Best practices in policy management
COMPLIANCE WEEK MAGAZINE
JUNE 2018 ISSUE
A new study from NAVEX Global ranks companies’ management of their policies and procedures in terms of maturity. Jaclyn Jaeger has more.
Ethics and compliance officers have a new resource against which to benchmark their own policy and procedure management program.
That resource is NAVEX Global’s 2018 Ethics & Compliance Policy & Procedure Management Benchmark Report, representing over 1,200 respondents globally who influence or manage their company’s ethics and compliance program. In this year’s report, NAVEX Global ranked each program’s maturity level as either advanced; maturing; basic; or reactive.
In a Webinar discussing the report, Carrie Penman, chief compliance officer of advisory services at NAVEX Global, explained that each company’s program maturity level was rated based on several key criteria: “Do they proactively update and create policies, or do they more reactively update documents when a problem arises? Do they leverage software to automate the policies, track attestations, test for comprehension, and can they easily access audit trails? Do they have systems in place to manage version control and accessibility to key documents?”
According to the report’s findings, 65 percent of respondents have basic or reactive policy and procedure management programs, while 21 percent have a maturing program. Just 14 percent were classified as advanced. “Effective policy management can really impact every area of an ethics and compliance program, starting with the code of conduct,” Penman said.
“Effective policies are required to be kept up to date with new regulations to clearly outline expectations and processes, with the ultimate objective of impacting behavior and ultimately the organizational culture.”
Taking cues from companies with advanced policy and procedure management programs, prudent ethics and compliance officers who are seeking to mature their own programs are advised to consider the following steps:
Be proactive about reviewing policies. Advanced and maturing policy programs are more proactive and sophisticated in their approach to policy management concerning the creation and review of policies. This includes maintaining records and updating policies before issues arise. Reactive programs, in comparison, typically review policies only after an issue arises.
Leverage software tools to automate processes and keep a centralized repository of policies. Companies with advanced policy management programs automate their policy management systems, which ensures that employees can access the latest versions of key policies. Given the rapid clip at which some regulations change, “making sure employees have the most current version of a policy at any time is important,” Penman said.
Reactive programs, in comparison, typically rely on manual processes to perform basic tasks. “This leaves them without audit trails, version control, or consistent metrics to measure program effectiveness,” the NAVEX Global report states. Best practice is to review policies every one to two years and whenever an associated regulation or requirement changes.
Additionally, advanced and maturing policy management programs tend to manage a wider variety of policies, procedures, or other related documents, whereas reactive programs tend to manage fewer. The NAVEX Global report found that 77 percent of respondents, overall, manage 10 or more unique policies, and 83 percent manage 10 or more unique procedures.
Moreover, 23 percent of respondents said they manage more than 100 policies, and 35 percent manage more than 100 procedures. This is particularly true of highly regulated industries—healthcare, finance and insurance, and manufacturing—all of which often manage over 100 procedures. Respondents to the NAVEX Global report cited a wide variety of policies and procedures being managed, but the top four cited were codes of conduct; HR, labor and employment policies; IT/data security; and conflicts of interest.
Finally, companies that use an automated policy management system indicated that they’re more likely to have a dedicated compliance officer (63 percent vs. 47 percent of respondents whose companies don’t use automated software). They are also more likely to conduct a periodic assessment of their risk profile and program (67 percent vs. 57 percent); have anonymous hotline reporting with consistent investigations (75 percent vs. 63 percent); and employ a risk-based due diligence approach for third parties (51 percent vs. 39 percent).
Require some form of attestation or certification. Most respondents (86 percent) said they require all employees to formally attest to at least one policy and nearly half (48 percent) require annual recertification. Additionally, 53 percent of companies with over 5,000 employees said they require third-party attestations, while another 29 percent said they do not, but do require equivalent certifications in vendor contracts. “This is an opportunity to review these practices for organizations who have third parties acting on their behalf,” the NAVEX Global report stated.
Have a ‘policy on policies.’ A policy on policies—documented guidelines for how to create and distribute new policies—is a very important part of a best-in-class policy and procedure management program, Penman said, which 64 percent of all respondents indicated that they have. Having a policy on policies helps to ensure that all policies remain in the same format, making it easier for employees to find essential information, she said.
Make policy management a cross-functional responsibility. Companies with advanced policy management practices tend to involve more departments (three on average) concerning decision-making responsibility for policy and procedure management than basic and mature programs (two on average), and reactive programs (one on average). “Effective policy and procedure management is truly a shared responsibility across the organization,” Penman said. “That was clear in some of the data.” Among all respondents, 44 percent said that compliance and risk is the decision maker in policy and procedure management, followed by HR (39 percent), the board of directors (36 percent), and legal (34 percent).
Leave decision-making authority with management. Although 36 percent of respondents said that their boards act as decision makers on policy management, that is not a recommended best practice. “It’s good that the board is involved, but its role needs to be properly calibrated,” Penman said.
Best practice is for decision-making authority to rest with management, with the board playing an advisory role. “Board members should be influencers on policies and procedures, not the decision-makers or the individuals who run the actual program,” Penman said. Exceptions should only be made for making decisions on the code of conduct and other policies addressing high-risk areas, she said.
Have in place an escalation policy. “In much of the work that I have done with our customers, one of the most important policies that a compliance program needs to have is an escalation policy on what needs to be escalated—whether it be to the board or senior management—and in what timeframe,” Penman said.
Mature and effective policy and procedure management programs ultimately translate into a more robust ethics and compliance program. In fact, companies with advanced policy and procedure management programs rate themselves more highly in every aspect of their overall ethics and compliance program, including in the areas of keeping up-todate with new regulations (81 percent), legal defensibility and governance (79 percent), and board reporting and engagement (77 percent).
Companies with best-in-class policy and procedure management programs, NAVEX Global concludes, are more likely to take a proactive approach to creating, reviewing, and updating policies and procedures; more likely to involve multiple departments in the creation and review of policies; and more likely to track metrics on program effectiveness, with the board in an oversight role. ■
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Our solutions help organizations manage risk, address complex regulatory requirements and foster an ethical, productive workplace culture.