The third webinar we conducted with the Open Compliance and Ethics Group for the “Policy Management Illustrated” series dealt with proper measurement and evaluation. Our previous blogs from this series discussed best practices around policy communication and enforcement. In this series, we’re looking at effective policy maintenance through measurement and evaluation. Last time we looked at the value of policy metrics. This time, we’ll discuss how policies should be updated and archived.
So what needs to happen to an old version of a policy when an update occurs? What about any policy data that had been gathered, like the metrics and audit trails around it?
If a policy has ever been on the books, it should be maintained in the system virtually forever. When policies are updated, obsolete versions should be catalogued in the system and retained. If an issue arises that occurred back when an earlier version of a policy was in force, you can find it and see what parameters and attestations existed for that policy at that time. Of course, archived versions of policies should be accessible only to the policy team; the organization at large should only be able to access the version currently in effect.
In a manual, document-based system, this is a nightmare. The old policy is just as important as the updated version. A robust policy management system allows you to track changes and versions to entire policies or even down to the level of specific sections within a policy.
The metrics and auditing information for those obsolete policies, just like attestations for policies now considered outdated, must also be maintained in that same system for the same reasons. Otherwise, you lose context for how that obsolete policy was used and enforced.
Michael Rasmussen summed it up really well in his Compliance Week article: “The audit trail is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.”
We really enjoyed working with GRC 20/20 and OCEG on these Policy Management illustrations and the roundtable discussions with the thought leaders in this area of the GRC world. We hope it serves to inform organizations about the need for better policy management.