The COVID-19 pandemic is challenging organizations across the globe to operate in a new paradigm that is changing almost on a daily basis. Business leaders are having to make decisions to best deliver on customer commitments without compromising on employee well-being. Whether it’s banks, hospitals, manufacturers, or retailers, they are all relooking into their policies and procedures and making changes to them to help deal with the crisis. Some policies that top the list are work from home policies, travel policies, information security policies, health and safety policies, expense policies, etc.
How are the compliance and ethics teams dealing with this? How are they rapidly updating the policies? What impact are these updated policies having across the board? Is the change communicated to the applicable employees? Are the policies being followed? Given the current, fluid situation, the need for a robust policy management program is amplified. Listed below are some policy management strategies that compliance and ethics leaders can follow to address these concerns and sail through the current disruption and beyond
Most organizations follow a siloed approach to policy management in which different teams within the organization work independently and follow different templates and guidelines. While there may be a dedicated owner for each policy while creating or updating the policy, the owner needs to collaborate with other business functions. For instance, while updating the work from home policy in these times of the pandemic, the information security policy, or the expense reimbursement policy, will also be impacted. A policy management technology platform can be of great help.
• It can have streamlined workflows where multiple people across the globe can easily collaborate on different sections of a policy to provide comments and feedback
• Proper version control can be maintained
• You can get a clear defensible audit trail on the changes made to policies
Take a contextual view of the policies when you are creating or updating them. It will help to have answers to the following questions.
• What is the risk associated with a policy?
• What are the regulations or standards tied to each policy and what are the processes that they may impact when a policy gets updated?
• How many exceptions are raised against a specific policy?
All exceptions carry some amount of risk which has to be taken into account. Many organizations are also not aware of the violations of policies or if these violations or cases are tracked, if they are not linked to policies. Linking policies to cases gives a lot of insight to compliance professionals on the policies they need to rework, and whether they should invest in new training programs or put additional controls in place.
With the current COVID-19 situation, some policies are getting updated on a weekly basis and there could be compliance implications if the policies are not adhered to by the employees. While most companies use email as a mechanism to communicate policies, there is a probability that policies get lost in the many emails that one receives. Some best practices could be:
• Post policy updates on your intranet or any other operational or internal social platforms
• Focus on sticking to the most important messages and keeping the short, engaging and empathetic
In addition to email, announcements regarding the policy can be made available on a centralized policy portal. Whichever channel is chosen for the communication of policies, it really helps to be clear about what the change is, why the change is required and what measures need to be taken by employees to make sure they adhere to the new requirements. MetricStream Policy and Document Management has a centralized state of the art policy portal that only shows the latest relevant policies applicable to each employee, relieving the employee from having to search through multiple databases.
Consider a case where the employee has to search for policies in multiple portals, not knowing which one is the latest and which one is applicable to him/her. It makes sense for the policies to pop up in the intranet, in the chatbot, customer relationship tool, or any other operational system that is frequently used by employees. For example, if the loan processing agent needs to refer to the updated policy on loans, it makes sense for him/her to access the latest updated policy quickly on the intranet, rather than referring to the old outdated policy, and thereby violating norms.
Policies can be deemed effective only if they are adhered to. Most organizations invest in quizzes and surveys to gauge how well employees have comprehended the policy. This is more prevalent for training on the FCPA, information security and sexual harassment policies. With policy management technology, employees can be allowed to attest to a policy only upon a minimum passing score and the questions can be designed to be engaging as well as interactive.
While the pandemic has compounded the need for an effective policy management program, businesses understand that policies are an integral part of the overall compliance program. There is no doubt that policies, procedures and other compliance-related documents are the foundation for a successful compliance program. It helps to have a technology solution like MetricStream Policy and Document Management that can automate, streamline and integrate policy change management so that you can mitigate compliance related risks and stay ahead of the curve.
Shua is the Senior Manager at MetricStream.