Where Policy Management Fits in the GRC Ecosystem

Survival of the Fittest: Policy Management’s Place in the GRC Ecosystem

In 1993, Academic James Moore authored a Harvard Business Review article introducing the concept of the “business ecosystem.”[1] Moore, a leadership expert who studies changes in large-scale systems, defined his new phrase as “an economic community supported by a foundation of interacting organizations and individuals – the organisms of the business world.”

In the ensuing decades, the analogy expanded beyond its original description of external marketplace dynamics to make sense of the inner workings of organizations -- their integrated networks of business activities, structures and technology that form a symbiotic system of mutual support and co-development.

Through that organizational lens, Moore’s ecosystem model remains just as relevant today, especially when applied to the complex nature of GRC. While discrete governance, risk management and compliance structures comprise the foundational elements of organizational resilience, policy management fulfills a crucial connective role by integrating and constantly interacting with all GRC activities to ensure they are performed in a standardized and unified manner.

“Without an integrated GRC ecosystem, an organization cannot act with the agility, resiliency and confidence it needs to thrive in today’s complex business environment,” notes Mike Rost, Vice-President at Workiva, a leading GRC solution provider.

Without a fully GRC-integrated policy management program, the efficacy of governance, risk management and compliance activities are at risk of unexpected culture and control detours, taking on unacceptable risk exposures and compliance failures.

The Biology of Business

Any assessment of an organization’s GRC ecosystem begins by identifying the various parts of the business that share an environment and how those areas can interact for the greater good of all stakeholders.

In a biological ecosystem, no organism can exist in isolation. Each will have many different interactions of different types that contribute to the life of the organism and to the well-being of the ecosystem overall. The same holds true in the GRC ecosystem, which hosts countless interactions that are critical to driving the overall health of the business. Consider the professionals who specialize in different roles, the processes they operate and the technology they use -- unless those ecosystem participants share current GRC information regarding changes in governance structure, risk appetites, regulatory requirement and the like, the business cannot survive.

The GRC ecosystem also connects all aspects of high-level objective-setting, strategic planning, and the numerous mechanisms through which those plans are executed throughout the business in pursuit of stated objectives. Those mechanisms include all business processes (e.g., risk management, workforce management, sales, etc.), supporting technology systems, individual decisions, and interactions, and more.

Within the GRC ecosystem, the role of policy management is to help ensure that all of the organization’s processes, technologies, decisions, and behaviors are conducted within the guardrails that GRC requirement provide, notes Rost. Current policies (an important qualifier given that policies change in response to changing business and regulatory conditions) support and guide leaders, managers, and professionals in their daily work. Providing this support requires policy information to continually flow throughout the GRC ecosystem while ensuring that all employees receive the right level and volume of relevant policy information.

5 Crucial Connections

A GRC ecosystem begins with a central focus on the objectives of the organization. It expands to include continual monitoring of the internal and external business environments to identify possible threats to the objectives as well as opportunities that may arise. The ecosystem further expands to include the business operations and what those operations due to meet the objectives while mitigating risks. This activity is supported by a number of business units or activities that help keep the organization on track to meet its objectives while addressing the uncertainty from risks and staying within the boundaries – both mandatory and voluntary – of acceptable conduct. These supportive parts of the GRC ecosystem include human resources, communications, and training, legal, finance, change management and related areas.

Various types of technology are also part of the GRC ecosystem and must be connected with each other in a way that enables the sharing and use of consistent information. These systems include applications that identify and track outcomes for objectives, monitor and assess risks, maintain budgets and requests for resources, track employee responsibilities and related access rights, and train employees on requirements and procedures.

Policies are statements that guide conduct to support the achievement of the defined objectives. They also provide the framework for the establishment of specific procedures that are implemented throughout the organization. In this way, policies connect all aspects of the GRC ecosystem. Rost suggests five important connections that must be present for an effective policy management program:

1. Objectives: Policies must be mapped to the objectives they support. Changes in objectives or strategies should trigger notifications to policy owners calling for reviews and potential revisions.
2. Systems: The policy management system must be connected to systems that track internal and external changes to determine when those shifts necessitate a change in policy and procedure, or even a change in objectives. While a change in procedural fraud prevention regulations would naturally require a change in policy, a steep and sudden economic downturn might require a similar policy change (because some sales professionals could become more likely to engage in bribery while struggling to meet their targets in the a challenging selling climate).
3. Risks: Policy management must connect with risk management systems. As risks become more significant, or as new risks arise that threaten the achievement of objectives, policies should change in response. A higher-level risk to a critical objective may necessitate a policy that addresses certain forms of conduct and that is accompanies by new training requirements. The policy management structure should quickly identify risk assessment changes that require these types of modifications.
4. People: Policy management must connect to human resource systems to identify when individuals begin new roles or move on so that appropriate communications on relevant policies can be delivered. To be clear, employees should only receive policy information and any related training that are relevant to their roles and activities. Mapping policies to the specific tasks assigned to each role helps optimize the effectiveness, efficiency and timeliness of policy communications.
5. Compliance: Policy management must connect with other compliance aspects of the GRC ecosystem. Investigations and enforcement activities require the ongoing maintenance of a complete history of policy and procedure changes over time. Compliance actions and/or other civil lawsuits often allege noncompliance with regulations and policies that were in force sometime in the past. Having a complete record of policy changes, and concurrent changes to communication and training, is necessary to mount a stout defense.

When these types of connections are present, a GRC ecosystem becomes more integrated with policy management. That connectivity helps all members of the ecosystem collaborate in ways that strengthen GRC capabilities, making the organizational organism more agile, more resilient and more confident in its ability to achieve its objectives.

[1] “Predators and Prey: A New Ecology of Competition,” by James F. Moore, Harvard Business Review, May–June 1993 Issue: https://hbr.org/1993/05/predators-and-prey-a-new-ecology-of-competition.