Monday, September 26, 2011

Role of Technology in Anti-corruption Compliance

With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

Technology can help organizations manage and monitor anti-corruption compliance by enabling and automating:
  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting their fiduciary obligation to have an anti-corruption compliance program in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organization must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information, and to report, analyze, and model risk.
  • Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.
  • Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
  • Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Requests involving contributions, gifts, entertainment, and facilitation payments should be managed through online forms and workflow for approval or disapproval.
  • Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.
This is the second installment in a three-part series on Anti-Corruption. The first article can be found at:

I would love to hear your thoughts on the role of technology in anti-corruption compliance. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Wednesday, August 3, 2011

Policy Management Software: Build versus Buy

The mismanagement of policies has grown exponentially within organizations with the proliferation of collaboration and document sharing software such as Microsoft SharePoint. These solutions, to their credit as well as their downfall, enable anyone to post a policy. Organizations end up with policies scattered on dozens of different internal websites and file shares, with no defined audit trails or accountability for them. This produces policies that are written poorly, out of sync, out of date, and with no evidence of how the policy was communicated, read, and understood.

Collaboration and content software is a great tool for managing and sharing content in a general way — such as wikis, blogs, Web content, and documents usually shared among a specific group. While collaboration and document-sharing software appears easy and cheap to implement, the reality is that the cost to the organization is significant in the liability and exposure of ineffective policy management if not done properly. Many organizations have decided to take that path only to find that it is cumbersome for policy management.

There are strict compliance and legal requirements that must be instituted when managing policies — requirements that a build-your-own policy management system makes difficult to achieve, and that come at a significant cost to the organization. Some organizations feel that they could implement at least some of the necessary features themselves, but doing so requires significant internal IT development effort to achieve an appropriate and effective policy management environment. That cost actually exceeds the cost of purchasing a policy and procedure management (PPM) software platform. Add ongoing maintenance and support of a build-your-own policy management system, and the costs grow higher.

Consider that an organization will have to dedicate IT development resources to this project for several months and ongoing years. Is the organization willing to maintain the policy portal project as the priority for that long — and will it continue to test it and support it with updates as needed? Can it continually verify an audit trail that can hold up in court and with critical regulators? Can the organization demonstrate a strong policy management program that maintains and keeps policies current while showing who accessed them and when?

Another point of consideration is whether the organization wants to live with a home-grown system that will most likely have a fraction of the features contained in a purchased system. Companies can spend as much as 10,000 man hours to build a policy portal on collaboration technologies — and increase that development time every year thereafter trying to enhance it and provide the features an organization learns it needs to manage policies correctly. What are the opportunity costs an organization is losing by focusing on a custom approach to policy management?

Some specific features to consider when building your own policy management solution:

  • The desirability of a consistent platform for the entire enterprise instead of each department implementing their own policy portal.
  • The ability for the platform to manage the lifecycle of policies through creation, communication, assessment/monitoring, tracking, maintenance/revising, to archiving and record keeping.
  • The ability to restrict who can read what documents, and who has the permission to edit, review, and approve.
  • The training requirements needed to show that individuals understand what is required of them through linkage to learning systems/modules, quizzing, and attestation.
  • The accessibility of the system, with the ability to communicate policies in the language of the reader as well as provide mechanisms of policy communication for those with disabilities.
  • The requirement to be able to gather and track edits and comments to policies as they are developed or revised.
  • The mapping of policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of governance, risk management, and compliance (GRC).
  • The ability to provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
  • The ability to provide a user-friendly portal for all policies in the environment that has workflow, content management, and integration requirements necessary for policy management.
  • The capability to provide a calendar view to see which policies are being communicated to areas of the business, so that policy communications do not burden the business with too much in any given month of the year.
  • The need to provide links to hotlines for reporting policy violations.
  • The ability to publish access to additional resources such as helplines and FAQs to get questions answered on policies.
  • The cross-referencing and linking of related and supporting policies and procedures so the user can quickly navigate to what they need to understand.
  • The ability to create categories of metadata to store within policies and to display documents by category so that policies are easily catalogued and accessed.
  • The requirement to restrict access and rights to policy documents so that readers cannot edit/change them and sensitive policy documents are not accessible to those who do not need to see them.
  • The necessity that the organization keep a system of record of the versions and histories of policies to be able to refer back to when there is an incident or issue that arises from the past and the organization must defend itself or provide evidence.
  • The capacity to enforce templates and style on all policies with the ability to guide policy authors and prompt them to maintain the corporate brand as well as associate specific properties, categories, or regulatory obligations with the document.
  • The need for accountable workflow so certain people can approve policy documents and then tasks can be moved to others with full audit trails on who did what to the policy.
  • The ability to deliver comprehensive reporting — consider the time it takes in a build-your-own approach; an organization could spend months or years trying to create the depth and breadth of reports included in commercial policy and procedure management software.

Although you may be able to implement a few of these features using a build-your-own approach, the cost in training, maintenance, and management time, let alone the legal ramifications due to lack of proof of reader sign-off and comprehension, makes it a risky venture for policy and procedure management.

More detail on the issue of policy management build versus buy can be found in my detailed research piece on this topic POLICY MANAGEMENT SOFTWARE: BUILD VERSUS BUY.

Tuesday, July 5, 2011

Accountability in Policy Management

Organizations often lack an auditable means of policy communication, attestation, and training. There are various processes and approaches to tracking policy attestation and certification (making sure policy documents are read and understood), and corresponding quizzing and training. The organization must provide full visibility into who accessed a policy, accepted it, was trained on it, and passed or failed quizzes to gauge understanding — all things that give the organization a more defensible position with regulators and in legal actions.

Organizations that approach policy without clear accountability face significant risk to their business. This accountability applies to policy owners for their ongoing review and maintenance of policy, the process of granting exceptions, and the monitoring of incidents and violations of policies, and it extends to policy governance to track reading, acceptance, and training on an individual basis.

When the organization is under a microscope, having a detailed trail of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and what incidents violated the policies all provides grounds for defending the organization. An ad hoc “dust in the wind” approach to policy management may expose the organization to significant liability. This liability is further exacerbated by the fact that today’s compliance programs affect every person involved in supporting the business, both internally and at third parties. If policies look different, use words with different meanings, are located in different places, and don’t offer a mechanism to gain clarity (e.g., a policy helpline), organizations are not positioned to drive desired behaviors or enforce accountability, which aid in improving performance, producing predictable outcomes, mitigating compliance risk, and avoiding incidents and loss.

Most organizations fail to manage the lifecycle of policy, resulting in policies that are out of date, ineffective, and not aligned to business needs. This opens the door to liability, as an organization may be held accountable for a policy in place that is not appropriate or properly enforced. Organizations require a consistent process to develop, communicate, monitor, and maintain corporate policies and procedures. This requires collaboration across business roles with clear accountability throughout the process.

Accountability in policy compliance and enforcement is made possible by three key functional capabilities:
  1. A well-designed Policy Lifecycle Management process.
  2. An organized Policy Management Committee to govern the oversight and guidance of policies and ensure policy collaboration across the enterprise.
  3. An individual assigned to the role of Policy Manager to assure accountability across the policy lifecycle to the standards, style, and process defined by the Policy Management Committee.

Policy Lifecycle Management is the process of managing and maintaining policies throughout their effective use within the organization. It involves defined stages of monitoring business change for policy development, communication, and maintenance. Implementation of Policy Lifecycle Management requires a technology architecture that is rich in content management, workflow management, process management, task management, notifications, and has a robust accountability audit trail. The lifecycle is defined in five primary stages: Environment Change, Policy Development, Policy Communication, Policy Management, and Policy Maintenance.

The Policy Management Committee provides the structure and connective tissue to coordinate and drive consistency across the organization and is composed of team members who represent the best interests and expertise of the different parts of the organization. They leverage the knowledge, charter, and authority of the committee to benefit their business areas and, at the same time, benefit other business areas and the organization as a whole.

The system that contains the policies and procedures documents accountabilities, provides audit trails, links to internal and external mandates, manages training and attestations, and specifies monitoring activities, review cycles, enforcement policies, and responsibilities over time.

Policy lifecycle management that addresses accountability brings integrity and value to policy management. It provides accountability to policy management processes that are often scattered across the organization. It enables policy management to work in harmony across organization functions, delivering efficiency, effectiveness, and agility. In today’s environment, ignoring accountability in policy management means processes, partners, employees, and systems that behave like leaves blowing in the wind. Policy management processes are constantly in disarray when operating autonomously, introducing risk in today’s complex, dynamic, and distributed business environment. Organizations require an enterprise view of policy accountability and collaboration that not only brings together silos, but integrates them into a common policy-management process.


Tuesday, April 19, 2011

Hordes of Policies Scattered Across the Organization

Policy management is a critical component of a governance, risk, and compliance (GRC) strategy because it describes the desired practices and behaviors of the company under specific circumstances. Too often, the organizational approach to managing corporate policies and procedures is in complete disarray and chaos. The sheer breadth and depth of the increase in relevant laws and regulations cannot be kept up with in the manner enterprise behaviors are currently directed and coordinated.

The typical organization suffers from ineffective policy structures, content, coordination, lifecycle management, accessibility, accountability, and communication. As a result, organizations have:

  • Policies scattered across dozens of places: There is no single authoritative source where policies and procedures are consolidated, maintained, and managed. No single portal exists where an individual can see the policies that apply to their role, structured to support efficient access.
  • Policies bound by paper: With numerous printed policy manuals, the typical organization has not fully embraced online publishing and ubiquitous access to policies and procedures.
  • Policies grossly out of date: In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, many organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.
  • Policies have no owner: The typical organization has numerous policies and procedures that lack an owner responsible for managing them and keeping them current.
  • Policies lack lifecycle management: Most organizations maintain an ad hoc approach to writing, approving, and maintaining policy with no defined system for managing the workflow, tasks, versions, approval, and maintenance processes.
  • Policies do not map to exceptions or incidents: Typically, an established system to document and manage exceptions to policy is missing. Further, there is a lack of a structure to map incidents, issues, and investigations to policy — the organization is unaware of where policy is breaking down.
  • Policies do not map to standards, rules, or regulations: The typical organization does not have the ability to define and maintain a record of policies that address legal, regulatory, or contractual requirements. The organization does not have the ability to easily assess the impact of new or changing regulations that affect policy.
  • Policies lack adherence to a consistent style guide: The organization has policies that do not conform to corporate style and templates. Policies use complex language and excessive legalese, and are often written in the passive voice, making them difficult to read.

I would love to hear your thoughts on the chaos, disarray, and hordes of policies you see scattered across organizations and corresponding GRC policy management strategies to address this issue.


Tuesday, April 5, 2011

Why Policies Matter

Policies define boundaries for behavior of business processes, relationships, systems, and individuals. At the highest level, policies start with the Code of Conduct, laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level, into the business unit, department, and individual business processes. Expectations of conduct are written into policies, so individuals know what is acceptable and unacceptable.

Policy, done right, articulates corporate culture, the boundaries of individual and business behavior, and personal conduct. Consider that:

  • Policies articulate the governance culture and structure: Without policies there are no written standards about acceptable and unacceptable conduct. Without good policy, culture morphs, changes, and takes unintended paths without a compass to guide its way.
  • Policies articulate a culture of risk: This includes risk responsibilities, communication, appetite, tolerance levels, and risk ownership. Every organization takes risk — it is part of business. Without clearly written guidance and ownership, risk governance policy will be ineffective.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion.

It is important to be clear: Policy does not provide corporate culture, nor does it resolve the issues of governance, risk, or compliance (GRC). An organization can have a wide array of policies that are not adhered to, and end up in very hot water. However, policies are a necessary means to clearly define, articulate, and communicate the organization’s boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot have a strong and established culture without it. The right policy is necessary to define and communicate what the organization is about.

Policies are the vehicle that communicates and defines culture so culture does not morph out of control. This requires policy to be adhered to at every level, exceptions to policy to be governed, and violations to be dealt with consistently and responsively. Because a policy establishes a duty of care for the organization, mismanagement of policy can introduce liability: a policy violation, measured against that duty of care, can be used by regulators, prosecuting and plaintiff attorneys, and others to place culpability on an organization. It is paramount for an organization to establish policy it is willing to enforce – but also necessary to closely manage and monitor the policies that are in place.

I would love to hear your thoughts on Why Policies Matter and corresponding GRC strategies.

Thursday, August 5, 2010

Policy Communication in a YouTube Generation

I am a man on a mission. Make that a business on a mission – to completely refocus organizations on how they approach policy management and communication. To take business to the new frontier, to boldly go . . . You get the picture.

Policies are in a complete and disappointing disarray. In my training and workshops I have found bright spots. There are organizations that are developing a consistent enterprise-wide approach to writing, communicating, and managing policies and procedures across the organization – supported by a centralized system to manage the policy life-cycle.

However, most organizations are a mess:

  • Policies are scattered, written in varying language styles with inconsistent use of definitions and terms.
  • Often out of date (I have seen policies of organizations that have not been reviewed in a decade).
  • To make matters worse – they are often scattered across different internal websites and document systems.

What are organizations thinking?

Policies define and articulate the corporate culture. They set expectations and boundaries for what is acceptable and unacceptable. They also can establish a legal duty of care for the organization.

Enough of that – I have written plenty on this issue. Today I want to bring it to a new level. Not only are businesses failing in consistent and effective policy management, they are also behind the times in communication.

To the point: How do you manage and communicate policies in a YouTube generation?

In my training and advisory I am encountering organization after organization stating that the new generation of workers are demanding video. They do not read policies. Do not get me wrong – the written policy will always be critical, as it defines what is allowed and disallowed to the ‘letter’. The issue is how we communicate expectations and boundaries to a generation of workers who have been raised on video.

The answer is we need to take policy management systems to a new level:

  1. Any employee (across geographies, educational levels, and disabilities) should be able to log into a centralized policy platform and be able to find all of the policies and procedures that relate to their role in the organization.
  2. These policies should be written clearly in a consistent template and style that reflects the culture and tone of the organization.
  3. These policies are to be written in a way that the average reader can understand.
  4. Any tasks for the acceptance and attestation to policies should be clearly communicated and easily accomplished.
  5. It should be apparent how to ask for help and clarification on the policy by having a phone number or link to ask questions.
  6. Finally, and to the point, many policies (but not necessarily all) should have a video component in which the policy is explained to the individual.

This video component should be integrated into the policy management system – not just a link to some other systems. I firmly believe the value and ease of use is realized when the written policy and the video training on the policy are in the same integrated interface.

This is what I call Next Generation Policy and Procedure Management.

What are your thoughts and experiences on managing policies and procedures?

Corporate Integrity is also delivering a full-day workshop on this topic:

Effective Policy Management & Communication – Chicago, IL, USA

Date: August 23, 2010 – 8:00 AM to 5:00 PM (PT)

I would love to hear your thoughts on the topic of Policy Communication in a YouTube Generation. Please feel free to comment or send me an e-mail.

Sincerely,


Michael Rasmussen, J.D., CCEP, OCEG Fellow
Risk & Compliance Lecturer, Writer, & Advisor
mkras@Corp-Integrity.com

Wednesday, June 9, 2010

Enterprise Risk Management Policy Structure

I am amazed at the number of risk management programs I encounter that lack an organized structure and approach. So often what we know as ERM (enterprise risk management) is a hodge-podge of processes and assessments that somebody tagged the ERM label on without much thought for what they were doing. In fact, most of the ERM processes I encounter are nothing more than a slightly expanded view of SOX and financial controls: they are not truly an enterprise view of risk across the organization and its operations.

Most ERM programs lack the fundamental building blocks for a risk management program. This begins with a well written charter for ERM and a supporting ERM policy.

A recent client of mine, looking to engage me in the development of an ERM policy, asked what the main components of an ERM policy are.

MY ANSWER: ERM policies are organization specific; no two ERM policies are identical. However, there is a logical structure that works well as a starting block for most organizations. These include the following structural components for an ERM policy (note: these same components can be used for other risk management policies besides ERM such as IT/information risk management):

  • Objective/Purpose. As with any policy, it is necessary that the policy begin with the objective and purpose of the policy. This is nothing more than writing out the charter for ERM and establishing the authority of this policy to establish and govern the ERM program.
  • Risk Governance Structure. It is critical that the organization establish the governance structure for risk management. This is a big area of failure for most ERM programs, as it is often the case that risk management operates as an island with very little to no interaction with the board and executives. A solid ERM policy will identify how the board and its committees, as well as senior executives, interact with ERM.
  • Roles & Responsibilities. Once the governance structure is in place, the policy should get into specific roles and responsibilities for ERM. This includes a clear understanding of the roles of a Chief Risk Officer, executive management, business operations, risk management staff, and the role of audit in the assurance oversight of risk management.
  • Risk Culture. The single greatest hurdle to successful ERM is articulating and integrating risk management into the organization’s culture. In one sense risk management is part of the culture no matter what is articulated in policy – an organization can have a cavalier approach to risk taking, a structured approach to risk taking and oversight thereof, or anywhere in between. The organization needs to clearly spell out how the organization approaches risk taking, management, and ongoing monitoring of risk in the organization.
  • Risk Strategy. Following on the heels of risk culture, the ERM policy should next deal with how ERM aligns and integrates with corporate performance, objective, and strategy management. ERM is often disconnected from these areas, which makes it of little practical use to the organization.
  • Risk Tolerance & Appetite. The next logical sequence in the ERM policy is to establish the boundaries of risk taking by articulating the organization’s approach and boundaries to risk tolerance and appetite. It is here that the policy discusses what is acceptable and unacceptable risk. This provides the high-level boundaries and approach to risk taking, though most of the specifics on these boundaries will be found in supporting policies (e.g., credit risk policy).
  • Risk Taxonomy. The ERM policy needs to authorize and give authority to the development and ongoing maintenance of the organization’s risk taxonomy. The highest level structure for risk management should be included in the policy – such as the establishment of risk oversight for areas such as financial/treasury, operational, and legal/compliance risks. The policy should reference and give authority to the establishment of another document that defines the depth of the structure of risk categories that the organization recognizes and manages.
  • Risk Ownership. You cannot hold anyone accountable for risk unless clear ownership of risk is defined. While specific ownership of individual risks is found in supporting risk management policies (e.g., vendor risk policy, privacy policy, credit risk policy, information risk policy), the ERM policy should state the ownership of risk at the high-level categories defined in the risk taxonomy. It should also be clear on the point that the risk management function does not own risk; the business and process owners are the ones that own risk. The ERM process is there to communicate and provide the infrastructure to manage and monitor risk to support the risk owners across the business.
  • Risk Assessment Process. The ERM policy is to authorize the formation of risk assessment processes in the organization. The policy itself should outline the expectations of required periodic assessments such as an annual ERM assessment process, and is to authorize the establishment of more specific risk assessments that are established in supporting risk management policies. This section of the policy should identify the approval needed to establish a risk assessment, what structure is provided, and how the assessment gets communicated and integrated into the ERM structure.
  • Risk Infrastructure, Documentation. & Communication. Documentation of risk, risk taking, as well as assessment, management, and monitoring activities for risk are critical to a successful ERM program. An organization cannot hold individuals accountable for risk taking if there is not clear documentation on the risk. This section should authorize the establishment of an enterprise platform to monitor ongoing risk management processes across the organization. It should also establish a warning against the use of technologies such as spreadsheets for risk assessments that lack proper audit trails.
  • Mitigation & Response. The ERM policy should articulate the proper response plans to risk such as risk transfer, risk acceptance, risk mitigation, and risk avoidance. While much of the detail will be worked out in supporting risk policies, it is in the ERM policy that they are defined at a high level.
  • Key Risk Indicators. Ongoing monitoring for risk is critical to a successful ERM program. This involves the authorization and establishment of a process to gather metrics on Key Risk Indicators that are further defined in supporting policies. The ERM policy should provide guidance on how KRI information is collected and how often, and establish that KRIs are to be relevant to the business and mapped to the Key Performance Indicators of the business.
  • Risk Training. Everyone in the organization has some role in risk management – it is necessary that risk culture, risk taking, and risk responsibilities be clearly understood at all levels of the business for the various business roles and the risks they encounter and manage. The ERM policy establishes an ongoing risk training and awareness program to educate employees, stakeholders, and business partners about risk.
  • Risk Budgets/Funding. The ERM policy should establish and authorize the financing for risk management and oversight activities. This ties into other sections of the ERM policy as well as supporting policies to clearly define what budget areas various risk activities will be financed from.
  • Risk Activities (calendar). The ERM policy should establish what activities are required of ERM on an ongoing/calendar basis. This should include monthly/quarterly/annual reports and assessments, the individuals responsible for them, and who they get communicated to. One of the best examples I have seen of this is at Microsoft in what they have called ‘The Rhythm of Risk’ in which risk management is aligned to the needs of the board and executives based on their quarterly and monthly calendars.
  • Definitions. Finally, as with all policies, a section is needed that clearly defines the terms related to risk and risk management. I highly encourage the use of standard definitions such as those in ISO 31000:2009 and ISO/IEC Guide 73.

As I stated before, no two risk management policies are alike. What I have provided here is some guidance on the sections I most often include in developing an ERM policy (as well as supporting risk policies). There are other standard sections to policies such as revision history I have not included for the sake of simplicity.

I would love to hear your thoughts on the topic of ERM policies. Please feel free to comment in this forum, or send me an e-mail. If anyone seeks further help in writing, reviewing, and/or revising their risk policies please do not hesitate to contact me.

Friday, April 2, 2010

Providing Consistent Policies Through a Style and Language Guide

I have stated it before and I will state it again: the typical organization is a mess when it comes to managing policies and procedures. Organization size does not matter – I have seen small to large organizations that have horrible policy management practices. Policies are scattered across the business, reside in a variety of formats ranging from printed documents to Intranet sites, are out of date, not integrated into other GRC processes such as investigations or risk management, and are poorly written.

Policies articulate culture, they establish a duty of care, define expectations for behavior (for individuals, processes, and business relationships), and establish how the organization is going to comply with regulatory and contractual requirements. Policies are an integral part of corporate governance, enterprise risk, and compliance management. They support a range of other GRC processes: corporate social responsibility, legal, human resources, business operations, security, environmental, health & safety, quality, and more.

A significant shortcoming in policy management is the failure to define a style guide. A style guide for policies defines standardized:

  • Taxonomy. Policies are to have a logical relationship to each other following a hierarchical categorization taxonomy – this is usually done through a numbering system mapped to policy areas across the business.
  • Format. Policies are to have a consistent look and feel. Anyone should be able to see a policy and recognize that it is a corporate policy without reading the document.
  • Structure. Related to format, policies are to have a consistent structured arrangement of the headings/sections.
  • Language. Policies are to have consistent language. Good policies are easy to read and written in the active voice. This includes paragraph, sentence, punctuation, and word guidance for policies.
  • Definitions. Policies are consistent in how they use words. Terms used in policies are to be used consistently across the organization with a common understanding of what they mean.
  • Process. Policies are to be written and revised following a standardized process. The style guide should outline roles and responsibilities for writing, editing, and approving policies.

Leading organizations are establishing a policy manager responsible for the style guide and consistency of policies. One major brand, who attended my Effective Policy Management & Communication Workshop, has established the role of “Internal Policy Manager.” This person is responsible for managing the development and maintenance of all policies to assure their consistency and relevance to the organization. This role does not own or write policies. In fact, this role has only written one policy – the policy on how to write a policy (in other words a style guide).

BOTTOM LINE: Policy writing that is wordy and confusing is damaging to the corporate image and costs time and money. Every organization should have a policy style guide in place to provide for clear and consistent policies. Leveraging a style guide increases effectiveness.

Good policy writing:

  • Articulates corporate culture
  • Demonstrates professionalism in the organization
  • Shows the organization cares
  • Avoids expensive misunderstandings
  • Provides consistency across the organization

This provides a quick summary view of the need and implementation of a style guide for policies. Over the next several weeks we will dive into specific portions of Effective Policy Management & Communication, including:

  • Policy writing best practices
  • What is the right number of policies?
  • Establishing policy ownership and accountability
  • Communicating policies across extended business relationships
  • Tracking policies attestation and delivering effective training
  • Managing policy incidents and exceptions
  • Monitoring metrics to establish effectiveness and/or issues with policies
  • Relating policy management to risk, issue/case, and other GRC areas
  • Using technology to manage and communicate policies

Previous blogs on this topic are:

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective Policy Management and Communication.

I would love to hear your thoughts, experiences, and approaches to effective policy management. Please comment on my blog or send me an e-mail.

Monday, February 15, 2010

Defining a Policy Management Lifecycle

Most organizations fail to manage the lifecycle of policies. This results in policies that are out of date, ineffective, and not aligned to business needs. It further opens the door to liability, as an organization may be held accountable for policies it has in place that are no longer appropriate or that it does not comply with.

Effective policy management starts with a lifecycle approach to managing policies. This is the process of managing and maintaining policies throughout their effective use within the organization. This lifecycle is defined in four primary phases:

  1. Creation
  2. Communication
  3. Management
  4. Maintenance

Each of these primary phases has several sub-phases.

1 – Creation. The lifecycle of policy management starts with the Creation phase, which includes the following sub-phases:

  • Need. It is at this beginning that the need for a policy is determined. It may be a regulatory requirement, values/ethics of the corporation, business partner requirement, best/industry practice, awareness of potential liability, or a host of other reasons that brings the organization to the point of determining that a new policy needs to be established. An organization needs an active risk and regulatory intelligence process to identify when a policy needs to be created.
  • Ownership. The next step in the Creation phase is to assign a policy owner. Every policy in the organization should have an individual or business role that is the owner of the policy. Even if the policy is applied across the entire organization, such as with Code of Conduct, it is necessary that someone be established as the owner of the policy to oversee its implementation and monitoring within the environment.
  • Writing. Once an owner is established the next part of the Creation phase is writing the policy. The policy should be written in a consistent style, format, and language as all other policies in the organization. Policies are to be clear and easily understood by the intended audience.
  • Approval. Once the initial draft of the policy is written, it moves into the approval process of the Creation phase. The owner sends the draft policy over to identified stakeholders needed to approve the policy before going to publication. Some stakeholders may be in the approval stage for every policy written (e.g., human resources, legal). Other stakeholders are approvers because the subject matter touches on their area of the business and they are needed as a subject matter/process expert.

The Creation phase is iterative as the approvers may send back the policy requiring changes before it is approved and everyone comes to agreement that it is the right policy for the corporation.

2 – Communication. After the Creation phase comes the Communication phase. Communication involves the sub-phases of:

  • Publication. After approval, the policy then needs to be published. Publication can be in printed policy manuals or on Intranet sites. Unfortunately, many organizations have scattered systems to publish policies and procedures without a single authoritative source. This often complicates the management of policies. Multiple publication places add to the number of policies that become out of date. Best practice is to have a single policy publication engine in which any individual within the environment can log in and see all of the policies that apply to his/her specific job role in the organization.
  • Training. We live in the day of YouTube. It is no longer good enough to have just published a policy. Organizations have to actively show that individuals understand the policy and what is required of them. This requires that certain policies have associated training in either online or classroom formats to validate that individuals understand the policy(s). Surveys and testing are an integral part of training to validate that individuals understand policies.
  • Attestation. Once an individual has read a policy, and taken any associated training, it is next necessary to track their attestation to the policy – that they will adhere to it. Some policies, such as the Code of Conduct, by their nature require specific attestation on a regular basis (e.g., annual). Other policies may be grouped together in an attestation. Still other policies may be determined not to need specific attestation.

3 – Management. After a policy is communicated it enters the ongoing management phase. The management phase of the policy lifecycle contains:

  • Enforcement. The policy is monitored for compliance within the organization. Specific controls that the policy authorizes are established and monitored to determine if the policy is being complied with. Incidents of non-compliance and policy violation are noted to provide feedback when the policy is next reviewed.
  • Exception management. While policies are to be complied with there are instances that arise in which the organization accepts non-compliance. These exceptions have to be documented and managed. An exception is granted for a specific time period and is to be reviewed to validate that the exception is still needed.

4 – Maintenance. The final phase of the policy lifecycle is maintenance. The maintenance phase includes:

  • Review. Every policy is to have a regular review cycle. The review of a policy should be done at least annually. It is during the review process that the policy owner looks at the incidents of non-compliance and exceptions granted alongside the business requirements driving the policy. It is in this process that the policy is either authorized as-is for another management cycle, goes back into the creation phase to update and approve the policy, or is archived for retention. The updated policy then moves into the communication phase.
  • Archival. Every policy, and version of a policy, is to be archived for referral at a later point in time. When an organization becomes aware of an incident or a regulator has a question it is necessary to have a full view into the history of a policy – the owner, who read it, who was trained, who attested and on what version of the policy.
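To make the four phases above concrete, here is an added example (my own illustration, not code from the original post or from any GRC product) that models the lifecycle as a small state machine. The policy identifier, owner, states and sample dates are all hypothetical. It shows the points the lifecycle depends on for accountability: a transition that is not in the lifecycle is refused, an attestation is recorded against a content hash of the specific version (so a revision automatically invalidates prior attestations), exceptions carry an expiry date and are reported when overdue for review, and every action lands in an append-only history that can be replayed when a regulator asks who attested to which version.

```python
"""Added example: policy lifecycle as a state machine with audit trail.

Hypothetical data model for the four phases described in the post
(Creation -> Communication -> Management -> Maintenance). Not a real
GRC product's API; identifiers, dates and states are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from hashlib import sha256
from typing import Optional

# Allowed lifecycle transitions; anything else is rejected.
# "published" -> "draft" is the revision path out of the Maintenance review.
TRANSITIONS = {
    "draft": {"approved", "archived"},
    "approved": {"published", "draft"},
    "published": {"draft", "archived"},
    "archived": set(),
}


@dataclass
class PolicyException:
    who: str
    reason: str
    expires: date


@dataclass
class Policy:
    policy_id: str
    owner: str
    text: str
    version: int = 1
    state: str = "draft"
    last_reviewed: Optional[date] = None
    history: list = field(default_factory=list)       # append-only audit trail
    attestations: dict = field(default_factory=dict)  # person -> version hash
    exceptions: list = field(default_factory=list)

    def version_hash(self) -> str:
        """Content hash so an attestation is provably for this exact text/version."""
        raw = f"{self.policy_id}:{self.version}:{self.text}".encode()
        return sha256(raw).hexdigest()[:16]

    def _log(self, on: date, actor: str, event: str) -> None:
        self.history.append((on.isoformat(), actor, self.version, event))

    def transition(self, new_state: str, actor: str, on: date) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not in the lifecycle")
        self._log(on, actor, f"{self.state}->{new_state}")
        self.state = new_state
        if new_state == "published":
            self.last_reviewed = on  # publication counts as a review point

    def revise(self, new_text: str, actor: str, on: date) -> None:
        """Maintenance review found changes: back to Creation as a new version."""
        self.transition("draft", actor, on)
        self.version += 1
        self.text = new_text
        self._log(on, actor, "new version drafted")

    def attest(self, person: str, on: date) -> None:
        if self.state != "published":
            raise ValueError("attestation is only possible against a published policy")
        self.attestations[person] = self.version_hash()
        self._log(on, person, "attested")

    def current_attesters(self) -> list:
        """People whose attestation covers the version currently in force."""
        current = self.version_hash()
        return sorted(p for p, h in self.attestations.items() if h == current)

    def grant_exception(self, who: str, reason: str, granted: date,
                        days: int, approver: str) -> None:
        if self.state != "published":
            raise ValueError("exceptions apply to published policies only")
        self.exceptions.append(PolicyException(who, reason, granted + timedelta(days=days)))
        self._log(granted, approver, f"exception for {who} ({days}d)")

    def expired_exceptions(self, today: date) -> list:
        """Exceptions whose period has lapsed and must be re-reviewed or closed."""
        return [e.who for e in self.exceptions if e.expires <= today]

    def review_due(self, today: date, max_age_days: int = 365) -> bool:
        """At least annual review, as the Maintenance phase requires."""
        if self.state != "published":
            return False
        return self.last_reviewed is None or (today - self.last_reviewed).days > max_age_days


def demo() -> dict:
    """Walk one hypothetical policy through the whole lifecycle."""
    p = Policy("POL-001", "CISO", "All laptops must use full-disk encryption.")
    p.transition("approved", "Legal", date(2010, 1, 10))
    p.transition("published", "CISO", date(2010, 1, 15))
    p.attest("alice", date(2010, 1, 20))
    p.grant_exception("bob", "legacy lab host", date(2010, 2, 1), 90, "CISO")
    result = {
        "attesters_v1": p.current_attesters(),
        "expired": p.expired_exceptions(date(2010, 5, 15)),   # 90 days passed
        "review_due": p.review_due(date(2011, 2, 1)),          # > 365 days
    }
    p.revise("All laptops and removable media must be encrypted.", "CISO", date(2011, 2, 5))
    result["attesters_v2"] = p.current_attesters()            # alice's no longer counts
    try:
        p.attest("carol", date(2011, 2, 6))                    # draft: must be refused
        result["attest_on_draft_refused"] = False
    except ValueError:
        result["attest_on_draft_refused"] = True
    result["version"], result["state"] = p.version, p.state
    result["history_len"] = len(p.history)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The version hash is what makes the Archival step auditable: a record of "alice attested" is only meaningful together with the hash of the text she attested to, and a revision produces a new hash so the owner can immediately see who still needs to re-attest. A real deployment would persist `history` somewhere append-only rather than in a Python list, which is exactly the audit-trail property the ERM post warns spreadsheets do not provide.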

This provides a quick summary view of the policy lifecycle. Over the next several weeks we will dive into specific portions of the lifecycle, including:

  • What is the right number of policies?
  • Establishing policy ownership and accountability
  • Providing consistency in policies through consistent style and language
  • Communicating policies across extended business relationships
  • Tracking policies attestation and delivering effective training
  • Managing policy incidents and exceptions
  • Monitoring metrics to establish effectiveness and/or issues with policies
  • Relating policy management to risk, issue/case, and other GRC areas
  • Using technology to manage and communicate policies

Previous blogs on this topic are:

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective Policy Management and Communication.

Thursday, February 11, 2010

Policies, Done Right, Articulate Culture

We now turn our attention back to my series on Effective Policy Management & Communication.

In the previous posting we looked at the disarray and chaos of how policies are managed, maintained, and communicated within organizations. Often inconsistent, poorly written, out of date, lacking consistency, developed with no style guide, and ineffectively managed and communicated – corporate policy management in most organizations is a mess. Now we will turn from our flogging of the corporate policy mess to constructively developing an effective policy management process.

The first point to clearly understand – policies, done right, articulate the corporate culture.

Unfortunately, most organizations have not connected the world of policies to how they influence and establish corporate culture. Granted – corporate culture is there with or without policies. However, without policies there are no written standards as to what is acceptable and unacceptable conduct. Culture is allowed to morph and change without policies. The organization can quickly become something it never intended.

Policies provide a definition of the boundaries of the organization. At the highest level it starts with the Code of Conduct laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level, down into the business unit, then department, and to individual business processes. Policies are supported by procedures. Both policies and procedures at the statement level establish and authorize controls by which the organization is closely managed and monitored.

Policies articulate the culture of compliance. They define what is acceptable and unacceptable. This starts at the ‘Mandated Boundary’ level of communicating what is right or wrong legally and how the organization will stay within legal boundaries within the various jurisdictions that it operates in. Policies then extend to the ‘Voluntary Boundary’ level to articulate what is acceptable and unacceptable when it comes to matters of discretion – ethics, values, code of conduct, corporate social responsibility, and other areas. Both the mandated and voluntary boundaries are written into policies so that individuals within the organization and its relationships know what is acceptable and unacceptable. It should not be open to broad discretion and interpretation.

Policies articulate the culture of risk. Every organization takes risk, it is part of business. Without clearly written guidance as to what is acceptable and unacceptable risk the organization is like a ship without a rudder. Policies provide clear guidance on what is acceptable and unacceptable risk, define risk acceptance and tolerance levels, and establish who owns and manages risk.

Please do not misunderstand me – policies are not a magic answer to culture, governance, risk, and/or compliance. Not at all. An organization can have a wide array of policies that are not adhered to and end up in very hot water. Policies ARE a way to clearly define, articulate, and communicate what the boundaries, practices, and expectations of the organization are. While you can have a horrible culture with policies, you cannot have a strong and established culture without them. The right policies are necessary to define and communicate what the organization is about.

Culture itself is broader than policies – policies are the vehicle that communicates and defines culture so that culture does not morph out of control. This requires that policies be adhered to, exceptions closely managed, and violations dealt with.

Over the next several weeks we will continue to look at Effective Policy Management and Communication. We will specifically explore:

  • What is the right number of policies?
  • Defining a process lifecycle for managing policies
  • Establishing policy ownership and accountability
  • Providing consistency in policies through consistent style and language
  • Communicating policies across extended business relationships
  • Tracking policies attestation and delivering effective training
  • Monitoring metrics to establish effectiveness and/or issues with policies
  • Relating policy management to risk, issue/case, and other GRC areas
  • Using technology to manage and communicate policies

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective Policy Management and Communication.