Many organisations appear to be struggling with policy management. Policy governance is not sexy; it takes skill, focus and discipline, which is hard when there are so many competing demands on management time and attention.
We often see organisations with ineffective policies. The problems are across a number of areas:
- Currency – out of date policies and procedures that are not reviewed regularly undermine compliance and may not reflect changes in organisational needs and legal requirements.
- Design – policies and procedures that are hard to understand, complex or too high level do not add value by providing clear guidance on management expectations and requirements and are easily forgotten.
- Training and Awareness – whilst new staff may be provided with induction training covering a range of corporate policies, or manager-delivered training, an ad-hoc approach to communicating changes and a lack of refresher training means many staff assume they know what is required but are not across the detail.
Why is that?
Many people view spending time on developing, reviewing or enhancing policies and procedures as detracting from core responsibilities. Limited resources or the lack of a structured framework are also a factor. This is a challenge for many smaller organisations and is particularly relevant when the driver behind having the policy or procedure is viewed as a “compliance” requirement. There may be no direct penalty for not meeting requirements, as management can often use the excuse that the organisation thought its approach was appropriate for its size, business mix and complexity. For this reason, as long as documents generally meet some core requirements, control weaknesses or process improvement opportunities are often not treated as a priority.
Many people however forget that the underlying reason for having policies and procedures is to ensure things are done right. Regulators do not dream up compliance requirements for the sake of making life difficult or to add red tape. Policies and procedures are often required to manage specific areas of risk to an organisation that may not otherwise be managed well.
Operational risk is the risk of losses from inadequate or failed internal processes, people and systems, or from external events. This means that to manage operational risk and prevent losses, organisations need adequate policies and procedures to prevent human error or detect changes in the external environment, and appropriate response plans in place just in case.
Producing policies that are clear and concise and explicitly meet compliance requirements ensures there is no ambiguity and actions are consistent, timely and repeatable. This means that the standards expected by management are easier to learn for new staff and more likely to be met. This is especially important for smaller organisations where loss of staff and associated corporate knowledge has a greater impact on the organisation. If policies and / or procedures are out-of-date, then management’s commitment to managing operational risk and meeting compliance obligations may be undermined.
Professional-looking documentation that can be clearly and easily understood by independent third parties demonstrates management’s capabilities and provides a level of assurance to regulators, internal audit and the Board. This helps to build a strong, constructive working relationship and ensures that if there are ever any issues, they are easily solved, and the level of oversight is often lower (as the risk is lower).
Effective and efficient policies and procedures help manage risk and reduce operational losses and near miss incidents.
How can you make policy governance efficient and effective?
1. Policy Governance framework
Develop a Policy Governance framework…a policy for policies. This should include:
- Approval framework i.e. which policies, procedures or manuals should be approved by Board, executive or senior management.
- Template to ensure consistency in design and table of contents, e.g. owner, approver, version, next review date, scope, objectives, references and communication or training requirements.
2. Policy Governance functional oversight
Appoint a person to oversee policy governance who will assist in facilitating maintenance of policies and procedures and hence management of operational risk. This may be delegated to a governance, risk management or compliance function. Responsibilities could include:
- Sending reminders that policies or procedures are due for review.
- Assisting with understanding the policy governance framework, developing new policies and procedures or designing training and awareness.
- Reporting to the risk committee where policies or procedures are overdue for review.
3. Policy writing
Writing policies and procedures in a clear, concise manner, including relevant details without excessive detail, is a skill that not all subject matter experts hold.
It is important that the language used is not legalistic, includes relevant context and speaks to the casual reader. A plain language writing course or policy writing workshop may help develop organisational skills.
4. Review frequency
Set the review frequency as appropriate to the topic and nature of the policy.
Many organisations set a review frequency that is not necessary and cannot be met. If management do not maintain the document, this undermines the importance of following the policy or procedure, as it may no longer appear relevant.
5. Independent review
If a subject matter expert writes or updates a policy or procedure, request an independent third party, such as a risk manager or internal auditor, to review it and provide feedback.
6. Policy Governance system
Maintain a policy register which includes, for each policy and procedure, the owner, last review date and next review date. This may be in Excel, SharePoint or a GRC system. Many organisations limit this to Board-approved policies, which means that the operational procedures relied upon to manage risk are often not sufficiently maintained.
This could be extended to include the frequency and timing of communication and awareness training.
There are also more sophisticated integrated Policy Management systems that have online training modules and policy attestations which can maintain details of policy issuance and training provided to staff members as well as support the policy management lifecycle.
Good policy governance is integral to enabling effective operational risk management. All organisations should conduct a high-level review of their approach on a periodic basis. This could be an assessment by governance, risk management or internal audit personnel, or by an external consultant. It would identify opportunities for improvement and, if required, help build management commitment to a more integrated approach.
How we can help you solve the policy problem
InConsult is committed to helping organisations enhance their governance and risk management frameworks. We have extensive experience in designing, reviewing and enhancing governance and risk management frameworks to ensure they are appropriate for the culture and operating environment of individual clients.
If you would like to know more about our governance and risk management services, including governance health checks and better practice assessment of individual policies, contact us to discuss your needs.