policy 2.0 · the principle layer
Your policies claim accountability. Policy 2.0 proves it.
Every principle has a named owner, a testable definition of good, and a live mapping to the controls, risks, indicators, and actions that evidence it. The board no longer reviews a document. It reviews a running picture of how the firm is keeping its commitments.
From monolithic documents to a live principle layer.

Built by an operator who has seen these challenges from the auditor's and the regulator's perspective. In production at a UK principal firm running 54 Appointed Representatives.
the structural difference
A policy is not a document. It is a layer of the operation.
The traditional model captures policies as instructions inside discrete documents. The instructions sit on one shelf. The work that evidences them sits on another. Policy 2.0 takes the principles out of the document and lays them directly into the operating layer. The same controls and indicators that the first line is already running become the live evidence that the principles are being met.
the principle layer
Policy Management
- Every principle has a named owner who can answer for it
- Each principle carries a testable definition of what good looks like
- Principles map directly to the controls, risks, indicators, and actions that evidence them
- A principle is defined once and reused across every policy where it applies
- A risk event against a mapped control surfaces inside the policy view in real time
Live principle governance

the document layer
Policy Management
- One senior name signs a 12 to 20 page document once a year
- Policy intent sits in prose. Compliance is a subjective read
- Controls, risks, and indicators are managed somewhere else entirely
- The same principle is restated five times across five policies, inconsistently
- A risk event breaches a policy commitment and the policy owner finds out at the next review
Annual document review
Relevance
Four symptoms. One root cause. The policy lives in a document.
These are the patterns we hear in discovery, named in the buyer's voice. They are not separate problems with separate fixes. They are the same structural failure showing up in four places. The principles were locked inside the document and never given anywhere else to live.

- 01 -
Single-owner fiction
“The Conduct Risk policy touches claims, HR, distribution, product, and underwriting. It is signed off by one person. In practice, no one of those teams considers themselves accountable for any specific commitment in it.”
The named owner rubber-stamps the document. The people who could actually answer for specific commitments have no visibility. Accountability is theatre.

- 02 -
Update Paralysis
“A single-paragraph regulatory change took eight weeks to cascade through committee approvals, version control, and redistribution. The policy was four weeks behind the rule the day it was published.”
Any change triggers a full document review cycle across the governance chain. The cost of keeping pace with regulation is so high the firm chooses to fall behind.

- 03 -
Zero operational connection
“The policy says we test the resilience of our business continuity plan. A supplier outage breached that commitment last month. Two weeks later, the policy owner attested everything is fine.”
Policy intent sits in prose. The controls, incidents, and indicators that evidence the intent sit somewhere else entirely. The breach is invisible to the policy owner.

- 04 -
Update Paralysis
“The same commitment around adequate training appears in five policies. Five owners. Five subtly different definitions. When the regulator asks one question, we give five answers.”
The same principle is restated across policies, inconsistently. The drift is invisible inside any single document. It surfaces as a supervisory question the firm cannot answer cleanly.
Inside Policy 2.0
Designed for the principle owner, not the policy librarian.
Every feature in Policy 2.0 follows from a single design rule: the principle is the unit of accountability. Three features carry the rule most visibly.

01
Principle-level ownership
Name the person. Not the function.
A Business Continuity policy touches IT, facilities, supplier management, operations, and HR. No single person owns all of that. Policy 2.0 names the actual owner of each principle. When the regulator asks who is accountable for the impact tolerance on the firm's most critical service, the firm gives a real name. Not the COO.

02
Failures surface in the policy
Operational reality, visible without a chase.
When a mapped control fails, a risk event is logged, or an indicator breaches its threshold, the policy view picks it up automatically. The policy owner does not have to chase the second line for an update. The Business Continuity policy already shows that last month's supplier outage hit the resilience principle. The next review starts from operational reality, not from prose.

03
Structured attestation
A review with substance. Not a roll-forward.
The annual review stops being a roll-forward of stale prose. It becomes a structured check on whether each principle is still the right commitment, whether the mapped risks and controls still apply, and whether the indicators are still telling the truth. The reviewer engages with operational reality instead of with the Word document.
delivering context
Every principle carries its evidence. Every breach surfaces where it matters.
Open any principle and the context is already there. The controls evidencing it, the risks behind it, the indicators monitoring it, the actions in flight, and any incidents that have hit the related controls. The policy view is the same view the operator works in. Nothing is stitched together after the fact.
business outcomes
One principle layer. Three views that finally agree.
When the principle layer is the same layer the second line attests against and the board reviews, the three views of policy compliance stop contradicting each other.
for the first line
Reading the policy stops being the job.
Clear commitments. Bite-sized.
The operator no longer has to read a forty-page document to find the three principles that apply to their work. Each principle is named, scoped, and connected to the controls they are already running. The policy stops being an annual ritual the first line learns to ignore.
for the second line
Document maintenance stops being the job.
Live evidence. Real attestation.
The reviewers no longer attest against prose. Every principle carries the controls and indicators that evidence it. Risk events surface inside the policy view in real time. The attestation becomes a structured assessment of what is actually happening, not a rubber stamp on a document.
for the board
Approving the document stops being the job.
Verify the principle. Not the prose.
The board moves from approving fifteen policies in twenty minutes to reviewing the principles. INEDs can see which principles had risk events since the last review and which commitments are not being evidenced. SM&CR accountability lands on the person actually doing the work.