Streamline policy management with a policy hierarchy

Swagata Roy

Swagata Roy

By Swagata Roy

Swagata Roy (swagata.roy@libertyutilities.com) is Director of Compliance Strategy and Performance at Liberty Energy and Water, in Oakville, Ontario, Canada.

Written policies and procedures are foundations of an effective compliance program, enabling the organization to meet regulatory requirements, identify risk mitigation controls, and define roles and responsibilities for compliance. Compliance training, communication, and even monitoring activities are dependent on the quality and effectiveness of policy management.

But policy management can be quite the challenge, as compliance teams are facing several demands in the current regulatory and business environment. Large organizations with multiple lines of business must track specific compliance requirements for each area, especially for heavily regulated industries, such as healthcare and financial services. In addition, business mergers require the compliance function to address policies and procedures of the acquired entity that may need to be aligned with the parent.

Emerging technologies are also attracting increased regulatory scrutiny. Technology makes it easier to do business and have customers in multiple jurisdictions, but it carries the burden of compliance with laws and regulations in each jurisdiction.

All of this indicates existence of numerous, even conflicting, policies and procedures throughout the organization. The easy answer may be to centralize policy management for better control and in meeting regulatory compliance obligations. This is not always possible, however, due to many constraints, not in the least being limited resources. During the COVID-19 pandemic, organizations grappled with budget cuts, and the compliance function has been forced to rethink policy management practices.[1] Compliance teams do not usually have an army of policy administrators, and even if they did, it would be quite impossible for them to have the understanding required at a granular level to manage and keep updated the entire policy and procedures library.

Therefore, to help streamline policy management, a hybrid system incorporating a policy hierarchy is proposed.

Policy hierarchies—an overview

The overall strategy of a policy hierarchy is to assign a level to each policy representing the risk level and extent of applicability of that policy.

Enterprise-level policies, which define the mission and vision and set strategic direction of an organization, are the highest level in the hierarchy. Documents like an organization’s purpose statement, governance policies, and board charters are also on this level. The code of conduct being an enterprise-wide principle-based policy with a high consequence of violation also has a higher level in the hierarchy. Other enterprise-wide policies that would be assigned to a higher level in the hierarchy are policies on workplace health and safety, commitment to quality, privacy, diversity, and sustainability (Figure 1).

Figure 1: Example of a policy hierarchy

The enterprise-level policies are usually approved by the board or C-suite. To be successfully operationalized, these higher-level policies need to be supported by jurisdiction-specific or more procedure-based policies. The travel, gifts and hospitality, employee benefits, or vacation policies may be tailored to the geographical locations or business unit.

The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks, “What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?” And when misconduct occurs, “If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?”[2]

This indicates that policies and procedures must be owned and implemented at the appropriate level of accountability.

Implementing a policy hierarchy

When strategically implemented, a policy hierarchy approach will support the growth of the organization within a complex regulatory regime. It needs to be well thought out and must be fit for purpose for the requirements of current business operations and short- and long-term corporate strategy. It can be implemented when a policy framework is being developed, but it can also be implemented over an existing policy framework without much disruption. The hierarchy can also be managed within a policy management software, an in-house system, or simply on any shareable platform where policies are housed.

The policy hierarchy works much like an organization hierarchy where operating units function within the oversight of divisions or departments. This means that lower-level policies and procedures will provide more clarity and step-by-step details as to how the policy must be followed, links to forms, work instructions, etc. It is important to ensure that lower-level policies and procedures never conflict with any principle stated in the higher-level policy.

The first step of implementation is to identify the highest-level enterprise-wide policies. The second step is to assess requirements of specific lines of business or geographical operations that need more detailed policies and procedures. Under a policy hierarchy structure, such policies are assigned a lower level and must support the overarching enterprise-level policy while providing the right level of detail for its intended audience.

Policies in the hierarchy should reference the higher-level policy or related policies for context. Cross-refencing can be easily achieved by tracking the interdependencies in a policy management software or an Excel sheet depending on the resources available. The number and extent of policies must fit the risk profile and regulatory obligations.

The most important aspect of policy hierarchy implementation is to select the right owner of the policies at the business unit or geographical level. The owner of the policy should ideally be a subject matter expert, and the approver should have the adequate authority to enforce the policy. A cross-section of reviewers is desirable, and for policies like a jurisdiction-specific antibribery policy or privacy policy, an external legal review is also recommended.

For procedures, work instructions, and forms, there can be a higher degree of autonomy allowing for the creation and approval at a local level provided there are no conflicts with a policy higher up in the hierarchy. Processes must be in place to continuously identify and evaluate regulatory changes and business-operation changes that require new regulatory compliance. A new regulatory requirement must be evaluated against the existing policies and procedures to determine if changes or updates are required.

During mergers and acquisitions, a policy hierarchy can be applied efficiently to an acquired entity. Once the new organization’s existing policies have been assessed against the policy hierarchy, it is easier to provide clear guidance on which policies will be needed and which ones can be retired and replaced by the parent company’s policies. Usually it will be higher-level, enterprise-wide policies that will be applied to the new business, and more detailed jurisdictional policies will remain. Policies may need to be transferred to a new template, depending on whether the acquired operations will be branded under the parent’s brand or retain its own identity within the group.

Find your ‘policy champions’

When the compliance function is lean, appoint “policy champions.” The policy champions can be the same people as the compliance ambassadors depending on their skill set.[3]

Policy champions have roles within the business unit or local geographical location and provide feedback on cultural nuances of policies, specific processes, or systems to be considered; they also can assist in defining roles and responsibilities that will help implement the policies. Policy champions also add value with their knowledge of the local language and can help identify knowledge gaps and provide valuable input in developing effective compliance training for the intended audience.

Translation of policies into local languages should not be limited to meeting legal requirements but should be undertaken with a view to make them understandable. It is important to consider cultural nuances to make the policy messages relevant, which your policy champions can help execute.

Centralized policy management

While a well-thought-out policy hierarchy will reduce the burden of policy management, there are some key elements of a policy management framework that should be centralized (i.e., kept under the management of the compliance department).

Policy numbering conventions, for example, should be managed centrally to prevent duplication of policies. This central policy repository also provides an easily referenced overview of the policy universe. It can house the enterprise’s policies with links to local databases, clearly showing where local business unit–level policies and procedures can be accessed.

Though policy templates should also be managed centrally to ensure a level of consistency, assign policy owners according to the policy’s level in the policy hierarchy. For example, expense claim approval policies providing how-to guidance can be owned by finance. Consider designating policy champions in each significant business area to assist policy owners in writing those policies. To help train your policy owners and champions, create an e-learning program on policy writing, and make it easily accessible and in multiple languages. Explain the importance of writing concise policies and enforcement sections, which must be clearly articulated, understandable, and enforceable; without them, the organization will risk a compliance failure. Further, consider writing a “policy on policies” to demonstrate the significance that the organization attaches to policy management.

Once the policy hierarchy is established and disseminated in the organization, periodic internal audits are recommended. Due to the distributed nature and collective responsibility of such a hierarchical policy framework, it is particularly important to have independent and unbiased assurance evaluating the quality and effectiveness of policies throughout the enterprise. Even when there are no adverse findings, periodic internal audits will identify areas of improvement that will further the efficiency and effectiveness of overall policy governance.

Sustainable policy management

Adopting a hierarchy approach allows the different business areas to define and take ownership of their compliance obligations. Engagement of policy compliance ambassadors further embeds policies into business operations, allowing compliance teams to focus on the highest-risk areas and provide strategic guidance to the organization. Sustainable policy management is possible with clear, relevant policies incorporating current regulations.

Takeaways

  • Written policies are the foundation of a compliance program and sought out by regulators.

  • A policy hierarchy streamlines policy management; key enterprise-level policies are the highest in the hierarchy.

  • A hierarchical system eliminates contradictions between numerous policies and procedures among different areas and lines of business.

  • “Policy champions” in different areas of the organization execute the policy hierarchy and keep policies relevant.

  • Centralized key elements like policy numbering, location, and document templates maintain consistency of the system.

 
2 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
3 Duncan Milne, “Compliance champions can help you drive a stronger compliance culture,” CEP Magazine, May 2020, https://compliancecosmos.org/compliance-champions-can-help-you-drive-stronger-compliance-culture.
1 J. Veronica Xu, “Rethink your policy management system to strengthen your compliance program,” CEP Magazine, January 2021, https://compliancecosmos.org/rethink-your-policy-management-system-strengthen-your-compliance-program.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings