Shop Talk: Executing Enterprise-Wide Policy Management

Policy management has become a hot topic lately.

Thanks to several recent trends and incidents in compliance—dumb employee use of social media here, a class-action lawsuit over pay discrimination there, and regulatory enforcement actions all over the place—companies are dusting off their policy manuals with an eye toward streamlining and reforming their approach to corporate policy making. These developments are a stark reminder to all companies that the mere existence of a policy means nothing if it isn't applied and enforced at the corporate level.

THE PANELISTS

The following executives participated in the July 19 roundtable on how to execute policy management across the enterprise.

Kristin Caplice,

Assistant General Counsel,

Analog Devices

Patrick Carmody,

Manager, Global Compliance,

National Grid

Bob Conlin,

Senior Vice President of Business Strategy,

EthicsPoint

David Frishkorn,

Vice President, Chief Compliance Officer, Comverse Technologies

Al Gagne,

Director, Ethics & Compliance,

Textron Systems Corp.

Gretchen Herault,

VP, Compliance & Fraud Prevention & Deputy Chief Compliance Officer,

Monster.com

Judy Kalisker,

VP, Compliance & Compliance Officer,

The MENTOR Network

Barbara Kamens,

VP, Corporate Compliance,

The TJX Companies

Jessica Pill,

Director, Global Compliance Investigations, Auditing & Monitoring,

Boston Scientific Corporation

Dawn (O'Sullivan) Smith,

Director, Tribal Internal Audit,

Mashantucket Pequot Tribal Nation

Candace Sutcliffe,

Chief Compliance Officer,

Liberty Mutual

For More Information on Compliance Week Roundtables

At a recent editorial rountable in Boston hosted by Compliance Week and software firm EthicsPoint, compliance, legal, and audit executives shared how they manage the policy-making process. Participants talked through the need for a “policy on policies,” the distinction between policies and procedures, the difficulties of setting uniform policies worldwide, the eternal hassle of exception requests, and the training needed to ensure that policies are followed.

The most vexing challenge, many agreed, is developing a single corporate policy that can be applied across global operations. Boston Scientific, for example, is expanding its business operations at a rapid pace in various countries around the world. “Marrying the corporate objectives of a policy with the local laws and cultural considerations in countries where we are doing business is an area of focus for us right now,” said Jessica Pill, director of global compliance investigations for the $7.8 billion medical device maker.

Keeping pace with a fast-changing regulatory environment adds to those challenges. “If you're a multinational company doing business throughout the world, you've got to be aware of new laws and regulations as they are introduced in different countries,” said Bob Conlin, senior vice president for business strategy at EthicsPoint.

Few rules crystallize that trend like the recent proliferation of anti-bribery laws around the world, mostly modeled after the U.S. Foreign Corrupt Practices Act. Companies are struggling to develop overarching anti-corruption policies that, when followed, keep companies on the right side of the rules no matter where in the globe they are. “You've got to be aware of, and understand, how [such rules] impact your company and what risk your company assumes if you don't have policies to address those rules,” Conlin said.

Achieving a global policy can be especially difficult when it runs counter to cultural norms. For example, participants discussed the problem of setting a policy that prohibits all gift giving, when closing deals with a gift is standard business practice in China. Getting certain countries and cultures “to agree to commit to those actions in your policy is very difficult,” said Gretchen Herault, vice president of compliance and fraud prevention at Monster.com.

Some attendees argued that too much centralization could also infringe on local business practices. Local regions around the world should have policies relevant to their culture and geographic locations, they said, although a corporate oversight component needs to exist as well. “The big challenge is making sure that corporate policy truly is corporate policy and not something that only applies to some, or part of the business,” said Al Gagne, director of ethics and compliance at Textron Systems.

Conlin advises companies to consider centralizing the process via a single system to write policies, approve and distribute those policies, and identify potential issues that arise or map where events are happening. “A policy management system not only automates a process that companies have to put in place; it also provides significant return on investment from a risk-reward standpoint,” he says.

For the Mentor Network, a national network of local human-service providers with 25,000 employees in 35 different states, setting uniform corporate policies is especially difficult due to the patchwork of state industry standards and regulations, said Judy Kalisker, compliance officer for the company. “In that aspect, how do you manage that and develop company-wide policy?” she lamented.

Once a centralized system is in place for setting corporate policy, those policies need to be enforced; that brings a new set of challenges. Some participants fretted about implementing and communicating policies where fewer than half the workforce has on-the-job Internet access (not an implausible scenario for corporations operating in emerging markets). “The risk of not having policies understood and widely disseminated can be catastrophic to a business,” Conlin said. “There has to be a balance between automated policy management and traditional paper-based policy management.”

Roundtable participants also pondered the question of who should enforce policies: central management, or the heads of various business units? For some, the answer is a matter of putting responsibility on the front-line supervisors to communicate those policies to lower-level employees or third parties.

“Not every employee needs to know about every policy,” said Gagne. “We try to focus on targeting our communications to the people who have job responsibilities in those respective risk areas, so those policies do get to the right people.”

Judy Kalisker (left), chief compliance officer at the Mentor Network, discussed the difficulties in setting strict corporate policies due to the vast mixture of state industry standards and regulations. At right is Dawn Smith director, tribal internal audit, at Mashantucket Pequot Tribal Nation, and National Grid Manager, Global Compliance Patrick Carmody.

“The big challenge is making sure that corporate policy truly is corporate policy,” said Al Gagne, director of ethics and compliance at Textron Systems. At his right sits Kristin Caplice, assistant general counsel at Analog Devices; at far right is Liberty Mutual Chief Compliance Officer Candice Sutcliffe.

Attendees also talked about having a “policy on policies” to clarify who can promulgate which policies at what time. Should the company manage policies at the corporate level, the division level, or both? Should they include future aspirations, or only current reality? How do they distinguish them from procedures?

Most attendees said they have taken recent steps to put a more rigorous process in place for setting corporate policies, in some cases due to a strict regulatory environment. For example, the Mashantucket Pequot Tribal Nation, owner of Foxwoods Resort Casino, is under strict gaming-industry regulations, so the tribe's standards of operation and management (SOMs) are delineated by its agreement with the state of Connecticut, said Dawn Smith, the tribe's director of internal audit. “All SOMs and any standards and procedures relating to SOMs have to go through the Mashantucket Pequot Tribal Gaming Commission.” SOMs also go through a comment period by management, internal audit, and the internal general counsel, she said.

Attendees agreed that employee feedback also is a critical component of policy creation. “One of our practices is to challenge our employees to challenge our policies and procedures and to encourage them to ask questions,” said Gagne.

Particularly daunting about policy management is “making sure that … you do have concurrence across the enterprise—not only at the corporate level, but also at the segment and operating-unit levels,” Gagne said.

Textron was able to overcome this obstacle by streamlining its policies at every level throughout the enterprise. “The idea was to create a thread that followed from the corporate enterprise level down to the business operations,” Gagne said. “The challenge was to get those silos to work together and come out with a unified policy,” he added. By looking at the policies at each level of the organization, they were able to identify and eliminate a host of redundant policies, he said.

Policy Fatigue

Training is also a major component of rolling out corporate policies. If employees report that the training they are receiving is not relevant to them, for example, that feedback is taken into consideration and may result in customizing an off-the-shelf training program to make it more relevant to their jobs or our industry, said Kristen Caplice, assistant general counsel of Analog Devices.

Attendees also discussed what they dubbed “the law of threes,” the idea that policy information must be conveyed three separate times before employees really grasp it. “Like most companies, we have so many policies that it seems like we're introducing new ones every day,” Caplice said. “How do you convey the messages in those policies in an effective way and not create policy fatigue and frustration for people at the end of the day?”

Others found ways to simplify the policies to make them easier to communicate in the first place. “I consider a policy document to be a statement of principles,” never more than two pages long, Herault said; one example would be “We don't bribe government officials.” Having a simple rule helps avoid issues such as including lengthy procedures or exception requests within a policy, which makes them easier to remember, she said.

“One of my pet peeves is having an exception request process written into a policy,” said David Frishkorn, chief compliance officer of Comverse Technology. He believes exceptions should be treated as abnormal, and building them into the process just invites them. If a true exception issue arises, the person should approach the appropriate policy owner or section manager with the situation and discuss it, he said.

Caplice agreed. “If you write an exception into a policy, you might as well not have a policy, because people won't follow it,” she said.

In thinking about overall policy development, “the easy answer is to start small,” said Stephen Molen, director of solutions at EthicsPoint. “Look at your core policies. Then move on.”