Where is your organisation in terms of policy management maturity?


This is the third blog in a four-part series exploring the assertion that “for Enterprise Risk Management to work effectively, an organisation needs to have a robust organisational policy framework and a means of obtaining assurance that these policies and procedures are actually being followed in practice”.

The other blogs in this series are:

Part One – Why effective policy management is critical to organisational success.

Part Two – Top policy management blunders – do you recognise any of these?

Coming soon:

Part Four – A simple model for ensuring effective policy management

The first step in developing a policy management maturity model is to identify the key elements that are required to ensure that an organisation not only has the right policies in place, but also that these policies are being effectively implemented and maintained.

We’ve come up with the following “key elements” required to achieve effective policy management outcomes within an organisation.

As you read through each element consider how your organisation fares in terms of policy management maturity.

Element 1 – Policy Identification & Prioritisation Process

Too many policies create too much complexity and are unlikely to be complied with, or effectively maintained.  Too few policies expose an organisation to key risks as outlined in Part One – Why effective policy management is critical to organisational success.  The process of policy identification and prioritisation constantly evolves, either as a result of changes in laws, changes in an organisation’s strategic direction, or as a result of commercial drivers.

Does your organisation have a process in place through which it regularly considers its internal business processes, identifies areas in which policy documentation is required, and then prioritises the drafting of these policies?

Element 2 – Policy Ownership

Policy ownership starts once a decision is made that a policy should exist (remember we are using the term “policy” broadly to include policies, procedures and programs).   From the moment a decision is made that a policy is needed, the policy needs to be owned by an individual.  The person who identifies the need for the policy may not necessarily be the person who drafts it.  Similarly, the person who drafts it may not necessarily be the person who oversees it, reviews it or maintains it. What is important, however, is that an individual owns each stage in the policy management process.

Where your organisation has identified the need for a policy or has existing policies in place, can you easily identify the individual/s within your organisation who are responsible for the ongoing management of the particular policy? 

Element 3 – Policy Publication Strategy

Policies are designed to be referenced, not memorised.  For policies to work effectively they need to be published in such a way that people know (i) that the policy exists (ii) how to reference it quickly and efficiently, and (iii) how to implement it effectively.  Failure to have an effective strategy for publishing policies results in “policies sitting on the shelf”, or more likely these days, being hidden on a network drive.  If you have difficulty locating a particular policy or an attached form, you probably don’t have an effective policy publication strategy.

Does your organisation have a clear strategy for publishing its policies and procedures which ensures that your staff know (i) that the policy exists (ii) how to reference it quickly and efficiently and (iii) how to implement it effectively?

Element 4 – Policy Style Guide

Consistency in style and language, as well as in how particular policies are structured and formatted, is important to enable effective creation, implementation and maintenance of policies within an organisation.

Does your organisation have an easy to follow policy style guide, which is actually followed in practice?

Element 5 – Policy Drafting Expertise

The drafting of policies that are capable of being effectively implemented and maintained requires skill and experience that goes well beyond simple subject matter knowledge.  The individual/s drafting a policy need to understand the policy’s target audience, the organisation’s publication strategy and style requirements.  All these things need to be considered and balanced if a policy is going to be effectively implemented.

Does your organisation recognise that the drafting of effective policies requires skill and experience that goes well beyond simple subject matter knowledge?

Element 6 – Co-ordinated Policy Management

In our experience, while most executive managers now recognise that effective policy management is critical to organisational success (refer to Part 1 of this blog series), in many organisations policy management is still undertaken in an ad-hoc manner, with individual managers creating policies in their particular functional areas without any centralised management co-ordination.

Does your organisation recognise that the effective creation, implementation and maintenance of policies requires a co-ordinated management approach to ensure consistency in style and language across your organisation, and to avoid “policy silos”?

Element 7 – Policy Approval Process

Every organisation needs to have some form of policy approval process in place.  Organisations that require every policy to be approved by the board of directors, or a quality assurance committee, tend to create bottlenecks which lead to policy paralysis.  Organisations that leave heads of functional departments to do their own thing, with little or no management co-ordination, tend to end up creating policy silos. The key is to adopt a balanced policy approval process that provides quality control and consistency of application, while avoiding overly bureaucratic processes.

Has your organisation adopted a policy approval process that provides quality control and consistency of application while avoiding overly bureaucratic processes?

Element 8 – Connecting Policies to Outcomes

Policies rarely stand alone.  More often than not a policy will reference a form, a checklist, a register, or some other document which is used to ensure that the policy can be effectively implemented.   An Annual Leave Policy will usually connect with a Leave Form, a Conflicts of Interest Policy will usually connect to a Conflicts Register and so on.  Connecting policies to outcomes is critical to effective policy implementation and these days, related forms and other documents will often be available in electronic formats directly linked to the parent policy.

In your organisation can you easily access forms, checklists, registers, and other related documents, directly from a parent policy (for example, by using a hyperlink)?

Element 9 – Navigating Between Related Policies

Very similar to connecting policies to outcomes is the concept of connecting related policies.  More often than not when drafting a policy it will be necessary to refer to a related policy.  By way of example, a policy designed to manage workplace stress may link to other organisational policies related to standards of workplace behaviour (e.g. an Anti-Bullying Policy) or to an Internal Grievance Policy which is designed to allow a staff member to provide notification of their concern with respect to a particular issue.  Seen in this light, the ability to quickly and efficiently link between related policies is critical to effective policy management.

In your organisation can you easily navigate between related policies (for example, by using a hyperlink)?

Element 10 – Training Policies  

Given that policies are designed to be referenced, not memorised, efficient training of policies is a critical element in the policy implementation process. All staff need to be trained to be aware of the existence of the policies that are relevant to their position, and know how to reference these policies quickly and efficiently. Contrary to popular belief, not all policies need to be specifically trained. By way of example, staff do not need to be trained on policies such as Annual Leave, or Parental Leave, that are designed to be referenced on an as-needs basis. On the other hand, staff should receive specific training on policies relating to “high risk” areas such as workplace safety, bullying and harassment.

Does your organisation have in place a robust process for ensuring that all staff are aware of the existence of policies that are relevant to their position and receive training with respect to policies that relate to “high risk” areas?

Element 11 – Policy Testing & Record Keeping

It is generally recognised that individuals will have much greater focus on training if they know that they are going to be tested on the subject matter. From a risk and compliance perspective, testing, and the maintenance of records with respect to both training and testing, becomes particularly important in the event that an organisation is required to defend litigation, or, as is becoming more common, is required to satisfy either commercial or regulatory due diligence.

Does your organisation have in place a robust process for recording details of the training and testing of individual staff members in high risk areas?

Element 12 – Policy Assurance Program

Even if you have developed robust policies and procedures and trained, tested and communicated them effectively, how do you know if your staff are actually following the policies and procedures?  For any policy management program to work effectively it is critical that an organisation implements a system that allows it to obtain assurance that policies and procedures are being implemented properly.  A policy assurance program essentially involves extracting the key operative parts of a policy (e.g. maintenance of a Conflicts Register), assigning responsibility for these tasks to individuals, monitoring whether or not they have completed the task, and finally, providing reports to management that provide information as to the overall effectiveness of the policy implementation.

Does your organisation have a policy assurance program in place through which individuals are made accountable for the implementation and maintenance of policies, and reports on the overall effectiveness of policy implementation are provided to management? 

Element 13 – Policy Review & Maintenance

Given that organisational policies constantly evolve, either as a result of changes in laws, changes in an organisation’s strategic direction, or as a result of commercial drivers, the establishment of a robust system for policy review and maintenance is critical to good policy management within an organisation.

Does your organisation have in place a robust process to ensure that your organisational policies and procedures are kept up to date and fit for purpose?

Element 14 – Policy Version Control

Hand-in-hand with the process of reviewing and maintaining policies and procedures is the concept of policy version control.  Maintaining version control is a key requirement in quality assurance programs and is also critical for managing litigation risk.  Version control systems also assist in developing continuous improvement processes as they provide a high degree of transparency as to historical development of an organisation’s policy framework.

Does your organisation have in place a robust policy version control system that records changes in individual policies within your organisation’s policy framework over time?

Use our Policy Management Maturity Assessment Tool to go through each element and rate your organisation’s policy management maturity level.  Once you have completed the questionnaire you will be provided with a notional maturity rating.

How CompliSpace can help

CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management programs, which are designed in accordance with the International Risk Management standard ISO 31000, are delivered online and in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.

If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance, risk and compliance solutions.

Contact Details

P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)

E:  contactus@complispace.com.au

W: www.complispace.com.au

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.
