Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

Policy Management Best Practice

Matt Kelly | August 1, 2011

Who knew that compliance officers could get so animated about policy management?

You did, apparently, since Compliance Week had a full house recently when we held our most recent editorial roundtable on that very subject in Boston with co-hosts EthicsPoint. Faithful readers of my column will recall that I'm a recent convert to the importance of policy management, but now I consider it one of the most engrossing challenges compliance officers face. Given the (as usual) excellent discussion at the roundtable the other week, so do you. Let me review some of the highlights here.

First, I was struck by one best practice that sounds like something out of Dilbert, but actually makes much sense: having a policy about policies. More than a few roundtable participants professed to having one, and others all thought it was a good idea.

What does a policy about policies look like? One roundtable participant said she requires all policies to be no longer than two pages. That cut-off focuses the writer of the policy to focus on the core principle or objective he wants to achieve, which is what a compliance officer wants to worry about anyway: whether an employee is acting within the spirit of a rule. The employee, in contrast, wants to worry about the specific facts confronting him—and so long as the objective and principle are clearly stated, you're leaving those details the employees. That makes sense.

And to be sure, even in today's highly regulated world, some companies still need an education on how important policy management is. One roundtable participant confessed that when he first arrived at his employer (several years ago), the company had no policies at all: “we don't believe in policies” was the unwritten corporate motto at the time. That's an extreme example—in fact, on an aesthetic level, you really have to admire that sort of chutzpah—and our roundtable participant has done much to improve that attitude at his employer today. But others at the roundtable admitted that they don't have a policy on policies, or still struggle with training employees on what policies are, and so forth.

Participants also struggled for some time with exactly what a policy is. That previous idea of limiting a policy to only two pages long? Another point in enforcing that cut-off, the participant said, was to separate policies from procedures—longer explanations of how a policy goal should be achieved. One person gave a great example about IT encryption, that she had a pitched battle with the IT department over a policy that “all sensitive customer data must be encrypted” versus “all sensitive customer data must be encrypted in the following manner…” followed by a long technical description.

Our compliance officer friend argued for the shorter version, and I agree with her. We'd all do well to remember that what is a policy to one group in the corporation (say, an IT department) may well sound like a procedure to another (everyone else who doesn't speak IT-ese). Indeed, I see grave risk in passing off procedures as policies: they train employees to follow those steps down to the letter, without the flexibility to interpret a policy goal to fit the facts that confront them.

Rest assured, sooner or later the world will give your employees a set of facts you didn't anticipate, and they'll need to respond. When that happens, one of two thoughts will run through their heads: (1) What's the broad goal I still want to achieve? or (2) I dunno what's happening, so I'm just going to keep doing what I was told to do. Which thought would you rather they follow? Yep, me too.

Lastly we talked about exception requests, the bane of any policy manager's sanity. One person said she routinely sees policies that include instructions on how to ask for exception requests—hardly the sort of thing that encourages people to take a policy seriously. Another participant countered that his approach was never to explain how to submit an exception request, as a subtle pressure to employees that they shouldn't ask for one.

Good ideas and good conversation all around. Look for our full story in next week's edition. Until then, thanks to EthicsPoint for sponsoring our event, and thanks to the roundtable attendees for keeping policy management top of mind, where it needs to be.