Best practices in policy management

Ethics and compliance officers have a new resource against which to benchmark their own policy and procedure management program.

That resource is NAVEX Global’s 2018 Ethics & Compliance Policy & Procedure Management Benchmark Report, representing over 1,200 respondents globally who influence or manage their company’s ethics and compliance program. In this year’s report, NAVEX Global ranked each program’s maturity level as either advanced; maturing; basic; or reactive.

In a Webinar discussing the report, Carrie Penman, chief compliance officer of advisory services at NAVEX Global, explained that each company’s program maturity level was rated based on several key criteria: “Do they proactively update and create policies, or do they more reactively update documents when a problem arises? Do they leverage software to automate the policies, track attestations, test for comprehension, and can they easily access audit trails? Do they have systems in place to manage version control and accessibility to key documents?”

According to the report’s findings, 65 percent of respondents have basic or reactive policy and procedure management programs, while 21 percent have a maturing program. Just 14 percent were classified as advanced.

“Effective policy management can really impact every area of an ethics and compliance program, starting with the code of conduct,” Penman said. “Effective policies are required to be kept up to date with new regulations to clearly outline expectations and processes, with the ultimate objective of impacting behavior and ultimately the organizational culture.”

Taking cues from companies with advanced policy and procedure management programs, prudent ethics and compliance officers who are seeking to mature their own programs are advised to consider the following steps:

“Effective policy and procedure management is truly a shared responsibility across the organization. That was clear in some of the data.”
Carrie Penman, CCO, Advisory Services, NAVEX Global

Be proactive about reviewing policies. Advanced and maturing policy programs are more proactive and sophisticated in their approach to policy management concerning the creation and review of policies. This includes maintaining records and updating policies before issues arise. Reactive programs, in comparison, typically review policies only after an issue arises.

Leverage software tools to automate processes and keep a centralized repository of policies. Companies with advanced policy management programs automate their policy management systems, which ensures that employees can access the latest versions of key policies. Given the rapid clip at which some regulations change, “making sure employees have the most current version of a policy at any time is important,” Penman said.

Reactive programs, in comparison, typically rely on manual processes to perform basic tasks. “This leaves them without audit trails, version control, or consistent metrics to measure program effectiveness,” the NAVEX Global report states. Best practice is to review policies every one to two years and whenever an associated regulation or requirement changes.

Additionally, advanced and maturing policy management programs tend to manage a wider variety of policies, procedures, or other related documents, whereas reactive programs tend to manage fewer. The NAVEX Global report found that 77 percent of respondents, overall, manage 10 or more unique policies, and 83 percent manage 10 or more unique procedures.

Moreover, 23 percent of respondents said they manage more than 100 policies, and 35 percent manage more than 100 procedures. This is particularly true of highly regulated industries—healthcare, finance and insurance, and manufacturing—all of which often manage over 100 procedures.

Respondents to the NAVEX Global report cited a wide variety of policies and procedures being managed, but the top four cited were codes of conduct; HR, labor and employment policies; IT/data security; and conflicts of interest.

Finally, companies that use an automated policy management system indicated that they’re more likely to have a dedicated compliance officer (63 percent vs. 47 percent of respondents whose companies don’t use automated software). They are also more likely to conduct a periodic assessment of their risk profile and program (67 percent vs. 57 percent); have anonymous hotline reporting with consistent investigations (75 percent vs. 63 percent); and employ a risk-based due diligence approach for third parties (51 percent vs. 39 percent).

Maturity level for policy & procedure management

Note: This year we measured program maturity by the various tactics and techniques organizations employed. This is different from last year where respondents self-selected their program maturity level. We will use this maturity model throughout this report to draw attention to best practices for policy management programs.
Findings: For those respondents who have policy management as part of their responsibilities:
A sizeable number of organizations are operating at basic or reactive levels when it comes to policy and procedure management (65%). While about one in five organizations is maturing (21%), only a small percentage (14%) can be classified at a more advanced stage.
Smaller organizations and government or not-for-profit organizations are more likely to be classified as reactive in their policy management processes.
An organization’s annual revenue does not appear to be strongly associated with higher levels of maturity.
There does, however, appear to be an association between the number of employees in an organization and maturity level, with larger organizations being more mature in their formal practices than smaller organizations.
Analysis:
Advanced programs are more proactive when it comes to creating and reviewing their policies. They leverage software tools to automate their processes and keep a centralized repository of key documents.
Reactive programs are more likely to review policies after an issue comes up, and rely on manual processes and manpower to perform the most basic practices. This leaves them without audit trails, version control or consistent metric 21% 20% 14

Source: NAVEX Global

Require some form of attestation or certification. Most respondents (86 percent) said they require all employees to formally attest to at least one policy and nearly half (48 percent) require annual recertification. Additionally, 53 percent of companies with over 5,000 employees said they require third-party attestations, while another 29 percent said they do not, but do require equivalent certifications in vendor contracts. “This is an opportunity to review these practices for organizations who have third parties acting on their behalf,” the NAVEX Global report stated.

Have a ‘policy on policies.’ A policy on policies—documented guidelines for how to create and distribute new policies—is a very important part of a best-in-class policy and procedure management program, Penman said, which 64 percent of all respondents indicated that they have. Having a policy on policies helps to ensure that all policies remain in the same format, making it easier for employees to find essential information, she said.

Make policy management a cross-functional responsibility. Companies with advanced policy management practices tend to involve more departments (three on average) concerning decision-making responsibility for policy and procedure management than basic and mature programs (two on average), and reactive programs (one on average).

“Effective policy and procedure management is truly a shared responsibility across the organization,” Penman said. “That was clear in some of the data.” Among all respondents, 44 percent said that compliance and risk is the decision maker in policy and procedure management, followed by HR (39 percent), the board of directors (36 percent), and legal (34 percent).

Leave decision-making authority with management. Although 36 percent of respondents said that their boards act as decision makers on policy management, that is not a recommended best practice. “It’s good that the board is involved, but its role needs to be properly calibrated,” Penman said.

Best practice is for decision-making authority to rest with management, with the board playing an advisory role. “Board members should be influencers on policies and procedures, not the decision-makers or the individuals who run the actual program,” Penman said. Exceptions should only be made for making decisions on the code of conduct and other policies addressing high-risk areas, she said.

Have in place an escalation policy. “In much of the work that I have done with our customers, one of the most important policies that a compliance program needs to have is an escalation policy on what needs to be escalated—whether it be to the board or senior management—and in what timeframe,” Penman said.

Mature and effective policy and procedure management programs ultimately translate into a more robust ethics and compliance program. In fact, companies with advanced policy and procedure management programs rate themselves more highly in every aspect of their overall ethics and compliance program, including in the areas of keeping up-to-date with new regulations (81 percent), legal defensibility and governance (79 percent), and board reporting and engagement (77 percent).

Companies with best-in-class policy and procedure management programs, NAVEX Global concludes, are more likely to take a proactive approach to creating, reviewing, and updating policies and procedures; more likely to involve multiple departments in the creation and review of policies; and more likely to track metrics on program effectiveness, with the board in an oversight role.