There’s a deep connection between risk and policy management. Policies and their associated management best practices can only be successful if the business has a clear set of stated objectives, and has identified the threats or risks involved in achieving (or not achieving) them.
Once a risk has been defined and understood, organizations really only have four basic ways in which to deal with it:
- Avoid – Stop the risk from happening totally and put a plan in place to make sure it never happens
- Transfer – Shift the responsibility to someone else, e.g. through insurance
- Mitigate – Devise actions to make the risk less of a problem if it does happen
- Accept – Actively decide to do nothing (maybe the cost of mitigating outweighs the impact)
Policies (and procedures) are specific controls or plans that are put in place to mitigate risks or avoid them altogether. Here’s where the relational connection between risk and policy management comes from. Ultimately policies and procedures are responsible for defining the organization’s risk culture. Policies and procedures provide the framework for the ethics, values, and actions that the organization expects its employees to follow.
Failure to understand this intrinsic relationship is where many companies go wrong – both in managing risk, policies, and procedures, and in building a true culture of ethics and compliance that permeates the entire organization from top to bottom.
Failing to define objectives & risks
Organizations that fail here often do so because their objectives or the associated risks have not been defined. This has a knock-on effect: the creation of what have been termed “ad hoc policies” or “rogue policies.” Policies created in an ad hoc manner, meaning that they are not aligned to objectives or defined risks, can often impede an organization and leave it exposed to risk.
It’s a problem that occurs when risk and policy and procedure management are not taken seriously, and it is an easy pitfall that organizations can find themselves in, often without realizing the increase in exposure.
These ad hoc policies, if left unchecked, will inevitably end up over-complicating business and leaving the organization more exposed, because they are not written with a clear connection to organizational objectives. Even though ad hoc policies may be written to address a specific risk, it is nearly impossible to gauge their effectiveness without understanding what the organization’s objectives are. One of the main purposes of risk management practices is to establish tolerance levels for risk, and the organization’s overall appetite for dealing with risk.
Having strong risk and policy management practices means these tolerance levels are established, and the expectations for controls and policies are understood. Only then can accurate measurement of the effectiveness of policies take place. Measuring the effectiveness of policies should involve the assessment of the policy management process as a whole. For internal audit departments to conduct proper assessments, they require complete visibility into the processes implemented. Processes are themselves another form of control, and in this case, it’s a control of the management of controls.
New guidelines for corporate compliance
Best-practices-based policy & procedure lifecycle management complements and works in unison with a solid risk management process. As part of a control assessment when taking steps to measure a policy’s effectiveness, organizations need to routinely measure the comprehension of the policies by employees.
Establishing these metrics and implementing mechanisms that act as key indicators in identifying potential gaps or lapses in behavior provides the organization with two things:
- It shifts the organization into a proactive state.
- It adds to the defensibility of the organization’s overall compliance program.
This is why best-practices-based policy and procedure management is so incredibly important in proving compliance and remaining defensible. It shows that risks are being taken seriously, and that the controls and policies in place are there for a defined purpose. They are actively measured and are being continuously assessed within the changing landscape where the business operates.
The Department of Justice recently updated the guidelines they use to evaluate the effectiveness of corporate compliance programs. It’s no shock to see that large portions of this guide are specifically related to risk and policy management.
Policy management to meet a new set of rules
The granularity of detail that regulators are seeking in these areas is something various industry experts may already have recognized, but the DOJ is clearly putting a stake in the ground and telling you exactly the criteria it will use. This granularity is now the rule rather than the exception, and organizations should expect these questions at a minimum when trying to prove their compliance programs are sound.
When it comes to risk management and policy management being successful, both need constant assessment and management, and it’s important they be addressed holistically. The relationship between the two, and the alignment of processes to manage them, will play a crucial part in how an organization will remain defensible and consistently execute on its compliance obligations.
Let technology help you by taking care of the manual complexities, so you can truly focus on the people in your organization and the quality of your compliance program.