I find that ineffective and unenforced policies are rampant within organizations, and are a thorn in the side of compliance and policy managers.
Mismanagement of policy has grown exponentially with the proliferation of documents, collaboration software, file shares, and Websites. Organizations end up with policies scattered across dozens of sites with no defined understanding of what policies exist and how they are enforced. An ad hoc approach to policy management allows anyone to create a document and call it a policy—exposing the organization to unnecessary liability. Policies end up poorly written, out of sync, and out of date; exceptions go undocumented; and the organization has no evidence that the policy is enforced.
Document-centric approaches to policies—that lack technology to manage communication and enforcement—are a recipe for disaster. While it appears easy and cheap to just use documents and send them out via e-mail, or post them on a file share or Website, the reality is that ineffective policy management exposes the organization to significant cost.
The following is a checklist you can use to understand if your policy management system enables effective policy implementation and enforcement across the policy lifecycle:
- Provide a consistent policy management framework for the entire enterprise.
- Manage the policy lifecycle of creation, communication, implementation, monitoring, maintenance, revision, and archiving.
- Deliver a system to document, approve, monitor, and review exceptions to policies.
- Provide a consistent format for policy assessments and surveys to gauge compliance and understanding.
- Integrate eLearning and training, including quizzing and attestation.
- Provide easy access to policies in the right language and format for the audience.
- Gather and track comments to policies.
- Map policies to obligations, risks, controls, and investigations so there is a holistic view of policies and metrics.
- Provide a robust system of record to track who accessed a policy as well as dates of attestation, training, and read-and-understood acknowledgments.
- Provide a user-friendly portal for policies with workflow, content management, and integration to other systems.
- Provide a calendar view to see policies being communicated to various areas of the business, and ensure policy communications do not burden employees with too many tasks in any given time period.
- Provide links to hotlines for reporting policy violations.
- Publish access to additional resources such as helplines, FAQs, and forms.
- Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what is needed.
- Create categories of metadata to store within policies, and display documents by category so policies are easily catalogued and accessed.
- Restrict access to policy documents so readers cannot change them, and sensitive documents are not accessible to those who do not need them.
- Keep a record of the versions and iterations of each policy so the organization can refer to them when an incident or issue requires it to defend itself or provide evidence.
- Maintain accountable workflows to allow certain people to approve policy documents, and move tasks to others with full audit trails.
- Deliver comprehensive metrics and reporting on the status, implementation, understanding, and enforcement of policies.
Although you may be able to implement a few of these features using a build-your-own or document-centric approach, the cost in training, maintenance, and management time, let alone the legal ramifications of lacking audit trails, makes it a risky venture for policy management.
Effective Policy Enforcement Across the Enterprise: An OCEG Roundtable
Rasmussen: A policy that is not enforced is really no policy at all—it becomes a guideline if anything. What have you seen as the best practices to ensure that policies are enforced and active in the business environment?
Daiuto: Our last Policy Management Series illustration and roundtable focused on the importance of communication and training. Now we're taking policy management to the next level to address how to enforce policies. Clear expectations and consequences need to be defined and communicated, not only to ensure employees understand the impact of their decisions, but also to set protocols for how to address issues of non-compliance in a consistent, legally sound manner. Consistency in addressing similar investigations is necessary and expected by regulators. Lastly, organizations establish measurable controls, monitored either manually or automatically, that identify weaknesses to address and remediate.
Lin: Policy enforcement is much more about the aspect of behavior versus control. While the compliance department provides oversight and accountability by ensuring that policies are followed, the ultimate goal is driving good behavior; otherwise, you're settling for compliance by proxy and a weak “check-box” mentality. Good policy provides a measure to address the issue of behavior, to close the loop so that nothing falls through the cracks, and to show consequences of non-compliance. One way to close the loop is to perform assessments to ensure things are being enforced rather than just looking for incidents and issues that show they are NOT enforced. Compliance is both a monitor of non-compliant behavior and the enforcer of those policies; plus, it should connect policies with issues and implement any corrective action plans that are required.
Campbell: Policies have to provide clear statements of company expectations and must be easily accessible. Tracking the frequency of employee access to specific policies provides useful data points. The importance of training and ongoing communications about specific policies cannot be overemphasized. Short reminders of key policy points, with practical examples specific to employee populations and links to additional guidance, are effective. Timing can help—sending reminders about gift and entertainment policies as holidays approach or on antitrust policies before key industry events. Provide targeted training for specific managers on company expectations, including enforcement. Periodic certifications are important, for both employees and managers, especially when coupled with periodic assessments to ensure they are getting the message. When policy violations occur, take action—the more visible the better. Talking with managers about violations—and lessons learned—helps ensure policies remain active. Tracking these elements on an ongoing basis is key to measuring success.
Rasmussen: Let's talk about the problem of exceptions—organizations often have no visibility into what exceptions to policies there are in the environment. How do organizations go about documenting and managing exceptions?
Campbell: There is a clear movement to adopt automated workflow solutions, providing stakeholders the ability to initiate and manage policy requests across the enterprise, providing alerts, approval steps for each exception and notifications to policy owners for review against each version of a specific policy. Automated solutions include the use of hotline and case management tools and gifts/hospitality, anti-trust and conflict of interest registers. Policy owners then have visibility into the exceptions against each policy and whether policies need to be reevaluated or updated as a result of exceptions. Documentation of exceptions also provides an audit trail should internal & external audit or regulators wish to review.
Daiuto: A lack of insight into policy exceptions is risky, especially with no accountability. To reduce your risk, develop a standard policy exception management process, with clear expectations and accountability. Once your program is defined, establish a systematic, workflow-driven method for requesting, reviewing, approving, and documenting all exceptions. Exceptions typically have date parameters for when the exception expires and/or needs another review and approval. Ensure that your system tracks the status and deadlines of each exception to easily identify which exceptions are up for expiration and review. Lastly, any changes in policy need to be clearly communicated to the participants in the exception management process, as they may impact their decisions on how to move forward with each exception.
Lin: The approach we favor is to ensure that any and all exceptions are fully documented and associated with specific versions of a policy. There should be a process of reviewing exceptions as new versions of the policy are being developed. This requires a robust version tracking system. Exceptions can then be accounted for and included in the policy. Exceptions have to be included in the approval process as well, to retain approvals for the exceptions as versions of the primary policy are changed. If you find that there are too many exceptions to manage, you may need to re-evaluate your policy; there could be a fundamental change required. Exceptions need to be tracked just like the policy versions so you have an audit trail and you're defensible.
Rasmussen: The challenge of modern business is that it has no boundaries—business is a web of relationships with partners, suppliers, vendors, outsourcers, service providers, consultants, and more. How do you implement and enforce policies in the extended business environment?
Lin: You should take a similar approach to policies as you do to your code of conduct, by extending a version of your code to your suppliers, almost as a matter of contractual agreement. In the spirit of enforcement, be prepared to follow through on that supplier code just as you would your internal code. A supplier/vendor code ensures you are as defensible with your suppliers as you are with your employees, and your suppliers need to be prepared to submit proper disclosures and exceptions just as you would require of your workforce. And, just as you would with your employees, survey your suppliers to gauge their understanding of policies and ensure they are abiding by your rules of engagement. Most often, specific policies are an outgrowth of your code, and most business relationships fully understand the need, and the value, of having an ethical, compliance-focused partnership.
Campbell: Organizations, as they do with employees, should adopt similar policy enforcement with any third party that is supplying to or representing the interests of the organization. This includes extending access of your policy monitoring and tracking processes to the respective third parties. Organizations should also implement third-party/supplier code of conduct policies that are distributed to external stakeholders to certify and attest to, building awareness of your organization's compliance-focused culture.
Daiuto: As a baseline, everyone working for your company and with your company should understand the basic principles and ethical environment of the company. It is important that individuals who own third-party relationships, and the third parties themselves, have a clear understanding of expectations and changes in those expectations. Recognize that there are many parts of the organization that interact with third parties. A comprehensive, documented third-party compliance program that includes procurement, compliance, legal, and business operations is essential. Next, organizations typically categorize their third parties based on risk, and then communicate the policies, procedures, and controls expected for each third party to mitigate the risk. Many companies require third parties to complete online assessments as evidence that the appropriate practices are in place and effective. Any issues, failed controls, or exceptions are managed and documented appropriately. This becomes an iterative process that is typically repeated once a year, especially for high-risk third parties. Any key changes in the relationship with the third party, including contract changes, ownership changes, or changes in the type of services provided, should be flagged and reviewed by the appropriate resources to determine if there are new risks and/or new compliance expectations.