Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, which must be adapted according to the nature of your industry and the size, culture and risk appetite of your organization. This role needs to have clear ownership at senior management level.
Organizations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realize competitive advantage.
Achieving and maintaining policy compliance becomes more difficult to sustain as organizations grow, become more geographically dispersed and more highly regulated. But, it doesn't have to be this way.
The Purpose of Policies and Procedures
Policies and procedures establish guidelines to behaviour and business processes in accordance with an organization's strategic objectives. While typically developed in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a risk-free, efficient and compliant way.
Here are some of the most common grounds for policy non-compliance:
So, what is the secret for effective policy management?
Six Steps to Policy Excellence
Step One: Create and Review
External factors that affect policies are evolving all the time. For example, technology advances may lead to information security policies and procedures becoming obsolete. Additionally, changes in the law or industry regulations require operational policies to be frequently adjusted. Some policies, such as Payment Card Industry DSS compliance, have to be re-presented and signed up to on an annual basis.
Typically, most "policy" documents are lengthy, onerous and largely unreadable. Many are written using complex jargon, and most contain extraneous content that would be better classed as procedures, standards, guidelines and forms. Such documents should be associated with the policy. Documents must be written using language that is appropriate for the target audience and should spell out the consequences of non-compliance. Smaller, more manageable documents are easier for an organization to review and update, while also being more palatable for the intended recipients. Inadequate version control and high production costs can be reduced by automating the entire process using an electronic system.
Step Two: Distribute
Step Three: Achieve Consent
A process needs to be implemented that monitors users' response to policies. Policy distribution should be prioritised, ensuring that higher risk policies are signed off earlier by users than other lower risk documents. For example, an organization may want to ensure that a user signs up to their Information Governance policy on the first day that they start employment, whilst having up to two weeks to sign up to the Travel & Expense Policy. Systems need to in place to grant a user two weeks to process a particular document, after which the system should automatically force the user to process it.
Step Four: Understanding
Step Five: Auditability
Step Six: Reporting
Being able to quickly drill down for specific details in areas of poor policy compliance dramatically improves management's ability to understand and address underlying issues.
Bringing It All TogetherTo check the level of policy compliance that exists within your organization you need to periodically answer the following questions:
For those organizations that are serious about staff reading, understanding and signing up to policies, they should consider adopting automated policy management software. This raises standards of policy compliance and provides managers with practical tools to improve policy uptake and adherence.
Ultimately, policy compliance is about getting people to do the right thing, in the right way, every time. Ensuring everyone understands what is expected of them and how they are required to carry out their jobs according to corporate policies and procedures is not a new practice. Embedding an automated policy management solution into an organization is really the only viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
Doing so empowers people to do their jobs within an acceptable governance framework rather than constrained by a rigid set of unenforceable rules. By effectively handling the policy management lifecycle you can create a firm foundation for effective risk mitigation and governance. Automation helps the benefits of policy compliance for board members, line managers and the general workforce get to grips with policy compliance and puts forward a cost-efficient approach for achieving policy excellence.
Share This Article
© Copyright 2011 Auerbach Publications