6 Practical Principles for Policy & Procedure Management

Good policies are not just a set of rules but the framework that an employee should operate within to maintain the standards set by the organisation. Incidents often occur where policies are not well thought out, communicated, or kept up to date.

There are a number of effective strategies for developing, maintaining, reviewing and communicating policies but there are some common ‘best practices’ that should be used as the basis of a framework on which your policy management system is built.

Culture of compliance

For policies to be a successful part of the compliance framework they must be part of the “the culture of compliance” and this culture must be driven from the top down. The task of writing policies and keeping them up to date is a critical part of the organisation’s compliance and should be seen in that context. Keeping policies up to date is time-consuming, and resources must be allocated to this task.

Structure

It is much easier to read a policy if it’s structure is consistent and follows a logical pattern. A template should be defined for policies as this will benefit both the reader and those writing the policy as subject matter experts may not be dealing with documents on a day to day basis.

Clear and concise

Policies should be written in clear and concise language so that it is unambiguous and clearly explains what is required to comply with the policy. However whilst providing clarity the content must be accurate and up to date which may require collaboration from multiple reviewers and it is the responsibility of the policy owner to ensure that the correct people are involved in this work. Where policy is driven by regulation the policy should show how this relates to specific activities carried out within the organisation.

Communication

No matter how well written a policy that has not been communicated to the business is of little use if it is simply left ‘on the shelf’ or put on the organisations Intranet as a ‘post and hope’ approach. Focus must be given to communicating the policy to only those employees who are affected, remember over communication is often as negative as under communication. Employees should not only read the policy but for critical policies also show their level of understanding by answering questions about that policy.

Review

Policies are ‘living documents’ that are subject to change as business priorities or events occur. For each policy there should be a regular review process in place involving both the policy owner and subject matter experts.

Technology

Organisations should leverage technology as the task of ensuring compliance with policies should not be underestimated particularly within organisations with a diverse and distributed workforce. The days of a printed ‘Staff Handbook’ are over and employees must be supported by being able to access a central ‘policy hub’ wherever they are located.

In summary: Policies form a vital part of the organisation’s defence and Michael Rasmussen himself has said how “to defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.”