It is finally here! For the past year, I have been working hard with OCEG on the Policy Management Illustrated eBook. I have spent countless hours behind Adobe Illustrator working hard on the design, layout, concepts, and process of policy management in these illustrations in collaboration with OCEG and many other firms. Below is my lead article in the eBook (which you can download for free). Please enjoy the illustrations I have labored on in my passion for policy management. I look forward to hearing your thoughts as you go through these.

Michael Rasmussen

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting with the policy of all policies – the code of conduct – they filter down to govern the enterprise at all levels.

GRC, by definition, is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”

OCEG GRC Capability model

Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization. Without a policy, there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is significant enough to warrant a formal, written policy that details the controls used to manage that risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of the corporate culture. Without a policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

A policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy introduces liability and exposure, and policies that are not followed can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecutors, and plaintiff attorneys use policy violations and noncompliance to establish culpability.

An organization must establish a policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot achieve a strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Despite the value of policy, many organizations have:

  • Policies managed in documents and fileshares
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style
  • Rogue and out of date policies
  • Policies without lifecycle management
  • Policies that do not map to exceptions or incidents
  • Policies that fail to cross-reference standards, rules, or regulations

Inevitable Failure of Ad Hoc Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed. If policies and training programs do not conform to an orderly style and structure, use more than one vocabulary, are located in different places, and offer no mechanism for gaining clarity and support (e.g., a policy helpline), the organization is not positioned to drive desired behaviors in its corporate culture or to enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The haphazard department- and document-centric approaches to policy and training management of the past compound the problem. It is time for organizations to step back and establish a cross-functional, coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture for managing the ecosystem of policies and training programs throughout the organization, supported by real-time information about policy conformance and how it impacts the organization.


Here are some other resources:

OCEG Policy Management Resources

OCEG GRC Resources
