Policy lifecycle management – the lowdown

Sword GRC Blog

Whether they are corporate, risk, or regulatory oriented, and whether they provide guiding principles or set out the latest legislative requirements, policies are part and parcel of corporate life. Yet without effective management, policies can soon become outdated, ineffective, or unsuited to changing business needs. In this blog, we explore what the term ‘policy lifecycle’ encompasses, why managing the entire lifecycle is important, and how policy management software can make the process more efficient, effective, and agile.

The success of policies and procedures often relies upon an organization’s approach to policy development, the publication of policy documentation, the adoption of policies, and their continual review – the process collectively known as managing the policy ‘lifecycle’.

According to Michael Rasmussen, The GRC Pundit*, most organizations ‘fail to manage the lifecycle of policies’ and this ‘opens the doors of liability as an organization may be held accountable for the policies it has in place but are not appropriate or it is not compliant with.’ Certainly, a key challenge for businesses today is the ability to demonstrate compliance and best practice to auditors and regulators. This being the case, effective policy management should ‘start with a lifecycle approach to managing policies. This is the process of managing and maintaining policies throughout their effective use within the organization’.


From policy development to review and maintenance

In summary, policy lifecycle management can be broken down into the following key phases:

Policy creation – policies may be required for a number of reasons: to meet regulatory requirements, to fulfill business partner obligations, to ensure best practice, or to instill corporate values, to name but a few. Once the need for a policy is defined, the business assigns a policy owner who takes on the role of implementing the policy and monitoring it within the organization. Next comes policy writing: the goal is to ensure that the policy is clear and easy to understand, and ideally consistent in format, style, and language with the organization’s other policies. Once written, the policy undergoes approval by the relevant stakeholders before going into circulation. Policy creation is typically an iterative process, repeated until consensus is reached that the policy is right for the business.

Policy communication – The GRC Pundit suggests that this phase should include three sub-phases: publication, training, and attestation. When it comes to publication, ‘many organizations have scattered systems to publish policies and procedures without a single authoritative source.’ Not only does this make policy management difficult, it also means that more policies fall out of date unnoticed. The best practice suggested is policy management software, ‘a single policy publication engine in which any individual within the organization can log in and see all the policies that apply to his/her specific job role.’

Training is important because the business must be able to actively show that people understand a policy and what is asked of them. Once an individual has read a policy and completed the associated training, their attestation (a recorded acknowledgement that they have read, understood, and will comply with the policy) should be tracked. Note that attestation evidences awareness and commitment, not actual adherence; demonstrating adherence is the job of the ongoing monitoring described in the next phase.

Policy management – this phase of the policy lifecycle includes monitoring policy compliance on an ongoing basis. Any instance of non-compliance or policy violation should be logged and considered when the policy comes up for review. If an organization grants an exception to a policy for a defined period of time, this too should be documented, ideally with its rationale, approver, and expiry date, so that it can be revisited rather than silently becoming permanent.

Policy maintenance – the final phase, in which each policy is regularly reviewed against the business objectives that drove its creation. Is it still effective, does it need to be revised in any way, or should it be retained and reauthorized as it stands? Best practice is to archive every policy, and every version of a policy, for future reference. ‘When an organization becomes aware of an incident or a regulator has a question it is necessary to have a full view of the history of the policy – the owner, who has read it, who was trained, who attested, and on what version of the policy.’


An agile solution? Policy management software

Taking an ad hoc approach to policy management can leave a business exposed to liability. The solution? Sword GRC’s fully integrated administrative tool enables control of an organization’s policies and procedures across the whole lifecycle, to support good governance and full compliance.

Sword Policy Manager provides a full methodology to develop, implement and improve policies, including attestation.

At-a-glance benefits

  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters

Learn more about Sword Policy Manager or book a demo.

*Defining a Policy Management Lifecycle | GRC 20/20 Research, LLC