
Today I'd like to give you some insights into the topic of Policy Management, which is a not so prominent part of what we call "GRC". That is a little strange, as Policy Management reflects Governance, which even provides the first letter, G, in GRC: Governance, Risk and Compliance.

Maybe Policy Management is not that much in public focus because it already existed before the current GRC boom started with the Sarbanes-Oxley Act in the USA. Policies have been the main means to translate external demands into internal regulations and to enrich them with internal demands on the same topics. But this obviously had drawbacks, as the big compliance scandals showed, so public focus shifted to internal and external assessment: testing, auditing, evaluation.

Now Policy Management gets more attention again, as companies see its advantage in efficiently establishing general control over certain compliance topics without overcrowding their processes with specific control points. But Policy Management needs to evolve to the next level, as expectations have clearly increased.

Our ideas on a good policy management process reach far beyond what companies had established in the past. We see three phases in such a process: creation or change of a policy, implementation of a policy, and lastly evaluation of the design and effectiveness of a policy.

[Figure: policy management]

The first phase mainly concentrates on a document control workflow and release cycle management. We support this with a very flexible technology for creating executable processes per click, using ARIS Process Governance.

In the second phase we offer state-of-the-art policy implementation. Today it is not sufficient just to publish policies in a company's intranet. We differentiate between levels of criticality for policies. For a travel policy, for example, it may be sufficient to publish it in the process web intranet with an alert sent to the employees. For a company conduct guideline you may want to go one step further and obtain an acknowledgement signature, at least from the management addressees, that they have read, understood and will apply this guideline. And for a work instruction on a pharmaceutical bottling station you even need to ensure that everybody working on the respective shop floor was trained on it. All these activities are supported by our reference process delivered with ARIS Process Governance.

And more: all these activities concerning Policy Management are documented and can be monitored.

That leads us to the last phase, "Testing of Policies". Every policy should be checked at a regular frequency to see whether it is still applicable, up to date and covering the objectives or risks it tackles; in modern compliance talk that is called a TOD, or Test of Design. And at the latest for those policies with higher criticality you want to run a TOE, or Test of Effectiveness: was this policy really implemented and adhered to? For example, how many of my managers have signed the conduct guidelines issued? In this phase we are back to our classic testing support with ARCM.

The big chance in such an integrated approach is that a customer can decide, for each risk he wants to control or reduce, by what means this is done most efficiently: with a policy, a contingency plan, reducing measures or an internal control!

by HC Lim
Posted on Sat, 07/25/2009 - 10:12

Hi Martin, I am interested to learn more about this policy mgmt.

Where can I find more info or see a demo of it? 

Is it tied to the ARIS business rule designer? 


thank you.

HC Lim

by Martin Kling Author
Posted on Wed, 07/29/2009 - 11:31


Hi HC,

General information on ARIS Process Governance can be found here:

http://www.ids-scheer.com/en/ARIS/ARIS_Innovations/ARIS_Process_Governance/151394.html

So far there is no standard connection to the Business Rules Designer.

For a demonstration please contact your friendly sales rep ... he or she will arrange a demonstration. We are currently working on flash demos, but this will take some more time.

Regards,

Martin Kling

by Miko Matsumura
Posted on Sat, 07/25/2009 - 16:23

I wanted to point out also that the concepts of Policy Management and Governance fall into several domains in the Enterprise, and that GRC (Governance, Risk and Compliance) tends to be in the broader sphere of Corporate Governance.

But in addition to these aspects of Policy Management, the same language can enter into the spheres of IT Governance and SOA Governance...

thanks,

Miko Matsumura

Software AG

by Martin Kling Author
Posted on Tue, 07/28/2009 - 17:10

In our understanding the ARIS Solution for GRC is addressing all compliance topics with a common approach and tooling. That's one of the strengths we can offer to our customers. It is not necessary to have different approaches and toolings to tackle IT topics (Risk, Governance, Compliance) or financial topics.

I totally agree that Policy Management should also address the respective topics of IT Governance, even if I didn't give examples for it.

Regards,

Martin
