The third webinar we conducted with the Open Compliance and Ethics Group for the “Policy Management Illustrated” series dealt with policy maintenance through proper measurement and evaluation. In my previous blogs, I discussed best practices around policy enforcement, including how behavior and enforcement go hand in hand, dealing with policy exceptions, and policy compliance across the extended enterprise. In my next couple of blogs, we’ll look at ways to maintain effective policies. First up: how proactive policies help keep you defensible against risk.
All too often, organizations fall into the trap of creating policies and even distributing them to the workforce, but then allow the policies to stagnate as the business environment changes. Then, when trouble comes along and the organization looks back at the policy, it’s revealed that the policy no longer applies to the current operating conditions, and the issue at hand has not been addressed.
Michael Rasmussen, in his article in Compliance Week, is adamant about keeping a regular maintenance schedule for policies: “My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization.”
Effective policy management requires a proactive, “evergreen” approach. You can’t just create policies, write them down, and let them gather dust on a shelf until something happens. By keeping policies fresh and current, you’re proving your commitment to the policy process – and really, your entire compliance initiative – and showing that the policies matter, that you didn’t just go through some checkbox exercise in writing them in the first place.
Most organizations can see the need for policy maintenance, but many aren’t doing it. According to the survey conducted during the OCEG webinar, fewer than half of those polled said they require that policies be reviewed on a regularly scheduled basis. Policy management software will send you automatic reminders to review policies.
As your business environment changes, your policies very likely will need to change to keep up. Otherwise, you risk having concerned employees refer to a policy only to find outdated guidance. Well-maintained policies keep you out of hot water and strengthen your position of defensibility. By having current policies and being able to show that your workforce is current on those policies, your organization can defend itself against “rogue” operators who violate those policies (e.g., Morgan Stanley and the Garth Peterson case).
Next time, we’ll look at measuring and evaluating policy through the use of metrics.