Swagata Roy (email@example.com) is Director of Compliance Strategy and Performance at Liberty Energy and Water, in Oakville, Ontario, Canada.
Written policies and procedures are foundations of an effective compliance program, enabling the organization to meet regulatory requirements, identify risk mitigation controls, and define roles and responsibilities for compliance. Compliance training, communication, and even monitoring activities are dependent on the quality and effectiveness of policy management.
But policy management can be quite the challenge, as compliance teams are facing several demands in the current regulatory and business environment. Large organizations with multiple lines of business must track specific compliance requirements for each area, especially for heavily regulated industries, such as healthcare and financial services. In addition, business mergers require the compliance function to address policies and procedures of the acquired entity that may need to be aligned with the parent.
Emerging technologies are also attracting increased regulatory scrutiny. Technology makes it easier to do business and have customers in multiple jurisdictions, but it carries the burden of compliance with laws and regulations in each jurisdiction.
All of this indicates existence of numerous, even conflicting, policies and procedures throughout the organization. The easy answer may be to centralize policy management for better control and in meeting regulatory compliance obligations. This is not always possible, however, due to many constraints, not in the least being limited resources. During the COVID-19 pandemic, organizations grappled with budget cuts, and the compliance function has been forced to rethink policy management practices. Compliance teams do not usually have an army of policy administrators, and even if they did, it would be quite impossible for them to have the understanding required at a granular level to manage and keep updated the entire policy and procedures library.
Therefore, to help streamline policy management, a hybrid system incorporating a policy hierarchy is proposed.
Policy hierarchies—an overview
The overall strategy of a policy hierarchy is to assign a level to each policy representing the risk level and extent of applicability of that policy.
Enterprise-level policies, which define the mission and vision and set strategic direction of an organization, are the highest level in the hierarchy. Documents like an organization’s purpose statement, governance policies, and board charters are also on this level. The code of conduct being an enterprise-wide principle-based policy with a high consequence of violation also has a higher level in the hierarchy. Other enterprise-wide policies that would be assigned to a higher level in the hierarchy are policies on workplace health and safety, commitment to quality, privacy, diversity, and sustainability (Figure 1).
The enterprise-level policies are usually approved by the board or C-suite. To be successfully operationalized, these higher-level policies need to be supported by jurisdiction-specific or more procedure-based policies. The travel, gifts and hospitality, employee benefits, or vacation policies may be tailored to the geographical locations or business unit.
The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks, “What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?” And when misconduct occurs, “If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?”
This indicates that policies and procedures must be owned and implemented at the appropriate level of accountability.