Every day, organizations across all industries have to deal with an ever-changing regulatory environment. With 257 change events happening daily, driven by 1,217 global regulators, companies need to be on the ball. If they don’t evolve and adapt, their policies quickly become outdated, flawed and even open to criminal behavior.
But it’s not just about regulation. As technology advances and shifts, companies will need to as well. The introduction of social media, tech devices, Internet of Things and AI in the workplace means that new policies should be incorporated and addressed, and outdated policies need to be reviewed. Geopolitical, economic, and environmental shifts pose additional risks to industry practices. And with all the movement in personnel – entry, exit, and internal – further challenges mount for a company’s policy makers.
The risks are significant, and whilst policy management often results in long, difficult, and tedious processes lasting months or even years, it doesn’t have to be this way. Companies need to remain current in a very dynamic and disrupted business environment. To do that they need an agile policy management process.
In our latest webinar on Policy Management Maturity, Michael Rasmussen, internationally recognized pundit on governance, risk management, and compliance (GRC), discussed how to evaluate your company’s policy management, what a strong system and processes look like and how to implement them into your business.
Covid-19 reignited the policy management discussion on a global scale. Suddenly, businesses needed to adjust the way they do business, and this has had a direct impact on their policies. With major adjustments to personnel, cultural risks and employee responsibilities, they needed to adapt, and quickly.
The interconnected environment was additionally called into question. With so many people working remotely, could their home network – including TV, home tech, mobile phone, exercise machines and even kitchen appliances – compromise the security of the data on their work laptops? IT security, and the policies relating to it, needed to be addressed as the risk scenario became tougher and more complex to navigate.
The pandemic also brought fraud and corruption policies into focus – under uncertain circumstances, good employees may inadvertently do the wrong thing if they don’t know what they’re doing. The risk of bribery and corruption escalated, resulting in the need for the introduction or update of other policies, including those for entertainment and hospitality, political contributions, facilitated payments or restrictions on government import and export.
The impact of Covid-19 reminded us that the policy environment is totally interconnected and needs addressing. Working in policy silos can be an ever-growing source of risk for your company, when the world is changing so quickly.
With so many changes both inside and outside the company, keeping policies updated can be tough. Compliance professionals need to keep policies consistent and current across all regulatory and business changes. This doesn’t mean simply adding policy after policy to your business. Hundreds or thousands of policies for one organization (yes, many do have this) is not what’s required and just creates more chaos.
All businesses should aim for:
One design, with one process and one blueprint of what policy management should look like across their organization.
Anything else just results in confusion.
Policies influence and shape attitude, behavior and culture – with each impacting the other. And given that a corporate culture can be destroyed overnight as a result of a bad incident, despite having taken years to build and refine, policies are essential to guide and protect the firm too.
Having a well-written document is important, but enforcing the right policies is critical in shaping and guiding culture as well as preventing its deterioration.
First, let’s review the different types of policies:
1. Governance Documents: They define the firm’s governance structure, culture, and behavior to reliably achieve objectives.
2. Risk Management Documents: They address uncertainty. There would not be a policy if there was no risk of exposure to uncertainty. How do the policies map back to risk?
3. Policy Management Documents: Effective policy management results in timely issuance or revision when required, along with standardization of policy development, distribution, enforcement, and review.
4. Compliance Documents: They help us maintain the integrity of the organization.
We understand that clear and current policy documents are crucial for all businesses, but often management needs encouragement to implement or update them to a higher level of maturity.
You should establish a strategy and start by building a business case to the management team. Begin to understand your current state and how effective it is before thinking about your goals for a future state. Given that the Ethics and Compliance teams, as well as Human Resources often drive policy management strategies, get these teams on board and working together to define a policy framework to garner support.
Read our next blog post to learn more about how to plan the next steps of your policy management.
In the meantime, check our post on how to convince your executive team to purchase RegTech.