By Cherie M. Fairburn

Part 1 of this series discussed the driving forces behind the burgeoning growth of policies and procedures and their imperative nature. Part 2 discusses an approach to developing a taxonomy for these variant drivers that is scalable to each business unit within the enterprise, regardless of source.

PolicyManager Information Architecture

The challenge for any enterprise to manage its growing portfolio of Policies and Procedures is to devise a classification scheme that links them with regulatory standards, where applicable, and also optimizes retrievability and usability. If the information architecture is not intuitive and user-friendly, users will avoid it, and the system will not be maintained over time. Foremost, the framework for storing these Policies and their associated Processes and Procedures must be rationally organized so that it is both conveniently accessible and easily usable with a minimal level of uncertainty.

In considering how to organize the data, the only meaningful classification structure is one that is standardized so as to extend application to the broadest reach possible. The information structure and presentation scheme must serve the needs of multiple users across the business areas, whatever their specific engagement.

A model information architecture classification scheme that meets these criteria might be structured as follows:

BCBSLA
    Enterprise (corporate)
    Business Units
        - a
        - b
        - c
    Operations
REGULATORY STANDARDS & BENCHMARKS
    COBIT
        - 1
        - 2
    HIPAA
        - 1
        - 2
    ISO 9000
        - 1
        - 2
    SOX (Sarbanes-Oxley)
        - 1
        - 2
    Other Compliance
        - Federal
        - State
        - Local

Nomenclature and Numbering

Document suites are created in our web-based policy and procedure management tool, Policy and Procedure Manager^®, a product developed by PolicyTech International. To the maximum extent possible, they are numbered and filed according to their controlling governing standards. The convention for document numbering established is as follows:

Interpreting this document number is a simple matter with the key provided:

1)	IT	Originator/Owner group
2)	COB	the controlling regulation/compliance standard/recommended benchmark
3)	ME	the "Monitor/Evaluate" category of COBIT (Domain 4) IT governance standard
4)	4.2	the individual benchmark of the category
5)	F	the 6th document/document suite associated with the ME-4.2 benchmark
6)	2	a 2nd-level document (Process)

Policy, Process, and Procedure Templates

BCBSLA templates for policies and procedures also integrate the processes out of which procedures flow so that users can consider the underlying relationships between these three document types and apprehend them as they should be understood--an interlocking system.

Policy states the objective to be accomplished and other relevant authorizations.

From a given policy, one or several processes may be operative. Process describes a workstream consisting of several activities. The Process template:

• identifies the roles and responsibilities of the participants in a given process,
• marks the entrance and exit criteria,
• distinguishes among possible variations (as provided for in the Tailoring Guidelines section),
• identifies the assets (artifacts, materials, tools to be used, e.g., a particular checklist, spreadsheet, or formula),
• and establishes the metrics by which achievement of objectives is to be measured.

A single process may control multiple procedures. Procedure provides the step-by-step directions associated with a given task.