During our recent webinar, we provided an in-depth tour through the findings of our 2015 Ethics and Compliance Policy Management Benchmark Report.
Webinar attendees asked a number of valuable questions on policy management best practices. Below are answers to ten of the top audience questions.
1. Is there any best practice information on how often existing policies/procedures should be formally reviewed?
A schedule for reviewing and updating policies should be agreed to and established by policy stakeholders, then followed and audited. To determine the right schedule for policy review, consider your organization’s risk factors and create a cohesive plan. Policies related to higher risk areas will need more frequent review than low risk areas. Generally speaking, an annual review plan is a good practice.
2. What is a typical number of policies or documents that a medium-sized company should have for an E&C program?
There is truly no one-size-fits-all approach. The number of policies you need must be determined by your organization’s risk assessment. For example, a medium-sized healthcare organization may need a very different number and array of policies than a medium-sized retail organization. At a bare minimum, your policies should mirror the risks identified in your code of conduct.
3. Do organizations have policy review committees that cut across departments/functions?
Yes, and in fact, this is best practice for policy management. We recommend that organizations form a Policy Oversight Committee comprised of senior leaders and other key policy stakeholders across departments. The Committee is responsible for developing and implementing policies, procedures, and controls throughout the organization. This approach helps ensure alignment with the organization’s vision, mission, and values, and helps set a tone of enterprise-wide respect for policy practice by making policy management a priority worthy of time and resources. For more on how to build and organize a Policy Oversight Committee, see pages 8-10 of our Definitive Guide to Policy & Procedure Management.
4. Do you foresee any negative legal implications with the implementation of policies? For example, if a policy is created but not effectively monitored or utilized, could this be even more detrimental than no policy?
Having no policy poses the highest risk. Without policies, each employee is left to their own devices, and an organization can never say that an employee “violated policy.” Also, the Federal Sentencing Guidelines for Organizations and other compliance guidance require that an organization have policies and standards and that it effectively communicate those policies and standards to its workforce. A policy that exists but is not monitored or enforced does create risk, but it is a lesser risk than having no policy at all, and the remedy is to monitor and enforce it, not to withdraw it.
5. How does third party risk management play into policy management?
Third parties must also attest to an organization’s policies, as the legal risk of misconduct by third-party vendors is comparable to the risk of misconduct by employees. The ability to show that third parties have read and attested to policies is a critical legal defense. For more on this, see our blog post, “Waking Up to Massive Third Party Risk Exposure.”
6. We are looking at reducing the number of policies we currently have, taking a “less is more” mentality. Do you recommend this practice?
As a rule of thumb, policies are necessary when they define organizational values or mandates, address regulatory obligations, or manage potential risk or liability. Too many policies burden the organization; too few expose it to unnecessary risk. See page 20 of our Definitive Guide to Policy & Procedure Management for a list of questions that can be helpful in determining which policies are necessary. And, as always, policies need to be based on a risk assessment for your unique organization.
7. Is on-boarding the best time to train employees on policies?
It is a great time, but it is not the only time. For many new employees, on-boarding can include so much information that some messages may be lost or diluted. As a result, employees should be periodically re-trained on policies to ensure they remain top of mind. The frequency of re-training should be determined by a risk assessment and your Policy Oversight Committee. In addition, if an employee changes roles or moves to a different geographic location, additional policy training may be needed at that time.
8. If an organization has not routinely reviewed its policies in several years and wishes to revamp its program, should the organization develop a paper process before acquiring a policy management system?
Establishing a process for sound policy management is important, but it is not critical that a “paper-based” approach come first. The decision to automate the process with policy management software can itself provide the energy and focus needed to establish the workflows and processes that a best-practice program requires. For more on starting an effective policy management program, see our Definitive Guide to Policy & Procedure Management.
9. Are there best practices for policy exceptions? How do other businesses log policy violations?
As a best practice, policy exceptions and violations should be logged and tracked in an incident management system and followed up on, whether through a formal investigation or by other means. All actions related to the policy exception or violation should be documented, including who approved an exception, for how long, and under what conditions. Of course, exceptions can be tracked in a number of ways, but the more automated the process is, the easier it will be to ensure that each exception has been properly reviewed. Failing to follow up on a reported exception creates real risk for the organization.
10. In the survey and in your consulting work, do you differentiate between E&C policies and operational policies (HR, finance, security, IT systems access, etc.)?
No differentiation was made in the survey. In our consulting practice we tend to see policies, procedures, SOPs, and departmental guidelines. In terms of policy management, an organization needs to define for itself which kinds of documents require a specific workflow and approval process. This is often set out in a “policy on policies.” Any document that is identified as a policy should be reviewed and vetted by all critical stakeholders. Procedures, SOPs, and guidelines should be clearly identified as such, but may be subject to differing levels of review and approval.