Wednesday, May 2, 2007

Policy Management


What can you expect from your Policies?

All companies have rules and principles – some are written and some are general knowledge, handed down through the ages. These rules and principles are, in today’s terms, policies. These policies are intended to make everyone aware of what is expected of them so that, within the scope of the policy, certain behaviors or results can be expected when relevant circumstances arise.

So it is for this basic purpose, communicating expected behaviors and principles, that we have policies.

With the rise in demand both internally and externally for increasing the number of policies, many laws now require much more than just written policy.

My personal experience in having participated in countless internal and external audits, market conduct exams and litigation made it quite clear that you should expect much more from your policies than just having them.

Here are some of my key policy expectations:

Version Control – You must have version control on policies to know what practices were in place at any given time.

Available – Policies must be readily available and accessible by the workforce; also think about disaster recovery when you may have different resources temporarily performing new duties or your normal systems are not available.

Consistent format – With so many policies and procedures being read by so many people, a consistent look and feel will aid the reader in finding what they need to know – use a company policy template.

Consistent terminology – Maintain a company standard or definitions policy that explains questionable, company-specific, industry-specific and legal terms that are used in your policies to improve individuals’ interpretation and use of the policies – use company speak, not legalese.

Concise – Don’t go on tangents; stick to the point.

Simple – Keep the number of requirements being addressed to a minimum and combine similar requirements within the same policy.

Policy Development – Push requirements to a consistent group or development committee for finalizing the draft policies. They should take into consideration all the elements above as well as existing policies. They will also be representing the company's various business units/departments, so you want input and feedback from their staff during the development process to be sure that their local expertise and perspective, as well as a sense of ownership and support, get built in.

Policy Approval – The final draft policies that have already been through business unit review during development need to be approved by the executive management of the company. This should be your Enterprise Compliance Committee or equivalent that would also approve the definitions, standards/formats, etc.

Security – Your company policies are costly to develop and maintain and in some sense may be considered intellectual property. Take reasonable and appropriate steps to protect them as you would other documents in a like classification.


The difference between policies and procedures

Here's how I think of it: Your policies are the “what” and “why” of your practices. Your procedures are the “how,” “when” and “who” of your practices.

There are several key advantages to separating the content of policies and procedures into two separate documents and relating them together. First, this allows you to apply the same policies enterprisewide with assured consistency.

Secondly, it allows different parts of the company in different situations to have different procedures.

The third advantage is that you will be well positioned to distribute training according to individuals’ roles across the enterprise.

By first developing and approving the policy, the business units now know what they must comply with. As the business units work to develop and approve their procedures, they tend to leverage (a nice word for "copy") the work done by other business units. This further promotes consistency across the enterprise, not to mention efficiencies. It also makes it very easy to know which areas have not addressed relevant compliance requirements.

Recap

Here is a recap of what it takes to better align your expectations with external expectations and get the most out of your policy management process.

1. See how well you can apply my list of expectations.

2. Use the same document management tool for all of your policies, procedures, forms and standards and make sure it has the ability to relate documents.

3. Use the same repository of documents to push your role-based training. For security reasons, it should be aligned with both security access and your organization, so this should become simple and very effective once you lay the foundation. You will have documented evidence of who was trained on what and when.

These concepts and this approach have worked very well for me in practice and I hope that they provide some practical guidance that you can apply in your organization.
