GRC Policy Management Best Practices
How to solve a critical piece of your governance, risk, and compliance strategy.
- Different approaches to GRC policy management.
- Developing a policy strategy.
- Policy-writing process best practices.
Mapping your business operations to your organization’s vision, mission, and goals serves as a good first step toward your company’s success. But you must also factor in adhering to ever-changing government rules, standards, and regulations while also following industry guidelines – and doing it all with integrity and transparency.
All this adds to the complexity of managing your governance, risk, and compliance (GRC) program. In essence, you want to do the right thing, follow the law, keep your company out of trouble, turn a profit – and still compete in the marketplace. So, where do you even begin?
Policy management sets the foundation for any good GRC strategy. It serves as the front-line defense and paves the way to ensure consistency and excellence across the organization. Creating policies to guide your operations and then integrating these standards with your company’s goals, government rules and regulations, and industry guidelines can prove challenging – and overwhelming.
That’s why it helps to look at GRC policy management best practices to guide your efforts.
Different Approaches to GRC Policy Management
To effectively manage your GRC program, your company must marry corporate goals with regulatory compliance throughout the entire organization, relying on an efficient policy management approach to get the job done. Most organizations follow one of these three common GRC program approaches.
This policy management approach focuses on waiting to create (or update) policies until an issue or problem arises and needs to be addressed. When time and resources are in short supply, this becomes the default system, as overworked staff or tight budgets dictate what fire needs to be put out first.
Obviously, this is not a great strategy since it creates uncertainty among employees, lacks a collaborative approach, fosters redundancy, and isn’t forward-thinking. Without having a consistent GRC policy management strategy and framework to guide the process, this can lead to inconsistent and siloed policies. The result? A GRC program riddled with holes.
Another common approach to governance, risk, and compliance relies on a centralized system where only a handful of people make all the decisions, even though they might not clearly understand the differing needs of each division or department.
They seek little to no input from others, particularly managers and employees who work the systems every day. While this can be highly efficient and consistent, it can also lead to non-compliance by employees – especially when they feel they are not being heard or that the decision-makers are out of touch with day-to-day operations.
Plus, it can take a long time to review and update policies since it puts the burden on such a small group of people to do all the work. Again, not an ideal way to handle governance, risk, and compliance.
This inclusive GRC policy management system follows a guiding strategy to policy decisions that takes appropriate input from all levels of the organization. It’s a collaborative, proactive approach that considers the needs across divisions and departments while still allowing for some level of autonomy.
Moreover, this comprehensive approach maps GRC program efforts to critical legal and compliance standards, thus producing consistent policies.
Because it’s forward-thinking and integrated, this policy management approach improves governance, reduces risk, and boosts compliance.
Develop a Policy Strategy
Before you start plowing through policies and initiating an overhaul of your entire GRC program, step back and think through any organizational issues that need to be solved first.
Failing to identify and handle these potential snags at the beginning will lead to siloed and inconsistent policies and sabotage your GRC program.
Form a policy and governance team
If your organization is like many others, you already have a compliance or governance team, which may or may not be tasked specifically with policies. This team should be a cross-functional one that might include people from HR, compliance, risk, legal, and upper management. It should also include subject-matter experts who can be rotated depending on what policies the team is discussing.
Depending on the complexity of your company or the policies that you are developing, the size of your team can vary from really small to very large.
In some cases, you might only need to consult certain members (like legal) in the final stages rather than include them from start to finish. Other times, you might need to include supervisors or employees throughout the entire GRC policy management process to better understand technical elements or procedural specifics. It really depends entirely on your situation.
Regardless of your team’s size, the goal should be working together with intentionality, with all members contributing their unique experience, knowledge, and perspective.
Get a policy mandate
For your GRC policy management strategy to really have some teeth, your company leaders or board of directors need to leverage their authority by issuing a policy mandate. They also need to set parameters on what the team can approve on its own and what needs sign-off from above.
Plus, they should outline the ultimate goals of the policy management process so everyone is on the same page. Finally, they must allocate the appropriate budget and resources to allow the team to operate effectively.
Agree on a policy management process
You don’t want to get mired down in the GRC policy management process because of vague direction at the beginning. Agree ahead of time how the process will work. Pinpoint who is responsible for specific tasks.
Clearly explain the specific deliverables expected throughout the process, including key milestones that might need to be hit before other steps can be taken. Identify specific timelines so deadlines are clearly communicated to everyone involved. Outline the scope of the process so participants know beforehand what they’re really tasked with accomplishing.
If you don’t already have one, you should also come up with a standard policy format and structure for consistency and clarity. Plus, you need a single system where you can store and distribute your policies.
Using a policy and procedure management software like PowerDMS makes it easy to create, store, modify, and distribute policies – all from one centralized, secure location.
With so many other key issues to deal with when it comes to governance, risk, and compliance, don’t let your process get bogged down in the smaller details. Tap into technology to organize, streamline, and automate your GRC program so you can focus on the big issues.
Identify and prioritize policies
Sometimes it can be hard to determine which policies should be your top priority, especially when there are so many moving parts to your GRC program.
It might be fairly obvious which ones to focus on if you are facing a compliance or regulatory issue. But if not, start by collecting the list of existing (or needed) policies. This will help bring clarity to the scope of any problems and can identify areas where policies contradict each other or are redundant.
As a result, rectifying these issues will make compliance much easier.
Policy Writing Process Best Practices
With a solid policy strategy in place, your next step should be to look at policy management best practices for guidance. While not every section below will be relevant for every company, these best practices outline a good process and serve as a great starting point for most.
Start with the end in mind
Determine what you specifically want or need to happen as a result of each particular policy. Make sure that the result is clear from the beginning and refer back to that goal often, as it will be your guiding star throughout the policy management process.
It’s also important to be clear about expectations early in the process. Again, establishing a good policy strategy first will start this process off on the right foot for everyone involved and, in the end, enhance your GRC program.
Designate a policy owner
It will make sense for certain people and policies to align in terms of who should handle what in this process. That is why you designate a policy owner – the one person ultimately responsible for the creation, implementation, and long-term management of a specific policy.
Choose people with both knowledge and authority in their respective areas and make them part of the policy committee (or at least involve them for the duration of the portion concerning their policy).
A word of caution: Designating policy owners does not mean they are charged with writing the policy alone or doing all the work. Rather, they serve as a point person much like a project manager or coordinator.
Collect all appropriate information
The complexity of governance, risk, and compliance dictates that you must gather the information you need from all necessary sources. This includes legal requirements, regulatory or accreditation standards, input from managers and employees, and any subject-matter experts (both internal and possibly external to the company).
You can interview people, observe them in action, research regulations, or work with outside consultants and advisors. Regardless of your method, the key is to make this comprehensive effort.
Consolidate information into an initial policy draft
With all this data in hand, you can now transform it into a reviewable draft. Having the policy owner involved, as well as that guiding goal and outcome, are imperative to this step. Remember, this is just a draft and doesn’t need to be perfect at this stage.
However, it does need to have enough specificity so others can accurately review it. For policy best practices, this means the draft should be in a standard format and should also include any necessary procedures and a training plan.
Again, it is in draft mode, so don’t expect perfection when mapping out procedures or training. However, it does need to provide enough information so others can review and discuss it. To ensure better understanding and consistency, err on the side of too much detail – you can always edit it later in your policy and procedure software.
Send draft out for review
In the review phase, you will need constructive feedback on your draft to improve your final policy. Again, this depends on the complexity of your organization and the specific policy that needs review and input. For smaller organizations, this might only require one or two rounds of review. But others might need to send the policy draft to many different people and teams for approval before it is ready to proceed to the next step in the process.
For example, the department head might need to sign off on the draft before it goes to the head of HR or before legal sees it.
To follow policy management best practices, make sure you document all of your team members’ feedback and changes. Don’t rely on your memory! To avoid any communication gaps, especially across departments, keep a history of everyone’s input, similar to an audit trail. This can help provide context for the “why” behind decisions.
Rather than getting lost in the details of alerting everyone when they need to act or spending time tracking changes, take advantage of policy software like PowerDMS.
Our workflow feature comes into play here handling (and automating) these administrative details with ease, freeing up your time to focus on the critical content of your GRC program policies. Plus, you avoid the process grinding to a halt because one person didn’t complete an assignment by the appointed deadline.
Final edits and approval
Don’t make the mistake of only submitting policies for review to your leadership and board members (although that still needs to happen). Also loop into the review process someone close to the situation who can go over the policy for comprehension and understandability.
For example, if you are fine-tuning your cash-handling policy, best practices here would mean asking people who actually handle cash to read the policy and make sure they understand what is being asked of them.
Policy enforcement would be difficult if employees do not understand the policy expectations in the first place.
Distribute the policy and obtain signatures
With a completed, approved final policy, don’t think you are now ready to simply send it off and assume everyone reads and understands it.
A good policy management strategy involves tracking who has signed off on receiving the policy – another robust feature of PowerDMS. Many who manage GRC programs even take it a step further and attach comprehension tests at the end to ensure high-risk policies are truly understood.
While managing your governance, risk, and compliance program is certainly a complex undertaking, adopting a good strategy and incorporating GRC policy management best practices will pave the way towards consistency and effectiveness.