Growth is a good thing. Don't let it turn bad with sloppy attention to governance, risk, and compliance systems at a company in transition.

That can happen quite easily. The mergers and acquisitions, expansions, affiliations, and ever-growing network of contractual arrangements that spell success can also lead to an overly complex mishmash of policies and procedures. An organization's policies must be managed consistently and continuously throughout the enterprise to remain effective; that's one of the fundamentals of policy management. But as corporations grow more complicated and their operations grow more tentacles, and as an increasingly international economy continues to change the nature of how and with whom companies interact, it becomes more critical than ever to have an enterprise-wide approach to streamlined policy management. Otherwise, consistency and continuity may be lost.

A well-tested and workable approach to your organization's enterprise-wide policy management is to use a federated approach, similar to how the U.S. federal government interacts with the state and local governments.

“Using a federated approach to policy management has served me very well,” says Paul Liebman, chief compliance counsel at the computer manufacturing giant Dell Corp. “It's the most efficient and effective way I've found to push out important corporate policies and standards from headquarters while recognizing that business units and departments will always be better at adapting them to their needs and business realities.”

It works like this: A corporation's mission statement (much like a country's declaration of independence) sets the direction for the organization and what it will accomplish as a whole. In other words, the mission statement explains why the company is in business.

The code of conduct, meanwhile, is its constitution, outlining all the rights and responsibilities of employees at all levels. That document sets the minimum standards of behavior for every member of the workforce (regardless of position, since the code applies to all) and gives everyone a common understanding of what they as employees are expected to do.

At the corporate level, the board and senior management establish policies and sometimes procedures that must be followed. Policies are similar to laws, and procedures are similar to regulations, churned out by Congress and various agencies created by Congress. Corporate policies and procedures should focus only on those issues and risks with enterprise-wide importance, in the same way federal laws or regulations apply to the whole of the country rather than, say, states east of the Mississippi River. In other words, avoid the temptation to be too detailed and to “legislate” minutiae for every nook and cranny of corporate operations.

Business units are required to carry out all mandated corporate policies and procedures. Where policies don't exist to implement some specific policy, the business units are expected to design their own, in a way that makes sense for them and lets them comply with the policy. Business units also should (and usually do) have much more flexibility to create their own policies and procedures for their own specific operations, so long as those rules don't contravene the overall corporate direction. That is to say, each state can devise its own laws for its own needs, so long as it doesn't pass a law that violates federal law or the U.S. Constitution.

We can keep pushing the analogy all the way down to individual work teams and facilities—the municipalities of the overall company—where each level's policies act like laws, its procedures like regulations. As policy management moves downward through the organization, each level sets policies and procedures that suit its specific needs, so long as they don't conflict with any superior policies and procedures.

Of course, that task is far, far easier when the various sub-corporate entities involved are all part of the same corporation; the more tightly integrated they are, the more command-and-control the central government has. Corporations that value flexibility, however, or those with a flat reporting structure or complex webs of collaborators and partners, don't necessarily find compliance as easy. Still, streamlined policy management can be extended across large enterprises through a variety of means. Depending on the extended enterprise partner, the business you're in, and the activities that the two of you manage together, there are several models to consider.

Minimal/none. You and the extended enterprise partner conduct business at arm's length, and no policies or procedures are exchanged or agreed to.

Contractual agreement. You and the extended enterprise partner agree to, and include in contracts, important operating principles and a code of conduct. Those binding contracts legally obligate compliance and possibly allow enforcement from the other party.

Periodic certification. The extended enterprise partner signs and periodically certifies that it adheres to specified policies and procedures.

Integration and use. In this instance, the extended enterprise partner actually adopts and integrates your policies and procedures into their organization.

Monitoring and auditing. Beyond integration, usage and self-certification, the extended enterprise partner agrees to periodic monitoring and auditing for compliance with policies and procedures. This is the most invasive sort of arrangement, but also one of the most reliable.

No matter how your board or senior executives want to implement policy management—even if they decide to stick with the old-fashioned approach of uncoordinated management—you, the compliance executive, play a vital role in ensuring policy management takes root across the extended enterprise. Thankfully, the important elements do not change no matter what model your company follows.

Consistency. There must be a common taxonomy and process to design and develop policies and procedures; corporations also need a process for subordinate organizational units to provide input back to the central headquarters.

Accessibility. The right people must have easy access to the right policies at the right time. Consider some sort of database or other central repository of policies and procedures that key staff can review; lower-level employees could see policies applicable to their corner of the company only, while more senior executives could have increasingly broader clearance to see other policies and procedures.

Integrity. There should be a single authoritative copy of each policy. Multiple copies and duplicates can easily get out of step—the dreaded loss of “version control” that can prompt many employees to make up their own policies rather than sift through conflicting ones.

Usability. The workforce must be able to understand and implement policies. Legalese should be avoided.

Measurability and enforcement. Compliance with policies should be evaluated and measured. Policies without monitoring or enforcement are empty words, and employees will eventually discern that management doesn't take its policies seriously, so the policies can be ignored. Consistent enforcement is critical, as it sends a signal to the workforce (and government) that policies actually mean something.