If you want your organization to be more agile and resilient, it is critical to have well written, communicated, and enforced policies.
Your policies define how your organization should operate. They set standards of behavior for your staff. And, most importantly, they show regulators you're serious about making compliance an integral part of your organization's culture.
In our latest webinar — Why everything starts with policies — governance, risk, and compliance expert Michael Rasmussen explained:
● Why clear, appropriately targeted, easily accessible policies have never been more critical
● How to manage your policies more effectively in a constantly shifting landscape
Here are some highlights . . .
'Policies,' begins Rasmussen, 'can be a huge asset to an organization.' When policies are kept up to date, and communicated and enforced properly, they promote accountability, make compliance easier, and boost employee engagement.
The problem is that organizations are operating in an ever more chaotic environment. This is making policy management more challenging than ever before.
Organizations are having a tough time coping with the volume of regulation for years. Covid-19 has now made matters worse by heightening exposure to a wide range of risks.
Lockdowns and other restrictions have forced the vast majority of employees to work from home — where conduct is much harder to monitor — at a time when bribery, corruption, and cybercrime have spiked.
Exploring some of these increased risks, Rasmussen states:
'In a work from home environment,' observes Rasmussen, 'there are IT security issues everywhere... If there's some type of trojan or vulnerability in one of the dozens of devices that are connected to the internet, it can compromise the whole network. Organizations have developed or revised home office IT security policies in response to this.'
And internet security is just one of many serious risks.
'Because of the economic conditions, good employees might feel pressured to commit fraud, so it is necessary to communicate internal control and fraud related policies. You've got all Zoom calls where people are in their home offices and saying things that would never be allowed in the office, some of which might cross the line into harassment or discrimination. It has not become critical to remind employees of harassment and discrimination policies.
'And then, you've got branch managers writing mask-wearing policies or vaccination policies, which can get very tricky. These are often rogue policies, and not official policies of the organization that can introduce legal exposure to your organization. Then there are out of date policies that were written 10 years ago and never looked at again until now.'
The challenges created by Covid-19, says Rasmussen, have forced many organizations to reassess their approach to policy management.
'A policy can create legal issues even if it isn't the official policy. If it's been communicated as a policy, it can place a legal duty of care on the organization.'
If that weren't enough, rules like the UK's SMCR regime have made senior management personally accountable for regulatory breaches, putting them at risk for fines and jail time. And guidance from the US Department of Justice and the UK's Serious Fraud Office has made it clear that organizations must go beyond tick-box exercises and prove the effectiveness of their compliance programs.
Given these developments, it's not surprising that more and more organizations are starting to think about centralizing their policy management function to exercise better oversight.
'If you have too many documents, 20 different portals, and manual approaches, this creates what I call the inevitability of failure... nobody has a singular view ... [and] there's no system of record or audit trail.'
Regulatory implications aside, a piecemeal approach simply isn't efficient.
'Harmonizing policies in today's dynamic, distributed, and disrupted environment is a significant challenge organizations face... Organizations can no longer afford to have a linear, manual approach where a policy takes six months to get reviewed and approved. We need a better way.'
According to Rasmussen, an efficient and effective policy management system has three hallmarks.
Firstly, individual policies must be communicated, understood, and enforced.
'The focus is more and more on the integrity of organizations...and the foundation of good governance is in our policies. It cannot be smoke and mirrors... Policies have to be lived and breathed.'
Policies have a role in influencing behavior and culture — from how staff go about doing their work to the way they treat customers. So, organizations need to ensure everyone knows exactly what is expected of them.
As Rasmussen puts it: 'A strong culture means policies aren't just pretty documents. They're actually going to be communicated ... We assign the right resources, we make them accessible, and we measure their effectiveness.'
Secondly, you should be able to have a birds' eye view of your policies.
Policies are rules of conduct. But they're also risk documents. 'The fact you have a policy,' notes Rasmussen. 'means you've identified a risk that was significant enough you had to write something down about controlling it...'
These risks are bound to change over time, and new risks will also emerge. You need to be able to understand whether you have the right policies in place, whether there are any gaps, and also whether your policies are still relevant when changes happen or new risks emerge.
'We need to continuously monitor our environment to see what's changing. That triggers a review of a policy or maybe triggers the need to write a new policy that we don't have already...'
Lastly, effective policy management requires consistency.
'A consistent process for writing, approving, disseminating, and attesting policies using consistent language enables an organization to have strong reporting, proper enforcement... and ensure employees understand their role in the organization.'
This consistency, in turn, also ensures consistency. 'The right policies help us have consistent behavior, processes, and transactions, so we can reliably achieve our objectives...'
Could you imagine ordering at Starbucks and not knowing what size coffee you'll get, because it's up to the barista on shift?
Or having your mortgage approval left to the discretion of an individual?
Written standards of conduct are what cements a business' reputation and ensures it thrives. They crystallize your values and principles. They protect customers. But, most of all, they make it easier to reach your goals even as your organization grows.
And that's why it's critical to monitor your policies, keep them up to date, and ensure their continued effectiveness.
With a robust policy management system in place, 'we can be responsive to issues, and contain them before they become big... we can be agile... more competitive... and more resilient. So when unforeseen events like Covid-19 emerge, we can quickly bounce back.'
Want to learn more about the importance of having well-written policies and a robust policy management system in place?
Watch the full webinar — Why everything starts with policies — for free.