Crisis exposes weaknesses in firms' policy management processes

April 8, 2020

By Rachel Wolcott, Editor at Thomson Reuters

Firms have found their policy management apparatuses, often critical to crisis management and communications, can be disorderly and outdated.

Problems in policy management have come to the fore amid the COVID-19 pandemic as firms seek to change policy to coordinate their responses and communicate consistently with distributed workforces. Business continuity plans are one of the priority policies firms are seeking to update in a consistent and simplified way, said Michael Rasmussen, an analyst at GRC 20/20 Research in Milwaukee, Wisconsin.

"We are in the midst of a lot of chaos. Organisations suffer a lot of change — minute-by-minute, second-by-second — there are volumes of regulatory, business and risk change and that's just in the course of normal business. You deal with something like the pandemic and global crisis right now and change is happening at a more rapid pace. As we adjust business processes and work from home policies — there is a lot that has to adapt and change. It's critical that organisations have a structured approach to policy management in normal conditions but even more so under crisis conditions," Rasmussen told ClauseMatch's recent webinar: Policy on writing policies.

Financial services firms, along with other large businesses, can have thousands of policies in many jurisdictions covering everything from accounting to IT security and every aspect of compliance and risk management. Unfortunately, the COVID-19 crisis has highlighted many flaws in firms' approach to policymaking and maintenance: policies are found to be outdated, unclearly written, in many formats and styles, inconsistently distributed and stored, contradictory to other policies, lacking a proper audit trail, and often cumbersome to change or update. Many organisations do not know what policies they have, because no one has a master list. Some firms find rogue policies that employees have created without authorisation, Rasmussen said.

Policies were important risk documents in that they often identify risks and set out policies for managing them, he said; however, he compared most firms' policymaking and management to the Winchester "Mystery" House.

"The way policy management is today is like the Winchester Mystery House in San Jose. [It] was built in the 1880s. It cost $5.5 million to build. It had 147 different builders. It took 38 years to build, but it had no design and no blueprint and no architect. It has staircases that go up or down to nowhere, doors that open to walls and 20-foot drops, skylights that are in floors instead of ceilings.

"The Winchester Mystery House is most likely your policy management programme in your organization. Over the last 38 years you've had 147 different policy builders, between human resources and accounting, corporate compliance and legal and IT security. You've got all these different departments all doing policy in their own way and it doesn't make sense," he said.

More bad news amid the crisis

Danny Gal, from ClauseMatch, said company communication and wellbeing was the number one focus for firms and therefore policy communication to employees was critical. Firms' mystery house approach to policy management has yielded some unsettling discoveries since business continuity plans were set in motion in early March.

"Last week at a large U.S. bank, the head of HR and the head of compliance both sent out a policy update which contradicted each other. This example has led to the CEO now demanding a better process of how to deal with policies. That may not be too unfamiliar in some of your organisations — contradictory or duplication of policies," Gal said.

Another example was a European bank that had moved to 100% remote working. "It took them two weeks to be able to access the metapolicies that they needed within the organization," Gal said. Large numbers of core people were unable to do their jobs at a time when they were updating and communicating new policies due to the current circumstances.

A European-headquartered financial institution was looking at its policies in the light of the need for widespread home working and found 60% of their policies had not been updated in the past two years. "They have a one-year internal floor for policy updates," Gal said.

Rogue policies

The main policymaking and maintenance challenges are legal, regulatory, and risk change, but rogue policies pose a serious threat to firms.

Anyone can write a document and call it a policy, which could establish a legal duty of care for a company, Rasmussen said. He pointed to a large retailer that has an ongoing policy management programme because it is concerned that any store manager can write a document and call it a policy. If an employee or customer is harmed and it is discovered the store manager had a certain policy, that could be used against the company.

"These are rogue policies. Policies that are written and are not official policies of an organisation. One financial services firm I talked to found they had their anti-money laundering policy, but it had a division that didn't like it and took out the parts they didn't like and wrote a new policy," Rasmussen said.

Metapolicy and master index required

Rasmussen encouraged firms to begin a policy discovery process to determine what policies they have. He mentioned an example of an international bank that realised it did not have an enterprise view of policy only to find it had 1,200 policies in North America alone.

He then recommended they embark upon a policy management strategy that established a metapolicy — or a policy on policies.

That metapolicy would cover everything about writing policies, including who can write them and what that process would entail. It would include a style guide to ensure consistency, and establish where policies would be located and a time frame for review and refreshing.

Firms should create master policy indexes to keep track of their policies, he said. "I'm encountering organisations that have no clue what policies they have in their environment and in a time of crisis like right now this becomes critical. Which policies are official policies? What needs to be changed temporarily or permanently as a result of this crisis? It is critical that we have a master index," Rasmussen said.

This article was first published by Thomson Reuters