From time to time, people ask why policies matter. After all, they argue, are not the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their operations and have case-by-case flexibility? Don’t policies create liability when they are not followed? Isn’t it just more unnecessary bureaucracy?
The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk: every policy is a risk document that aims to control behavior-related risks.
The longer answer is a bit more complicated. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies, in the context of this Policy Management Capability Model, can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.
Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.
- Policies articulate the governance culture: Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Can you imagine an organization that did not have policies? How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
- Policies articulate the risk culture: This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
- Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.
In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization “to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].” Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.
Issuing well-crafted, and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strong embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives.
Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.
This article is from the newly published Policy Management Capability Model and is tied to the Certified Policy Management Professional (CPMP) certification at www.PolicyManagementPro.com, which GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.