A Basic Approach to Managing Policies
As Sam Abadir wrote in NAVEX Global’s Top 10 Risks & Compliance Trends for 2020, “risk has changed. It’s not simply forceful. It’s fluid. It’s subtle. It’s malicious.”
How can you manage today’s risk that’s forceful, fluid, subtle, and malicious? What we’ve seen so far is ever more complex approaches to risk management. We see value in mastering policy management’s foundational elements. Applying the 80-20 rule, executing on the fundamentals (20 percent) would accomplish 80 percent of today’s risk management.
That’s why today we’re kicking off the monthly blog series, Risk Management: Back to Basics. Over the next five months, we’ll feature a core pillar of risk management and share practical tips you can implement right away.
Today’s topic: policy management.
The purpose of policies
Policies govern people and processes, which help protect workers, the company, and the bottom line.
For example, safety policies lower the risk of workplace injuries and assist the company in managing the risk of litigation from unsafe operations. Another example is a code of conduct, a policy designed to guide employees on proper behavior while at the same time instilling corporate culture and helping prevent issues. In short, policies help manage risk.
As Michael Rasmussen of GRC 20/20, who frequently blogs about policy management, states:
“Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.”
“Managed” and “enforced” should be emphasized. Policies don’t do well with a “set it and forget it” approach. Rasmussen describes what often happens to policies that are left without oversight over time, and why it makes them less effective.
“Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.”
Get back to the basics
Basic policy management equips you to do what’s necessary to keep critical policies current and serving their purpose. There are four key strategies.
Prioritize your most important policies
In a perfect world, you’d review all policies annually. The reality is there isn’t time for that. Take a savvier approach and categorize your universe of policies based on criticality to business operations. This NAVEX Global whitepaper features 20 questions you can ask that aid in prioritizing policies.
Prioritization makes reviewing policies more manageable. Use criticality to determine the frequency of policy reviews: for the most critical policies, opt for quarterly reviews; for less critical policies, semi-annual reviews; for non-critical policies, annual reviews. By doing this, you lower your odds of an incident involving a policy failure. That’s risk management.
Review policies with a committee
Policy management may be your primary responsibility. However, when conducting policy reviews, a committee makes more sense. A policy review committee helps ensure a diversity of viewpoints and offers a representative view of the employee base.
Your committee should be composed of employees from different departments. NAVEX Global’s Definitive Guide to Policy & Procedure Management also offers another reason for multiple department representatives. “The committee ensures alignment with the organization’s vision, mission, and values at the heart of its business.”
The policy review committee’s work entails not only reviewing policies but also updating policies and drafting new policies to address critical gaps. Their efforts assist in managing risk to employees and the organization.
Communicate policies and updates to the workforce
The last thing you want to hear after an incident is, “I had no idea that was the policy.” Employees not knowing critically important policies is as bad as lacking policies. Another flash point is policies that have been updated, but the news isn’t widely known.
It’s imperative that you communicate new policies and policy updates to employees. Don’t stop at the tried and true, such as email notifications. Develop a catchy theme to make the news memorable. Put posters up in break rooms and common hallways and place table-top cards in conference rooms. You should also require attestations to prove employees received the policy or change and then, for added measure, test their comprehension. Do they know it? Challenge them with a quiz.
Communicate policies and updates to third parties
The same importance placed on employee policy communications also applies to third parties like vendors, partners, and affiliates. Additionally, these entities may require specific policies for engaging with the company.
During the contracting process, it’s important to ensure third parties are aware of and understand the policies that pertain to them. To accomplish this and manage risk, request policy attestations from every third party and test their comprehension. Opportune times to communicate policies to third parties are when you onboard them and when you perform your regular assessments.
Organizational policies help manage risk that’s forceful, fluid, subtle, and malicious. However, many organizations lack the time and resources to follow all the best practices of policy management. You need a basic approach that focuses on the most critical policies that impact employees, the company, and third parties.
Next month’s Risk Management: Back to Basics post will cover another core pillar: frameworks.