Policies are a specialized type of control that is often treated separately from other controls. Policies define what the organization must do and why (i.e. to meet the organization's obligations).
Policies are usually written to align with, encompass, and address all related obligations. Policies can be connected to other system resources (including related policies) in many-to-many relationships (n:n).
A policy can have multiple sub-policies but a sub-policy can only have one parent (1:n relationship). Multiple levels of sub-policies can be created.
Policy Details Screen
The Policy Details screen shares much of its structure with the Obligation Details screen, with key additions:
Summary Section
Version — Optional text field for version tracking
Policy Category — Categorize policies using admin-defined categories
Policy Document — Attach hyperlinks to external policy documents
Policy Management Section
This is a key feature for compliance managers. It supports scheduling recurring reviews and managing the policy approval lifecycle.
Status Tab:
| Field | Description |
|---|---|
| Policy Status | Mirrors the record status. Shows "Active and Published" when set to Active. |
| Reviewers | One or more users who will receive review notifications. Must be compliance users with portfolio access (Admin or Standard). |
| Who Must Review | "Any reviewer" (default) or "All reviewers" — determines whether one or all reviewers must respond for a review to be considered complete. |
| Review Start Date | The anchor date for calculating recurring reviews. For example, if January 1 is set as the start date and the review period is set to semi-annually, recurring review tasks will be due on July 1 and January 1 of each year going forward. |
| Review Period | None, Monthly, Quarterly, Semi-annually, Annually, Every 18 months, or Every 2 years. |
| Next Scheduled Review Due | Auto-calculated from Start Date + Review Period. |
| Notifications | Number of days before the due date to notify reviewers. |
| Review Status | Current review status (Waiting for Reviews, Complete, or Incomplete). |
| Last Review Completed | Date of the most recent completed review. |
Key Actions:
Mark Reviewed — Visible to Admin users and assigned Reviewers. Records a review immediately.
Request Review — Sends an ad hoc review request to selected reviewers with a custom due date.
Policy Activation Rule: When reviewers are assigned, a policy must be reviewed before it can be set to Active (Published) status.
Review Requests Tab:
Shows a table of all review requests (both scheduled and ad hoc) with:
Request Date, Due Date, Reviewers (with response status icons ✅/❌), and Review Status
Associations
Shows linkages between the obligation and its related frameworks and themes. Click Manage Associations to create or break these linkages.
Compliance Status Box
Displays the overall compliance status of the policy, calculated automatically based on its attached key resources (AKRs): sub-policies and must-have controls. Also shows:
% of compliant active must-have controls
% of compliant active sub-policies
Users can manually override the auto-calculated status using the "set value" link, and reset it back to the automatic calculation at any time.
Sub-Sections
Sub-Policies — Parent-child hierarchy (like sub-obligations)
Related Policies — Separate n:n relationships between policies (different from sub-policies)
Obligations, Controls, Risks, Incidents, Action Plans, Notes — Configurable sub-sections
Compliance Status
Policy compliance status works the same way as it does for obligations, but is based on must-have controls and sub-policies as the attached key resources (AKRs).