Bring out the best in policy management
Many failures in business today could be addressed or even prevented with better policy management. Data breaches, workplace accidents, employee misconduct, third-party incidents, customer complaints, and more are often traced to policies that were absent, ineffective, or out of sight, out of mind.
What if policies were more than just about dos and don’ts for employees and legal protection for business? Imagine if policies were also about what Jack Welch, former chairman and CEO of General Electric, views as critical to success: employee engagement and customer satisfaction.
For policies to bring out the best in employees and delight customers, as well as serve the company’s best interests, you’ll need to follow five key principles of sound policy management.
Influence employee behavior with policy communications
The best, most adhered to policies don’t just live in a policy manual filed away. Policy adherence thrives on communication, training, and testing. Publish and distribute policies, making sure to articulate what a given policy is and why it matters. Give employees a test to check their comprehension of the policy. As it takes an average of 21 days to form a new habit, employees need repeated exposure to a policy for integration into their daily routine.
Use code of conduct to drive employee engagement and customer satisfaction
Policies do more than manage risk. A code of conduct can inspire and encourage employees and business partners to think and act in a certain way. For example, as part of an overhaul of its compliance program, Volkswagen rolled out a new code of conduct that detailed three main responsibilities: responsibility as a member of society, responsibility as a business partner, and responsibility in the workplace. Whether you’re an employee or a partner, you know where Volkswagen stands on numerous issues and what is expected of you.
Highlight policies after incidents to head off issues or convey tone from the top
Workplace incidents require investigations, corrective action plans, and reports as part of remediation. But don’t stop there. Use incidents to communicate and emphasize rules and policies. With sexual harassment becoming a growing concern and many organizational leaders wanting to implement a speak-up culture, existing and new policies need to be revised or written and shared across the organization. When combined with an anonymous whistleblower program, policies can affect real change.
Link policies to controls for contractual agreements and regulatory requirements
Policies related to contractual agreements help ensure that participants act in accordance, resulting in less risk of conflicts and issues. Prove compliance with regulations by showing a linkage between policies and controls. The linkage provides a defensible record that helps protect the company.
As Michael Rasmussen writes in the GRC Pundit Blog, “to defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.”
The best company defense is thoroughness and traceable roots to laws, standards, and guidelines.
Update or create policies as business changes and events occur
Polices aren’t set in stone. They’re subject to change at any time. As previously discussed, policies link to controls created from regulation citations. Events like incidents and management initiatives, as well as regulatory changes, create the need for policy updates and new policies. It happens with such frequency that it’s a good idea to review policies annually. Every policy change, update or new, must be written, recorded, and shared with its intended audience.
Leverage technology for policy management
You can create a policy easy enough using a word processor. That’s great if you’re a small company and just need an employee manual. If you’re a corporation with a sizeable workforce, multiple offices, and have customers and vendors in many locations or countries, word processing and spreadsheets don’t cut it. You need a solution that saves time, saves money, and does more.
The answer is technology designed for policy management that can scale, adapt, streamline, and equip you to engage employees and drive customer satisfaction. Technology that can bring automation to processes, like automatically comparing versions of documents for changes or notifying a target list of recipients of a new or revised policy with a request for acknowledgment and attestation.
Sound policy management with the right technology can address or even prevent many business failures while helping protect the company. And for company goals to be more employee and customer-centric, the management/technology solution is a catalyst for employee engagement and customer satisfaction.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.