Policy management is a critical component of a governance, risk, and compliance (GRC) strategy because it describes the desired practices and behaviors of the company under specific circumstances. Too often, the organizational approach to managing corporate policies and procedures is in complete disarray and chaos. The breadth and depth of the voluminous increase in relevant laws and regulations can’t be grasped in the manner enterprise behaviors are currently directed and coordinated.

The typical organization suffers with ineffective policy structures, content, coordination, lifecycle management, accessibility, accountability, and communication. As a result, organizations have:

• Policies scattered across dozens of places: There is no single authoritative source where policies and procedures are consolidated, maintained, and managed. No single portal exists where an individual can see the policies that apply to their role, structured to support efficient access.
• Policies bound by paper: With numerous printed policy manuals, the typical organization has not fully embraced online publishing and ubiquitous access to policies and procedures.
• Policies grossly out of date: In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, many organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.
• Policies have no owner: The typical organization has numerous policies and procedures that lack an owner responsible for managing them and keeping them current.
• Policies lack lifecycle management: Most organizations maintain an ad hoc approach to writing, approving, and maintaining policy with no defined system for managing the workflow, tasks, versions, approval, and maintenance processes.
• Policies do not map to exceptions or incidents: Typically, an established system to document and manage exceptions to policy is missing. Further, there is a lack of a structure to map incidents, issues, and investigations to policy — the organization is unaware of where policy is breaking down.
• Policies do not map to standards, rules, or regulations: The typical organization does not have the ability to define and maintain a record of policies that address legal, regulatory, or contractual requirements. The organization does not have the ability to easily assess the impact of new or changing regulations that affect policy.
• Policies lack adherence to a consistent style guide: The organization has policy that does not conform to corporate style and templates. Policies use complex language, excessive legalese, and are often written in the passive voice, making it difficult to read.

I would love to hear your thoughts on the chaos, disarray, and hordes of policies you see scattered across organizations and corresponding GRC policy management strategies to address this issue.

Policy, done right, articulate corporate culture, the boundaries of individual and business behavior, and personal conduct. Consider that:

• Policies articulate the governance culture and structure: Without policies there are no written standards about acceptable and unacceptable conduct. Without good policy, culture morphs, changes, and takes unintended paths without a compass to guide its way.
• Policies articulate a culture of risk: This includes risk responsibilities, communication, appetite, tolerance levels, and risk ownership. Every organization takes risk — it is part of business. Without clearly written guidance and ownership, risk governance policy will be ineffective.
• Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements:  communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies establish the values, ethics, commitments, and social responsibility of the organization, when it comes to matters of discretion.

It is important to be clear: Policy does not provide corporate culture, nor does it resolve the issues of  governance, risk or compliance (GRC). An organization can have a wide array of policies that are not adhered to, and end up in very hot water. However, policies are a necessary means to clearly define, articulate, and communicate the organization’s boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot have a strong and established culture without it. The right policy is necessary to define and communicate what the organization is about.

Policies are the vehicle that communicates and defines culture so culture does not morph out of control. This requires policy to be adhered to at every level, exceptions to policy be governed, and violations be dealt with consistently and responsively. Because policy can establish liability, mismanagement of policy can introduce liability to the organization as a policy establishes a duty of care for the organization. Reliance upon policy violation as a duty of care can be used by regulators, prosecuting and plaintiff attorneys, and others to place culpability on an organization. It is paramount for an organization to establish policy it is willing to enforce – but also necessary to closely manage and monitor the policies that are in place.

I would love to hear your thoughts on Why Policies Matter and corresponding GRC strategies.

Hordes of regulation bear down on the organization

Business is under siege by legion of laws and regulations. Compliance itself has become difficult as business is bombarded with thousands of new regulations in addition to changes to existing regulations each year.

At the U.S. Federal level alone (not U.S State or local jurisdictions; not other countries) there were over 3,500 new regulations issued last year. This brings the total number of regulations issues since 1995 to nearly 60,000 (from the Competitive Enterprise Institute’s 10,000 Commandments). In addition to that, there are another 4,000 regulations pending – waiting for approval. You add in the breadth of State laws in addition to the laws in other countries that business has to comply with and the sheer volume is staggering.

The Open Compliance and Ethics Group, in compiling its guidance on common requirements across employment labor laws at the U.S. Federal, State, and local jurisdiction level, sifting through more than 3,000 employment/labor laws and regulations across the U.S.

The problem is not just a U.S. problem. A leading Brazilian bank has catalogued over 80,000 regulatory requirements that impact its operations around the world.

Organizations are in a complex environment of regulatory risk. When the organization approaches regulatory risk management and compliance in scattered silos that do not collaborate with each other there is no possibility to be intelligent, let alone wise, about risk decisions that could impact business execution or strategy.

Lack of regulatory intelligence

Organizations suffer from a lack of regulatory intelligence. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize and make changes to policies, procedures, and controls – particularly in an environment under siege by an ever changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, or even court proceedings all can have a significant impact on the organization.

Information itself is not enough – organizations are overwhelmed by data through legal and regulatory newsletters, websites, emails, journals, and content aggregators. In fact, the overwhelming amount of information and duplication of information is part of the problem. Organizations fail in regulatory monitoring itself, which is the first step towards regulatory intelligence. The organization needs regulatory intelligence – getting the right information to the right person to be able to decide how and when, the organization needs to process regulatory change. Organizations need to grasp the breadth of regulatory data and transform this information to intelligence which then brings knowledge that can be acted upon in a measurable and consistent manner.

Regulatory intelligence is about enabling accountability and reliability of changes in the legal and regulatory environment that the business operates in. The primary directive is to alert the organization to regulatory and legal conditions that can impact their business. It is part of a broader risk intelligence strategy that monitors external and internal changes to the business environment, and alert the organization to risk conditions (e.g., geo-political, economic, natural disaster) that can impact their business.

The corporate compliance and legal roles struggle with monitoring a growing array of regulations, legislation, regulator findings/rulings, and case law. Regulatory intelligence systematically streamlines monitoring by using an automated process with workflow, task management and accountability documentation that results in meaningful information to consistently manage regulatory change. The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments across different parts of the business from so many external sources and be able to exhibit their process and state of complying.

The Bottom Line: Organizations need to move ad hoc monitoring and execution of regulatory changes to a regulatory intelligence process.

I would love to hear your thoughts on Regulatory Intelligence and corresponding organizations strategies. Please feel free to comment on this blog.

When you think you have heard everything . . .

From the SCCE:

In the recent Corporate Integrity Agreement between Pfizer and the Office of the Inspector General of the Department of Health and Human Services, Pfizer agreed that its Chief Compliance Officer will report directly to the CEO; will neither be nor be subordinate to the General Counsel or CFO; and will make periodic reports to the Audit Committee of the Board. Does it negatively impact a compliance program when the GC is also the head of ethics and compliance? To whom should the chief compliance and ethics officer report? And how can a company create the right level of independence for the compliance function?

In order to gather valuable benchmarking data for our members, the SCCE has compiled 9 short questions regarding compliance officer positioning. Please take a minute to answer the survey, then check back to view the valuable benchmarking data. Thanks very much for your participation and your important contribution to compliance and ethics benchmarking research.

Thank you very much for providing your valuable input.
http://scce.informz.net/z/cjUucD9taT00OTEzMTImcD0xJnU9MTAwNzkwOTEwOCZsaT0xODExMTE4/index.html

Besides taking the survey – please post your comment on this LinkedIN group.

Most GRC software as well as GRC implementations are more like RC (without the G). Or just R or just C. Or perhaps Rc or rC. . .

My position for this discussion – we cannot adequately state we are doing the G in GRC unless we are also taking into account business objectives, strategy, and performance. That is what corporate governance is about. Staying within boundaries for compliance, and managing risk plays into this. But the GRC solutions and initiatives do not really do the G.

Thoughts?

“. . .the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.”