

Why It’s Important to Have Policies and Procedures: 4 Reasons

By Matt Kelly

The world of corporate compliance uses many terms of art, and one of the most common is “policies and procedures.” Yet, somehow, it also ends up being one of the most vague phrases we use. This is why even the most seasoned compliance professionals need a refresher on why policies and procedures are important in the workplace.

Think about it: when was the last time you encountered a compliance issue that didn’t somehow involve better policies and procedures? No matter how your corporation operates or what particular problem is haunting you today, when management asks, “How do we assure this doesn’t happen again?” part of the answer inevitably involves better policies and procedures.

So clearly it’s important, but why do we have policies and procedures? Let's review.



What Is the Purpose of Policies and Procedures?

As we've mentioned previously, the purpose of policies and procedures is to bring uniformity to corporate operations, and therefore reduce the risk of an unwanted event.

Another way to phrase it: policies and procedures organize employees to behave in certain ways, which lets the business achieve its objectives more efficiently. Sometimes policies and procedures help to achieve operational objectives—say, ways to develop a new product, or how to handle a customer service call.

Other policies and procedures help to achieve compliance objectives: how to treat all job candidates equally in hiring or promotion; how to perform due diligence on a third party; when to seek consent from a customer before collecting personal data. Tasks like those can be done in any number of ways, but policy and procedure show the employee how to do those tasks in your preferred way. 

That’s important because every company sets its own tolerance for risk. Policies and procedures help employees to keep their actions within those tolerances. For example, all hiring managers might think they’re fair in hiring and promotions—but some might be more diligent about fairness than others. If a manager is sloppy about policies and procedures for hiring, he or she is acting outside the company’s risk tolerance, and bringing more compliance risk to the organization.

Why Is It Important to Update Policies and Procedures?

Well, that’s easy: because business operations change. If you don’t update policies and procedures to keep pace with that change, they’re no longer fit for purpose.

A better way to think about this question is to consider all the ways your business operations change. That gives a sense of all the ways you should assess your policies and procedures to see whether circumstances have changed so much that your policy manual deserves an update. For example:

  • You could move into new geographic markets. That might bring compliance obligations from those new jurisdictions (a new country’s consumer protection laws, say), or new compliance obligations here at home about how your business behaves there (no bribing foreign officials; no selling weapons technology).
  • You could offer new products, or target new customers. That might entail new compliance duties such as gaining consent to collect personal data that previously your business never collected; or creating procedures to let customers return products they no longer need (such as Japan’s rules for recycling consumer goods).
  • Your business might embrace new technologies. That could be something like moving to cloud-based software vendors for your business applications, or letting employees conduct business on their personal devices. Either move would create new data privacy obligations, which means new procedures to log onto systems and keep data safe.

Aside from all those forces, the laws, regulations, and enforcement priorities that affect your business might also change. Consider all the new anti-bribery and consumer privacy statutes we saw around the world in the 2010s, or the climate change disclosures we’re likely to see in the 2020s. Those new regulatory requirements have to be met somehow. Policies and procedures tell employees how.

Why It's Important to Have Policies and Procedures

Those are some of the big, conceptual reasons why policies and procedures are important in companies. That said, they’re also important for several practical reasons.

1. Regulatory Requirements

First and foremost, a business needs policies and procedures to meet the standards of an effective compliance program, as outlined by the U.S. Justice Department. The department’s guidelines on evaluating corporate compliance programs contain a whole section on policies and procedures, covering points such as the design, accessibility, and comprehensiveness of your policies and procedures.

Other regulators around the world also stress the importance of policies in the workplace. For example, Britain’s Serious Fraud Office has guidance on compliance with the U.K. Bribery Act, where policies and procedures are a significant theme. Individual U.S. states, industry regulators such as the Department of Health & Human Services—many of them cite the need for policies and procedures. If yours aren’t sufficient, neither is your compliance program.

2. Hold Employees Accountable

As we mentioned, policies and procedures guide employees on how to behave. So when they don’t behave as instructed, you now have a mechanism to hold them accountable: they weren’t following policy and procedure, as they’d been told to do.

This does drive up the importance of clear policies, so employees can’t claim they didn’t know what they were supposed to do. It also reflects the accessibility of policies, as mentioned by the Justice Department’s guidance: employees need to be able to get their hands on a copy (written, electronic, whatever), and it has to be in a language they understand.

But fundamentally, policies and procedures allow the organization to hold employees (and third parties) accountable for unacceptable behavior. That’s just as important as encouraging acceptable behavior.

3. Identify Anomalies

When most employees follow policy and procedure most of the time, most of the company’s transactions will unfold in the same way—which, in a roundabout way, helps compliance and audit teams to identify transactions not happening in the usual way. That is, policies and procedures bring anomalous events into sharper relief.

For example, if all expense reports are supposed to include itemized receipts (that’s the policy), and all reports are to be submitted via a certain online system (that’s the procedure), you can more quickly find those employees who aren’t submitting expense reports with itemized receipts. Then come the obvious questions: Why not? Are the reports illegitimate? What else should we examine? And so forth.

Moreover, if employees keep coming to management asking for exceptions to policy, or complaining that a procedure is too onerous—that’s a warning sign that perhaps your policies and procedures are the anomalies, rather than reluctant employees.

4. Build a Stronger Culture

Ultimately, the most important reason to have policies and procedures is that they help to build a stronger corporate culture. When all employees understand how they’re supposed to go about their daily routines, and they understand the core ethical values and priorities behind those policies and procedures—that builds a more unified, trusting culture.

Once an organization has a culture like that, all manner of benefits emerge: greater efficiency, lower employee turnover, and yes, fewer compliance failures. Traits like those can provide an invaluable strategic edge over your competitors.

So as vague as the phrase “policies and procedures” might be, strong policies and procedures are hugely important. Whatever the time and effort to get them right, it’s worth it.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
