Part One – Why effective policy management is critical to organisational success
In our recent blog Pitfalls to Avoid When Implementing an Enterprise Risk Management Program we highlightedone of the key pitfalls as being the failure to implement an effective policy management framework. The basis of our argument was that for Enterprise Risk Management to work effectively an organisation needs to have a robust organisational policy framework and a means of obtaining assurance that these policies and procedures are actually being followed in practice. We discuss this concept in greater detail in this four part blog. Blogs to follow are:
Part Four – A simple model for ensuring effective policy management
In very simple terms, policies set out guiding principles as to how management expect an organisation to operate, whilst procedures set out the detail of actions that should be taken to achieve policies. Sometimes policies and procedures are all wrapped up in the same document that is referred to as a “program”. Sometimes they stand alone. Don’t get caught up in the semantics!
Having a robust set of documented policies and procedures and, perhaps more critically, effectively implementing them, is a must for any organisation seeking a sustainable future. Here are more than a few reasons why!
- Driving Strategic Goals & Objectives: Whatever your organisation’s goals and objectives, a well designed and properly implemented policy framework will allow management to provide clear direction to your employees, which will in turn allow them to clearly focus on, and carry out, key activities which will ultimately deliver your organisation’s vision. Want to be an “employer of choice”? Start by documenting a high performance human resources program. Want to have “happy customers”? Document your customer relationship management processes. And on and on it goes…
- Individual Accountability: Documented policies and procedures are the first step toward achieving accountability by clearly establishing expectations with respect to the conduct, roles and responsibilities of individual staff members. If this is properly managed then your policies and procedures will allow management to guide operations without constant and costly intervention.
- Controlling Risks: Whilst many organisations don’t think in formal risk management terms the simple fact is that the primary reason policies and procedures are written is to control perceived risks. If you haven’t documented your disaster recovery program the chances are you don’t have one. If you do not have a documented compliance program then this means an ad-hoc approach to compliance etc. You get the picture.
- Ensuring Compliance: Of course, a critical risk within any organisation is that it may fail to comply with its legal and regulatory and/or contractual obligations. Documented policies and procedures are key to ensuring compliance. In many cases (e.g. workplace safety) the maintenance of documented policies and procedures is, in fact, part of the compliance obligation.
- Protection of Corporate and Personal Assets: Anyone who has ever been involved in litigation knows that at the end of the day it often comes down to whether policies and procedures have been documented and whether they have been followed. What was your organisation’s safety policy, how was it communicated to staff, did they understand it, what levels of assurance did management have that the policy was being followed? Can you prove all of the above?
- Developing a Corporate Culture: Anyone who has genuinely been through the process of defining an organisation’s vision and values knows that it’s not an easy task. Unless you write it down and develop a strategy and policy framework for developing your desiredculture and what is acceptable and unacceptable behaviour (e.g. code of conduct, email and internet usage policy) it will morph, often with unintended negative consequences.
- Succession Planning: Documenting policies and procedures is a key part of the succession planning process. Rather than thinking about replacing the CEO, think about replacing the accounts/payroll/IT officer who has been happily running the back office for years. Without proper policy management these employees can become “irreplaceable”, not because of the standard of their work, but rather because they play a critical role in your organisation, and no one actually knows what they do.
- Training Staff: If you don’t document your key policies and procedures how can you effectively train your staff? The simple answer is that you can’t. The more complex answer is that you can. However, you may be relying on the “buddy system” where an “experienced staff member” trains the “inexperienced staff member”. Sounds great in theory, but the “buddy system” leads to inconsistent outcomes and is extremely labour intensive (i.e. expensive).
- Increasing Productivity: Well documented policies and procedures which are effectively implemented mean it is easy to train staff to achieve consistent outcomes. Well trained staff mean uniformity and consistency in the delivery of products and services. If your staff are all consistently doing what you want them to be doing, mistakes are reduced, fire fights (think customer complaints, supplier disputes) are avoided, and productivity will increase as management are released from fire fighting duty to focus their full attention on achieving your organisation’s strategic goals and objectives.
- Continuous Improvement: Last, but not least, is continuous improvement. Documenting policies and procedures forces you to focus on the whys, the whats, the who’s, the hows and the whens. Once you have thought through the policy and documented it, the process of ongoing monitoring, review and continuous improvement is a relatively straight-forward one. Without documented policies and procedures the process of continuous improvement is close to impossible.
In Part Two of this blog series we identify our top policy management blunders. No organisation is perfect. However, recognising what you are doing wrong is always a good starting point for improvement.
How CompliSpace can help
CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management programs, which are designed in accordance with the International Risk Management standard ISO 31000, are delivered online and in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.
If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance, risk and compliance solutions.
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)