Policy management is a crucial element of effective corporate compliance—which means, of course, that organizations struggle with it all the time.
At the abstract level, policy management helps a company bring uniformity to how it handles operations across the enterprise: how to interact with employees, what favors you can do for customers, who books vacation time first, and much more. Policy management assures consistency in those guidelines to employee conduct; hence it’s instrumental to effective corporate compliance.
Moreover, policy management is becoming more important in today’s business climate. Thank coronavirus, forcing so much improvisation and change so quickly; or thank social media, which dissects every misstep in corporate behavior so mercilessly. Consistency in policy organization can be invaluable against both of these corporate threats.
What else should compliance professionals know about policy management? Lots.
What Is Policy Management?
A formal definition of policy management: how an organization creates, communicates, and manages the policies and procedures it uses. It’s how an organization governs the creation and distribution of policies, so various parts of the enterprise don’t create their own policies that might undermine or contradict objectives from senior executives.
For example, the single most important policy a company has is its Code of Conduct. The Justice Department’s guidelines for evaluating compliance programs even say:
As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.
Now imagine a business that didn’t develop its Code of Conduct in any disciplined way. Perhaps the Code mentions anti-discrimination in some places but contradicts its non-discrimination clauses in others. Maybe the engineering team follows one Code and the marketing team another. Would a document like that ever pass muster with the guidelines quoted above? Nope.
We could say the same for any other policy, from anti-discrimination to fair labor to revenue recognition, and countless more. Policy management assures that the organization develops its policies in a consistent way, so employees understand what they’re supposed to do.
What Does Policy Management Achieve?
Foremost, effective policy management achieves uniformity and consistency in policies the company uses. Sometimes that uniformity might seem a bit abstract: all policies refer back to the company’s business objectives and core values. Other times that uniformity might be practical: all policies include an explanation of how to request an exception or are translated into all languages that employees speak.
Policy management also lays the groundwork for other elements of an effective compliance program, such as training, data analytics, or internal control remediation. For example, a global organization can’t roll out appropriate anti-bribery training if the Americas region and the European region have different policies, while the Africa region has none at all. The compliance program can’t test the effectiveness of that program and remediate weak spots if employees are following different routines and creating multiple sets of data that can’t be assessed equally.
More broadly, policies puts an organization’s ethical values and business priorities into practice. If the enterprise says it wants to emphasize diversity and inclusion, then it should have a consistent approach to policies for hiring, promotion, and compensation that addresses those issues. Or if a retailer wants to maximize sales, it might want a policy that spells out how much discretion local managers have for product displays.
For all three points above, the theme is that policy management allows senior executives to direct the whole enterprise—which might involve many thousands of people, working in hundreds of locations, across dozens of countries—toward certain ends. Even if that end is flexibility (as with our retailer example), effective policy management allows everyone to see those broad objectives and the steps they should take to pursue those goals.
Why Is Policy Management Important?
A better way to understand the importance of policy management is to imagine the organization without policy management. All manner of trouble can follow.
First, inconsistency in policy or business practice invites litigation risk. Employees, consumers, or business partners might claim that inconsistent treatment is the result of discrimination—and without disciplined policy management, and the documentation that policy management can provide, those groups could tie up your company in court.
Weak policy management can also invite regulatory enforcement. For example, if one division of a bank implements fair-lending laws vigorously but another doesn’t, at the least that bank would face more scrutiny during a regulatory examination. At worst, widespread inconsistency might suggest a problem with how seriously senior executives take fair-lending compliance, which becomes a much more expensive and time-consuming issue to address.
We should remember here that regulatory or litigation risk can arise not just from deliberate misconduct, but also due to ignorance of the law. If important policies are outdated, absent, confusing, or contradictory, employees will naturally try to devise their own course of action. Even with the best intentions, they might make mistakes with costly results.
Even aside from regulatory compliance and litigation risk, policy management just makes good business sense because it encourages efficiency in operations. Imagine, for example, the money squandered on reimbursing employees for travel or office expenses if every office tracks expense reports in its own way. Policy management encourages consistency in conduct and operations. That consistency can be a crucial driver for business performance.
How Do You Manage Policies in Practice?
1. Assign responsibility for policies to a specific person
Typically this will be the chief compliance officer, since she or he is also responsible for compliance risk assessments and other parts of the compliance program, and all those elements should work together toward the goal of a strong culture of compliance.
2. Evaluate the technology you want to use for policy management
Once upon a time, for example, corporations could use policies written in Microsoft Word and distributed via email; or compiled all policies into one printed manual that employees had to read and sign. Neither approach will be much help for global corporations today.
Corporations should strive for a technology that allows them to keep all policies in one central repository, where they can be managed by the CCO in a global manner. The solution should also have the ability to view all changes to policies over time, or to delete a policy across the whole enterprise when it becomes obsolete.
3. Map policies to risks and business objectives
This assures that every business risk has a policy about how that risk should be addressed; and that every policy you have exists in support of a stated business objective. It also allows you to eliminate duplicative policies or policies that don’t address any risk or business objective at all and to identify gaps in your compliance program where policy needs to be written.
4. Draft a policy about policies
Not every policy needs to be drafted or controlled by the chief compliance officer or others in corporate headquarters (a policy about when to clean the office refrigerator, for example); but managers do need guidance on what policies they can or can’t adopt themselves, as well as what structure that policy should have (explaining exception requests or how the policy should be posted, for example). A policy about policies offers that guidance—so as meta as the idea might sound, it’s a good one.
5. Policy management should govern the whole lifecycle of policies
A policy about policies helps you with the start of a policy. Policy management should also help with the rest of a policy’s natural lifespan. For example, your policy deployment solution should track changes made to the policy over time (the policy’s youth and middle age, so to speak), as well as the policy’s removal once its purpose no longer exists.
Global corporations are already at the limit of what manual processes and desktop technology can do to support policy management. So consider how, from strong leadership to better technology, you can pull your policy management capability into the modern era. As corporate conduct continues to grow more and more regulated, that capability will only become more important.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.