
What I’m describing here really applies to organizations that already have some level of maturity around their policies and standards.
If policies and standards exist but the overall program isn’t very mature, there are two possible paths. One — have a discussion about whether the organization understands the value and wants to invest in maturing the policy program. Or two — if there’s currently no appetite for that, take an honest look at what’s in place. Evaluate whether those policies actually create value.
If they don’t, it may make sense to simplify — keep a smaller, more focused set of documents that are actually used and kept up to date.
The main point is: if you’re going to have policies, do them well. Make sure they achieve their purpose and create value. Because policies that exist but aren’t followed just add overhead, weaken governance, and waste resources.
Policy vs. Standard

| Policies [why] | Standards [what] |
|---|---|
| Outline the organization’s intentions, security goals, and overall approach upon which the risk program is established and executed | Tactical documents that provide the ‘what’ for achieving the direction and intent outlined by policies |
| Provide the rationale and high-level objectives; help the organization answer ‘why’ | Support their ‘parent’ policies and do not exist in a vacuum |
| Convey the amount of risk the organization is willing to accept to achieve its objectives | Requirements are finite and quantifiable, so they can be implemented, monitored and audited |
| Set forward high-level roles and responsibilities at the organizational level | May outline more detailed roles and responsibilities relative to specific requirements |
| | Provide a blueprint for control design |

Problem Statement
Decentralized management of policies and standards leads to:
- Inconsistent and contradictory document management (different ‘flavors’ and approaches across teams)
- Compliance deficiencies or gaps (requirements that omit the ‘obvious’, are confusing, overstated or contradictory, or that stakeholders are simply unaware of)
- Higher operating cost (every person engaged in reviews is pulled away from their primary focus to support policy work)
This increases the risk of redundancies, single points of failure, inaccuracies and policy violations, while impairing compliance and operational efficiency throughout the enterprise.
From the perspective of a GRC platform, if one exists, implementing and maintaining a universally efficient Policy Module is challenging because it has to address the diverse demands of many stakeholders.
Solution
Implement a centrally managed Enterprise Policies and Standards Management Framework to ensure company-wide process standardization and adoption.

Benefits of a mature Security Policy Program
- Establishes a consistent lifecycle for policies and standards across the enterprise with predictable outcomes, and defined roles and responsibilities
- Enables better alignment with external Laws, Regulations, Obligations or Industry Best Practices
- Applies consistent terminology
- Provides transparency in governance changes
- Reduces management and contributor overhead
- Reduces time for control design and maintenance
- Enhances auditability and compliance
- Supports operational excellence across the organization (and saves money)
Policy program prerequisites
- Leadership buy-in
  - Obtain support from all areas of the organization
  - Ensure that delegates communicate with their leadership and have standing with it
  - Establish contacts with, and manage, all relevant stakeholders and SMEs
- People/Team
  - Ensure that competencies are aligned with responsibilities
  - Document management experience
  - Ability to handle meeting notes, take-aways and follow-ups
  - Technical writing skills
  - Understanding of the breadth of the assigned documents, and the ability to drive discussions and reach consensus
- Organizational Policy Framework
  - Establish a Policy on Policies and align it with existing processes
  - Manage the Policy Program centrally
  - Build comprehensive procedures
  - Establish an intake for questions
  - Train SMEs
  - Enforce adherence to the program and its processes
- Program enforcement
  - Maintain awareness
Program Components
- Build a Policy Management Team or a Value Stream
  - Assess the expected workload: Total Documents x Time Per Document
  - Build the team
  - Establish an organization-wide process
  - Develop procedures
- Engage Stakeholders
  - Work with all Policy Owners to define their roles in the process
  - Build relationships
  - Educate on the process
- Establish a RACI (by area)
  - Each impacted area must have stakeholders assigned: EA, Products, Infrastructure, Legal, etc.
  - Stakeholders must be aware of their responsibilities and be supported by leadership
  - Each area must have an accountable person who signs off on changes
  - Each area is responsible for delivering an update on changes to its leadership
- Create and Publish a Schedule
  - The policy review schedule must be published and easily accessible
  - Stakeholders must have visibility into document review work so they can plan accordingly
6-Step policy lifecycle

The policy lifecycle follows a clear, repeatable flow.
It starts with Initiation — distributing the document for review according to the RACI.
Then comes Commenting, where all teams provide feedback in a single, centralized document.
Next, during Definition, the working group reviews and refines the proposed changes.
Once that’s done, the document moves to Draft and then Approval, where accountable stakeholders sign off and executives are updated.
Finally, we Conclude by distributing the approved version to all stakeholders for implementation and awareness.
Policy review schedule example
Having a published policy review schedule is extremely helpful.
It lets everyone know when to expect updates and helps reviewers plan their time in advance.
Optionally, you can make the schedule even more effective by including document review coordinators, showing the current status of each policy, and using simple color-coding to flag anything that’s off schedule.

RACI example
The RACI model helps track who’s involved with each policy and in what capacity.
Each department should have one Accountable person — someone who approves final changes, signs off on behalf of their business unit, and communicates with leadership.
Those who are Responsible provide direct input and coordinate with subject-matter experts.
Consulted roles offer expertise and clarifications when needed.
And Informed individuals are simply kept up to date without active involvement.
It’s important to note this RACI supports policy design, not the formal committee approval process.

Swimlane process flow example
This diagram shows a simple example of how the policy review process flows through each lifecycle stage.
It starts with initiation, where the policy is prepared and distributed for review, then moves through commenting, definition, and drafting as subject-matter experts collaborate and refine the content.
Once the draft is finalized, it proceeds to approval, where business unit representatives and the approving body sign off.
Finally, the conclusion stage covers post-approval activities and publication.
The process can always be expanded based on the organization’s maturity — adding more detailed steps or redundancy where needed — but it follows the same six-step framework as the foundation.

Good practices
- Consistent use of terminology (establish a Corporate Glossary)
- Try to avoid negative requirements; state what must be done rather than what must not
- Do not embed exceptions in the document, and do not contradict them
- Avoid adding implementation details (Standards or Procedures) to Policies
- Steer clear of recommendations, notes, guidelines, ‘good to haves’ or FYIs
- Use a numbering convention for better references
  - Number requirements instead of using bullet points for all of them
  - Unique IDs for all requirements significantly simplify referencing
- Clearly identify material vs. non-material changes for approval
- Do not make an ‘index’ or ‘catalogue’ of other policies or standards within a policy
- Do not write policies or standards in isolation; always engage SMEs
- List policies/standards on one web page (Enterprise Hub) and describe what each does
- Each requirement must have an owner who is accountable for its completeness
- ‘Tier’ policies by their applicability, impact and coverage
- Establish a path to compliance
  - The Security Exceptions process is understood and followed
  - Sunset and/or sunrise language
  - Multi-year implementation strategies for complex changes