How 2nd Line Assurance and Public Policy share a common experience

By Stephen Hermanson

I recently came across a very insightful piece on Risk Management and Assurance by John Sinden (Vodafone Group). I recognised the context and situation immediately, which has lessons for Public Policy too.

Public Policy teams are facing similar challenges, so allow me to borrow from John Sinden’s excellent framing to illustrate the point.


There’s a moment most people in a Public Policy role may recognise. You’re in a meeting, the business is moving fast, decisions are already forming, timelines are tight — then you speak up.

Not to block. Not to control. But to ask what contribution is being made to government and regulatory agendas, what public policy and regulatory barriers might dilute or negate business outcomes, what intelligence should we gather to assess the likelihood and impact, what political incentives are we responding to, which parties and alliances are supporting and opposing our plans, what asks would we place on government or regulators, what evidence can we offer to substantiate our case, what solutions or mitigations might we propose, what narrative are we using to convey a holistic corporate position, what are the trade-offs (for us and others) if the business plan doesn’t succeed.

You get the gist — how can we test and prepare the ground politically, diplomatically (for international considerations such as global supply chains and multinational customers) and how do we provide researched and proportionate public policy recommendations to achieve outcomes that matter.

You don’t have a mandate to write or decide the business strategy or opine on how the business should operate. You’re not truly “in” the business. But you’re not separate either. You sit somewhere in the middle — close enough to understand, but distant enough to challenge — and provide the voice of government, regulators, communities and geopolitics at the table (and explain the merits of the business plan to these same stakeholders and any others that may appear).

This may also mean dealing with hostility, disinformation and misunderstanding. Public Policy teams will want to get ahead of the arguments with a clear, accurate and timely narrative that can bring parties together and resolve differences. Where opposition remains, what strategy is required to manage this politically and through institutions that could influence the debate?

And every day, you’re trying to get that balance right. The Public Policy intent is rarely what people think it is.

It’s not about creating barriers, being pedantic or playing politics.
It’s about making decisions stronger.
It’s about helping teams see around corners.
It’s about avoiding the conversations no one wants to have “later”.

Too often, Public Policy teams are required to fight a rearguard action when it suddenly transpires that the business plan is facing political opposition, legal/regulatory constraints or barriers on trade. Politics and geopolitics can change suddenly and unexpectedly. Be that as it may, there are respected and established principles for taking into account the political, geopolitical and economic environments to understand the risks that might present themselves. Public Policy teams will be applying this lens to help the business navigate these waters. This may require policy change and the political appetite to support it. Some of this may need months of persistent and careful engagement to frame arguments, coalesce allies, build independent evidence and devise compromises. When Public Policy teams ask questions, they are thinking ahead to this moment and calculating what is essential to understand now.

Security and defence sectors are particularly sensitive to this. Where the business plan, political and policy risk, and economic stakes touch on national security considerations, the stakes get higher still. Public Policy teams will take a calm, measured and evidence-based approach when activating relationships and access to warn of political or policy missteps that might have unintended consequences — in extreme cases causing harms to both industry and national security. Security Public Policy is increasingly on the agenda as governments seek to respond to national and economic security objectives. This cadre in the Public Policy team will understand the stakes, the trade-offs and the formula for charting a way through.

When delivery pressure is high, challenge can feel like friction. When momentum is building, pause can feel like delay. When you hold the line, it can feel like you’re pushing back rather than helping forward.

And so, Public Policy teams walk a constant tightrope:

  • Be commercial, but don’t dilute standards
  • Be close, but don’t lose objectivity
  • Be pragmatic, but don’t become irrelevant
  • Be firm, but don’t become “the police”

It’s not an easy role. And often, the better you do it, the less visible it is.

  • The political and public policy risk that doesn’t materialise.
  • The external stakeholder issue that gets fixed early.
  • The narrative that gets sharpened before it lands.

Those rarely get called out, but that’s where the real value is — bringing clarity, perspective, and calm thinking when it’s needed most. When that balance is right, Public Policy teams are no longer seen as the people who slow things down. We’re the people who help things navigate the political and public policy sphere — which no critical national infrastructure business can ignore.

Over the last two and a half years my previous team and I designed and built Security Influence — an integrated Threat Intelligence, Government Engagement, Business Engagement and Public Policy team to provide the Security Public Policy cadre.

Some lessons from the journey:

  • Strategy before tactics. Is this the fight to have at this time and place (and if so, how would we elect to fight and what resources are available to sustain it — including the political will internally)? What does the strategy look like when modelled with an analysis of competing hypotheses? The purpose is to double-check assumptions, objectives and constraints, and to resist the temptation to respond until the threat/risk is clear.
  • CxO patronage. This provides reliable, regular and trusted access to the Executive Committee (ExCo) and Board, confidence to speak truth to power, and space to play the long game. If/when you decide to activate, you’ll need the ExCo to follow you over the parapet.
  • Also create a strategic communications and engagement plan for internal stakeholders. Public Policy teams will be expert at designing and implementing external communications and engagement plans. However, you’ll need to bring everyone in the business with you (don’t assume the merits and achievements are obvious to everyone).
  • Step outside the bubble. We spent at least 25% of our time engaging externally, beyond the organisation and sector. Perspective, context and comparison count for a lot, but internal communications and engagement are essential to package the message (so what; and then what), and CxO patronage provides the access and agenda space.
  • The Public Policy mandate overlaps with Corporate/External Affairs, Strategy, Risk and Corporate Communications. In the end, some parts were absorbed by these functions and other parts remained with us. Pin down an operating model and RACI as soon as you can (and test it in practice and with ExCo). Keep sight of the holistic view (golden thread), which is often lost when the model is overcomplicated or contested. See my blog for an entry on the special alliance between Security, Corporate Affairs and Compliance. This can easily be extended to incorporate Strategy and Risk.
  • Technology, Security and Operations will have subject matter experts who will often need to support content reviews and consultation responses and participate in engagements. This access needs to be reliable, authoritative and sustained. The biggest danger is a bottom-up approach that meets general resistance, such as “AI can do this”, “external agencies can do this”, “the SMEs can do it themselves”, “there’s no point as we can’t influence outcomes”, “this is not our fight”, and so forth. Be prepared for this. If the ExCo isn’t batting for it, then reset.
  • Sceptics are inevitable. Resist the pressure to reduce everything to metrics. Measures of value in government relations and public affairs are often more nuanced. What counts is business appetite to engage (and belief in the Public Affairs mission and purpose), business appetite to play the long game (and invest in policy research and think-tanks) and ultimately the level of risk tolerance and knowing when that threshold is near. Public Policy is a social science — certainties are rare and your biggest critics will be those that struggle with ambiguity and the probability yardstick.

References

Sinden J. June 2026. LinkedIn.
