Policies are critical to organizations as they establish boundaries of behavior for individuals, processes, relationships, and transactions. An organization must establish policy it is willing to enforce – but it also must clearly train and communicate the policy to ensure that individuals understand what is expected of them.
GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” [note: this definition is from the GRC Capability Model at www.OCEG.org] Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies accomplish the following:
Provide a framework of governance. Policy defines the organization’s governance culture and structure. Without good policy as a guide, corporate culture and control morphs, changes, and takes unintended paths.
Identify and treat risk. Policy articulates a culture of risk. Policy addresses risk and establishes risk responsibility, communication, appetites, tolerance, and risk ownership. Without clearly written policy, risk governance is ineffective.
Define compliance. Policy establishes a culture of compliance. Policy details how an organization meets its obligations and commitments and how it will stay within legal, regulatory, and contractual boundaries to avoid exposure to liabilities.
Hordes of Policies Scattered Across the Organization
Policies matter. However, the way the typical organization manages policies would leave the impression they are irrelevant and considered a nuisance. The typical organization has:
Policies managed in documents and fileshares. Policies are haphazardly managed as document files are dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures.There is no single place where an individual can see all the policies in the organization and those that apply to specific roles – thus, limiting defense of legal liability.
Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability with any misaligned, mismanaged, and unauthorized rogue policies.
Out-of-date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g. active voice, concise language, and reading level).
Policies without lifecycle management. Many organizations maintain an ad-hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations. The organization has no information about where policy is breaking down or how it can be addressed.
Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
Inevitable Failure of Policy ManagementExposes the Organization to Significant Liability
Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.
With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital. It enables an organization to effectively develop and maintain the wide scope of policy it needs to govern with integrity and limit corporate liability.
The Bottom Line: The haphazard department and document-centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and implement a centralized strategy and approach to authoring, approving, maintaining, and communicating policies across the organization.