This month, Compliance Week and the Open Compliance and Ethics Group present the latest installment of our regular series, “GRC Illustrated.” The interactive series—which features visual representations of key governance, risk, and compliance initiatives—is intended to help readers understand how to put principles into practice. In this month's entry, GRC Illustrated explores the necessity of having company-wide compliance programs in place to conduct business ethically and in compliance with regulatory requirements. Here's how:

Today more than ever, incidences of ethical misconduct or legal noncompliance can result in “bet the company” outcomes. In the current environment, it is especially important to implement and review governance, risk and compliance processes to ensure business is conducted within both mandated (laws, regulations) and voluntary (values, brand) boundaries. That said, most companies are not in the compliance business. Their work is focused on providing goods or services to their customers and delivering shareholder value. Compliance may be considered more of a nuisance than a priority—and it is often addressed with less rigor than other business processes.

Part V of the GRC Illustrated series is sponsored by Axentis.

Policies, procedures and controls are a cornerstone of a high performing compliance program and an important piece to get right. In well-meaning attempts to comply, some companies have established dozens, hundreds and even thousands of policies and procedures. The sheer volume and complexity of these policies and procedures, and the approaches to produce and manage them, can sometimes cause more harm than good.

A Tale Of Two Companies

At PharmaCo, a $500 million pharmaceutical company, executives have not systematically and effectively addressed non-FDA compliance requirements. Non-FDA compliance takes a back seat to what some executives consider to be “more pressing matters.” That said, no department wants to be left out and every unit wants its voice heard. There is HR, legal, finance, compliance, ethics—the list goes on, and each has opinions on how to address requirements. No matter that the various approaches are in conflict. “It will all sort itself out,” opines one executive.

Common Challenges

Like many companies, PharmaCo is wrestling with a number of common challenges. See how many of these apply to your organization:

Monolithic and Dense Delivery. A 256-page New Hire Manual is the core document—a manual that requires the employee to sign the last page indicating understanding of every policy and procedure therein. Finding information is challenging and cannot be easily applied. What may be needed for a given task is tucked away on pages 185-186 and only a skilled researcher could find it without reading through the whole document.

Information Overload. In many cases, a policy doesn't apply to everyone—yet everyone is still notified. At PharmaCo, one executive says, “We basically line everyone up against a wall, hose them down with the same compliance training and information, wring them out, and put them back on the job.” Employees are burdened with information overload. They quickly learn that many policy-related emails amount to internal “spam” and simply ignore all of them. Policy-related memos rapidly make their way to the trash can.

Unclear Accountability. For a number of policies, it is unclear who is truly accountable for addressing the policy and it is unclear to whom the policy applies. For other policies, everyone is held accountable—and so, no one feels accountable because everyone assumes that others are doing the job.

Meandering and Overly-Complex Content. Policies and procedures drone on for too many pages in “legalese” or overly-complex business-speak. Some policies may require a level of technical writing and advanced reading comprehension, but the average reading level of the general population, and of PharmaCo employees, is about the ninth grade level. And some policies that could be summed up in one page instead have 12 pages of narrative detail.

Change Management. Multiple copies of the same policy are scattered throughout the organization on various Web sites, hard drives and internal networks. When a policy changes, there is no guarantee that all previous copies are replaced. Employees are left asking, “Which one is current?”

Inconsistent Communication Channels. Policies and procedures are communicated using a variety of media including paper, email, Web sites and verbally. None of these channels are consistently used. As such, it is difficult for employees to understand which channels and which messages to listen to most closely.

Verbal Transmission. Sometimes policies and procedures are passed down through an “oral tradition” which runs the risk of inconsistency and misinterpretation. Most dangerously, this creates several points of failure where, if an employee were to quit or be fired, the organization would lose the institutional knowledge of what the proper procedure is.

Lack of Support. Even in the best case, when employees understand a compliance requirement and their accountability to it, they are often left without support for nuanced issues. They have no method for having questions answered before, rather than after, they take action.

The Consequences

When organizations exhibit some of the signs above, the end result is not good. PharmaCo's employees are more confused than informed. They often end up ignoring the important stuff and paying attention only to the loudest departments and executives—rather than the correct departments and executives. They are frustrated and, more likely than not, blame management. Morale suffers, as does productivity. Budgets are wasted and instances of non-compliance are on the rise.

In short, there are too many people sending too many messages about too many policies in too many ways.

There are direct financial consequences as well. The sheer number of “transactions” related to developing, posting, sending and managing policies and procedures are sometimes three

A Case Study In Contrast

At TechCo, a $1 billion technology company, management has put in place a streamlined plan with defined processes, people and technology to manage policies and procedures.

Defined Leadership and Policy-Setters. TechCo has specifically designated a number of top executives as “policy-setters.” These executives and their departments are accountable for one or more compliance areas, and they coordinate collectively to address overlaps and potential conflicts.

Common Methodology. All policy-making departments are required to use a common methodology to develop policies and procedures. They use common templates and approaches. Some key steps to the development process include:

Define the scope and goals of the policy.

Identify if policies already exist that address the issue and ensure that there is no overlap or conflict.

Define to whom the policy applies based on roles and business activities (rather than titles). In other words, “This policy applies to employees who hire staff” rather than, “This applies to all manager-level employees and above.” Some managers may not hire staff and some lower-than-manager employees may do so.

Understand the audience of the policy and its existing level of knowledge about the policy-related area.

Given the audience, write the policy using appropriate language. Use reading comprehension analysis (such as Flesch-Kincaid) to ensure that the language is appropriate. Work with a small sample of the target audience to ensure that the policy is written so that the group understands it and can act on it.

Choose one or more communication channels to inform the audience of the policy. If multiple channels are used, ensure that they are coordinated and refer to the centralized management system. Do not rely solely on verbal transmission of any policy.

For high-stakes policies, require employees to electronically certify that they read and understand the policy. For extremely high-stakes policies, test employees for comprehension.

Consider and, if indicated, implement, training requirements related to the policy.

Consider and, if indicated, implement, support requirements related to the policy. Every policy should include a “helpline” or some means for employees to get in touch with experts on the policy-setter's team.

Centralized Management & Support. A single system was developed in house to serve as the authoritative “system of record” for all policies and procedures. Most local and decentralized document management systems were purged of old policies and procedure documents. When changes are made, a single copy needs to be updated in the new system. For the few locations where local systems were maintained (primarily in developing countries where international bandwidth was barely serving core transactional systems), they are manually synchronized with the centralized system each night to ensure that policies are up to date in near-real-time.

In addition to technology, TechCo employs a corporate “librarian” and three other knowledge management staff members to ensure that policies and procedures are consistent and follow standards (usage of templates, consistent level of detail, content quality, etc.). Most importantly, the knowledge management team ensures that policies and procedures are accessible and online 24/7. A helpline was added to the corporate hotline so that employees can not only report problems, but also ask questions. Helpline staff are involved in all centralized policy development so that they are knowledgeable about all key policies and upcoming changes.

By taking a systematic approach to development, implementation and management of its policies and procedures, TechCo has saved millions of dollars that would otherwise have been spent on duplicative and inconsistent efforts. TechCo has also successfully avoided numerous compliance failures arising from lack of clarity in established policies or failure of employees to understand, or even know about, required procedures.

Getting the House in Order

Realistically, not every organization is a TechCo and most companies will find themselves in varied states of “maturity” when it comes to implementing and managing automated systems for policies and procedures. That said, a lot of this work requires simple organization rather than substantial financial expenditures. Organizations of all sizes can learn from TechCo's model and implement and manage more effective policies and procedures to serve as a cornerstone of a high performing compliance program.