Technology tools can play an integral role in helping organisations minimise risk in this area. The Red Flag Group’s ComplianceDesktop® Technology Platform manages the lifecycle of policies throughout your organisation, enabling you to manage them from creation and throughout the review, approval and roll-out processes. This feature can be utilised in conjunction with the communication, training and tracking mechanisms built into the platform.
A policy management technology system can be very useful for you and your organisation. In order to successfully deploy the tool into your compliance programme there are many factors that you should consider and prepare for.
Before you can consider the actual content of your policy management system it is beneficial to examine what role it will play, not only in organising policies but within the organisation as a whole. This is instrumental in understanding how to implement the policy management system. The system should have dedicated resources in order to help make it more effective. The focus should be on clearly defined objectives that will make the system useful and easier to manage. It is vital to understand this before initiating the process of integrating with a technology platform. Some things to consider at this stage are:
- Have your policies recently been reviewed to bring them up to date?
It is counterproductive to initiate the roll-out of a platform to manage your policy documents if your documents are out of date, not up to speed with the latest developments in the business or not addressing all the key risk areas that they should.
- Do you currently have all of your policies in one place?
This is important as you will need to consider where you draw your policies from. Individual departments will likely have their own policies separate from the rest of the firm. Gathering all of the existing documents into one place is a crucial step.
- To what degree will senior management be involved?
Many policies are effectively “owned” by senior management. Often senior-level managers will have very busy schedules and will not have the time to update policies on a consistent basis. Their level of interaction must be considered, as well as alternatives: if someone is unable to make changes to a policy due to their schedule, who will make that change in the interim? If someone other than the creator or owner of the policy makes a change, who will approve it? A chain of authorisation and review must be developed and established.
- Who will be responsible for maintaining the database?
While certain individuals will be required to approve policy documents, there will ultimately need to be someone who can manage the day-to-day running of the system. Ideally a person such as a programme manager will be tasked with running the programme as a whole once it has commenced. This person would, for example, track which respondents have not yet read and certified a policy. It is also important that a senior-level employee with experience in risk management and approval be tasked with helping to approve and formulate policies.
Now that the objectives and roles are more clearly defined, consider the execution of the system: How accessible will the system be to employees? Will they be encouraged to access it frequently? In order to maintain the efficacy of the tool it is vital to think about usage and interaction.
How will you keep track of employee data? Does the platform need to be in multiple languages? Do all employees need to be able to access and view policies? Will you require them to certify or acknowledge that they have read and familiarised themselves with a policy?
Defining the level of interaction that employees have with the tool will make it easier to determine how effective the tool is and to maintain that effectiveness. Ideally, transparency and accessibility of all policies is enough to ensure that employees are familiar with them, but requiring employees to certify that they have read a policy adds a further layer of procedure and guarantee. Making policies globally applicable by providing translated versions will also mean employees are more likely to read them.
How will policies be approved once the technology integration has been implemented? What level of employee will be responsible for approving the content and wording of a policy? Who will complete this in their absence? Will you require multiple levels of approval?
In order to minimise exposure and ensure that company policies are satisfactory you will likely need to get approval for any changes. Determining who is responsible for this task, based on the type of policy and the scope of the change, is essential.
- Will you have more than one type of policy?
Different departments will likely have different internal processes and not all policies will be applicable to all employees. You should consider who the audience is (for example internal or external staff, or staff from a specific division or geographical region) and who owns each policy. Many policies will be global or company-wide, but one must consider policies that are region-specific.
Monitoring and review
Corporate policies should be continually reviewed, edited and certified as a means of continued improvement. Constant review of policies ensures that the provisions are correct, relevant and in line with regulation and corporate culture. Policy management systems should have built-in functionality for reviewing and renewing policies at least once annually. Reporting of policy data is necessary for several reasons, including reporting statistics to superiors, providing a high-level overview of the effectiveness of the system, and measuring various certifications and renewals of policies.
- Who will be conducting the review of policies?
It is important to designate whether the actual owner of the policy is the one who will be responsible for reviewing and approving its contents. Best practice indicates that a secondary approver should be involved in the process to ensure that the policy is compliant and relevant.
It is essential to consistently review your policies, especially given recent trends in changing regulations. Policies should always be “active” and enforced within the corporation, and a regular renewal cycle of six months or a year will mitigate the expiration of any policies. Furthermore, regularly reviewing policies ensures that the information within is current and relevant.
- How will I know when a policy was last changed? What about policies that are no longer effective?
Policy management systems should include an internal mechanism to record who has made changes and when. Although all changes should go through an approval process, it is still useful to have visibility of the history of a policy. Furthermore, it is beneficial to be able to view old policies that were once active and have now been archived.
Developing and maintaining a policy management system may sound overwhelming, but there are effective technology solutions that can make this process smooth and simple. In order to take full advantage of this, be prepared to consider aspects of your process that may not immediately be apparent. The first step to minimising risk in this area is to evaluate your current model; assessing what you currently have in place and how it can be improved will aid you in conceptualising what is involved in a policy management system.
Policies that are not effectively managed or continually updated will be seen as unimportant and may not be taken seriously. This can lead to exposure internally and can encourage a negative business environment. Policies should be clearly stated and available to all employees. It should be immediately apparent who they apply to, how long they are effective for and who owns them. Keeping track of your company policies is one of the first steps in ensuring employees adhere to them.