This morning I attended a workshop on policy management conducted by noted GRC pundit Michael Rasmussen. We’ve all heard the old adage about change being the only constant. In speaking about the maintenance of policy, Michael said something along the lines of, “While we’re sitting here talking right now, change is going on out there. When you get to your office in a few hours, things will have changed – somehow, somewhere.”
When done right, policy management does wonders for the effectiveness of a company’s compliance efforts. Done shoddily, policy management exposes an organization to risk, liability and even regulatory penalties. One of the big things to consider when it comes to effective policy and procedure initiatives is making sure your P&Ps (policies and procedures) are kept up to date. In many cases, companies change the way they conduct business but don’t remember to go back and update the relevant policy.
Best practice says to establish a regular interval for policy review, so that updates can be implemented as change occurs. The frequency of review should be specified in your meta-policy (the policy about your corporate policies). But what is the appropriate interval?
No doubt in the few hours I was with Michael, regulatory change was happening out there – somehow, somewhere – in the worlds of finance, healthcare, manufacturing, international trade and so on. The truth is that every policy, including the Code of Conduct, should be reviewed at least annually. While this may seem like an onerous burden, the reasons are fairly straightforward. One, there’s always a risk that a new court case or law may change the way your organization has to do business. Two, a merger and/or acquisition may add complexity that did not previously exist. And three, the number of incidents or cases in a particular category may show that policy language needs clarification, or may expose a loophole in your existing policy. The annual policy review provides an opportunity for you to step back and learn from the data being collected in your compliance program.
You may find that only one or two policies need to be changed in a given year, and the rest are simply reviewed and approved for the next year. Changes in those policies may call for minor changes to the Code of Conduct, so that your last rewrite stays current and accounts for regulatory changes – but that usually does not require a major rewrite.
The person who owns each policy should be reviewing that policy annually to make sure that if a change is needed, it doesn’t fall through the cracks.