I find that ineffective and unenforced policies are rampant within organi­zations, and are a thorn in the side of compliance and policy managers.

Mismanagement of policy has grown exponentially with the proliferation of documents, collaboration software, file shares, and Websites. Organizations end up with policies scattered on dozens of sites with no defined understanding of what policies exist and how they are en­forced. An ad hoc approach to policy management allows anyone to create a document and call it a policy—exposing the organization to unnecessary liability. Policies end up being written poorly, out of sync, out of date, exceptions are not documented, and the organization has no evidence if the policy is enforced.

Document-centric approaches to poli­cies—that lack technology to manage communication and enforcement—are a recipe for disaster. While it appears easy and cheap to just use documents and send them out via e-mail, or post them in a file-share or Website, the reality is that the cost to the organization is significant in the ex­posure of ineffective policy management.

The following is a checklist you can use to understand if your policy manage­ment system enables effective policy im­plementation and enforcement across the policy lifecycle:

  1. Provide a consistent policy manage­ment framework for the entire enter­prise.
  2. Manage the policy lifecycle of cre­ation, communication, implementa­tion, monitoring, maintenance, revi­sion, and archiving.
  3. Deliver a system to document, ap­prove, monitor, and review excep­tions to policies.
  4. Consistent format for policy assess­ments and surveys to gauge compli­ance and understanding.
  5. Integrated eLearning and training quizzing and attestation.
  6. Provide easy access to policies in the right language and format for the au­dience.
  7. Gather and track comments to poli­cies.
  8. Map policies to obligations, risks, controls, and investigations so there is a holistic view of policies and met­rics.
  9. Provide a robust system of records to track who accessed a policy as well as dates of attestation, training, and read-and-understood acknowledgments.
  10. Provide a user-friendly portal for policies with workflow, content man­agement, and integration to other systems.
  11. Provide a calendar view to see poli­cies being communicated to various areas of the business, and ensure policy communications do not bur­den employees with too many tasks in any given time period.
  12. Provide links to hotlines for report­ing policy violations.
  13. Publish access to additional resources such as helplines, FAQs, and forms.
  14. Enable cross-referencing and link­ing of related and supporting policies and procedures so users can quickly navigate to what is needed.
  15. Create categories of metadata to store within policies, and display docu­ments by category so policies are eas­ily catalogued and accessed.
  16. Restrict access to policy documents so readers cannot change them, and sensitive documents are not acces­sible to those who do not need them.
  17. Keep a record of the versions and in­teractions of each policy so the orga­nization can refer to them when there is an incident or issue to defend the organization or provide evidence for.
  18. Maintain accountable workflows to allow certain people to approve policy documents, and move tasks to others with full audit trails.
  19. Deliver comprehensive metrics and reporting on the status, implemen­tation, understanding, and enforce­ment of policies.

Although you may be able to imple­ment a few of these features using a build-your own or document centric approach, the cost in training, maintenance, and management time, let alone the legal rami­fications due to lack of audit trails, makes it a risky venture for policy management.

Effective Policy Enforcement Across the Enterprise: An OCEG Roundtable

Rasmussen: A policy that is not enforced is really no policy at all—it becomes a guideline if anything. What have you seen as the best practices to ensure that policies are enforced and active in the business environment?

Daiuto: Our last Policy Management Series illustration and roundtable fo­cused on the importance of communi­cation and training. Now we're taking policy management to the next level to address how to enforce policies. Clear expectations and consequences need to be defined and communicated, not only to ensure employees understand the impact of their decisions, but also to set protocols for how to address is­sues of non-compliance in a consistent, legally-sound manner. Consistency in addressing similar investigations is necessary and expected by regulators. Lastly, organizations establish mea­surable controls that can be monitored either manually or automatically that identify weaknesses to address and re­mediate.

Lin: Policy enforcement is much more about the aspect of behavior versus control. While the compliance depart­ment provides oversight and account­ability by ensuring that policies are fol­lowed, the ultimate goal is driving good behavior; otherwise, you're settling for compliance by proxy and a weak “check-box” mentality. Good policy provides a measure to address the issue of behavior, to close the loop so that nothing falls through the cracks, and to show consequences of non-compliance. One way to close the loop is to perform assessments to ensure things are being enforced rather than just looking for incidents and issues that show they are NOT enforced. Compliance is both a monitor of non-compliance behavior and the enforcer of those policies, plus they should connect policies with is­sues and implement any correct action plans that are required.

Campbell: Policies have to provide clear statements of company expectations and must be easily accessible. Track­ing the frequency of employee access to specific policies provides useful data points. The importance of training and ongoing communications about specif­ic policies cannot be overemphasized. Short reminders of key policy points, with practical examples specific to em­ployee populations and links to addi­tional guidance, are effective. Timing can help—sending reminders about gift and entertainment policies as holidays approach or on antitrust policies before key industry events. Provide targeted training for specific managers on com­pany expectations, including enforce­ment. Periodic certifications are impor­tant, for both employees and managers, especially when coupled with periodic assessments to ensure they are getting the message. When policy violations occur, take action—the more visible the better. Talking with managers about violations—and lessons learned—helps ensure policies remain active. Tracking these elements on an ongoing basis is key to measuring success.

Rasmussen: Let's talk about the prob­lem of exceptions—organizations often have no visibility into what ex­ceptions to policies there are in the environment. How do organizations go about documenting and managing exceptions?

OCEG ROUNDTABLE PANELISTS

Michael Rasmussen,
Moderator
Principal Analyst,
GRC 20/20 Research




Colin Campbell,
Global Head
of GRC Product Management,
SAI Global



Leila Daiuto,
Senior Director, Axentis,
Wolters Kluwer
Audit, Risk & Compliance



Jimmy Lin,
VP of Product Management & Corp. Development
The Network



Source:
OCEG.

Campbell: There is a clear movement to adopt automated workflow solutions, providing stakeholders the ability to initiate and manage policy requests across the enterprise, providing alerts, approval steps for each exception and notifications to policy owners for re­view against each version of a specific policy. Automated solutions include the use of hotline and case manage­ment tools and gifts/hospitality, anti-trust and conflict of interest registers. Policy owners then have visibility into the exceptions against each policy and whether policies need to be reevaluated or updated as a result of exceptions. Documentation of exceptions also provides an audit trail should internal & external audit or regulators wish to review.

Daiuto: A lack of insight into policy exceptions is risky, especially with no accountability. To reduce your risk, develop a standard policy exception management process, with clear expec­tations and accountability. Once your program is defined, establish a sys­tematic, workflow-driven method for requesting, reviewing, approving, and documenting all exceptions. Excep­tions typically have date parameters for when the exception expires and/or needs another review and approval. Ensure that your system tracks the sta­tus and deadlines of each exception to easily identify which exceptions are up for expiration and review. Lastly, any changes in policy need to be clearly communicated to the participants in the exception management process, as they may impact their decisions on how to move forward with each excep­tion.

Lin: The approach we favor is to ensure that any and all exceptions are fully documented and associated with spe­cific versions of a policy. There should be a process of reviewing exceptions as new versions of the policy are being de­veloped. This requires a robust version tracking system. Exceptions can then be accounted for and included in the policy. Exceptions have to be included in the approval process as well, to retain approvals for the exceptions as versions of the primary policy are changed. If you find that there are too many ex­ceptions to manage, you may need to re-evaluate your policy; there could be a fundamental change required. Excep­tions need to be tracked just like the policy versions so you have an audit trail and you're defensible.

Rasmussen: The challenge of modern business is that it has no boundaries—business is a web of relationships with partners, suppliers, vendors, outsourc­ers, service providers, consultants, and more. How do you implement and en­force policies in the extended business environment?

Lin: You should take a similar approach to policies as you do to your code of conduct, by extending a version of your code to your suppliers, almost as a matter of contractual agreement. In the spirit of enforcement, be prepared to follow through on that supplier code just as you would your internal code. A supplier/vendor ensures you are as de­fensible with your suppliers as you are with your employees, and your suppli­ers need to be prepared to submit prop­er disclosures and exceptions just as you would require of your workforce. And, just as you would with your em­ployees, survey your suppliers to gauge their understanding of policies and ensure they are abiding by your rules of engagement. Most often, specific policies are an outgrowth of your code, and most business relationships fully understand the need, and the value, of having an ethical, compliance-focused partnership.

Campbell: Organizations, as they do with employees, should adopt simi­lar policy enforcement with any third party that is supplying to or repre­senting the interests of the organiza­tion. This includes extending access of your policy monitoring and track­ing processes to the respective third parties. Organizations should also implement third-party/supplier code of conduct policies that are distrib­uted to external stakeholders to cer­tify and attest to, building awareness of your organization's compliance-focused culture.

Daiuto: As a baseline, everyone work­ing for your company and with your company should understand the basic principles and ethical environment of the company. It is important that indi­viduals, who own third-party relation­ships, and the third parties themselves, have a clear understanding of expecta­tions and changes in those expecta­tions. Recognize that there are many parts of the organization that interact with third parties. A comprehensive, documented third-party compliance program that includes procurement, compliance, legal, and business opera­tions is essential. Next, organizations typically categorize their third parties based on risk, and then communicate the policies, procedures, and controls expected for each third party to miti­gate the risk. Many companies require third parties to complete online assess­ments as evidence that the appropriate practices are in place and effective. Any issues, failed controls, or exceptions are managed and documented appropri­ately. This becomes an iterative process that is repeated typically once a year, especially for those high-risk third par­ties. Any key changes in the relation­ship with the third party, including contract changes, ownership changes, or changes in the type of services pro­vided, should be flagged and reviewed by the appropriate resources to deter­mine if there are new risks and/or new compliance expectations.