From time to time, to my surprise, I still hear people asking why policies matter. After all, they argue, aren’t the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their own operations and have case-by-case flexibility? Don’t policies create liability when they aren’t followed? Isn’t it just more unnecessary bureaucracy?
My answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths.
The longer answer is a bit more complex. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes— the organization states what it will and will not accept and defines the culture of integrity and compliance it expects.
Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct. . . .
This is the start of a six part series (once a month) on the topic of Effective Policy Management and the Policy Management lifecycle. To access the first installment please click on the following link: Effective Policy Management
There is an associated webinar with this article as well as the rest of the six articles in the series. You can access the registration for the webinars at the links below:
- 7/19: Policy Management Part One: An Effective Policy Management System Design
- 9/6: Policy Management Part Two: Tracking Changes That Affect Policies
- 10/4: Policy Management Part Three: Authoring Policies
- 10/25: Policy Management Part Four: Policy Communication & Training
- 11/15: Policy Management Part Five: Policy Enforcement
- 12/13: Policy Management Part Six: Policy Maintenance
Additionally, I have been appointed to chair the Policy Management Council at OCEG. OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieving objectives while addressing uncertainty and acting with integrity. You can see how policy management is critical to this mission. We already have over 30 large enterprise organizations on the Policy Management Council. The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations. Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role. Other projects are to build templates for a style guide, policy documents, and other related items. The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership. Professional service firms, technology vendors, and others that offer services and content around policies can join but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).
I look forward to hearing your comments and thoughs on Effective Policy Management . . .