error-prone process.

Inevitable Failure of Policy & Training Management


Organizations often lack a coordinated enterprise strategy for policy development,
maintenance, communication, attestation, and training. An ad hoc approach to policy
management exposes the organization to significant liability. This liability is intensified by
the fact that today’s compliance programs affect every person involved with supporting
the business, including internal employees and third parties. To defend itself, the
organization must be able to show a detailed history of what policy was in effect, how
it was communicated, who read it, who was trained on it, who attested to it, what
exceptions were granted, and how policy violation and resolution was monitored and
managed.

If policies and training programs don’t conform to an orderly style and structure, use
more than one set of vocabulary, are located in different places, and do not offer a
mechanism to gain clarity and support (e.g., a policy helpline), organizations are not
positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing
legal, regulatory, and compliance environments, a well-defined policy management
program is vital to enable an organization to effectively develop and maintain the wide
gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department- and document-centric approaches to
policy and training management of the past compound the problem and do not solve
it. It is time for organizations to step back and define a cross-functional and coordinated
team to define and govern policy and training management. Organizations need to wipe
the slate clean and approach policy and training management by design with a strategy
and architecture to manage the ecosystem of policies and training programs throughout
the organization with real-time information about policy conformance and how it impacts
the organization.

Policy & Training Management by Design

Organizations need a coordinated cross-department strategy for managing policies and
training programs across the enterprise. The goal is to develop a common framework
and approach so that policies and training are understood and managed as an integrated
whole rather than a dissociated collection of parts.

Policies and training programs that are managed as dissociated documents, data,
systems, and processes leave the organization with fragments of truth that fail to see
the big picture of policy and training across the enterprise and how it supports the
organization’s governance, risk management, and compliance (GRC) responsibilities.
The organization needs to have holistic visibility and situational awareness into
policy and training across the enterprise. The complexity of business and the intricacy
and interconnectedness of policies and obligations require that the organization
implement a policy and training management strategy.

Contrasting Policy & Training Management Approaches


The primary directive of a mature policy and training management program is to
deliver effectiveness, efficiency, and agility to the business in managing the breadth of
GRC. This requires a strategy that connects the enterprise, business units, processes,
transactions, and information to enable transparency, discipline, and control of the
ecosystem of policies and training needs across the extended enterprise.

Organizations have three policy & training management strategies to choose from:

• Anarchy – ad hoc department silos. This is when you have different departments
  doing different yet similar things with little to no collaboration between them.
  Distributed and siloed policy and training initiatives never see the big picture
  and fail to put policy and training in the context of the rest of the organization.
  The result: complexity, redundancy, and failure. The organization is not thinking
  big picture about how policy and training management processes can be
  designed to meet a range of needs. An ad hoc approach to policy and training
  management results in poor visibility into the organization’s obligations and
  values, as there is no framework for managing policies and training consistently.
  When the organization approaches policies and training in scattered silos that do
  not collaborate with each other, there is no possibility to be intelligent and align
  policies and training initiatives to achieve efficiency, effectiveness, and agility.

  Distributed Policy Management: Disconnected departments managing policies in
  different ways with little or no collaboration with other departments.

  Federated Policy Management: An integrated approach that balances policy
  management centralization with distributed participation and collaboration.

• Monarchy – one size fits all. If the anarchy approach does not work then the
  natural reaction is the complete opposite: centralize everything and get everyone
  to work from one platform and framework. However, this has its issues as well.
  Organizations run the risk of having one department be in charge of policy and
  training management that does not fully understand the breadth and scope
  of the needs across departments. The needs of one area may shadow the
  needs of others. From a technology point of view, it may force many parts of
  the organization into managing policies and training programs to the lowest
  common denominator.

• Federated – an integrated and collaborative approach. The federated approach
  is where most organizations will find the greatest balance between common
  policy and training management. It allows for some level of department/business
  function autonomy where needed but focuses on a common governance model
  and architecture that the various groups in policy and training management
  participate in. A federated approach increases the ability to connect, understand,
  analyze, and monitor interrelationships and underlying patterns of GRC as it
  allows different business functions to be focused on their areas while reporting
  into a common governance framework and architecture. Different functions
  participate in policy and training management with a focus on coordination and
  collaboration through a common core architecture that integrates and plays well
  with other systems.

A federated model for policy and training management provides a central coordination
of the policy management lifecycle to ensure consistency in policies across the
organization while there is ownership and management of non-enterprise-wide policies
in distributed areas across the organization that align with the central governance. The
Federated model is the ideal for large global organizations. It allows for policy and
training management to be centrally coordinated, but allows for distributed management
and oversight of the policies to address divisional, legal entity, business unit, and regional
needs. These entities must adhere to all mandated enterprise-wide policies and will
often design their own procedures in a way that makes the policy fit their operations
and supports their compliance with the policy. They may create their own policies and
procedures relating to their specific operations, which may be imposed based on federal,
state, or local laws. These policies and procedures must be written so that they do not
conflict with the overall mission and values of the organization. A federated model often
has layers of policy governance in which a policy steering committee is established
centrally to define the policy process and templates, while “entity” policy committees
oversee the governance of policies within their respective areas.



[Figure: Policy Management Strategy, supported by the layers Policy Management
Process, Policy Management Information, and Policy Management Technology]


Policy & Training Management Strategic Plan
Designing a federated policy and training management program starts with defining
the strategy. The strategy connects key business functions with a common policy and
training governance framework. The strategic plan is the foundation that enables policy
and training transparency, discipline, and control across the ecosystem of the enterprise.

The core elements of the policy and training strategic plan include:

• Policy & training governance team. Effective policy management and
  communication requires policy governance and oversight. The first piece of the
  strategic plan is building the cross-organization policy and training governance
  team (e.g., committee, group). This team needs to work with policy owners to
  ensure a collaborative and efficient oversight process is in place. The goal of this
  group is to take the varying parts of the organization that have a vested interest
  in policy and training management and get them collaborating and working
  together on a regular basis. Various roles involved in the policy and training
  governance team are: compliance, ethics, legal, human resources, finance,
  information technology, security, audit, quality, health & safety, and business
  operations. One of the first items to determine is who chairs and leads the policy
  and training governance team. This committee provides the structure and
  connective tissue to coordinate and drive consistent policy management. Its team
  members represent the best interests and expertise of the different parts of the
  organization. They leverage the knowledge, charter and authority of the
  committee to benefit their business areas and the whole organization. A large
  distributed organization may have layers of policy and training committees for
  different geographies or business units. If a layered approach is in place, the
  organization still needs a central policy and training governance committee that
  the rest roll up to in order to enforce consistency and structure.



• Policy and training management charter. With the initial collaboration and
  interaction of the policy and training management team in place, the next step
  in the strategic plan is to formalize this with a policy and training management
  charter. The charter defines the key elements of the policy and training
  management strategy and gives it executive and board authorization. The charter
  will contain the mission and vision statement of policy and training management,
  the members of the policy and training governance team, and define the overall
  goals, objectives, resources, and expectations of enterprise policy and training
  management. The key goal of the charter is to establish alignment of policy and
  training management to business objectives, performance, and strategy. The
  charter also should detail board oversight responsibilities and reporting on policy
  and training management. The charter should specifically address:

  ◦ An organized policy & training management committee to govern the
    oversight and guidance of policies, and ensure policy collaboration
    across the enterprise.

  ◦ An individual assigned to the role of policy & training manager to
    assure accountability to the standards, style, and process defined by
    the policy management committee. The policy manager does not write
    policy, but is the champion of the policy management process; for
    ensuring the creation and revision of policies conforms to the policy
    management lifecycle defined by the organization.

  ◦ The authorization and allocation of resources for program management
    architecture, policy review cycles, executive “tone from the top” on
    policy governance, extending policy governance to mergers and
    acquisitions, compliance monitoring and assurance activities, and
    management reporting and dashboards.

• Policy management policy (e.g., MetaPolicy, Policy on Policies). The next
  critical item to establish in the policy and training management strategic plan is
  the writing and approval of the organization’s MetaPolicy (or policies on writing
  policies). This sets the policy management structure in place. The policy should
  require that an inventory of all policies be maintained with appropriate detail
  and approvals. The MetaPolicy is the foundation on which to build an effective
  policy and training management program. It defines the critical elements of
  the organization’s policy management program. The major components of an
  effective MetaPolicy are:

  ◦ Roles and responsibilities. Key organizational roles, responsibilities, and
    accountabilities for policy governance and lifecycle and specifically the
    scope of governance and influence of the meta-policy itself.

  ◦ Scope of MetaPolicy. Scope of what is and is not under remit/scope
    of the MetaPolicy (e.g., internal facing policies, client facing policies,
    policies of subsidiaries, and joint ventures).



  ◦ Definition of terms. Definitions of specifically — for a given
    organization — what a policy is as well as a procedure, standard, and
    guideline in addition to other applicable governance documents and
    resources.

  ◦ Format and structure guidance. Common structure and content of a
    policy with specific reference to what topics are required (e.g., purpose,
    scope, accountability, and policy statement) and what is optional
    (definitions of key terms/acronyms/abbreviations, authoritative sources/
    obligations, and cross-references to other documents) to establish a
    policy.

  ◦ Policy writing and layout. Writing style for policies and other documents
    as well as the layout of policy documents. Also included by reference
    are policy template(s), which are absolutely critical for driving consistency
    across policies.

  ◦ Central repository and indexing of policies. Requirements for a central
    repository as the system of record for policies and related governance
    documents. This repository must be accessible to all of the organization’s
    employees and contingent workers.

  ◦ Policy approval. Policy governance rules for approving policy creation/
    update/retirement, general requirements for exception approval,
    and definition of maintenance and review cycles with appropriate
    accountability of roles and responsibilities for policy development and
    maintenance.

  ◦ Policy assurance and compliance monitoring. Assurance methodologies
    to ensure that compliance with the MetaPolicy is in place, that
    exceptions to the MetaPolicy are documented and managed
    appropriately, and violations are identified and remediated.

  ◦ Style guide. Policy writing that is wordy and confusing damages the
    corporate image and costs time and money. Every organization should
    have a policy style guide in place to provide clear and consistent
    policy. This establishes the language, grammar, and format guidance
    to writing policies. It expresses how to use active over passive voice,
    avoid complicated language and “legalese”, how to write for impact and
    clarity, use common terms, how to approach gender in writing, and even
    internationalization considerations.

  ◦ Templates. These are standard templates that the organization can utilize
    to write policies and supporting documents/resources that are already in
    the standard format and structure conforming to the MetaPolicy.



  ◦ Exception/exemption request. Provides a standard template for
    documenting an exception/exemption request to a policy or procedure
    and how to seek approval for the request.

Critical Elements of an Effective Policy Management Strategy

  ✓ Defined policy management lifecycle
  ✓ Policy program manager role
  ✓ Top down & bottom up approach for sharing ideas and concerns
  ✓ Delegation of authority from board or executive management via charter
  ✓ Common taxonomy & formal templates for policies, procedures, etc.
  ✓ Central repository of all policies (geographical, functional & retired) and
    related policies that all staff can access easily
  ✓ Method for communicating policies & supporting procedures to individuals
  ✓ Ability to demonstrate that individuals have read, attested to, or acknowledged
    policies
  ✓ Provisions to evaluate & measure staff compliance with the organization’s
    policies
  ✓ Metapolicy codifying roles & responsibilities for achieving the above

Policy & Training Management Architecture

The policy and training management strategy and policy are supported and made
operational through the policy and training management architecture. The organization
requires complete situational and holistic awareness of policies and related training
across operations, processes, employees, and third-party relationships to see the big
picture of policy and training performance and risk. Distributed, dynamic, and disrupted
business requires the organization to take a strategic approach to policy and training
management architecture. The architecture defines how organizational processes,
information, and technology are structured to make policy and training management
effective, efficient, and agile across the organization.

There are three areas of the policy and training management architecture:

1. Policy and training management process architecture

2. Policy and training management information architecture

3. Policy and training management technology architecture

It is critical that these architecture areas be initially defined in this order. It is the
process architecture that determines the types of policy and training structures and
information needed, gathered, used, and reported. It is the information architecture
combined with the process architecture that defines the organization’s requirements for
the technology architecture. Too many organizations put the cart before the horse and
start with selecting technology for policy and training management first, which then
dictates what their process and information architecture will be. This forces the
organization to conform to a technology for policy and training management instead of
finding the technology that best fits their process and information needs.

Policy & Training Management Process Architecture


Policy and training management architecture starts with the process architecture.
Processes are used to manage and monitor the ever-changing business, third-party
relationship, risk, and regulatory environments in the context of policy and training
programs.


The policy and training management process architecture is the structural design
of processes, including their components of inputs, processing, and outputs. This
architecture inventories and describes policy and training management processes, each
process’s components and interactions, and how processes work together as well as with
other enterprise and GRC processes.

The core elements of the process architecture are understood as the organization’s
policy management lifecycle. This represents the actual operation and process of
the MetaPolicy in action to develop, manage, and maintain policies throughout their
effective use. Failure to manage policy lifecycles results in policies that are out-of-date,
ineffective, and not aligned to business needs. It also opens the door to liability when an
organization is held accountable for a policy that is not appropriate or properly enforced.

The stages of an effective policy management lifecycle are:

1. Determine Need for New Policies or Updates. Policy should be created only
when necessary, such as to establish the values and ethics of the organization,
meet regulatory obligations, and manage potential risk or liability. Without some
requirement for or exposure of the organization, there is no need for a policy.
Too many policies burden the organization and cannot be complied with. Too
few policies introduce significant risk and legal exposure. Organizations need
a defined change management process to monitor changes that impact policy
across the following areas:

  ◦ Corporate environment. Policies change in response to new
    strategies, objectives, mergers, and acquisitions. Changes in corporate
    commitments, contracts, values, ethics, risk appetite, and social
    responsibility statements also drive policy.

  ◦ Risk environment. Ongoing risk intelligence processes are required to
    monitor geopolitical, environmental, economic, strategic, relationship,
    and operational risk.

  ◦ Regulatory environment. New laws, changing regulations, litigation, and
    court rulings (case law) impact organizations and drive policy changes.
    Organizations need regulatory change management processes in place
    to monitor the changing legal and regulatory environment in jurisdictions
    where business is conducted.

2. Policy development and approval. When an organization identifies a change in
the corporate, risk, or regulatory environments and determines a new policy is
needed, or an existing policy must be updated, it enters the policy development
phase. In this stage, policies are drafted, reviewed, and approved. While the
Policy Owner is responsible for managing development and works with the policy
author and stakeholders, the policy manager champions this process to make
sure the policy conforms to corporate style and template requirements and has
referential integrity with the other policies in the Policy Portfolio. The policy
steering committee, other governing committee, or a designated executive
approve policy changes once they go through the development workflow and
review process. The policy development steps include:

• Policy ownership. Every policy in the organization should be assigned to an individual
or business role that owns the policy. The owner ensures that the policy remains
accurate, is appropriately communicated, and continues to serve the purpose for which it
was established. Even if the policy is applied across the entire organization, such as
with a code of conduct, the owner must oversee its implementation and monitoring.

• Policy writing. Once an owner is established, the next step is to write the policy.
All policies across the organization should be written in a consistent style, format,
and language, following a defined style guide. Policies must be clear and easily
understood. They must articulate who the policy applies to, the standards, rules,
regulations, or laws it intends to address, and what, if any, larger program it is
associated with.

• Policy review and approval. Once the initial draft of the policy is written, the owner
sends the draft policy to identified stakeholders for review and approval before
publication. This phase is iterative, as the stakeholders may send the policy back with
changes before it is approved. Leading practice includes reviews by the organization’s
policy management office, legal department, and ethics and compliance committee (for
policies mandated by law or regulation).

3. Policy publication and awareness. In this stage, individuals are made aware of the
new or changed policy, and their individual responsibility to comply with it is clearly
articulated. This includes:

• Policy publication. After approval, the policy must be published. This is most
effectively done with a centralized policy management and communication platform.
Unfortunately, many organizations have scattered systems for publishing policies and
procedures. This complicates policy management, as multiple publication methods mean
more policies will become outdated and scattered across the organization. A best
practice is to have a single policy system that allows any individual within the
environment to log in, see all of the policies that apply to a specific role in the
organization, and receive automated notification of a changed or new policy.

• Policy communication and training. Written policy is necessary, but not good enough
on its own. Organizations must actively ensure individuals are aware of and understand
the policy and what is required of them. Appropriate communication and training, such as
video, LMS courses, surveys, and testing, should be used to facilitate understanding. It
is important that training and other resources are linked to policies and are easily
accessible. It is also important to preserve records of each individual’s training
completion for critical policies so that they are easily accessible by oversight
personnel.

• Policy attestation. Individuals must attest that they have read, understood, and will
adhere to critical policies. Policies such as a code of conduct require specific
attestation on a regular basis (e.g., annually). Attestations should be dated and time
stamped, preserved with the version of the policy, and easily accessible by oversight
personnel.

4. Policy adherence and compliance. In this stage, policies are regularly monitored
to ensure compliance and that exceptions are documented and managed. This
phase involves:

• Implement procedures and controls. The MetaPolicy states who is responsible for
implementing the appropriate procedures and controls to ensure effective implementation,
usually the Policy Owner. The procedures and controls should be written using approved
templates and embedded within the business operations and processes.

• Monitor, test, and assess. Carefully monitor, test, and assess activities to ensure
that the policy, procedures, and controls are being enforced, are operating as intended,
and that the business runs efficiently and smoothly while in compliance. Findings of
noncompliance and violations provide metrics for policy review and improvement. An
enforcement policy is critical to define levels of infraction and the associated
actions.

• Manage exception requests. While policies must be complied with, there are justifiable
business situations in which the organization accepts noncompliance. These exceptions
must be documented and managed. An exception may be appropriate for a given time period
or until a certain event occurs.

5. Policy metrics and maintenance. Policies should not change frequently, but they
should go through periodic review. A best practice is to follow an annual review
cycle to make sure policies are still appropriate and do not bring unnecessary
exposure or liability upon the organization. Unneeded policies should be retired.
The major activities of this stage include:

• Review, update, or retirement. Every policy should have a regular review cycle
(ideally annually). During this review, the Policy Owner and stakeholders assess changes
to the internal business and external regulatory and business environments, look at
incidents of policy noncompliance and approved exceptions, and consider the continued
need for the policy. After this analysis the Policy Owner requests the policy
approver(s) to reauthorize the policy as-is for another management cycle, to retire it,
or to send it back into the Development and Update stage to revise the policy.

• Policy archives. Every policy and its associated versions must be archived for
reference at a later time. The retention period for superseded versions and retired
policies should be managed in accordance with the organization’s document and
records-retention policies. When an organization becomes aware of an incident, or a
regulator has a question, it is necessary to have a full view of the accountability
history of a policy: the owner, who read it, who was trained, and who attested and on
what version of the policy at a particular date. This level of detail is necessary to
defend the organization in a situation involving a rogue employee, where the
organization itself is not culpable.
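The attestation and archive requirements above (attestations dated and time stamped and preserved with the policy version, superseded versions kept, an annual re-attestation cycle, and the ability to answer "who attested to which version on what date") can be modelled as a small append-only ledger. The following Python sketch is an added example written for this page, not code from the GRC 20/20 paper or from any MetaCompliance product; the policy identifier, people and dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# All policy ids, people and dates below are constructed for this example.


@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: int
    effective: datetime   # when this version became the published version
    owner: str            # Policy Owner accountable for this version
    text_sha256: str      # digest of the approved wording this version was attested to


@dataclass(frozen=True)
class Attestation:
    person: str
    policy_id: str
    version: int          # the version actually presented to the person
    attested_at: datetime # date and time stamp, kept in UTC


def utc_day(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


class PolicyLedger:
    """Append-only record of policy versions and attestations: the system of record
    an oversight function or regulator would query after an incident."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[PolicyVersion]] = {}
        self._attestations: List[Attestation] = []

    def publish(self, policy_id: str, owner: str, text: str, effective: datetime) -> PolicyVersion:
        history = self._versions.setdefault(policy_id, [])
        if history and effective <= history[-1].effective:
            raise ValueError("a new version must take effect after the previous one")
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        pv = PolicyVersion(policy_id, len(history) + 1, effective, owner, digest)
        history.append(pv)  # superseded versions stay in the archive, never overwritten
        return pv

    def version_in_force(self, policy_id: str, at: datetime) -> Optional[PolicyVersion]:
        """The version that was published at time `at`, or None if none existed yet."""
        published = [v for v in self._versions.get(policy_id, []) if v.effective <= at]
        return published[-1] if published else None

    def attest(self, person: str, policy_id: str, at: datetime) -> Attestation:
        """Record that `person` attested, binding the record to the version in force."""
        pv = self.version_in_force(policy_id, at)
        if pv is None:
            raise ValueError(f"{policy_id} had no published version at {at.isoformat()}")
        record = Attestation(person, policy_id, pv.version, at)
        self._attestations.append(record)
        return record

    def attestation_as_of(self, person: str, policy_id: str, at: datetime) -> Optional[Attestation]:
        """Latest attestation by `person` on or before `at`: who attested, to which version, when."""
        hits = [a for a in self._attestations
                if a.person == person and a.policy_id == policy_id and a.attested_at <= at]
        return max(hits, key=lambda a: a.attested_at) if hits else None

    def needs_attestation(self, people: List[str], policy_id: str, at: datetime,
                          max_age: timedelta = timedelta(days=365)) -> List[str]:
        """People due to attest at `at`: never attested, attested to a superseded
        version, or attested longer ago than the review cycle (annual by default)."""
        current = self.version_in_force(policy_id, at)
        if current is None:
            return []
        due = []
        for person in people:
            a = self.attestation_as_of(person, policy_id, at)
            if a is None or a.version != current.version or at - a.attested_at > max_age:
                due.append(person)
        return due


def build_sample_ledger() -> PolicyLedger:
    """Constructed history: a code of conduct published, attested, then revised."""
    ledger = PolicyLedger()
    ledger.publish("CODE-OF-CONDUCT", "chief.compliance", "v1 wording", utc_day(2018, 1, 15))
    ledger.attest("alice", "CODE-OF-CONDUCT", utc_day(2018, 2, 1))
    ledger.attest("bob", "CODE-OF-CONDUCT", utc_day(2018, 2, 3))
    # Version 2 is approved and published; earlier attestations no longer cover the new wording.
    ledger.publish("CODE-OF-CONDUCT", "chief.compliance", "v2 wording", utc_day(2019, 3, 1))
    ledger.attest("alice", "CODE-OF-CONDUCT", utc_day(2019, 3, 10))
    return ledger
```

Querying the sample ledger on 2019-04-01 reports bob (attested only to version 1) and carol (never attested) as due, while bob's record still shows exactly which version he attested to and when.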

Policy & Training Management Information Architecture

The policy and training management information architecture supports the process
architecture and overall policy and training management strategy. With processes
defined and structured in the process architecture, the organization can now get into the
specifics of the information architecture needed to support policy and training processes.

The policy and training management information architecture involves the structural
design, labeling, use, flow, processing, and reporting of policy and training management
information to support policy and training management processes. Categories of policy
and training management information that organizations often collect and process
include:

• Master data records. This includes data on individuals and their role and history of
interaction and communication with policies and training.

• Compliance requirements. Listing of compliance/regulatory requirements that are mapped
to policies.

• Policy and training libraries. The indexing and versions of policies and training.

• SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key
performance indicators, and key risk indicators for the policy and training program.

• Exceptions/exemptions. Documentation of exceptions and exemptions that have been
requested, granted, and/or denied.

• Forms. The design and layout of information needed for specific policies and related
processes.

• Incidents & issues. Record of policy violations and details.

Policy and training management fails when information is scattered, redundant,
unreliable, and managed as a system of parts that do not integrate and work as a
collective whole. A successful policy and training management information architecture
integrates information across the organization, and successful policy and training
management requires a robust and adaptable information architecture. Policies and
training come together into a unified employee experience where policies are displayed
along with training. Training is more than playing a video; it is interactive, so it
shows that employees are at their desks engaged in the activity rather than off getting
a coffee. Relevant resources are easily accessible and provided in the same interface
without hopping between disconnected systems.

Policy & Training Management Technology Architecture

The policy and training management technology architecture enables and
operationalizes the information and process architecture to support the overall policy
and training management strategy. The goal of the technology architecture is to
operationalize the process and information architecture. The right policy and training
management architecture enables the organization to effectively manage policy and
training performance across the organization and facilitate the ability to document,
communicate, report, and monitor the range of communications, training, documents,
tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training
management that connects the fabric of the policy and training management
processes, information, and other technologies together across the organization. Many
organizations see policy and training management initiatives fail when they purchase
technology before understanding their process and information architecture and
requirements. Organizations have the following technology architecture choices before
them:

• Documents, spreadsheets, and email. Manual spreadsheet- and document-centric processes
are prone to failure, as they bury the organization in mountains of data that is
difficult to maintain, aggregate, and report on, consuming valuable resources. The
organization ends up spending more time on data management and reconciliation than on
active policy communication and training.

• Department-specific point solutions. Implementation of a number of point solutions
that are deployed and purpose-built for department-specific or risk- and
regulation-specific policy needs. The challenge here is that the organization ends up
maintaining a wide array of solutions that do very similar things but for different
purposes. This introduces a lot of redundancy in information gathering and
communications that taxes the organization and its employees.

• Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and
training management modules. However, these solutions often have a predominant focus on
policy and do not always have complete capabilities in training.

• Enterprise policy and training management platform. This can be an enterprise
implementation of a point solution dedicated to policy and training management, or an
enterprise GRC platform that has the breadth of capabilities needed for policy and
training management. This is a complete solution that addresses the range of policy
management as well as training and communication needs, with the broadest array of
built-in (versus build-out) features to support the breadth of policy and training
management processes.

The right policy and training technology architecture choice for an organization often
involves integration into ERP/HRMS systems and other GRC and business solutions to
facilitate the integration, correlation, and communication of information, analytics,
and reporting. Organizations suffer when they take a myopic view of policy and training
management technology that fails to connect all the dots and provide context to
analytics, performance, objectives, and strategy in the real time in which the business
operates.

A well-conceived technology architecture for policy and training management can enable
a common policy and training framework across multiple entities, or just one entity or
department as appropriate. Business requires a policy management platform that is
context-driven and adaptable to a dynamic and changing environment. Compared to
the ad hoc method in use in most organizations today, an architecture approach to policy
management enables better performance, less expense, and more flexibility. Some of
the core capabilities organizations should consider in a policy and training management
platform are:

• Integration. Policy and training management is not a single isolated competency or
technology within a company. It often requires information from human resources, vendor
management systems, and other sources to automatically maintain a single record, so the
platform must integrate well with the technologies and competencies that already exist
in the organization, in particular ERP and GRC systems. The ability to pull and push
data through integration is therefore critical.

• Content, workflow, and task management. Content should be able to be tagged so it can
be properly routed to the right subject matter expert to establish workflow and tasks
for review and analysis. Standardized formats are needed for measuring business impact,
risk, and compliance.

• 360° contextual awareness. The organization should have a complete view of what is
happening with policies and training metrics and processes. Contextual awareness
requires that policy and training management have a central nervous system to capture
signals such as changing risks and regulations, analysis, and holistic awareness in the
context of a changing and evolving business environment.

• Organization management. Policies and training apply to something within the
organization, whether it is a business process, a physical asset, an information asset,
a business relationship, or the entire organization. The system must model the
organization and map policies to where they apply.

• Accessibility. Policies and related training are only of value if they are
accessible. A policy management system must provide a complete system of record any
individual can log into and find policies that apply to their role, along with required
tasks, attestations, and training they must complete. The system should be available in
the official languages recognized by the organization. It should also support the
communication needs of the differently abled (e.g., vision impaired).

Policy Management: Critical Capabilities

Solution Area Definition

Policy management solutions provide the capability to manage the development, approval,
distribution, communication, forms, maintenance, and records of policies, procedures,
and related awareness activities. This enables organizations to manage:

• Policy management process of development, approval, communication, monitoring, and
maintenance. This includes workflow, task management, and content management
capabilities with version control.
• Policy portal for individuals to be able to access policies relevant to their role and
responsibilities, access related resources and forms, and complete tasks related to
policies and training.
• Policy evidence to provide a system of record and audit trail of all interactions,
development, approvals, communications, training, exceptions, and exemptions related to
policies.

Critical Capabilities

• Manage policy lifecycle from development through maintenance and policy retirement
• Workflow, task management, and content management
• Integration with HR systems and business systems to identify change where
policies/training need to be communicated
• Policy portal for individuals to access policies, training, forms, and related tasks
• Forms development and management for forms related to policies
• Editing capabilities and version control of policy content
• Ability to map policies to other GRC content and records
• Regulatory change management to keep policies current
• Exception/exemption management of policies
• Integration of training and LMS capabilities
• Audit trail of evidence of all policy interactions
• Mobility capabilities

• Training management. Training management includes support for classroom, offsite or
vendor training, e-learning programs, recorded presentations, simple document delivery
and attestation, registration, and attendance completions. The challenge for companies
is integrating learning management systems with policy management systems. This can be
done by adopting a policy management solution that provides training management. In this
model, the courses, scheduling, attestations, and automatic assignment of policies and
training based upon the organization matrix are integrated with workflow, task
management, and monitoring. Mature policy management systems automatically reschedule
training if a policy is updated and assign additional training if a person is promoted
or changes roles. This greatly simplifies administration and maximizes accountability
and measurability.

• Notifications. The most effective means of providing accountability in policy
management is through notifications. Notifications are delivered when policy authors
receive a new work assignment, when a due date draws near, or when a task is overdue and
an escalation notice must be sent to management. If a person, or perhaps a whole
business unit, needs to read and attest to a revised policy, reminders and escalation
are required. Policy management systems provide configuration capabilities to customize
messages, provide links to tasks, consolidate notifications, and help enforce goals,
plans, and accountability. Notifications must be able to integrate with the
organization’s e-mail system to deliver messages and drive accountability.

• Audit trail. If it’s not documented, it’s not done. An audit trail should record the
who, what, where, and when for every document, assignment, person, and piece of content
collected, developed, changed, distributed, archived, surveyed, trained, notified, and
read. This ensures that when an incident occurs, an audit takes place, or a regulatory
exam or investigation happens, you are prepared with accurate and timely evidence. The
level of audit trail required for policy management cannot be maintained with manual
processes and ad hoc systems spread across an organization.

• Intuitive interface design. Policy and training management uses leading concepts in
interface design to make the user experience of applications simpler, easy to navigate,
and aesthetically appealing while minimizing complexity.

• Socialization and collaboration. Collaboration and socialization are used to conduct
risk workshops, understand compliance in the context of business, and get individuals
involved in policy and training at all levels of the organization.

• Gamification. Gamification is used, where appropriate, through interactive content and
incentives to drive the culture of GRC into decision-making. This means getting
employees involved through video, comedy, and games to educate on risk, policy, and
compliance. It could be an interactive adventure where employees choose their path when
presented with different ethical options in the context of business. Games, puzzles, and
illustrations help answer questions, develop skills, and communicate a point. Employees
can engage with policies and training to gain points, complete levels, earn badges, and
gain recognition for skills achieved. Perhaps an employee has gone through all the
health and safety training, has read and attested to policies, and has taken a quiz to
validate understanding. As a result they get a health and safety badge on their
corporate profile/avatar. Recognition can be given when people complete assessments,
discover and report issues, educate others, and champion policies in different ways.
This is all linked back to GRC technology to track and promote this activity, as well as
to broader corporate HR and collaboration technologies.

• Mobility. Many employees do not have computers, and some who did are now being issued
tablets. Policy and training engagement includes delivery of policies and training on
mobile devices. This works particularly well in manufacturing and retail environments,
where a tablet can be deployed as the policy and training kiosk for employees. Effective
policy and training embraces mobile technology on tablets and other devices to engage
employees in their preferred languages and bring policies to all levels of business
operations.

Benefits of a Policy & Training Management Strategy & Architecture

The organization requires a policy and training management architecture that is
context-driven and adaptable to a dynamic and changing environment. Compared to the ad
hoc method in use in most organizations today, a policy and training management
architecture enables better performance, less expense, and more flexibility. Core
technology capabilities to consider for a policy management program are the ability to:

• Provide a consistent policy management framework for the entire enterprise instead of
each department implementing its own policy management system.

• Manage the policy lifecycle throughout creation, communication, assessment,
monitoring, tracking, maintenance, revision, archiving, and record keeping.

• Train individuals on what is required of them through links to learning systems,
modules, quizzing, and attestation.

• Provide easy access to policy and communicate policy in the language of the reader, as
well as to the differently abled.

• Gather and track edits and comments to policies as they are developed or revised.

• Map policies to obligations (e.g., regulatory or contractual requirements), risks,
controls, and investigations so there is a holistic view of policies as they relate to
other areas of GRC.

• Provide a robust system of record to track who accessed a policy as well as dates of
attestation, certification, and read-and-understood acknowledgments.

• Provide a user-friendly portal for policies in the environment with the workflow,
content management, and integration capabilities necessary for policy management.

• Provide a calendar view to see the policies being communicated to various areas of the
business, and ensure policy communications do not burden the business with too many
tasks in any given month.

• Provide links to hotlines for reporting policy violations.

• Publish access to additional resources such as helplines and FAQs.

• Enable cross-referencing and linking of related and supporting policies and procedures
so users can quickly navigate to what they need to understand.

• Create categories of metadata to store within policies and display documents by
category so policies are easily catalogued and accessed.

• Restrict access and rights to policy documents so that (a) readers cannot change them,
and (b) sensitive documents are not accessible to those who do not need to see them.

• Keep a record of all the versions and histories of each policy so the organization can
refer to them when there is an incident or issue it must defend itself against or
provide evidence for.

• Maintain accountable workflows to allow certain people to approve policy documents and
move tasks to others, with full audit trails.

• Deliver comprehensive reporting with an extensive depth and breadth of reports.

GRC 20/20’s Final Perspective . . .

Effective policy and training management is about delivering value, integration, and
alignment of strategy, process, information, and technology throughout the organization
in the context of GRC. Organizations need to deliver an exceptional end-user experience:
getting employees involved by providing intuitive interfaces into policies and training
that are interactive, engaging, and social. Policy and training solutions need to
instruct, inform, and be easy to use at all levels. Such a solution engages employees in
policies and training without leaving them overwhelmed and confused; it integrates
policy and training information, processes, and systems to engage employees and agents
at all levels of the organization.

• Getting questions answered. Employees need to be able to ask questions and get them
answered. This means that policy and training management processes and architecture
should provide contextually relevant information as well as pathways to get questions
answered.

• Provide two-way communication. Employees not only need to be able to ask questions and
get them answered; they also come up with ideas and ways to improve policies and
training. Perhaps it is an idea for a new initiative related to corporate values, a new
risk to report, or a way to make a control more efficient.

• Sharing information. Getting employees engaged is about sharing information, such as
the ability to like a training initiative and share it with others in the organization.
This allows the organization to see what works and keeps employees engaged. It gives
employees a way to share information they find relevant and interesting, and it provides
feedback on what does not work.

• Connecting the dots through collaboration. Often, elements of policies and training are
done in ways that are not ultimately effective. A common problem is that individuals
modify their responses based on what they think people want to hear. This cognitive and
behavioral bias has an impact on the accuracy of the results. Policy and training
processes and architecture should bypass stakeholder interests by using technology to
engage individuals in an environment in which they can express their true opinion
without fear of consequences. Social and collaborative technologies provide a way for
individuals in a workshop to anonymously enter thoughts and opinions, capturing unbiased
information that builds toward stronger discussions and deeper analysis.

In the end, effective policy and training management is about delivering policy and
training that minimizes the perception of getting in the way of business and instead
becomes a part of the business and the culture of the organization. There is an element
of policy that will always be inhibitive, but the right approach overcomes this by
delivering engaging user experiences that align with the needs of employees, integrate
with the organization’s architecture and systems, and deliver relevant content when and
wherever it is needed.

About GRC 20/20 Research, LLC

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and
compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and
analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape;
market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem
of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered
through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC
challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000
companies, major professional service firms, and the breadth of GRC solution providers.

Research Methodology

GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing
GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria,
regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research
reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and
best practices. Research facts and representations are verified with client references to validate accuracy. GRC
solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.

GRC 20/20 Research, LLC
4948 Bayfield Drive
Waterford, WI 53185 USA
+1.888.365.4560
info@GRC2020.com
www.GRC2020.com
www.metacompliance.com
