How to Avoid Policy Management Pitfalls


Written by: Anthony Matar

Updated: September 07, 2023


So, you’ve been mulling over our three principles of policy management from part one of this blog series as part of your own organization’s efforts to make your process more efficient and effective. Amazing. But what’s next?

Although we at LogicGate love being thought leaders in the “philosophy” of GRC, we aren’t in the business of navel-gazing! With Risk Cloud, we love taking the abstract into the real world even more. My name is Anthony, I am a Senior Information Security Analyst at LogicGate, and I have been building Applications within LogicGate’s Risk Cloud to support several of our internal risk management processes. Very meta, I know! In part two of this blog series, I’m going to share how the team at LogicGate has used the Policy and Procedure Management Application in Risk Cloud to eliminate the common pitfalls found in policy management.

Common Pitfalls of Policy Management

The desperate need for a GRC record management tool to facilitate policy management is—unfortunately—painfully obvious to the seasoned risk professional. Without the technical scaffolding of a policy management system, a series of pitfalls often arise. Below are three common pitfalls that I have fallen into myself while managing assorted policy documents.

  1. Rogue and duplicate policies
  2. Needing to hunt down policy owners (and their updates)
  3. Disconnect from the organization’s risk program

Fortunately, the use of the Policy and Procedure Management Application elevates our risk team beyond these common stumbling blocks. 

Rogue and duplicate policies? Create the source of truth.

“Is that the most current version of that procedure?” “Can we send this policy to our client?” “Which one is the ‘real’ policy we are using?”

Admit it, you have uttered one of these questions (in some shape or form) in the past 12 months. You haven’t? You must be using Risk Cloud’s Policy Management Application! At LogicGate, our use of the Policy Management Application helps relieve the difficulties found in simply not knowing what policies are current by providing a fenced-off “source of truth” for end-users.

No longer do you have to use random shared folders, email attachments, or the dreaded (but all too frequently utilized) local desktop as the home for your organization’s governing documents. Within Risk Cloud, a document repository exists that can provide read access to the users of your choice. This source of truth becomes the 24/7 reference point for all current and historical policies and procedures. As part of the policy management flow, new or updated documents pass through an approval gate to be given the green light by the appropriate risk teams (e.g., Legal, InfoSec). This gives the risk organization tighter control over the source of truth and an easy reference point.

Hunting down policy owners? Automate it!

If you’ve nailed Principle 1: Roles & Responsibilities from part one of this blog series, you’ll have the document owner codified as part of your policy. But how do you get that person to update the document for your annual obligations (e.g., SOC 2)? If you’re anything like me, you’ve spent too many hours doing virtual gymnastics to get policy owners to make updates and submit them in the right place.

Using Risk Cloud, you can set up automated alerts to be sent to designated policy owners (even through Slack or Jira using available integrations) to remind them of their annual update obligations. While there will always be a human element to working with policy owners, system-codified cadences and alerting allow the focus to shift away from reminding owners of their responsibilities and keeping them on schedule, and toward helping them with the actual content of their policies.

Disconnect from the organization’s risk program? Link it!

In an ideal world, our governing policies and procedures are tightly knit with the entirety of our risk management program. In reality, our policy documents (and supporting language) are loosely tied to the controls we abide by and the risks we have reported. Yes, on a theoretical level, our control frameworks map to policies, but this abstract connection lacks the tangibility that makes it easy to connect the dots and reference when an auditor comes around.

Using Risk Cloud, we can link workflows across Applications (say, our Enterprise Risk Management Application and Policy Management Application) so that we can clearly see which controls are related to a given policy and which policies relate to certain controls. Risk process linking is a clear advantage of a GRC solution, and that advantage becomes even more evident in the context of policy management.

Policy Management and Beyond

LogicGate is in the business of making software for risk professionals. For me, it’s a funny situation to be in as an InfoSec professional since I actively use the same software my company is bringing to the marketplace. We use Risk Cloud for policy management, but I am happy to say that it's not the only thing we use it for. Although Risk Cloud’s Policy Management Application helps us avoid common pitfalls, we know these aren’t the only pitfalls in this space. The configurable nature of Risk Cloud allows us to continuously iterate and improve our Applications and workflows to meet an ever-evolving list of use cases and challenges!

If you’re new to LogicGate’s Risk Cloud, we’d recommend you start off watching this short video to get a high-level understanding of our extremely flexible and easy-to-use GRC solution. 

Although Risk Cloud is infinitely configurable (think Legos!) and your team can build GRC Applications from scratch, we also don’t recommend re-inventing the wheel. That’s why we created Risk Cloud Exchange (RCX). 

RCX is essentially the entire ecosystem of Risk Cloud centralized in one, easy-to-use place. Risk Cloud Exchange lets you explore every Application, integration, standard, and framework available in Risk Cloud. But when it comes to structuring and automating aspects of policy management, the Policy and Procedure Management Application has what you need, and I hope you’ll be able to use this information to avoid future pitfalls.

About Anthony Matar

As the Senior Information Security Analyst, Anthony helps foster a security-conscious culture at LogicGate that sees its responsibility to enterprise risk management as “part and parcel” with the organization’s objectives. Prior to LogicGate, Anthony spent time in cyber risk consulting, working with numerous Fortune 1000 companies in the realm of application security, infrastructure security, and security strategy. In his own words, “a GRC tool like LogicGate would have been an absolute game-changer during my spreadsheet-heavy years in the consulting industry.”
