| name | policy-impact-analysis |
| description | Analyze policy, regulatory, compliance, security, privacy, procurement, or internal guidance changes against business workflows, teams, controls, obligations, risks, and required actions. Use when Codex needs to assess policy impact, map affected stakeholders, identify gaps, or prepare implementation guidance. |
Policy Impact Analysis
Workflow
- Identify policy source, effective date, scope, affected entities, and business context.
- Extract obligations, prohibitions, permissions, deadlines, controls, and evidence requirements.
- Map impacts to workflows, teams, systems, vendors, data, customers, and governance forums.
- Identify gaps between current practice and required or recommended practice.
- Produce an action-oriented impact analysis with owners, controls, and review needs.
Output Standard
Use this structure by default:
- Policy Summary: what changed, scope, and effective timing.
- Obligations / Requirements: required actions and evidence needed.
- Affected Areas: workflows, teams, systems, data, vendors, or customers.
- Gap Analysis: current state vs required state.
- Risk Assessment: legal, operational, customer, security, or reputational impact.
- Action Plan: owner, action, priority, deadline, and dependency.
- Human Review Needed: legal, compliance, security, privacy, or leadership review.
Rules
- Do not provide legal advice or final compliance determinations.
- Distinguish explicit policy text from interpretation and operational recommendation.
- Flag missing source text, jurisdiction, dates, definitions, and ownership.
- Preserve auditability by tying actions to source requirements when available.
References
Read references/impact-rubric.md when the user asks for controls mapping, gap analysis, rollout planning, or leadership briefing.