Policies should be assessed when they are first created and again whenever they come up for review or modification. This process is most effective when it is carried out as a semiformal procedure, performed routinely, that ends with a brief report to the reviewing body. Policies of any sort can be difficult to assess; the criteria that follow are ones you might use to review and assess yours.
Completeness is the first criterion. We would like policies to cover every situation that might come up, but that is not practical, both because of cost and because we cannot foresee every possible problem. The best approach is to create a policy that appears complete and then extend it with discretion as problems arise. This is the approach the building trades use to create building codes, and it has served them well. The reviewing body should read any incident reports that bear on the policy and recommend changes that would have prevented the related incidents or lessened their severity.
To gauge effectiveness, the enterprise must have a stated goal that it wants the overall identity policy suite to accomplish, and it must understand how each policy in the suite contributes to that goal.
The cost of a policy can be difficult to assess, but it is worth at least estimating so that you can make a case for or against a policy, or for changes to an existing one. The estimate should include both the cost of complying with the policy and the cost of not implementing it. Cost estimates are usually best done on individual policy components rather than on the policy as a whole.
Policies can be hard to compare for relative risk. For example, is a password reset every three weeks with six-character passwords more or less secure than a password reset every two months with eight-character passwords? Usually the best you can do is estimate the risk. The most important outcome of evaluating risk is the process itself: use it to build consensus among the key players about what the risks are, so that everyone approaches policies and their enforcement from a similar perspective.
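The password-policy comparison above can at least be bounded with simple arithmetic. The following is an added example, not part of the original text: it assumes passwords are drawn uniformly from a 62-symbol alphabet (upper- and lower-case letters and digits), that an attacker guesses without repetition at a constant rate for the whole rotation window, and it uses constructed guess rates (a throttled online rate and an offline hash-cracking rate) purely for illustration. Under those assumptions the probability that a password is guessed before it is rotated is the fraction of the keyspace the attacker can cover in the window.

```python
# Added example: rough risk estimate for two password policies.
# Assumptions (constructed for illustration, not from the original text):
#   - passwords are uniformly random over ALPHABET_SIZE symbols
#   - the attacker guesses distinct candidates at a fixed rate for the whole window
#   - guess rates below are illustrative, not measurements of any real system
ALPHABET_SIZE = 62            # a-z, A-Z, 0-9
SECONDS_PER_DAY = 86_400

# Hypothetical guess rates used by the example (guesses per second).
ONLINE_THROTTLED_RATE = 10        # e.g. a rate-limited login endpoint
OFFLINE_CRACKING_RATE = 1_000_000_000  # e.g. cracking a leaked fast hash


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of the given length."""
    return alphabet_size ** length


def compromise_probability(length, window_days, guesses_per_second,
                           alphabet_size=ALPHABET_SIZE):
    """Probability a uniformly random password is guessed within one
    rotation window. With guessing without repetition this equals the
    fraction of the keyspace covered, capped at 1.0 (attacker finishes)."""
    guesses = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(length, alphabet_size))


def equivalent_window_days(length_a, length_b, window_b_days,
                           alphabet_size=ALPHABET_SIZE):
    """Rotation window (in days) that policy A (length_a) would need so that,
    at the same guess rate, its compromise probability matches policy B
    (length_b rotated every window_b_days). Solves
    window_a / K_a = window_b / K_b for window_a."""
    return window_b_days * alphabet_size ** (length_a - length_b)


def compare_policies(policy_a, policy_b, guesses_per_second):
    """Return (p_a, p_b, ratio) where ratio = p_a / p_b (>1 means A is riskier).
    Each policy is a (password_length, rotation_window_days) tuple."""
    p_a = compromise_probability(policy_a[0], policy_a[1], guesses_per_second)
    p_b = compromise_probability(policy_b[0], policy_b[1], guesses_per_second)
    ratio = p_a / p_b if p_b > 0 else float("inf")
    return p_a, p_b, ratio


if __name__ == "__main__":
    POLICY_A = (6, 21)   # six characters, rotated every three weeks
    POLICY_B = (8, 60)   # eight characters, rotated every two months

    for label, rate in (("online, throttled", ONLINE_THROTTLED_RATE),
                        ("offline cracking", OFFLINE_CRACKING_RATE)):
        p_a, p_b, ratio = compare_policies(POLICY_A, POLICY_B, rate)
        print(f"{label:18s} A: {p_a:.3e}  B: {p_b:.3e}  A/B risk ratio: {ratio:.0f}")

    # How often would the six-character policy have to rotate to match B?
    print(f"A would need rotation every "
          f"{equivalent_window_days(6, 8, 60) * 24 * 60:.0f} minutes to match B")
```

The numbers make the qualitative point the text is after: lengthening the password grows the keyspace by a factor of 62 per character, while shortening the rotation window only scales the attacker's budget linearly, so no practical rotation schedule lets the six-character policy catch up. Against an offline attack on a fast hash both policies are exhausted well inside their windows, which shows that the comparison depends on the threat model as much as on the policy parameters, and that is exactly the discussion the consensus-building process should surface.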