Take a Portfolio Approach to Policy Management

Find the right balance between risk mitigation and operational efficiency.



Your Challenge

  • The need for a new policy is generally initiated in response to a new regulatory compliance standard or industry framework, or because of a mandate from the business that requires some degree of guidance over a new initiative.
  • Approaching policy creation in this reactive manner often results in an excessive number of documents that are narrow in scope and don’t address the underlying risk.
    • Policies lag behind changing business and technology demands and compliance requirements.
    • Employees complain that policies restrict them from doing their job.

Our Advice

Critical Insight

  • Manage your policies like a portfolio; focus your efforts on policies that mitigate your greatest risks.

Impact and Result

  • Find the right balance between operational efficiency and risk mitigation by managing your policies like a portfolio.
    • The need for policies should be driven by risks and their impact on your processes.
    • You don’t need a policy for everything; focus your efforts on policies that mitigate your greatest risks.
    • Your policies should be consistent with one another and provide adequate coverage of your greatest risks without becoming redundant or overwhelming to the user population.

  • Illir Azizi, Manager, Ministry of the Attorney General, Ontario
  • Doug Leone, Information Security Officer, CA Department of Toxic Substances Control
  • Brandon Pinzon, VP, Senior IT Policy & Compliance Officer, Capital Farm Credit
  • One Anonymous Director of Technology, Financial Services. Due to the sensitivity of the information, this contributor requested confidentiality.

Want to Participate in Our Research?

  • Analyst Interviews: Share your best practices, opinions, tools or templates with your peers.
  • Webinars: Interactive session to keep us focused on topics you want to tackle.
  • Upcoming Workshops: Accelerate your project with an onsite, expert analyst to facilitate a workshop for you. Contact us for more details.


Get to Action

  1. Establish policy governance processes

    Establish a working group to govern policy management and define its scope, purpose, and roles and responsibilities.

  2. Assess IT’s risk landscape

    Identify and assess IT’s risks, which will determine content within policies and the priority of policy development.

  3. Create a policy action plan

    Identify gaps, inconsistencies, and redundancies in your current policy portfolio and create a plan to remediate them.

  4. Develop policies

    Draft clear, consistent policies that will effectively mitigate the risks of your organization.

  5. Communicate policies to end users

    Plan your communication of policies to ensure high levels of policy awareness and compliance.

  6. Monitor and reassess the portfolio

    Monitor and reassess the policy portfolio on a regular basis to ensure continued coverage against your organization’s changing risk landscape.

Guided Implementation

This guided implementation is a five-call advisory process.

  • Guided Implementation #1

  • Call #1: Review policy governance processes

    Our expert advisors will discuss the purpose, scope, and mandate of your IT Policy Working Group and review any amendments made to an IT Steering Committee Charter addressing the governance of policy management.

  • Guided Implementation #2

  • Call #1: Review risk assessment

    We will review your simplified risk register and discuss strategies to ensure you have a comprehensive view of your IT organization’s risk landscape.

  • Guided Implementation #3

  • Call #1: Review policy action plans

    Our advisors will discuss the assessment of the effectiveness of your policies and review your policy action plans.

  • Guided Implementation #4

  • Call #1: Review policy development and communication

    We will review your policy drafts and discuss best practices for communicating changes in policy to your end users.

  • Guided Implementation #5

  • Call #1: Monitoring the portfolio

    We will review the trends in your key performance indicators and assist you in determining the root cause of any non-compliance or exception-related trends.

Onsite Workshop

Module 1: Launch the Project & Assess your Risk Landscape

The Purpose

  • Establishment of high-level policy management goals.
  • Creation of a policy management working group.
  • Definition of the policy management governance processes.
  • Identification and assessment of IT risks.

Key Benefits Achieved

  • Defined scope and purpose of the policy management working group.
  • Defined policy development process.
  • IT risks identified and assessed.

Activities and outputs:

1.1 Getting started and identifying areas for improvement.
  • List of issues and pain points for policy management
1.2 Identifying key opportunity areas.
  • Set of six to ten goals for policy management
1.3 Establishing policy governance.
  • Amended Steering Committee Charter
  • RACI Chart
1.4 Documenting the process.
  • Documented policy development process
1.5 Identifying risk scenarios.
  • Ranked list of IT’s risk scenarios
1.6 Identifying risk events.
  • List of risks
1.7 Assessing risks.
  • Prioritized list of IT risks (simplified risk register)

Module 2: Create a Policy Action Plan

The Purpose

  • Map current and required policies to risk events.
  • Assess policy effectiveness.
  • Create a plan that identifies the required action, responsible party, required resources, and timelines.

Key Benefits Achieved

  • Policies are evaluated for their effectiveness.
  • A plan is created to address policy deficiencies.

Activities and outputs:

2.1 Mapping policies to risks.
2.2 Assessing policies.
2.3 Creating an action plan.
  • Policy Action Plan

Module 3: Develop & Communicate Policies

The Purpose

  • Define the policy audience, constraints, and in-scope and out-of-scope requirements.
  • Draft policies.
  • Create a policy communication plan.

Key Benefits Achieved

  • Drafted policies.
  • A plan is created to communicate policies.

Activities and outputs:

3.1 Drafting policies.
  • Drafted policies
3.2 Communicating.
  • Communication plan

Module 4: Monitor & Reassess the Portfolio

The Purpose

  • Select KPIs to provide insight into policy effectiveness.
  • Gain an understanding of how to drill down to the root cause of the problems when evaluating KPIs over time.

Key Benefits Achieved

  • KPIs selected.
  • Knowledge gained on root cause analysis.

Activities and outputs:

4.1 Selecting KPIs.
  • KPI tracking log
4.2 Evaluating trends in KPIs.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.


Search Code: 75057
Published: June 10, 2014
Last Revised: December 11, 2014
