Policies define boundaries for behavior of business processes, relationships, systems, and individuals. At the highest level, policies start with the Code of Conduct, laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level, into the business unit, department, and individual business processes. Expectations of conduct are written into policies, so individuals know what is acceptable and unacceptable.
Policy, done right, articulates corporate culture, the boundaries of individual and business behavior, and personal conduct. Consider that:
- Policies articulate the governance culture and structure: Without policies there are no written standards about acceptable and unacceptable conduct. Without good policy, culture morphs, changes, and takes unintended paths without a compass to guide its way.
- Policies articulate a culture of risk: This includes risk responsibilities, communication, appetite, tolerance levels, and risk ownership. Every organization takes risk — it is part of business. Without clearly written guidance and ownership, risk governance policy will be ineffective.
- Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Where matters are left to discretion, policies establish the values, ethics, commitments, and social responsibility of the organization.
It is important to be clear: Policy does not provide corporate culture, nor does it resolve the issues of governance, risk or compliance (GRC). An organization can have a wide array of policies that are not adhered to, and end up in very hot water. However, policies are a necessary means to clearly define, articulate, and communicate the organization’s boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot have a strong and established culture without it. The right policy is necessary to define and communicate what the organization is about.
Policies are the vehicle that communicates and defines culture so culture does not morph out of control. This requires that policy be adhered to at every level, that exceptions to policy be governed, and that violations be dealt with consistently and responsively. Because a policy establishes a duty of care for the organization, mismanagement of policy can introduce liability: regulators, prosecuting and plaintiff attorneys, and others can point to a violation of the organization's own policy to place culpability on it. It is paramount for an organization to establish only policy it is willing to enforce, and equally necessary to closely manage and monitor the policies that are in place.
I would love to hear your thoughts on Why Policies Matter and corresponding GRC strategies.