Policy & Procedure Management – Linchpin of a Defensible Compliance Program

Scott Bamford

In the United States, the Federal Sentencing Guidelines for Organizations (FSGO) have provided the basis for American courts to impose harsh penalties upon organizations whose employees or agents have violated federal statutes.

The guidelines are designed to encourage organizations to develop effective compliance and ethics programs to prevent and detect violations of law.  There are seven key areas that should be included in building just such an effective governance program:

  1. Written policies and procedures
  2. Designated compliance officer and compliance committee
  3. Effective training and education
  4. Effective lines of communication
  5. Internal monitoring and auditing
  6. Enforcement of standards through well-publicized disciplinary guidelines
  7. Prompt response to detected problems through corrective actions

The role of policies and procedures

Arguably, the biggest and most visible of these key areas for organizations to focus on is policy and procedure management. This involves implementing compliance standards (policies) and procedures that are reasonably capable of reducing the prospect of criminal conduct or employee negligence.  

The communication of policies and procedures to employees by disseminating publications that explain in a practical manner what is required is considered the cornerstone of an effective compliance program and best-practices-based policy & procedure management. This, though, goes way beyond simply having some policies and procedures written down and tucked away in a dark and lonely network folder somewhere.

What if you were asked to prove the purpose of every policy your organization has, who wrote it, who approved it, when it was last reviewed, who reviewed it, when it was implemented, how it was communicated, whether it was understood by staff, how you made sure it was understood, and whether or not it conflicts with any of your company’s other policies or practices? Could you do it?

Yes, it’s a lot, and it’s hard. But this is what is now being asked of organizations by regulators.  This level of detail is absolutely critical when proving that your organization is maintaining its internal controls to reasonable standards.

Proving your program is defensible

Policy management is one of the most difficult areas for organizations to manage effectively, because it is not as simple as just writing policies, emailing them to staff or posting them on an intranet or SharePoint page. Manually trying to execute an efficient, accurate, and defensible compliance program with spreadsheets, documents, emails, phone calls, and network drives for storage just will not cut it anymore. It’s too onerous and inefficient to manage manually, not to mention loaded with risk. The threshold for what is considered defensible is much higher now than it used to be.

For an organization to show defensibility with regard to its ethics & compliance program, it has become more critical to prove that its policy and procedure lifecycle management as a whole is sound and that it follows best practices.

In short, the onus is on the organization to prove that it’s doing everything in its power to make sure policies are aligned to objectives, reviewed regularly with changing regulations and risk, have auditable approval of management, and are effectively communicated to staff.

Streamlining policy and procedure management

This is where the use of best-of-breed policy and procedure lifecycle management software can make all the difference in the world. First and foremost, a best-practices-based technology solution provides a rock-solid foundation for building an ethical and defensible compliance program. How? Because it handles all the complex layers of a compliance program for the user.

Program elements like automated review and approval workflows, intelligent distribution, attestations and knowledge assessments, version control, time and date stamps, and full audit trails and reporting become automated, streamlined functions. These are extremely time-consuming and error-prone when a compliance team is trying to white-knuckle the entire process manually.

Let technology help you by taking care of the manual complexities, so you can truly focus on the people in your organization and the quality of your compliance program.