Building a strategic framework for policy governance

Given the growing importance of risk management and compliance, many companies are embracing the idea of a “policy on policies” 

Gbemi Yusuff
Senior Counsel, OneTrust
May 10, 2023

Overhead view of 2 colleagues speaking in office hallway

In every organization, policies represent one of the key tools for getting things done effectively, efficiently, and consistently. If your company’s anything like mine, you have policies on everything from the day-to-day necessities of managing the workforce to vital issues related to human resources, technology, and security. Policies are how you create and communicate expected standards of behavior and ways of doing business across the organization. 

To cite a few examples:

  • Policies from human resources ensure companies foster equal opportunity and fair treatment when it comes to hiring, firing, promotion, and compensation. 
  • IT departments make policies to govern critical needs like data security and privacy protection. 
  • Procurement and purchasing policies help companies source raw materials, parts, and human resources fairly and responsibly — and ensure that third-party suppliers do the same.
  • And, of course, legal and compliance teams implement policies to ensure employees and the enterprise comply with relevant regulatory and legal requirements, as well as ethics-driven initiatives. 

Want to make day-to-day operations easier for employees and help workers in under-resourced departments effectively manage and understand corporate policies? Download our policy on policies template.


Policies empower, educate, and align employees and third parties 

Policies provide employees and stakeholders with clarity and guidance about how your organization wants to conduct its business. They codify values and culture in tangible ways that reinforce positive behaviors and, in turn, help you build a strong brand reputation. 

Good policies also help you mitigate risk and demonstrate compliance. A policy on bribery and corruption, for example, not only establishes your company’s stance on ethical business but also lays the foundation for establishing procedures that help employees comply with related laws and regulations. 

Policies function as guardrails to keep employees and suppliers on the right path. And they’re particularly important in today’s global marketplace, with regulation coming from many jurisdictions and directed at many aspects of how organizations work: data privacy, whistleblowing, anti-corruption, and corporate transparency, to name a few. 

As regulatory burdens increase and rules and guidelines proliferate across a company, managing policies has become increasingly more challenging.


The need for a policy framework: A policy on policies 

Historically, corporate policies have been established by individual departments or functions that create, deploy, update, and enforce them — a situation that can lead to interdepartmental inconsistencies and conflicts (HR says one thing and legal says another). Adding complexity to the policy landscape is the fact that some policies focus on best practices while others are mandated by law. And, of course, policies must reflect the laws and regulations of multiple jurisdictions.  

To ensure compliance — and success — in this new reality, organizations need a new approach to managing policies. Forward-thinking companies should consider a framework for policy governance — a global, enterprise-wide strategy for the creation and management of policies that are consistent, continuously monitored for compliance, and easily adjusted to the requirements of a changing world. You might think of policy governance as a “policy on policies.”

When you create an intentional and organized policy governance framework, one backed by technological solutions that make it easier to ensure acceptance and compliance, your organization will be more effective and efficient at creating and managing policies. And that can lead to improved compliance and lower risk.


Best practices for policy governance

Here are five best practices for an effective policy governance framework: 

  • Explicitly spell out policy ownership: In today’s enterprise, policies have multiple stakeholders: Personnel-centric policies, for example, generally require input and oversight from HR, legal, and compliance teams. Privacy issues can involve legal, IT, information security, and compliance. A policy governance framework should make clear the roles and responsibilities for policy creation and management.
  • Provide a framework for the consistent structure for your policies: No matter what the subject, your policies will benefit by having consistent format, style, and tone so the recipients immediately recognize it as a company policy and can easily understand and digest the policy. When training is required as part of the policy implementation, include the purpose and scope of the policy, in addition to the consequences of nonadherence.
  • Account for jurisdictional and functional requirements: Regulations vary from region to region and policies must take this into account. Does a policy apply to one country or an entire region? One singular function or for every employee around the world? Where possible, policies should be global to avoid confusion and inefficiencies. However, this is not always practical or achievable. An intentional and thoughtful policy governance framework can help your policy owners and drafters keep such issues top of mind and provide guidance on policy application and scope. 
  • Articulate the policy approval process: A policy governance framework should also spell out how policies are approved and by whom. Some can be approved at a departmental or functional level; others may require CEO or even board approval. 
  • Enable version control and deployment management: Policies, of course, change. Organizational and regulatory changes will necessitate frequent policy reviews. Corporate realities evolve — just think of the massive policy changes that had to be made in the wake of the pandemic or how policies might need to change when your company reorganizes or adopts a new strategy. A global repository of policies and the populations they impact can automate distribution to all relevant stakeholders and document that they’ve received and accepted the most current version. Automation plays a critical role in your capacity to demonstrate compliance. A signed photocopy of a policy document stuffed in a drawer or saved as a PDF might seem sufficient, but it will require a lot of effort to convince auditors or regulators that every person in an organization has agreed to an important policy.


The power of a strategic policy on policies

Good policy governance helps your company mitigate the risk of penalties, fines, legal actions, and reputation damage. But above all, good policies — particularly those surrounding best practices and good corporate citizenship — are good business. Companies that behave ethically tend to outperform the competition

Policy governance — a policy on policies — gives you an opportunity to think through and rationalize your existing policy process. And technology solutions can make enterprise policy management and compliance more scalable and automated. Ultimately, a robust policy governance framework is about making day-to-day operations easier for employees, helping workers in under-resourced departments to more effectively manage and understand corporate policies.


You can learn more about the power and importance of policy governance by downloading our policy on policies template.

You may also like


Third-Party Due Diligence

Sanctions and export controls: Ensuring compliance

Watch our live expert webinar on understanding global sanctions and export controls and how to reduce your organiztion's risk exposure and ensure compliance.

June 29, 2023

Learn more


Third-Party Due Diligence

A shortcut to third party due diligence fundamentals

In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.

June 20, 2023

Learn more


Third-Party Risk

Unpacking the third-party risk regulatory landscape in the Nordic region and beyond

In this live webinar, our expert panel discuss emerging third-party risk regulatory trends in the Nordic region and show how OneTrust can help your business stay complaint.

May 30, 2023

Learn more