Policy Domain
The Policy domain establishes rules, guidelines, and standards governing operations and decision-making. Policies are structured as dynamic elements within business architecture, directly influencing execution across capabilities, value streams, and information domains.
Schema Version: 2.1
Schema Location: /schemas/policy.schema.json
Specification: JSON Schema Draft-07
Overview
What is a Policy?
A policy represents a formal statement of principles, rules, or guidelines that govern behavior and decision-making within an organization. Policies provide the framework for:
- Operational governance — Rules for how work is performed
- Compliance management — Adherence to regulations and standards
- Risk mitigation — Controls to reduce organizational risk
- Decision frameworks — Guidelines for consistent decision-making
The domain emphasizes operationalization of policies by linking them to specific processes, capabilities, and workflows to ensure active enforcement and alignment.
Purpose and Value
The Policy domain enables architects and planners to:
- Document governance frameworks with consistent structure
- Link policies to operations through capability and process connections
- Track compliance via metrics and monitoring
- Manage policy lifecycle including reviews and updates
- Support audits through traceability and evidence
The Policy domain maps directly to data governance concepts:
- Policy → Data Governance Policy / Data Quality Rule
- Requirements → Data quality checks / Validation rules
- Compliance Metrics → Data quality scores / Compliance dashboards
- Review Frequency → Policy refresh cycles
- Related Policies → Policy dependencies and hierarchies
Core Components
The Policy domain includes essential elements:
- Policy Statement: Core rules and guidelines being established
- Requirements: Specific conditions or criteria to be met
- Compliance Metrics: Measures to ensure adherence
- Approval Chain: Individuals or groups who approve the policy
- Related Policies: Connected or dependent policies
Domain Attributes
Core Attributes
| Attribute | Type | Description | Required |
|---|---|---|---|
| title | String | Name or title of the Policy | ✓ |
| description | String | Detailed explanation of what the Policy entails | ✓ |
| purpose | String | Intended purpose or function within the Organization | ✓ |
| owner | String | Individual or team responsible for the Policy | ✓ |
| orgUnitTitle | String | Organization unit(s) to which the Policy is linked | |
| policyCategory | Enum | Category of policy | |
| policyType | Enum | Type of policy | |
| scope | String | Scope of policy application | |
| effectiveDate | Date | When the policy becomes effective | |
| expirationDate | Date | When the policy expires (if applicable) | |
| version | String | Policy version number | |
| requirements | String | Specific conditions or criteria to be met | |
| complianceMetrics | String | Measures to ensure adherence to policies | |
| reviewFrequency | Enum | How often the Policy is reviewed and updated | |
| approvals | String | Individuals or groups that must approve the Policy | |
| relatedPolicies | String | Policies that are related or linked | |
| complianceAndStandards | Array[Enum] | Regulatory requirements and standards | |
| enforcement | String | How the policy is enforced | |
| exceptions | String | Documented exceptions to the policy | |
| risks | String | Potential risks associated with the Policy | |
| riskCategories | Array[Enum] | Categories of risks | |
| improvementOpportunities | String | Areas for enhancement | |
| strategicAlignment | String | Alignment with strategic goals | |
| affectedCapabilities | Array[String] | Capabilities governed by this policy | |
| affectedProcesses | Array[String] | Processes governed by this policy | |
| trainingRequirements | String | Training needed for policy compliance | |
| documentationLinks | Array[String] | Links to supporting documentation | |
Enumeration Values
Policy Category (policyCategory)
| Value | Description | Example |
|---|---|---|
| Operational Policy | Day-to-day operational rules | Work procedures, safety protocols |
| Governance Policy | Organizational governance | Decision rights, authority levels |
| Compliance Policy | Regulatory compliance | Data protection, financial reporting |
| Security Policy | Security and access control | Access management, encryption |
| Data Policy | Data management and usage | Data quality, retention, privacy |
| HR Policy | Human resources | Employment, conduct, benefits |
| Financial Policy | Financial management | Spending limits, approvals |
| Technology Policy | Technology usage | Acceptable use, architecture standards |
| Risk Policy | Risk management | Risk tolerance, mitigation |
| Quality Policy | Quality standards | Quality assurance, testing |
Policy Type (policyType)
| Value | Description | Example |
|---|---|---|
| Standard | Mandatory requirements | Must-follow rules |
| Guideline | Recommended practices | Best practice guidance |
| Procedure | Step-by-step processes | How-to instructions |
| Framework | Structural approach | Governance framework |
| Rule | Specific constraint | Business rule |
| Directive | Authoritative instruction | Executive directive |
Review Frequency (reviewFrequency)
| Value | Description | Example |
|---|---|---|
| Monthly | Reviewed monthly | High-change policies |
| Quarterly | Reviewed quarterly | Compliance policies |
| Semi-Annual | Reviewed twice yearly | Operational policies |
| Annual | Reviewed yearly | Standard policies |
| Biennial | Reviewed every two years | Stable policies |
| As-Needed | Reviewed when triggered | Event-driven review |
Compliance and Standards (complianceAndStandards)
| Value | Description |
|---|---|
| Federal Regulations | Federal government regulations |
| State Regulations | State/provincial regulations |
| Industry Standards | Industry-specific standards |
| Internal Standards | Organization-specific standards |
| Quality Standards | Quality management standards (ISO) |
| Safety Standards | Safety regulations and standards |
| Privacy Regulations | Data privacy regulations (GDPR, CCPA) |
| Security Standards | Security standards (SOC2, ISO 27001) |
| Financial Regulations | Financial compliance (SOX, Basel) |
Risk Categories (riskCategories)
| Value | Description | Example |
|---|---|---|
| Compliance Risk | Regulatory non-compliance | Fines, sanctions |
| Operational Risk | Operational failures | Process breakdowns |
| Security Risk | Security vulnerabilities | Data breaches |
| Reputational Risk | Reputation damage | Public trust loss |
| Financial Risk | Financial impact | Cost overruns |
| Legal Risk | Legal exposure | Litigation |
Domain Relationships
The Policy domain integrates with other metamodel domains:
| Target Domain | Relationship Type | Description |
|---|---|---|
| Organization | Ownership | Organization units own and enforce policies |
| Capabilities | Governance | Policies govern capability execution |
| Value Stream | Compliance | Value streams comply with relevant policies |
| Information | Protection | Policies protect information assets |
| Services | Standards | Policies set service delivery standards |
| Products | Quality | Policies define product quality requirements |
| Performance | Measurement | Policies measured through compliance metrics |
| Initiatives | Alignment | Initiatives comply with policy constraints |
| Stakeholder | Accountability | Stakeholders accountable for policy adherence |
| Technology | Control | Policies control technology usage |
Examples
Example 1: Track Safety Standards Policy
```json
{
  "title": "Track Safety Standards Compliance Policy",
  "description": "Comprehensive framework for ensuring compliance with FRA track safety standards across all rail classifications and operational territories",
  "purpose": "Maintain consistent track safety standards across all rail classifications to ensure safe operations",
  "owner": "Director of Track Safety Standards",
  "orgUnitTitle": "Track and Rail Infrastructure Division",
  "policyCategory": "Compliance Policy",
  "policyType": "Standard",
  "scope": "All track infrastructure across the national rail network",
  "effectiveDate": "2024-01-01",
  "version": "3.2",
  "requirements": "Daily track inspections for Class 4-5 track, bi-weekly for Class 1-3. All defects documented within 4 hours. Critical defects addressed within 24 hours.",
  "complianceMetrics": "Inspection completion rate: 99.4%, Documentation accuracy: 98.7%, Defect resolution time: 95% within SLA",
  "reviewFrequency": "Annual",
  "approvals": "FRA Administrator, Chief Safety Officer, Regional Directors",
  "relatedPolicies": "Track Inspector Qualification Policy, Track Maintenance Standards, Emergency Response Procedures",
  "complianceAndStandards": ["Federal Regulations", "Safety Standards"],
  "enforcement": "Automated inspection tracking system, supervisor audits, third-party verification",
  "exceptions": "Weather-related delays documented and approved by Regional Director",
  "risks": "Documentation gaps, inspection delays, resource constraints",
  "riskCategories": ["Compliance Risk", "Operational Risk", "Safety Risk"],
  "improvementOpportunities": "Implement digital inspection records, streamline approval process, automate compliance reporting",
  "strategicAlignment": "Supports zero-accident goal through systematic inspection procedures",
  "affectedCapabilities": ["Track Inspection", "Maintenance Management", "Safety Monitoring"],
  "trainingRequirements": "Annual certification for all track inspectors, quarterly updates on regulation changes"
}
```
Example 2: Data Governance Policy
```json
{
  "title": "Enterprise Data Governance Policy",
  "description": "Establishes standards and procedures for data management, quality, security, and usage across the organization",
  "purpose": "Ensure data is managed as a strategic asset with appropriate quality, security, and compliance controls",
  "owner": "Chief Data Officer",
  "orgUnitTitle": "Data and Analytics Division",
  "policyCategory": "Data Policy",
  "policyType": "Framework",
  "scope": "All enterprise data assets and data processing activities",
  "effectiveDate": "2024-01-01",
  "version": "2.0",
  "requirements": "All data assets must have assigned owners. Data quality scores must exceed 95%. Sensitive data must be classified within 30 days of creation. Data lineage must be documented for all analytical assets.",
  "complianceMetrics": "Data ownership coverage: 98%, Average data quality score: 96.2%, Classification compliance: 99.1%",
  "reviewFrequency": "Quarterly",
  "approvals": "Chief Data Officer, Data Governance Council, Legal Review",
  "relatedPolicies": "Data Classification Policy, Data Retention Policy, Privacy Policy, Access Control Policy",
  "complianceAndStandards": ["Privacy Regulations", "Internal Standards", "Industry Standards"],
  "enforcement": "Automated data quality monitoring, access audits, governance dashboard reviews",
  "risks": "Data quality degradation, unauthorized access, compliance violations",
  "riskCategories": ["Compliance Risk", "Security Risk", "Operational Risk"],
  "improvementOpportunities": "Implement automated data cataloging, enhance self-service governance tools",
  "strategicAlignment": "Enables data-driven decision making and supports digital transformation initiatives",
  "affectedCapabilities": ["Data Management", "Analytics", "Reporting", "Data Integration"],
  "trainingRequirements": "Data steward certification, annual data governance awareness training"
}
```
Example 3: Information Security Policy
```json
{
  "title": "Information Security Policy",
  "description": "Defines security requirements for protecting organizational information assets from unauthorized access, disclosure, modification, or destruction",
  "purpose": "Protect information assets and maintain confidentiality, integrity, and availability",
  "owner": "Chief Information Security Officer",
  "orgUnitTitle": "Information Security Division",
  "policyCategory": "Security Policy",
  "policyType": "Standard",
  "scope": "All information systems, data, and personnel",
  "effectiveDate": "2024-01-01",
  "version": "4.1",
  "requirements": "Multi-factor authentication required for all systems. Encryption required for data at rest and in transit. Security assessments quarterly. Incident response within 1 hour.",
  "complianceMetrics": "MFA adoption: 99.8%, Encryption coverage: 100%, Security assessment completion: 100%",
  "reviewFrequency": "Semi-Annual",
  "approvals": "CISO, CTO, Legal Counsel, Audit Committee",
  "relatedPolicies": "Access Control Policy, Incident Response Policy, Acceptable Use Policy",
  "complianceAndStandards": ["Security Standards", "Privacy Regulations", "Industry Standards"],
  "enforcement": "Automated security monitoring, penetration testing, compliance audits",
  "risks": "Data breaches, unauthorized access, system compromise",
  "riskCategories": ["Security Risk", "Compliance Risk", "Reputational Risk"],
  "strategicAlignment": "Protects organizational assets and maintains stakeholder trust"
}
```
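One way to check a policy record against the required attributes and enumeration values listed in the tables on this page before it is mapped into tag or test names (an added example, not part of the Orthogramic schema or tooling). The ISO date format and the rule that expirationDate follows effectiveDate are assumptions; `validate_policy`, `ENUMS` and `SAMPLE` are names chosen here.

```python
from datetime import date

# Required attributes and enumeration values as listed in the tables on this page.
REQUIRED = ("title", "description", "purpose", "owner")
ENUMS = {
    "policyCategory": {"Operational Policy", "Governance Policy", "Compliance Policy",
                       "Security Policy", "Data Policy", "HR Policy", "Financial Policy",
                       "Technology Policy", "Risk Policy", "Quality Policy"},
    "policyType": {"Standard", "Guideline", "Procedure", "Framework", "Rule", "Directive"},
    "reviewFrequency": {"Monthly", "Quarterly", "Semi-Annual", "Annual", "Biennial", "As-Needed"},
    "complianceAndStandards": {"Federal Regulations", "State Regulations", "Industry Standards",
                               "Internal Standards", "Quality Standards", "Safety Standards",
                               "Privacy Regulations", "Security Standards", "Financial Regulations"},
    "riskCategories": {"Compliance Risk", "Operational Risk", "Security Risk",
                       "Reputational Risk", "Financial Risk", "Legal Risk"},
}

def validate_policy(policy):
    """Return a list of findings; an empty list means the record passed."""
    findings = []
    for field in REQUIRED:
        value = policy.get(field)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{field}: required attribute missing or empty")
    for field, allowed in ENUMS.items():
        value = policy.get(field, [])
        for v in value if isinstance(value, list) else [value]:
            if not isinstance(v, str) or v not in allowed:
                findings.append(f"{field}: {v!r} is not a listed value")
    parsed = {}
    for field in ("effectiveDate", "expirationDate"):
        if field in policy:
            try:
                parsed[field] = date.fromisoformat(policy[field])
            except (TypeError, ValueError):
                findings.append(f"{field}: not an ISO 8601 date (YYYY-MM-DD)")
    # Assumption: an expiration date must fall after the effective date.
    if len(parsed) == 2 and parsed["expirationDate"] <= parsed["effectiveDate"]:
        findings.append("expirationDate: must be later than effectiveDate")
    return findings

# Constructed sample: a subset of the fields from Example 1 above.
SAMPLE = {
    "title": "Track Safety Standards Compliance Policy",
    "description": "Compliance with FRA track safety standards",
    "purpose": "Maintain consistent track safety standards",
    "owner": "Director of Track Safety Standards",
    "policyCategory": "Compliance Policy", "policyType": "Standard",
    "effectiveDate": "2024-01-01", "reviewFrequency": "Annual",
    "complianceAndStandards": ["Federal Regulations", "Safety Standards"],
    "riskCategories": ["Compliance Risk", "Operational Risk", "Safety Risk"],
}
```

Run on the sample, `validate_policy` reports that `Safety Risk` from Example 1 is not among the Risk Categories values listed above. Whether the published schema accepts that value has to be checked against /schemas/policy.schema.json.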
Implementation Guidelines
Policy Management Best Practices
- Clear ownership — Assign accountable owners for each policy
- Regular review — Establish and follow review schedules
- Operational linkage — Connect policies to processes and capabilities
- Measurable compliance — Define quantifiable compliance metrics
- Exception management — Document and track approved exceptions
Policy Lifecycle
Policy Hierarchy
Policies should be organized in a logical hierarchy:
OpenMetadata Integration
When integrating with OpenMetadata, map Policy entities as follows:
| Orthogramic Element | OpenMetadata Entity | Notes |
|---|---|---|
| Data Policy | Glossary + Tags | Policy definitions as terms |
| Requirements | Data Quality Tests | Policy rules as tests |
| Compliance Metrics | Test Results | Compliance tracking |
| Policy Category | Classification | Policy categorization |
| Related Policies | Related Terms | Policy relationships |
```python
# Example: Create policy-based data quality tests
def create_policy_tests(policy):
    """
    Map Orthogramic Policy to OpenMetadata data quality tests
    """
    tests = []
    # Parse requirements into testable rules.
    # Note: a plain split on "." also breaks on decimals and abbreviations.
    requirements = policy.get("requirements", "").split(".")
    for i, req in enumerate(requirements):
        if req.strip():
            test = {
                "name": f"{policy['title'].lower().replace(' ', '_')}_rule_{i+1}",
                "displayName": f"{policy['title']} - Rule {i+1}",
                "description": req.strip(),
                "testDefinition": {
                    "name": "policyComplianceTest",
                    "description": f"Tests compliance with: {req.strip()}"
                },
                "testSuite": f"{policy['policyCategory'].replace(' ', '')}Compliance",
                "owner": {
                    "name": policy["owner"],
                    "type": "user"
                },
                "tags": [
                    {"tagFQN": f"PolicyCategory.{policy['policyCategory']}"},
                    {"tagFQN": f"ReviewFrequency.{policy.get('reviewFrequency', 'Annual')}"}
                ]
            }
            tests.append(test)
    return tests


# Example: Create policy glossary term
def create_policy_term(policy):
    """
    Create OpenMetadata glossary term for policy
    """
    return {
        "name": policy["title"].lower().replace(" ", "_"),
        "displayName": policy["title"],
        "description": policy["description"],
        "glossary": "enterprise_policies",
        "tags": [
            {"tagFQN": f"PolicyType.{policy['policyType']}"},
            {"tagFQN": f"PolicyCategory.{policy['policyCategory']}"}
        ],
        "owner": {"name": policy["owner"], "type": "user"},
        # Strip each name before normalizing so ", " separators
        # do not leave a leading underscore in the term name.
        "relatedTerms": [
            p.strip().lower().replace(" ", "_")
            for p in policy.get("relatedPolicies", "").split(",")
            if p.strip()
        ],
        "synonyms": [],
        "references": [
            {"name": std, "endpoint": ""}
            for std in policy.get("complianceAndStandards", [])
        ]
    }
```
Schema Reference
- Repository: Orthogramic/Orthogramic_Metamodel
- Schema Location: /schemas/policy.schema.json
- Version: 2.1
- Specification: JSON Schema Draft-07
- License: Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0)