This is the final blog in a four part series investigating the assertion “that for Enterprise Risk Management to work effectively an organisation needs to have a robust organisational policy framework and a means of obtaining assurance that these policies and procedures are actually being followed in practice”.
The other blogs in this series are:
The following diagram illustrates a very simple model for ensuring effective policy management. In this final blog we explain each part of the process and how, through this model, an organisation is able to develop an effective continuous policy improvement process.
The top row of the model sets out the fundamental processes that an organisation must implement if it is to develop a policy management framework. The second row of the model outlines the critical assurance processes that are required to ensure that an organisation’s policies are being effectively implemented. Working together these processes create an effective continuous policy improvement loop.
| Element | Description |
|---|---|
| Policy | The starting point for any organisation is to identify the policies it requires, to have them drafted to suit their organisational style and intended publication strategy, and to establish an effective approval process which involves review by both a relevant subject matter expert and executive management. |
| Communication | Even the most professionally drafted policies are useless if people cannot reference them quickly and easily, if they do not integrate with existing policies, or if people can't effectively access related documentation, such as forms and checklists, that is required to achieve implementation outcomes. The development of an effective publication and communication platform is a fundamental element within any co-ordinated policy management strategy. |
| Training | Just because you give someone access to a policy, or sit them down and ask them to read a manual, doesn't mean that the person will understand what is being asked of them. To achieve this most basic outcome an organisation must develop an internal training program that covers basic information, such as how to access policies, as well as content that is considered higher risk, such as workplace safety or bullying. |
| Testing | In organisations that do run in-house training programs it is often presumed that knowledge has been effectively transferred, and often little, if any, testing is undertaken. Training is most effective where participants know that their knowledge will be tested. Evidence of testing, and of knowledge acquisition, is also often vital for defending legal claims brought by employees or regulators. |
| Record Keeping | The final element of ensuring a robust policy management framework is record keeping. Record keeping is required at multiple levels within an organisation, from version control of organisational policies through to maintaining records of staff training and testing. Records need to be easily accessible so that they can be produced in the event of litigation or commercial or regulatory due diligence requests. |
For many organisations the achievement of an effective “policy, communication, training, testing and record keeping” process has traditionally been considered enough to get by.
Unfortunately “times are a changing” and now in many industry sectors, regulators and key stakeholders are demanding more. What they are demanding is that organisations not only have policies in place, but also that they are able to provide assurance that these policies are actually being followed in practice. To put this in perspective the new national Workplace Health Safety laws in Australia now require that as part of their due diligence obligations, officers of an organisation are able to “verify” that their workplace programs are actually working in practice.
The second row of the model outlines the critical assurance processes that are required to ensure that an organisation’s policies are being effectively implemented – in other words that “people are doing what they are supposed to be doing”.
This “Assurance” process is best carried out through workflow software (often referred to as GRC software) which has the capability to capture key tasks, automatically email them to responsible individuals, monitor task completion and provide reports to management as to the overall effectiveness of the policy implementation.
| Step | Description |
|---|---|
| Capture | The first part of the policy assurance process is to: |
| Assign | Once the key operative parts of policies (as well as related risks and incidents) are captured they need to be clearly assigned to responsible individuals for action. This assignment process is usually achieved through workflow software, with tasks emailed to responsible individuals at a frequency dictated by the perceived level of risk of the particular task. This process creates a level of personal accountability, or "ownership", which is critical to ensuring that policies are actually being followed in practice. |
| Monitor | Notwithstanding the fact that a task has been clearly assigned to an individual, the reality is that the task may not get completed for a variety of reasons, including lack of resources or simple human failure. Monitoring the performance of assigned tasks is critical to being able to verify that "people are doing what they are supposed to be doing". |
| Control | Where tasks are not completed, completed but not compliant, or simply not actioned, they should be controlled by being escalated to more senior staff within the organisation. Again, the escalation process can be automated in accordance with predetermined timelines and the level of sensitivity of the risk involved. |
| Report | The final part of the "Assurance" process is perhaps the most important: the ability to report on the overall effectiveness of an organisation's policy management system and answer the question "are people doing what they are supposed to be doing?". Using appropriate workflow software, organisations are also able to link tasks to risks and incidents to get a much more complete view of their non-financial performance. |
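The assign, monitor, control and report steps above can be modelled as a small task register. The following is an added illustration, not CompliSpace code or any GRC product's API: the risk-based frequencies, grace periods, escalation chain and the tasks, people and dates in the sample register are all assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed: frequency and grace period (days) are set by risk; chain and names are hypothetical.
FREQUENCY_DAYS = {"high": 7, "medium": 30, "low": 90}
GRACE_DAYS = {"high": 2, "medium": 7, "low": 14}
CHAIN = {"alice": "manager", "bob": "manager", "manager": "executive"}

@dataclass
class Task:
    policy: str             # operative policy clause captured as a task (Capture)
    owner: str              # responsible individual (Assign)
    risk: str               # "high", "medium" or "low"
    assigned_on: date
    completed_on: date = None
    compliant: bool = None  # was the completed work reviewed as compliant?
    escalated_to: list = field(default_factory=list)
    def due_on(self):
        return self.assigned_on + timedelta(days=FREQUENCY_DAYS[self.risk])

def status(task, today):
    """Monitor: classify a task as done, non-compliant, overdue or open."""
    if task.completed_on is not None:
        return "done" if task.compliant else "non-compliant"
    return "overdue" if today > task.due_on() else "open"
def control(tasks, today):
    """Control: escalate non-compliant tasks, and overdue ones past grace, one step up CHAIN."""
    raised = []
    for t in tasks:
        s = status(t, today)
        past_grace = (today - t.due_on()).days >= GRACE_DAYS[t.risk]
        if s == "non-compliant" or (s == "overdue" and past_grace):
            current = t.escalated_to[-1] if t.escalated_to else t.owner
            if current in CHAIN:                       # stop at the top of the chain
                t.escalated_to.append(CHAIN[current])
                raised.append((t.policy, CHAIN[current]))
    return raised
def report(tasks, today):
    """Report: status counts plus the share of tasks verified as done and compliant."""
    counts = {s: sum(status(t, today) == s for t in tasks) for s in ("done", "non-compliant", "overdue", "open")}
    counts["compliance_rate"] = round(counts["done"] / len(tasks), 2) if tasks else 0.0
    return counts
# Constructed sample register: clause names, people and dates are illustrative only.
TODAY = date(2024, 3, 15)
TASKS = [
    Task("WHS 4.2 first-aid kit check", "alice", "high", date(2024, 3, 1), date(2024, 3, 6), True),
    Task("Bullying 2.1 policy acknowledgement", "bob", "low", date(2024, 1, 2)),
    Task("WHS 6.1 weekly site walk", "bob", "high", date(2024, 3, 1)),
    Task("Privacy 3.3 access review", "alice", "medium", date(2024, 2, 1), date(2024, 3, 4), False),
]
```

Each run of `control()` is one escalation cycle, so repeated runs walk a neglected task up the chain until it reaches the executive level, which is what the report then surfaces.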
The lines linking the policy management and assurance systems are designed to highlight the process of continuous improvement that occurs when this process is carried out effectively. This is explained as follows:
Once the “policy, communication, training, testing and record keeping” process has been implemented, the “assurance process” is used to identify areas of non-compliance. Organisational compliance breaches and incidents, such as complaints, are often indicative of process failures. Once these failures are identified they are usually rectified through a combination of policy amendment and staff training and testing, thus creating a continuous improvement loop.
How CompliSpace can help
CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management programs, which are designed in accordance with the International Risk Management standard ISO 31000, are delivered online and in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.
If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance, risk and compliance solutions.
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)