Download the full 2020 BELA South Asia Magazine here.
The fundamental basis of any company’s compliance programs is its Code of Conduct and its suite of compliance policies. Having ‘policies and procedures’ in place is such a basic requirement, that we almost take it for granted. The biggest mistake we can make is building a policy that we use as a check-the-box exercise. In fact, how many times have we heard that to remediate a process gap or to mitigate risk, a policy is drafted? That seems to be the silver bullet for corrective action. Unfortunately, this critical component becomes the least impactful area to consider in evaluating the effectiveness of a company’s overall compliance program.
The fact of the matter is that the most important element of a compliance infrastructure for an organization is its policy structure. If applied well, policies can be vital to not only act as a strong defense mechanism for a company in the course of regulatory scrutiny but can become a cornerstone of building a solid culture of integrity and ethics, and compliance. To harness the real impact of a policy, one should consider its impact on employees and the company. For it to serve this purpose it’s important to note that policies should be well-drafted, organized, properly disseminated, digestible, visibly enforced, and stay current through timely revisions. Let’s get into each of these elements.
- Nuts and bolts of a policy: A well-drafted policy is one that is written with the target audience in mind. Having a super detailed and all-encompassing policy may give us a false sense of comfort that we have covered all risks that could possibly exist in a certain area. But the reality is it’s of little use if an average employee does not take the time to read it, let alone process it. At GE, we have taken a big step towards simplifying our policy structure by segregating our audience and defining the purpose a certain document serves. As an example, there are certain core policies within our code of conduct that need to be drafted in a very simple manner in a language that is easily understood by 200K+ employees globally. Our assessment revealed that we need policies with better readability scores at a high school reading level. To this effect, we re-drafted our Code of Conduct to highlight the basic principles and do’s and don’ts. Likewise, for businesses, we needed to set standards that define requirements from an operational and functional standpoint. These standards were drafted following a standard structure and content that is both easily measured and frequently audited. In drafting policies, it’s important to obtain feedback early on. Input from various internal stakeholders are obviously important for content and specificity. But the ease of understanding should be tested by obtaining feedback from employees outside legal and compliance functions. Their feedback is important to gauge whether they have understood the content.
- Organization: The next step is to organize the various documents in a manner that paves the way to good governance. Many of us are guilty of using terms like “policy”, “standards”, “guidelines”, “procedure” interchangeably. This creates confusion for the intended audience and results in the inconsistency of enforcement. While each organization may have nuanced definitions for these terms, a clear distinction is needed. Simply put, policies are principle-based documents that are adopted by an organization. Standards are basic and often mandatory expectations on ‘what’ is required to be done. Guidelines include factors to be considered while deciding a course of action. They vary in the level of details and are generally recommended or supplemental documents versus being strictly mandatory. Procedures are documents that list detailed step-by-step actions required to accomplish a task. Procedures often cover the ‘how’ and include ownership, a delegation of authority, tools, systems etc. They are required to operationalize policies and standards and establish controls in critical processes. Each of these documents collectively makes a company’s policy governance framework.
- Communication: Policies need to be communicated which is not the simple act of posting the document on the company’s website/intranet. That’s the greatest disservice we can do to ourselves and our employees. We may be delusional in thinking that anything on a company’s website is pro-actively accessed and reviewed by employees. It’s necessary that a basic communication approach is planned for any dissemination depending on the nature of policy and size of the organization. In most cases, a multi-pronged approach is required such as sending a communication to employees along with socializing with the audience via cascading through managers and may go as far as obtaining an acknowledgment, as in the case of a Code of Conduct. Referencing and pointing to the locations of a policy during training is equally important and reinforces the messaging.
It is important to note, however, that communication will not guarantee comprehension. How do we know our policies are understood? Creating a test after training maybe one way. A useful way we have figured this out at GE is through a process called “risk roll-up”. In this process, every 12 or 18 months, we run a campaign where managers at all levels discuss key policy areas and risk with their employees starting from front line employees. Managers then roll up the questions/take away with their leader and so on until the discussion happens with the senior-most person in the business. The inputs from all levels are recorded along with questions, concerns as well as highlight gaps in understanding if any. This input is invaluable to compliance organizations to not only gather risk perception from employees and management but also a reflection of a general understanding of various policies.
- Enforcing policies: Just like laws, policies are only as effective as they are enforced. No amount of governance structure would achieve its true objective if it’s not enforced. When issues happen, and they will happen, the first litmus test is whether the policy existed and was understood, and the next step is to check how the company responded to the issue. If the response or action is not aligned with the tenets of the policy, it’s failed all the effort taken in prior steps.
- Continuous update: Creating a policy framework is never a one-time exercise. As times change, it is imperative to continuously review and update the policy’s content and follow the whole cycle. It also instills confidence in the minds of employees that there is machinery that ensures that policies remain relevant and new realities are incorporated.
As custodians of policies in our companies, a robust policy framework can act as one of the most important tools at our disposal. When done wrong, policies can simply be a tick-the-box item on a checklist of compliance and do nothing more. In compliance, we are always looking for the right way and when done right, policies can play a significant role in making a solid compliance infrastructure as well as be a catalyst for enabling the right culture for a company.
About the Author: Ritu Jain is the Chief Compliance Officer for GE Asia region which includes South Asia, South East Asia, Japan, Korea, and Australia New Zealand covering 30000+ employees across 19 countries. In this role, she is responsible for GE’s Compliance program and strategy in the region, identify emerging Compliance trends including related regulatory and policy issues that may impact the businesses’ compliance readiness, and make appropriate recommendations.