So you wrote a policy—now what?  Policies are only effective if you can show that they have been communicated and understood. Having a written policy that no one knows about is just like having no policy at all. You cannot hold people accountable to a policy until you have made them aware of the policy. Unfortunately, many organizations have scattered approaches to publish and communicate policies.

I am on a mission to refocus organizations on how they approach policy management and communication. Not only are businesses failing in consistent and effective policy development and management, they are also behind the times in how they can communicate policies.

The written policy will always be critical as it defines what is allowed and disallowed explicitly in writing.  The difficulty is that the written policy document, while necessary, is no longer good enough.  We work and live in a YouTube world.  Video and interactive content has become critical to every function of the world around us.  Much to my disappointment people do not read as much as they used to.  This is complicated by the fact that organizations have employees with varying learning levels and abilities.  One of my own sons has struggled with dyslexia throughout his childhood; a hard worker but struggles to read.

Question to ponder: How do we ‘effectively' communicate policies in a world where video and interactive content has become the preference of individuals? In other words, how do we communicate policies to a generation of workers that has been raised on YouTube and interactive content?

We have to make sure policies are communicated and understood. This requires that certain policies have training and interactive learning to ensure individuals understand. Survey and testing is an integral part of training to validate that policies are understood.  Other mechanisms for communication involve comedy, e-mail reminders, mention at company meetings, policy-related learning activities, and other media.  Policies do not have to be boring written documents—they can be written actively and use interactive learning to engage the audience.  Even a written document itself can be engaging to read. Proof point: go out and Google for Google's Code of Conduct, very well written and engaging. Combine this with interactive learning to deliver the message and you have a powerful mechanism to guide behavior in the organization.

Effective policy communication requires that the organization has an ability to communicate and train individuals on policies that is easy to use and accessible.  This includes the capabilities where:

1.   Any employee (across geographies and abilities) is able to log into a centralized policy system and be able to find all of the policies that relate to their role in the organization.

2.   Policies are written clearly in a consistent template and style that reflects the culture and tone of the organization and in a way that the average reader can understand (use active voice, remove cluttered language, 8th grade reading level).

3.   Clearly communicate tasks for training or acceptance of policy and it should be apparent how to ask for clarification on policy if the individual has questions.

4.   Critical policies are to have a video or interactive component in which the policy is explained to the individual.  The goal is to leverage interactive content to engage the employee on how to comply with the policy.

A closing comment: Effective policy communication is a critical component of a strong compliance program.  In the Morgan Stanley bribery incident, the U.S. Department of Justice stated that Morgan Stanley had a strong compliance program and was not pursuing further action against the company itself.  Part of what Morgan Stanley was able to demonstrate was how often policies and training were completed by employees.

My point is simple—we need the written document, but we also need to make sure people understand it.  Let's not make this a burden for employees. Write clear policies that are accessible and easy to read, and provide the relevant training and interaction to make sure they are understood.


Approaching Effective Policy Communication: An OCEG Roundtable

Rasmussen: Over the past 20 years we have seen the evolution of policy management in corporate environments. Historically, the focus was on having the right written policies. The past decade we have seen a shift to making sure that policies are properly understood and communicated. What is driving the focus on policy communication and training?

Daiuto: Three key factors have impacted the importance of effective policy communications and training. First, the continued increase in regulations and regulatory scrutiny have driven organizations to recognize that simply posting policies on an Intranet site or handing out a new employee handbook are not effective ways to ensure that employees truly understand the company's guidelines. Nor are they effective in creating an audit trail of defensibility if and when it's needed. Second, globalization has expanded a company's employee population into different cultures, beliefs, and geographies. Reaching these employees and ensuring consistent, effective communication can be complicated. Third, the trend toward outsourcing and the use of third parties has increased many companies' responsibilities and risks of bribery, corruption, and other misconduct. Again, finding ways to reach these resources and effectively communicate to them can be a challenge. All of these factors require organizations to be thoughtful and active in developing effective, deliberate, impactful policy communications and training to reduce risk and ensure defensibility. Ultimately, for most organizations, a strong ethical culture is among the most important values in a company.

Lin: Your workforce is both your greatest asset for compliance as well as the biggest area of risk. We've seen the focus of policies shift away from content and more toward making sure your employees are engaged in the process, so that they really understand policies and how policy affects day-to-day activities. Just having the policy “on the books” isn't going to protect your organization if your employees don't get it. Treat the code of conduct as the foundation and most basic and abiding policy you can have. Then focus on how employees consume policies, with embedded training and multimedia components, to build this employee engagement. When you look at your policy initiatives in that way, you build a level of defensibility and have a much better chance of preventing issues in the first place.

Campbell: The changes in corporate governance have been massive over the last decade or so. First and most obviously, laws and regulations quite often require policies and procedures, and they often play a critical role if and when there is a need to defend against legal or regulatory action. This is especially true in certain industries and in certain key areas. While this is relatively new, failure to comply can lead to significant fines and penalties. But the evolving need goes far beyond simply satisfying legal and regulatory requirements. While a company's Code of Conduct—again, a relatively new mandate—provides general guidelines for employee behavior, it's the policies and procedures that provide specific applications and help employees understand concrete ‘how to' issues as well as abstract issues. And effective policies and procedures are often necessary to achieve efficiency within the business and to generally manage risk. And, finally, they assure consistency throughout globally diverse and far-flung organizations.

Rasmussen: Let's face it—we live in a YouTube generation. As a result, people are focused on video and have short attention spans. How do we effectively manage and communicate policies in a YouTube generation?

Lin: The key is engagement and providing an insightful, educational experience. The theory behind cognitive learning is that people learn faster and retain more when they're presented with the written word and multimedia in close proximity. Visual references provide context for the intent behind the policy. That's how the majority of the workforce gets and consumes information nowadays, in concise, memorable bits that constantly reinforce a common message and, in terms of managing policies, drive desired behavior. Policies are worthless if employees can't understand, retain and apply them.


Michael Rasmussen,Moderator

Principal Analyst,

GRC360° Research

Colin Campbell,

Global Head

of GRC Product Management,

SAI Global

Leila Daiuto,

Senior Director, Axentis,

Wolters Kluwer

Audit, Risk & Compliance

Jimmy Lin,

VP of Product Management & Corp. Development

The Network

Source: OCEG.

Daiuto: The message must be relevant and timely in order for your employees to truly comprehend the information. Despite the different technology available to us today, people learn differently. Education and training is a very individual experience and supporting your employees by offering an integrated approach to training is critical. Some people learn by reading, some people learn by hearing and some people learn by doing. There are lots of technologies and solutions available to help support an integrated approach to training and certification. Regardless of the technology or approach, education and training should always be focused, targeted, and reinforced—all will help improve retention and ultimately improve overall compliance.

Campbell: Just as in other areas of compliance and ethics, different methods of communication are required depending on the risk and audience identified. In many cases, requiring online attestation or certification of policies after they're read online is an effective and recommended strategy. On the other end of the spectrum, policy attestation and certification might not always be necessary and policies can be referenced on an as-needed basis. And, to your point, there are times when a policy can be either very complex, required, or so important that sustained training using different methods is quite integral to the communication plan. This approach could include several different communication methods including Web-based video training courses, short video reminders, e-mail, etc. It's important to know what you're trying to communicate, its importance, and the methods that best achieve your objectives.

Rasmussen: Many organizations tackle policy communication and training in a variety of silos from learning management systems, policy portals, e-mail, to Intranet sites. What is the value of a centralized technology architecture/solution to manage, document, and monitor the policy communication and training process?

Campbell: The introduction of technology allowed corporate policies to be more accessible. However, without centralized management of policies, they were stored in a variety of locations, e.g. corporate Intranets, file directory systems, or even on a local hard drive. This didn't help to ensure that employees were using the current policy version for their role, location and responsibility, and policies were not updated consistently as a result of changes to regulations, laws, and corporate risks. Centralized policy management tools, such as those provided by GRC platforms, offer hope to these dilemmas. Features and benefits of such tools include: version control, multiple policy formats, accessibility, or keyword search. Organizations can also employ a wider range of communication options, and it often makes sense to employ communication methods depending on the risk and audience identified. In many cases, requiring attestation or certification of policies by certain audiences is an effective and recommended strategy. Attestation and certification methods should be flexible based on the geographical location of employees, the relevance of the policy to the individuals role, and—importantly—the learning styles of individuals. These include e-mail announcements to individuals and structured policy certifications via questionnaires or delivered in learning styles as part of a broad compliance and ethics program.

Daiuto: Comprehensive, integrated policy communication and training solutions enable the compliance professional to author, publish, target, distribute, communicate, train, track, and report within a single platform. This creates consistency and efficiencies in the compliance office. In addition, regulators want proof, not just assurance that your compliance program is working. A comprehensive, automated compliance system is much more effective and efficient for implementing an evidence-based approach by storing, organizing, and managing all “evidence of compliance”—policies, training records, certifications, etc. Lastly, hosted systems allow for the organization to not only reach their employees worldwide, but also relevant third parties.

Lin: Integrating communications, training, and policy management systems breaks down those silos, so you can see the connection points rather than the disparities. You can track and analyze compliance data as it relates to your policies and workforce training, such as your attestation or certification rate. You can also incorporate how you manage disclosures, exceptions, and even violations when you integrate your policy and training systems into your incidents database to correlate issues. A centralized solution also drives collaboration as well as the more efficient use of resources to manage how your policies are created, distributed, consumed, and applied, by bringing those functions into closer alignment.