By Michael Rasmussen, GRC 20/20
From time to time, people ask why policies matter. After all, they argue, are not the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their operations and have case-by-case flexibility? Don’t policies create liability when they are not followed? Isn’t it just more unnecessary bureaucracy?
The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk: every policy is a risk document that aims to control behavior-related risks.
The longer answer is a bit more complicated. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies, in the context of this Policy Management Capability Model, can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.
Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.
In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization “to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].” Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.
Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strong embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives.
Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.