Top policy management blunders – do you recognise any of these?

This is the second blog in a four-part series investigating the assertion that “for Enterprise Risk Management to work effectively, an organisation needs to have a robust organisational policy framework and a means of obtaining assurance that these policies and procedures are actually being followed in practice”.

Other blogs available in this series are:

Part One – Why effective policy management is critical to organisational success

Coming soon:

Part Three – Where is your organisation in terms of policy management maturity?

Part Four – A simple model for ensuring effective policy management

So here are our top policy management blunders.  Please feel free to comment, argue and add to the list:

1. Having no policies in place:   Over the years we have come across more than a handful of executives that refuse to document policies and procedures.  The overwhelming reason appears to be that they have had a bad experience where the company’s documented policies have not been properly implemented, and have subsequently been relied upon in legal claims by former staff members.  For those that do not believe in documenting policies and procedures we wholeheartedly agree that you shouldn’t publish policies that you are not going to enforce. We also wholeheartedly believe that you can achieve the significant benefits outlined in Part One of this blog series “Why effective policy management is critical to organisational success” if you take the time and effort to ensure effective policy implementation and maintenance.

2. Paper-based content distribution:  We don’t see this too much these days, as most organisations make their policies available from a centralised publishing location such as an intranet or even a shared drive, where they can be assured (at least in theory) only the latest version of the policy is available to staff.  The old model of distributing paper-based policies is fraught with danger as every policy change requires each and every distributed version to be updated.  Of course, the updates rarely happen in practice with the end result being that an organisation has multiple, uncontrolled versions of policies and procedures floating around. All in all, a true recipe for chaos.

3. Lack of policy management systems and expertise:  The degree of skill required to draft policies, and effectively implement and maintain policies, is commonly underestimated.  Not only must policy managers be able to prioritise which policies need to be created, they must also be able to write in plain English, while conforming to organisational standards and styles.  However, perhaps the biggest challenge for policy managers is to understand the organisation’s policy implementation process and to draft the policies so they can be effectively communicated, maintained and integrated with other organisational content.  Many of the “policy blunders” listed in this blog come down to a lack of policy management systems and expertise.

4. Policy approval processes:  Policy approval processes can range from “ad-hoc” to “over-the-top”.  In our experience, organisations that require the board of directors to approve all policies and procedures (this typically occurs in smaller organisations) usually end up in policy paralysis, or with the organisation running on a set of “unapproved policies”.  Other organisations have little, or no policy controls in place, which can be equally as dangerous.  Organisations need to strike the right balance and establish a workable system for reviewing, approving, publishing and maintaining version control.

5. Cut and paste policy creation:  It is a bizarre fact that while many organisations will happily admit to not having the requisite internal subject matter expertise, this does not appear to be a barrier to delegating the drafting of a particular policy to a person who lacks the necessary skill and expertise in the area.  This is commonly seen with organisational policies, such as human resources and workplace safety, where it seems that “cut and paste” policy creation (often after a quick “Google search”, or plagiarising policies of another organisation) still seems to be common practice.  The end result is similar to “Chinese whispers” as basic errors often accumulate and the policies fail to fit the end user organisation’s requirements.

6. Bulky all-in-one manuals:  Even where organisations are effectively managing their version control, it is still very common for us to come across organisations that have spent a lot of time and money creating bulky manuals often running to tens, if not hundreds, of pages.  Unfortunately, these manuals (which often contain a wide variety of cross-functional content material) are almost impossible to keep up to date and are similarly difficult to read.  Often, the end result is that the manual becomes a useful doorstop and a litigation aid for disgruntled staff (refer to comments above).  The solution to this problem is “policy de-aggregation”, which simply means breaking down content into individual policies so they can be easily maintained and referenced.

7. Siloed policy creation:  Policies are often created as a result of a compliance obligation or a due diligence request.  When this occurs, the focus is usually on putting together a document that will “pass muster”, rather than putting together a policy that will work in practice.   When policies are created this way, organisations often suffer from “siloed policy syndrome” where each policy is designed as a stand-alone document without reference to other organisational policies.   A typical example would be an organisation that has stand-alone risk-based policies (e.g. enterprise risk, business continuity, fraud control, workplace safety, anti-money laundering) all complete with their own risk definitions and matrix, none of which talk to each other.  In policy parlance, organisations such as these suffer from a lack of “horizontal policy integration”.  Horizontal policy integration allows an individual to quickly access one policy from another policy where the two policies are related.  It also allows an individual to identify the source of the obligation (e.g. a particular piece of legislation) which is extremely useful come audit time.

8. Lack of accessibility:  It is critical that organisational policies are accessible from a central publishing platform to the individuals that need to access them.  We know “paper-based policies” don’t work (point 2), and we know policies hidden in bulky manuals are difficult to access (point 6).  It follows that bulky policy documents posted to a shared drive or intranet in Word or PDF format are similarly difficult to access.  We believe in the “rule of 3”.  Policies should be accessible to those that need to reference them in less than 3 clicks, or in 3 seconds.  To achieve this level of accessibility you need to have de-aggregated policies (point 6) available through an online content management system (CMS) / “intranet”, presented through a logical classification methodology and in a text-searchable format.   You also need to have a means of segregating policy access based on security levels so all individuals can easily access all policies that relate to their specific roles and responsibilities.

9. Lack of vertical policy integration:  Whereas horizontal policy integration allows an individual to quickly access one policy from another policy where the two policies are related, vertical policy integration ensures that an individual is aware of organisational policies and enables the individual to easily follow a particular policy to its operational outcome.  To explain the concept of vertical policy integration in more detail – Firstly, policies, especially high risk policies (e.g. discrimination, workplace safety), need to be trained and records need to be kept to prove each staff member has received the training. Secondly, a person should be able to quickly locate the relevant form or checklist from the policy itself.  This can be easily achieved by hyperlinking the form to the policy. Thirdly, these forms and checklists are often most conveniently completed remotely, or while a person is on the move.  Ideally, to achieve this outcome forms and checklists should be accessible from mobile devices such as smart phones and tablets.  Without effective vertical integration policies are often “left on the shelf” and become disconnected from day-to-day operations.

10. Lack of policy ownership:  Policies need to be owned by an individual within the organisation, otherwise no one is accountable for ensuring that the policy is effectively implemented, reviewed and maintained.   The concept of ownership is relatively simple.  The person with responsibility for the human resources function is usually responsible for human resources policies.  The person responsible for sales is usually responsible for sales policies etc.  Notwithstanding the simplicity of the concept, it is not unusual in our experience for key policies such as “business continuity” to fall between the cracks and to fall into disrepair for the very reason that no individual within the organisation was allocated responsibility for their implementation, review and maintenance.

11. Not having an assurance program:  How do you know if people within your organisation are actually following the company’s policies and procedures, and the policies and procedures are being maintained up-to-date?  The simple answer is you don’t, unless you have some form of assurance process in place.   Typically, the assurance process starts with allocating ownership to the policy.  It then involves extracting the key operative parts of the policy (e.g. staff performance reviews are held in June each year) and allocating them to a responsible individual.  This is often managed as an organisational compliance task.  Finally, there needs to be a process for monitoring whether or not the task has been completed and reporting the status of the task back up the line to executive management.  An assurance program allows an organisation to see what’s working, and what’s not, which is the starting point for a continual improvement process.

While the benefits of effective policy management are clear (refer to Part One of this series “Why effective policy management is critical to organisational success”) this blog clearly illustrates the path to effective policy management may be a little more complex than most organisations realise.

In “Part Three – Where is your organisation in terms of policy management maturity?” we develop a basic model designed to assist you to identify how your organisation is currently performing with respect to policy management.

How CompliSpace can help

CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management programs, which are designed in accordance with the International Risk Management standard ISO 31000, are delivered online and in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.

If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance, risk and compliance solutions.

Contact Details

P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.
