Take a Portfolio Approach to Policy Management

Find the right balance between risk mitigation and operational efficiency.



Your Challenge

  • The need for a new policy is generally initiated in response to a new regulatory compliance standard or industry framework, or because of a mandate from the business that requires some degree of guidance over a new initiative.
  • Approaching policy creation in this reactive manner often results in an excessive number of documents that are narrow in scope and don’t address the underlying risk.
    • Policies lag behind changing business and technology demands and compliance requirements.
    • Employees complain that policies restrict them from doing their job.

Our Advice

Critical Insight

  • Manage your policies like a portfolio; focus your efforts on policies that mitigate your greatest risks.

Impact and Result

  • Find the right balance between operational efficiency and risk mitigation by managing your policies like a portfolio.
    • The need for policies should be driven by risks and their impact on your processes.
    • You don’t need a policy for everything; focus your efforts on policies that mitigate your greatest risks.
    • Your policies should be consistent with one another and provide adequate coverage of your greatest risks without becoming redundant or overwhelming to the user population.

Take a Portfolio Approach to Policy Management


Establish policy governance processes

Establish a working group to govern policy management and define its scope, purpose, and roles and responsibilities.


Assess IT’s risk landscape

Identify and assess IT’s risks, which will determine content within policies and the priority of policy development.


Create a policy action plan

Identify gaps, inconsistencies, and redundancies in your current policy portfolio and create a plan to remediate them.


Develop policies

Draft clear, consistent policies that will effectively mitigate the risks of your organization.


Communicate policies to end users

Plan your communication of policies to ensure high levels of policy awareness and compliance.


Monitor and reassess the portfolio

Monitor and reassess the policy portfolio on a regular basis to ensure continued coverage against your organization’s changing risk landscape.

Info-Tech Academy


IT Management & Policies Course

This course makes up part of the Strategy & Governance Certificate.


Course information:

Title: IT Management & Policies Course
Number of Course Modules: 5
Estimated Time to Complete: 2-2.5 hours

David Yackness, Sr. Research Director, CIO Practice
James Alexander, SVP of Research and Advisory, CIO Practice

Onsite Workshop


Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Launch the Project & Assess Your Risk Landscape

The Purpose

  • Establishment of high-level policy management goals.
  • Creation of a policy management working group.
  • Definition of the policy management governance processes.
  • Identification and assessment of IT risks.

Key Benefits Achieved

  • Defined scope and purpose of the policy management working group.
  • Defined policy development process.
  • IT risks identified and assessed.



Getting started and identifying areas for improvement.

  • List of issues and pain points for policy management


Identifying key opportunity areas.

  • Set of six to ten goals for policy management


Establishing policy governance.

  • Amended Steering Committee Charter
  • RACI Chart


Documenting the process.

  • Documented policy development process


Identifying risk scenarios.

  • Ranked list of IT’s risk scenarios


Identifying risk events.

  • List of risks


Assessing risks.

  • Prioritized list of IT risks (simplified risk register)

Module 2: Create a Policy Action Plan

The Purpose

  • Map current and required policies to risk events.
  • Assess policy effectiveness.
  • Create a plan that identifies the required action, responsible party, required resources, and timelines.

Key Benefits Achieved

  • Policies are evaluated for their effectiveness.
  • A plan is created to address policy deficiencies.



Mapping policies to risks.


Assessing policies.


Creating an action plan.

  • Policy Action Plan

Module 3: Develop & Communicate Policies

The Purpose

  • Define the policy audience, constraints, and in-scope and out-of-scope requirements.
  • Draft policies.
  • Create a policy communication plan.

Key Benefits Achieved

  • Drafted policies.
  • A plan is created to communicate policies.



Drafting policies.

  • Drafted policies



  • Communication plan

Module 4: Monitor & Reassess the Portfolio

The Purpose

  • Select KPIs to provide insight into policy effectiveness.
  • Gain an understanding of how to drill down to the root cause of the problems when evaluating KPIs over time.

Key Benefits Achieved

  • KPIs selected.
  • Knowledge gained on root cause analysis.



Selecting KPIs.

  • KPI tracking log


Evaluating trends in KPIs.

Search Code: 75057
Published: June 10, 2014
Last Revised: December 11, 2014