Corporate policy is often at the heart of the underlying governance, risk, compliance and testing plans within the company, commonly based on high-level objectives established by senior management. In addition, in today's world, formal corporate policies and formal policy management are simply a practical necessity. While there are certainly arguments that many policies are "in place" or "in effect" simply because they are good business practices, "corporate culture" or plain common sense is not enough to demonstrate corporate commitment or to protect the firm from legal claims.
In a nutshell, every company needs a formal set of policies and a policy management process.
For smaller companies, the policy management process can be pretty straightforward. A company handbook or bulletin board can be used to communicate the policies; a simple management review confirming everyone has read, understands and agrees to comply can be enough.
Policy management is more challenging in larger firms, with two significant challenges – first, simply managing the logistics of assuring communication, understanding and acknowledgment can become really painful; second, not every policy may be appropriate for every person, which adds complexity to the process.
The other substantive challenge can be “what should our policies be?” Some policies are straightforward for most companies to adopt, such as a code of conduct or compliance with law and regulation. Others require some thought, as they have the potential to shape the corporate culture in potentially undesirable ways. Does your firm really want a culture of “take no risks”? Moreover, when a firm deploys a policy, there is an obligation to enforce that policy. Failure to have a method of reporting violations or dealing with non-compliance can be worse than no policy at all.
In our view, there are three key activities to establishing a meaningful policy management program:
- Figure out what policies you have and what policies you should have. We think the best way to do this is a discussion among senior managers, with information from your Enterprise Risk program and Compliance program. A good understanding of risks and a good understanding of the regulations and laws impacting your firm can be very helpful in identifying needed policies. And, of course, every firm should have a basic code of conduct policy.
- Review the potential policies with four key questions: Is this policy necessary? Is it clear who this policy applies to? Is it clear what we want people to do to assure compliance? Is it clear what will happen in the event of non-compliance?
- Establish processes to periodically review – typically annually – the policies and compliance behavior. First, senior managers need to affirm that the policies in force are relevant, complete and appropriate. Second, management must confirm that all appropriate individuals do, in fact, see the policies, review them and acknowledge their understanding and acceptance of them, or, if individuals do not acknowledge and agree to comply, that there is formal notification escalating up the appropriate management chain.
The DoubleCheck Suite of GRC tools can be exceptionally helpful in building and maintaining a Policy Management Program. The tools offer a rich set of capabilities to disseminate information, such as policies, and collect attestations of review, understanding and acknowledgment of responsibility.
- The DoubleCheck™ Policy Center provides the vehicle for proposing, vetting and adopting policies.
- Policies can be distributed generally or to specific workgroups. Employees and reporting structures can be identified from a corporate directory or directly input into the system. And, of course, the system can track who has read and accepted the policies.
- Follow-up can be automated with appropriate urgency and escalation; clear management status and reports can be generated.
- Linking of Enterprise Risk Management and Compliance Management to Policy Management is straightforward, making it possible to track the relationships between policy documents and other compliance or risk related items. This linkage allows associates to view policies that are driving particular processes or risk responses and determine what might need to change if a policy changes.
Give us a call and we'd be happy to discuss your policy management needs and how we might help you with practical and cost-effective enterprise or departmental policy management tools.
Questions About Corporate Policy And Governance Solutions?
Don't hesitate; contact us today at 1-888-299-3980.