Dynamic, Disrupted & Distributed Business Requires Policies
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, employees, partners, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as for management professionals at every level of the business.
The interconnectedness of governance, risk management, compliance, and the integrity of the organization requires 360° visibility into the organization’s policies. Organizations need to see the intricate relationships of policies across their operations. This requires holistic visibility and intelligence into policies and policy management, and into how they affect organizational integrity and culture. The complexity of business necessitates that the organization implement a strategic approach to policy management.
The Foundational Role of Policies in GRC Strategies
Policies are critical to the organization in establishing boundaries of behavior for individuals, processes, relationships, and transactions. When an organization fails to establish strong policies, it quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.
Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization, and filtering down into specific policies for business units, departments, individual processes, and assets, the organization states what it will and will not accept and defines the culture of governance, integrity, risk management, and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents. Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.
GRC, by definition, is “a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, they serve all three elements:
- Policies articulate the governance culture. Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make their own decisions and may take the organization where management does not want it to go. Governance is not taking place. Imagine an organization that had no policies: how could it reliably achieve objectives when there is no consistency in behavior, processes, and transactions?
- Policies articulate the risk culture. This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
- Policies articulate a culture of compliance. Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, and ESG (environmental, social, and governance) commitments of the organization. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.
In this context, policies are critical to all three aspects of GRC: governance, risk management, and compliance. Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; with policies, “less is more” is often the rule. Even when well-written policies are issued, the work is not finished. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and still end up in hot water. An organization may develop a corrupt culture even with the right policies in place, but it cannot have a strong, effective culture without them.
Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. Policies must be governed, managed, monitored, and enforced so that they are both effective and efficient tools to help the organization stay on the path it chooses.
The Challenge: Hordes of Policies Scattered Across the Organization
Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that policies affect every person involved with supporting the business, including internal employees and third parties.
Many organizations struggle with:
- Policies are managed in documents and file shares. Policies are haphazardly managed as document files and dispersed on several file shares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
- Reactive and inefficient policy training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
- Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, eighth-grade reading level).
- Rogue policies. Anyone can create a document and call it a policy. Because a published policy can establish a legal duty of care, policies that were never authorized or that are misaligned with the organization’s official position create exposure and liability.
- Out of date policies. In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
- Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
- Policies that do not map to exceptions or incidents. Organizations often lack an established system to document and manage exceptions to policy and the incidents, issues, and investigations that relate to it. The organization has no information about where a policy is breaking down or how the breakdown can be addressed.
- Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
If policies do not conform to an orderly style and structure, use inconsistent vocabulary, are located in different places, and offer no mechanism for gaining clarity and support (e.g., a policy helpline), the organization is not positioned to drive desired behaviors in corporate culture or to enforce accountability. To be an organization of integrity and to defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed.
Delivering 360° Policy Management Visibility
With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.
Organizations need complete 360° situational awareness and visibility into the policies that govern the organization’s processes, operations, transactions, regulatory requirements, ethics/values, and risks. What complicates this is the exponential effect of change on the organization. Businesses operate in a world of chaos, and even a small change can cascade, develop, and grow into a significant risk exposure for the organization. Disconnected, siloed approaches to policy management leave the organization with fragments of culture and control that fail to see, guide, and direct the enterprise in the midst of change. The organization needs visibility into policies, and consistency in policy management, across the entire enterprise. Organizational complexity and change require that the organization implement an enterprise view of policies and policy management.
The Bottom Line: Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management so the organization can identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. This requires the ability to continuously monitor change and capture its effect on the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.