The need for a new policy is generally initiated in response to a new regulatory compliance standard or industry framework, or because of a mandate from the business which requires some degree of guidance over a new initiative. Approaching policy creation in this reactive manner often results in an excessive number of documents that are narrow in scope and don’t address the underlying risk. Policies lag behind changing business and technology demands and compliance requirements. Employees complain that policies restrict them from doing their job.

Critical Insight

Manage your policies like a portfolio; focus your efforts on policies that mitigate your greatest risks.

Impact and Result

Find the right balance between operational efficiency and risk mitigation by managing your policies like a portfolio. The need for policies should be driven by risks and their impact on your processes. You don’t need a policy for everything; focus your efforts on policies that mitigate your greatest risks. Your policies should be consistent with one another and provide adequate coverage of your greatest risks without becoming redundant or overwhelming to the user population.