The case for policy audits

Public and private sector organizations are coming under increasing pressure to provide accountability for both their security and financial operations. Whether it is the Auditor General’s reports or PIPEDA — the Personal Information Protection and Electronic Documents Act — governments in Canada are increasingly expected to demonstrate good management and transparent accountability over their operations. Similarly, in the United States, the Enron and WorldCom scandals have led to the Sarbanes-Oxley Act. In all this activity of accountability and rigorous tracking, it is easy to forget the one aspect of government that is central to their existence: policy.

Policy is central to all levels of government and defines how they operate: The separation of the legislative and executive branches of government is nothing more than the separation of policy creation and policy implementation. Law is, at its barest level, simply policy, and all the data and money governments manage is, in the end, subservient to the policies that the money and data support. In the modern “information age,” these policies have to be turned into IT support systems; he policy analysts and the IT directors sit on either side of a wall and each take part in a never-ending dance of changing policy and implementing the changes. But while the wall works well in ensuring fairness, it also imposes efficiency and financial costs on the operation of government.

The chief problem is that, in most cases, there is no overall tracing of how policies are implemented across an organization. When a policy does change — and that is, after all, the business of government — it is generally impossible to tell exactly where or how that policy is currently implemented in the IT support systems. Even if you know generally where it is, the contractors that were hired to develop that system are long gone. Where are the policies implemented? How long will it take to update them? How much will it cost? How can you be sure your systems are all updated and synchronized? Do you know that there is no duplication across the systems?

Organizations, private and public, have developed a sophisticated understanding of data management and financial accounting. The same cannot be said for policy management. IT department are not rewarded for tracking policy implementation information and are under a constant crunch to solve short-term issues. They have neither the resources nor the mandate to look at the bigger picture. On the other side of the wall, policy makers set policies and are not trained to look at the management side of policy tracking. Both sides see policy management as the responsibility of the other. Trying to break through this “assignment of responsibility” issue is one of the biggest challenges in itself.

The good news is that, once the problem is acknowledged, there are things that can be done about it, for both new and existing systems.

1. Acknowledge the problem. Going hand-in-hand with point three, you need to ensure that at least one sponsor from each side of “the wall” understands the issue.

2. Perform an audit of the current situation so that the current state of policy tracking and management is understood.

3. Educate your senior managers and IT architects. Articles, seminars or tutorials can be used to highlight the issues and possible approaches to key personnel.

4. Analyze your policy management needs. Depending on the complexity of your systems, the rate of policy change, the need for rapid implementation and the resource budget, different approaches are appropriate. The first step is to do an overall analysis of both your current situation and your requirements.

5. Develop an appropriate policy management road map. For some situations, a parallel tracking database of policy implementations may be the most appropriate architecture, while for other systems with higher policy management needs, a more integrated policy “engine” may be best.

6. Start small. Build a proof-of-concept system. This will validate the chosen architecture and give staff and architects experience on a manageable level.

7. Develop an implementation plan. Once the architectural roadmap has been laid out and a proof-of-concept implemented, a plan must be developed for rolling out the policy management architecture across the organization in a feasible and practical way.

Time, money and pragmatism dictate that there is no optimal solution to the policy management issue. For new architectures, there are architectural solutions that can be leveraged, while for legacy systems it may be more appropriate to collect and manage policy metadata using a parallel system.

Governments at all levels are responsible for creating and implementing policies to support public programs and institutions, and as policy complexity increases and government becomes more networked and automated, the pressure to track, audit and manage public policy implementations will only increase.

Richard Deadman ( is a founding partner of Agile Web Services of Ottawa.

Related Download
3 reasons why Hyperconverged is the cost-efficient, simplified infrastructure for the modern data center Sponsor: Lenovo
3 reasons why Hyperconverged is the cost-efficient, simplified infrastructure for the modern data center
Find out how Hyperconverged systems can help you meet the challenges of the modern IT department. Click here to find out more.
Register Now