Unlike kitchens, messy approaches to policy management do not signal happiness. More organizations ought to take this truth to heart. If you’re unsure of the state of your company’s policy management hygiene, here’s a revealing question: How many policies exist within your organization?
Unless your response is swift and accurate, your policy design and improvement processes likely need a large serving of standardization. If so, your company is hardly alone. An OCEG Fellow speaking at a recent compliance conference asked how many of the 200 GRC managers and executives in the audience could identify the number of policies within their company. Following an uncomfortable silence, a total of two hands were raised. While that survey result is decidedly anecdotal, its message rings true across the vast majority of companies.
That’s a problem because companies of all sizes are struggling to communicate policies to employees and other stakeholders, and to train and engage them with policies designed to help mitigate potentially serious risks to the business. A key challenge stems from the sheer volume of organizational policies -- a number that routinely runs into the thousands in globally operating companies.
Before policy management teams can strengthen their communications and awareness plans as well as related training activities, they should get a firm grasp on how many policies exist and how many remain relevant given the steady pace of change to the risk environment, regulatory requirements, internal organizational priorities and structures, and external business conditions.
Achieving that clarity requires a close look at the processes by which policies are authored, issued and approved. It requires that the right team, technology, and standard processes (and templates) are in place.
Many, if not most, organizations rely on a fragmented, scattered approach to policy creation -- one that has developed in a decidedly ad hoc manner over time. Policies exist in different templates and formats. Policies are accessible via numerous different portals across the organization. Rules governing how policies are authored and approved either do not exist or vary by department. Worse, many organizations have no mechanism for accessing all of their policies; as a result, these companies cannot determine if policies remain relevant years after their issuance and/or whether policies conflict with each other.
It’s difficult to find a similar lack of standardization in almost any other area of the business. Picture a warehouse with no inventory system. Imagine an HR department that doesn’t know how many employees work for the company -- or where those people are located. Consider an accounting function that cannot categorize expenses. If any of those scenarios existed, confusion would flourish, and chaos would follow; fulfilling business objectives eventually would become impossible.
Like other aspects of compliance, policies tend to materialize in response to specific requirements or needs that are narrow in scope and/or applicable to only parts of the organization. This uneven process may have relatively few side effects within small companies with a handful of different departments. In those companies, employees may even bristle at “overly bureaucratic” approaches that enable standardization, such as adherence to a policy-issuance decision-making process or the use of approved policy templates. Without those and other standardization enablers in place, even small companies can become overwhelmed by policy tangles over time, especially as they grow in size.
Policies are the cornerstone of compliance in organizations of all sizes. Policies establish the guidance that must be followed when establishing procedures and engaging in the day-to-day operations of the business. Policies demand adherence to applicable laws and regulations and also set out the mandates the organization’s leadership establishes and deems necessary to support its values and objectives.
It’s true that a global bank with thousands of policies in 20 languages addressing operations in 30 countries will have a more complex program than a small retailer operating in one country. However, both organizations will benefit greatly from enhancing their policy management planning and using standard templates, processes and technologies.
There are three primary steps involved in establishing a standardized approach to policy issuance and ongoing management:
Beyond serving as a central repository for policies (including the history of each policy’s development and ongoing evolution), policy management technology can serve as an enforcement mechanism to ensure that the policy on policies is followed, Likhoded notes.
While the master policy defines tasks and requirements for each role, the portal calendars the due dates or meeting dates and confirms that they have been met. When there is a template, the portal system will not allow publishing of a final policy until it has progressed through all required drafting steps, received stakeholder feedback and received committee approval, with each of those milestones logged into the system.
Further, certain sections in the policy are inherited from the template and they cannot be changed. For example, every policy needs to have a purpose, scope, and section headings. If those headings are changed in the template, they are also automatically changed in every policy that has been drafted via that template. By maintaining standard components and consistent visual style, employees and stakeholders can quickly and easily recognize what is – or isn’t – an official policy of the organization.
Mapping regulatory changes to policies within a policy management system helps determine if a policy must be reviewed to assess if it is still appropriate for the organization when a regulation changes, Likhoded points out. If a specific clause of a regulation is mapped to a number of related policies, when that clause changes, all relevant policy owners will be notified that policies mapped to that clause need to be reviewed.
The volume of work and communications involved in that mapping activity can reach staggering levels. If 50,000 regulatory changes affect a banking organization every year, for example, requiring review of 30,000 controls and several thousand policies (containing a combined number of clauses that stretch into the millions), it is impossible to perform that mapping without supporting technology. The technology should track workflows and proactively validate any new content, comparing it to existing content to determine whether the two are related. A change also might occur within internal procedures or business operations, so the system should trigger an alert that the new content (whether it comes from an external or internal source) needs review and suggest appropriate action.
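The three mechanisms described above (a publish gate that refuses a policy until every drafting milestone is logged, section headings inherited from a template so that a heading change propagates to every policy drafted from it, and regulation clauses mapped to policies so that a clause change notifies each policy owner) can be made concrete in a small model. The following is an added example written for this page; it is not code from the article or from any vendor's policy management product. All template, policy, owner and clause identifiers (`POL-001`, `alice`, `REG-X §4.2` and so on) are constructed sample data, and the milestone names are assumptions chosen to match the workflow the text describes.

```python
from dataclasses import dataclass, field

# Milestones a draft must log before the portal will publish it (assumed names).
REQUIRED_MILESTONES = ("drafted", "stakeholder_feedback", "committee_approval")


@dataclass
class Template:
    """A policy template; its section headings are inherited by every policy."""
    name: str
    sections: list[str]


@dataclass
class Policy:
    policy_id: str
    owner: str
    template: Template
    body: dict[str, str] = field(default_factory=dict)   # heading -> text
    milestones: list[str] = field(default_factory=list)  # audit log, in order
    published: bool = False

    def headings(self) -> list[str]:
        # Headings always come from the template, so a policy cannot change them.
        return list(self.template.sections)

    def set_section(self, heading: str, text: str) -> None:
        if heading not in self.template.sections:
            raise ValueError(f"{heading!r} is not a section of template {self.template.name!r}")
        self.body[heading] = text

    def log_milestone(self, milestone: str) -> None:
        if milestone not in REQUIRED_MILESTONES:
            raise ValueError(f"unknown milestone {milestone!r}")
        self.milestones.append(milestone)

    def publish(self) -> tuple[bool, str]:
        """Publish gate: every required milestone logged and every section filled."""
        missing = [m for m in REQUIRED_MILESTONES if m not in self.milestones]
        if missing:
            return False, f"not published: missing milestones {missing}"
        empty = [h for h in self.template.sections if not self.body.get(h)]
        if empty:
            return False, f"not published: empty sections {empty}"
        self.published = True
        return True, "published"


class PolicyRegistry:
    """Central repository: answers 'how many policies exist' and drives notifications."""

    def __init__(self) -> None:
        self.policies: dict[str, Policy] = {}
        self.clause_map: dict[str, set[str]] = {}  # regulation clause -> policy ids

    def register(self, policy: Policy) -> None:
        if policy.policy_id in self.policies:
            raise ValueError(f"duplicate policy id {policy.policy_id!r}")
        self.policies[policy.policy_id] = policy

    def count(self) -> int:
        return len(self.policies)

    def map_clause(self, clause_id: str, policy_id: str) -> None:
        if policy_id not in self.policies:
            raise KeyError(policy_id)
        self.clause_map.setdefault(clause_id, set()).add(policy_id)

    def clause_changed(self, clause_id: str) -> list[tuple[str, str]]:
        """Return (owner, policy_id) review notifications for a changed clause."""
        return sorted((self.policies[p].owner, p) for p in self.clause_map.get(clause_id, set()))

    def rename_template_section(self, template: Template, old: str, new: str) -> int:
        """Rename a heading in the template and in every policy drafted from it."""
        template.sections[template.sections.index(old)] = new
        changed = 0
        for p in self.policies.values():
            if p.template is template:
                if old in p.body:
                    p.body[new] = p.body.pop(old)
                changed += 1
        return changed


def demo() -> dict:
    """Constructed sample data: one template, two policies, one regulation clause."""
    reg = PolicyRegistry()
    tpl = Template("standard", ["Purpose", "Scope", "Requirements"])
    aml, privacy = Policy("POL-001", "alice", tpl), Policy("POL-002", "bob", tpl)
    for p in (aml, privacy):
        reg.register(p)
        for h in tpl.sections:
            p.set_section(h, f"{h} text for {p.policy_id}")
    for m in REQUIRED_MILESTONES:          # POL-001 completes the workflow
        aml.log_milestone(m)
    privacy.log_milestone("drafted")       # POL-002 never reached committee
    for pid in ("POL-001", "POL-002"):
        reg.map_clause("REG-X §4.2", pid)  # constructed clause id
    return {
        "count": reg.count(),
        "aml_publish": aml.publish(),
        "privacy_publish": privacy.publish(),
        "notified": reg.clause_changed("REG-X §4.2"),
        "renamed": reg.rename_template_section(tpl, "Requirements", "Mandatory Requirements"),
        "aml_headings": aml.headings(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `count()` method is the literal answer to the question the article opens with, and `clause_changed()` is the notification fan-out described for mapped clauses; in a real system the milestone log and the clause map would live in a database with timestamps, since it is that dated history that later has to be shown to auditors or investigators.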
This capability demonstrates to regulators, external auditors, law enforcement and/or opposing counsel in a lawsuit that the organization has effectively managed and maintained policies even as regulations and business operations changed over time. Those overseers want to know what the policy looked like on the date when the regulatory violation allegedly occurred.
In those instances, regulatory and legal investigators want to know what the policy was then, who was aware of that policy, how it was kept current to satisfy relevant risk and regulatory requirements at the time and any other factors that can help clarify the audit trail.
This history is needed to defend the organization and prove that it is keeping policies current and relevant to the environment even as the environment continually evolves. That type of clarity requires a standardization of policy development and a spotless approach to policy management.