Once upon a time, I met a compliance officer who told me her boss didn’t believe in having policies. Or phrased another way, he didn’t understand the purpose of policies.
“If we have no policies,” that CEO had reasoned, “we can’t be accused of violating policy. We have more discretion to act as we see fit.”
So, um—that’s not how it works.
To be clear, the compliance officer who recounted this tale knew that’s not how it works. She’d even told her story at a compliance roundtable discussing the importance of policy development and management.
Still, this story serves as a reminder that other executives—especially those in operating roles and even senior management—might not understand the purpose of policies in the workplace. Let’s unpack those reasons, and consider how compliance officers can use them to push for a strong policy management program.
What Is the Purpose of Policies and Procedures?
The purpose of policies and procedures is to bring uniformity to corporate operations and therefore reduce the risk of an unwanted event. That’s the formal definition, at least. To win over colleagues and employees so they support policy and procedure, we need to be a bit more practical in our language and examples.
First, policy and procedure bring order to operations. They tell employees what to do and how to do it. With that consistency, the business can run more efficiently. More efficiency means more growth, more revenue, more money to spend on corporate needs that can range from better IT to better beer for department happy hours.
You get the idea. Policies and procedures mobilize the organization’s human talent to help the business to evade obstacles and hit goals. Not every policy and procedure will be easy or fun, but over the long term, having policies and procedures benefits the organization in all sorts of ways.
Why Do We Need Policies in the Workplace?
Another way to explain the need for policies and procedures is to explore the converse: an organization without policies and procedures.
In the same way that policy and procedure bring order to operations, their absence invites chaos. Employees and operating units are left to devise their own methods for how to make the organization run, and the result is a mess. The organization will spend more time trying to understand what’s going on, rather than directing that action.
The result is less efficiency and less growth—and as a result, those “unwanted outcomes” will start happening all over the place.
For example, imagine a business that has no policy or procedure for submitting expense reports. Employees and managers will spend more time trying to figure out what they should do. Accounting employees will either send out reimbursement checks willy-nilly, or chase employees for receipts; the former is a fraud or corruption risk, the latter a surefire way to exasperate employees.
Meanwhile, management has no sense of how to budget for employee expenses, so the CFO and audit committee are stuck wondering at end-of-quarter where all the money went.
Or imagine an organization with no policies about workplace harassment and no procedures for how to investigate a complaint. We don’t even need to describe the litigation risks and other potential disruptions in that scenario; just pick up a business newspaper and skim the headlines.
None of this is to say that policies and procedures will make all those risk challenges vanish—but they will make those risk challenges diminish.
The Benefits of Policies and Procedures
Those risk challenges will diminish because policies and procedures bring consistency to employee behavior. That’s the benefit a business gains by having them.
At the least, the company will have defensible standards that it can cite should compliance, litigation, or reputation risks arise. It can point to its policies and procedures and declare: “This was our preferred standard of conduct. We wrote it down and showed it to employees. We were trying to avoid this adverse event that has everyone in a tizzy.”
Along those lines, also remember that policies and procedures are fundamental to effective compliance programs. The U.S. Sentencing Guidelines tell companies “to communicate periodically and in a practical manner its standards and procedures.” The Justice Department’s guidelines for an effective compliance program devote an entire section to policies and procedures. The European Union’s General Data Protection Regulation, industry regulators such as FINRA, state regulators such as the New York Department of Financial Services—they all require policies and procedures for issues within their domains.
So not only are policies and procedures useful to codify good business practice; they’re a fundamental requirement for effective ethics and compliance programs. You can’t have an effective program without them.
What Policies and Procedures Are Not
An important point to remember is that policies and procedures are not informal practices that employees follow simply because others say, “That’s how things are done around here.” Policies and procedures exist in written form. Indeed, many regulations specify that policies and procedures should be written down.
Why? Because written policies and procedures convey a permanence and formality that supports the goal of consistent behavior. When employees are confused, they can refer back to the written documents. When employees misbehave, management can point to pre-existing, written policies and say, “You were told what to do, and you didn’t do it.”
Without written policies, the company only has a collection of practices and customs. Those are more subject to interpretation, and can be misunderstood more easily. (“I think this is what we’re supposed to do, it’s been a while since this problem came up…”)
Moreover, should regulators or plaintiff lawyers come knocking, the company will have more difficulty defending itself, because it will have less evidence that it tries to conduct itself in a certain manner.
Another thing that policies and procedures are not: they are not optional. Employees and third parties don’t get to choose whether they’ll follow a policy or procedure. Compliance is required, which means policies and procedures should be tied to disciplinary action for not following them.
How to Implement Effective Policies
Compliance officers have two primary considerations when implementing policies and procedures.
First, where do your policies and procedures come from? You can find model policies online or from advisory firms, or work with other leaders in the business to devise policies and procedures from scratch. Either way, you should strive to assure that those policies and procedures make sense for your business.
Few things are as irritating to employees as policies that make no sense, or procedures that seem only to make their jobs more difficult. That is not how compliance officers win over employees so they embrace a strong culture of compliance.
Second, how do you roll out policies and procedures to employees? Once upon a time companies plopped an employee handbook in front of new hires and had them sign the last page. Technically that approach might meet minimal expectations, but the damage of a policy failure can still be severe. For example, an employee who violates policy and causes a data breach still leaves you an expensive problem—signed page, or not.
So consider how to educate employees about the new policies, too. Training is one easy example; an interactive policy solution that lets employees study at their own pace is another. Policies and procedures are an important part of the corporate compliance program, but they are only one part. You need every part of the program to support every other.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a “Rising Star of Corporate Governance” by the Millstein Center in 2008 and was listed among Ethisphere’s “Most Influential in Business Ethics” in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.