Effective policy management is a continuous lifecycle, not a one-time event. Option C accurately captures the essential, ongoing activities required to ensure policies are effective and relevant. This includes deploying the policy (implementation), ensuring stakeholders are aware of it (communication), taking action for non-compliance (enforcement), and regularly reviewing its performance and suitability (auditing). This cycle ensures that policies translate into desired behaviors and outcomes, adapting to changes in the business environment and regulatory landscape, which is a core tenet of the OCEG GRC Capability Model.

A. Internal audit's primary function is to provide independent assurance. Designing policies would create a conflict of interest and impair the objectivity required to later audit those same policies.

B. While business units are accountable for policy adherence, completely delegating policy management leads to inconsistency and fragmentation. A centrally coordinated or federated approach is essential for enterprise-wide GRC.

D. Technology is an enabler, not the practice itself. Relying solely on pre-populated templates without tailoring them to the organization's specific context, culture, and risk appetite is ineffective.

1. OCEG GRC Capability Model 3.5 (The "Red Book"):

For Correct Answer (C): Section 4.3.3, "Design & Implement Controls," and Section 4.4, "Monitor," describe the lifecycle of developing, communicating, implementing, and monitoring policies and controls to ensure they operate as intended. The entire model is predicated on this continuous loop of activity.

For Incorrect Answer (A): Section 2.3, "GRC Roles and Responsibilities," distinguishes between management's responsibility to establish controls (like policies) and the assurance functions' (like internal audit) role to independently review them.

For Incorrect Answer (B): Section 2.2, "Organize and Oversee," emphasizes the need for integrated and coordinated GRC capabilities, which contradicts the idea of completely delegating policy management without central oversight.