Swagata Roy (swagata.roy@libertyutilities.com) is Director of Compliance Strategy and Performance at Liberty Energy and Water, in Oakville, Ontario, Canada.
Written policies and procedures are foundations of an effective compliance program, enabling the organization to meet regulatory requirements, identify risk mitigation controls, and define roles and responsibilities for compliance. Compliance training, communication, and even monitoring activities are dependent on the quality and effectiveness of policy management.
But policy management can be quite the challenge, as compliance teams are facing several demands in the current regulatory and business environment. Large organizations with multiple lines of business must track specific compliance requirements for each area, especially for heavily regulated industries, such as healthcare and financial services. In addition, business mergers require the compliance function to address policies and procedures of the acquired entity that may need to be aligned with the parent.
Emerging technologies are also attracting increased regulatory scrutiny. Technology makes it easier to do business and have customers in multiple jurisdictions, but it carries the burden of compliance with laws and regulations in each jurisdiction.
All of this indicates the existence of numerous, even conflicting, policies and procedures throughout the organization. The easy answer may be to centralize policy management for better control and to meet regulatory compliance obligations. This is not always possible, however, due to many constraints, not least of which is limited resources. During the COVID-19 pandemic, organizations grappled with budget cuts, and the compliance function has been forced to rethink policy management practices.[1] Compliance teams do not usually have an army of policy administrators, and even if they did, it would be quite impossible for them to have the understanding required at a granular level to manage and keep updated the entire policy and procedures library.
Therefore, to help streamline policy management, a hybrid system incorporating a policy hierarchy is proposed.
Policy hierarchies—an overview
The overall strategy of a policy hierarchy is to assign a level to each policy representing the risk level and extent of applicability of that policy.
Enterprise-level policies, which define the mission and vision and set the strategic direction of an organization, are the highest level in the hierarchy. Documents like an organization’s purpose statement, governance policies, and board charters are also on this level. The code of conduct, being an enterprise-wide, principle-based policy with a high consequence of violation, also has a higher level in the hierarchy. Other enterprise-wide policies that would be assigned to a higher level in the hierarchy are policies on workplace health and safety, commitment to quality, privacy, diversity, and sustainability (Figure 1).
The enterprise-level policies are usually approved by the board or C-suite. To be successfully operationalized, these higher-level policies need to be supported by jurisdiction-specific or more procedure-based policies. The travel, gifts and hospitality, employee benefits, or vacation policies may be tailored to the geographical locations or business unit.
The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks, “What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?” And when misconduct occurs, “If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?”[2]
This indicates that policies and procedures must be owned and implemented at the appropriate level of accountability.
Implementing a policy hierarchy
When strategically implemented, a policy hierarchy approach will support the growth of the organization within a complex regulatory regime. It needs to be well thought out and must be fit for purpose for the requirements of current business operations and short- and long-term corporate strategy. It can be implemented when a policy framework is being developed, but it can also be implemented over an existing policy framework without much disruption. The hierarchy can also be managed within policy management software, an in-house system, or simply on any shareable platform where policies are housed.
The policy hierarchy works much like an organization hierarchy where operating units function within the oversight of divisions or departments. This means that lower-level policies and procedures will provide more clarity and step-by-step details as to how the policy must be followed, links to forms, work instructions, etc. It is important to ensure that lower-level policies and procedures never conflict with any principle stated in the higher-level policy.
The first step of implementation is to identify the highest-level enterprise-wide policies. The second step is to assess requirements of specific lines of business or geographical operations that need more detailed policies and procedures. Under a policy hierarchy structure, such policies are assigned a lower level and must support the overarching enterprise-level policy while providing the right level of detail for its intended audience.
Policies in the hierarchy should reference the higher-level policy or related policies for context. Cross-referencing can be easily achieved by tracking the interdependencies in policy management software or an Excel sheet, depending on the resources available. The number and extent of policies must fit the risk profile and regulatory obligations.
The most important aspect of policy hierarchy implementation is to select the right owner of the policies at the business unit or geographical level. The owner of the policy should ideally be a subject matter expert, and the approver should have the adequate authority to enforce the policy. A cross-section of reviewers is desirable, and for policies like a jurisdiction-specific antibribery policy or privacy policy, an external legal review is also recommended.
For procedures, work instructions, and forms, there can be a higher degree of autonomy allowing for the creation and approval at a local level provided there are no conflicts with a policy higher up in the hierarchy. Processes must be in place to continuously identify and evaluate regulatory changes and business-operation changes that require new regulatory compliance. A new regulatory requirement must be evaluated against the existing policies and procedures to determine if changes or updates are required.
During mergers and acquisitions, a policy hierarchy can be applied efficiently to an acquired entity. Once the new organization’s existing policies have been assessed against the policy hierarchy, it is easier to provide clear guidance on which policies will be needed and which ones can be retired and replaced by the parent company’s policies. Usually it will be higher-level, enterprise-wide policies that will be applied to the new business, and more detailed jurisdictional policies will remain. Policies may need to be transferred to a new template, depending on whether the acquired operations will be branded under the parent’s brand or retain its own identity within the group.
Find your ‘policy champions’
When the compliance function is lean, appoint “policy champions.” The policy champions can be the same people as the compliance ambassadors depending on their skill set.[3]
Policy champions have roles within the business unit or local geographical location and provide feedback on cultural nuances of policies, specific processes, or systems to be considered; they also can assist in defining roles and responsibilities that will help implement the policies. Policy champions also add value with their knowledge of the local language and can help identify knowledge gaps and provide valuable input in developing effective compliance training for the intended audience.
Translation of policies into local languages should not be limited to meeting legal requirements but should be undertaken with a view to make them understandable. It is important to consider cultural nuances to make the policy messages relevant, which your policy champions can help execute.
Centralized policy management
While a well-thought-out policy hierarchy will reduce the burden of policy management, there are some key elements of a policy management framework that should be centralized (i.e., kept under the management of the compliance department).
Policy numbering conventions, for example, should be managed centrally to prevent duplication of policies. This central policy repository also provides an easily referenced overview of the policy universe. It can house the enterprise’s policies with links to local databases, clearly showing where local business unit–level policies and procedures can be accessed.
Though policy templates should also be managed centrally to ensure a level of consistency, assign policy owners according to the policy’s level in the policy hierarchy. For example, expense claim approval policies providing how-to guidance can be owned by finance. Consider designating policy champions in each significant business area to assist policy owners in writing those policies. To help train your policy owners and champions, create an e-learning program on policy writing, and make it easily accessible and in multiple languages. Explain the importance of writing concise policies and enforcement sections, which must be clearly articulated, understandable, and enforceable; without them, the organization will risk a compliance failure. Further, consider writing a “policy on policies” to demonstrate the significance that the organization attaches to policy management.
Once the policy hierarchy is established and disseminated in the organization, periodic internal audits are recommended. Due to the distributed nature and collective responsibility of such a hierarchical policy framework, it is particularly important to have independent and unbiased assurance evaluating the quality and effectiveness of policies throughout the enterprise. Even when there are no adverse findings, periodic internal audits will identify areas of improvement that will further the efficiency and effectiveness of overall policy governance.
Sustainable policy management
Adopting a hierarchy approach allows the different business areas to define and take ownership of their compliance obligations. Engagement of policy compliance ambassadors further embeds policies into business operations, allowing compliance teams to focus on the highest-risk areas and provide strategic guidance to the organization. Sustainable policy management is possible with clear, relevant policies incorporating current regulations.
Takeaways
- Written policies are the foundation of a compliance program and sought out by regulators.
- A policy hierarchy streamlines policy management; key enterprise-level policies are the highest in the hierarchy.
- A hierarchical system eliminates contradictions between numerous policies and procedures among different areas and lines of business.
- “Policy champions” in different areas of the organization execute the policy hierarchy and keep policies relevant.
- Centralized key elements like policy numbering, location, and document templates maintain consistency of the system.