RULE BOOK

A Chief Security Officer Rationalizes Policies across Business Divisions, Functions and Geographies

Challenge

The new Chief Security Officer was dismayed by the state of the Fortune-ranked company’s security policies. The global powerhouse’s many corporate divisions – organized by product, geography or the structure of companies when they were acquired – had dozens of security-related policy masters, manuals and executive memos in a dizzying array of formats. While one division had been diligent in defining its own policies, others had virtually none. Many were out of date. Some were unclear. Or in conflict. Or incomplete. Most importantly, the company lacked a common set of security policies standardized across all of its businesses, regions and product groups.

Action

Rationalizing this state of affairs was a complex undertaking. Working closely with the client’s security team, we helped (1) draft an initial Table of Contents organized by security domain, (2) identify existing source documents and (3) prescriptively map this content to the emerging framework. Then complexity set in, at the enterprise level. “Is this to be a physical document or a dynamically maintained manual on the company’s Intranet?” we asked. “Is the scope merely the domains ‘owned’ by the Security Department – or all security-related policies published within the company including those owned by other departments such as HR, IT, Compliance, Risk Management or the legal team? And how do you manage exceptions?” As we burrowed into internal documents and intended outcomes, key issues with major long-term implications continued to unfold.

Impact

With policy centralization and standardization comes new awareness and internal efficiencies. A few months later, this company’s handful of business divisions, scores of managers and thousands of employees were able to visit one site on the company’s intranet. There, depending on their access privileges, they were able to view, learn, comment on and contribute to a common set of global security policies. And, for the first time in many years, this company’s governance, risk and compliance executives were able to review and assess the company’s exposure to security-related processes and protocols – and take action to better manage the company’s risk.