Has your organization established boundaries of behavior for employees, relationships, and procedures/processes? Policies, starting with your organization's code of conduct, are meant to filter down through the business to govern the enterprise, divisions/regions, business units, and processes, and so create the overall corporate culture and standard of ethics.
The definition of GRC is "a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]." Policies are a very important aspect of practicing GRC effectively. When efficiently and effectively managed, communicated, and enforced, policies should:
Most organizations, unfortunately, do not make the connection between policy and the development of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct, and your organization can quickly become something it never intended.
Your organization needs to develop and implement policies that can and will be enforced, but you must also train employees on each policy and communicate it clearly so that they understand what is expected of them. Your organization may have a corrupt culture with good policies in place, but it cannot achieve a strong and established culture without good policy and training on that policy.