Anatomy of an Effective Policy: Best Practices for Success

Compliance officers live for policies. Defining the need for them, crafting them, rolling them out through an organization: this is what compliance officers do. Hence the ability to craft effective policies is crucial to a successful compliance program.

That is no easy task. Today’s business environment is highly regulated, fraught with risk, and global in scale and diversity. All those forces work against the goal of straightforward, effective policies that can apply across the corporate enterprise as needed. So, compliance officers must find a way to consult with business operating units to identify risks and objectives, and then create policies and policy management programs to fit.

At the same time, however, budgets for compliance programs can be slim. So, compliance officers must systemize the creation and adoption of policies, even as the substance of those policies becomes ever more specific and granular. As we said, no easy task.

How to begin? The best approach for compliance officers is to understand the traits of an effective policy. That understanding becomes the “muscle memory” of a good compliance program: as a new risk or regulatory requirement comes along, those traits can guide your creation of a new policy so it actually works, even as the substance of the policy might vary greatly from one risk to the next. 

Below we’ll explore seven hallmarks of an effective policy.

A Policy is Not a Procedure 

The compliance community uses “policies and procedures” as short-hand so often that one might assume they are one thing; they are not. A policy states an objective the company wants to achieve, whether that objective is rooted in regulatory compliance (pay no bribes) or good business practice (always give the customer the benefit of the doubt). 

The important point is that a policy tells the employee what the goal is, not how to achieve the goal. The latter is a procedure, and procedures do have an important place in your compliance program.

But policies are even more important, because they fix the employee’s attention on the desired result.

A Policy is Clear and Simple 

The wording of a policy should engage employees in ways they understand. The easy example of this point is to translate policies into local language (which is now a given for effective compliance programs), but it goes well beyond that. 

For example, guidance issued by the Department of Health and Human Services in March 2017 says policies should be written at no more than a 10th-grade reading level. Or a policy might use idioms or turns of phrase that don’t convey the desired meaning; in many non-English-speaking regions, “execution risk” translates into something decidedly more grim.

Good policies are clearly written and simply written. If a legal team is drafting your policy, they may appreciate the objective to be achieved, but smother it in technicality. Consider whether a professional editor might help clarify the policies’ intent.

A Policy Specifies What Prompted It 

One of the worst situations a compliance officer might confront is cynical employees trudging through daily routines because “this is the way we’ve always done it. I don’t know why.” That attitude arises from policies that exist without any clear purpose.

All policies should be tied to something: a regulatory requirement, a core value, a performance objective. Not all policies need to stem from regulatory requirements, although many do. But all policies must state why they exist (cite the relevant regulation, if one applies), and why the company wants employees to follow them.

For example, an anti-discrimination policy might say: “The company’s policy is not to discriminate in hiring on the basis of race, ethnicity, gender, or physical disability. Discrimination is against the law, and offends our core values as an organization that wants to hire the best people we can find.”

An Effective Policy Includes Examples 

Thoughtful employees will always appreciate examples and context, so they can see a policy “in action.” An anti-bribery policy, for instance, should include examples of what is not allowed (making a donation to a charity run by a foreign government procurement officer) and what is allowed (paying a bribe to escape false imprisonment).

The examples you include must be considered carefully. They should be practical, “real” examples of what an employee might encounter, and they also must reflect the core values or risks driving the need for the policy in the first place. 

With modern technology, including examples is easy to do. Online, interactive policy manuals can include short videos rather than written material. Innovative companies can even construct an app with a “choose your own adventure” approach, leading employees to the correct policy depending on their specific questions. 

A Policy Includes Related Materials 

This is a corollary to our earlier point that a good policy specifies what prompted its creation. Again, thanks to modern technology, a policy can link back to underlying regulations, laws, a company’s own Code of Conduct, a risk the company has identified, or even performance goals, whatever circumstance prompted the policy to begin with.

A Policy Includes a Vehicle for Exception Requests 

Every policy should explain how an employee can seek an exemption to it, or why exceptions are not allowed. A policy should never ignore exception requests entirely, for fear that employees will simply decide not to ask about an exception at all, and violate the policy without telling you. 

For example, a policy might state that client dinner expenses should never exceed $150 per person. What if the original restaurant is closed, and the only alternative is a more expensive venue? That’s a reasonable scenario where the company might want notice of the higher expense within 24 hours, or might want prior approval.

On the other hand, a manufacturer of commercial airliners might have a policy of mandatory reporting of safety concerns, no exceptions, since the flying public’s lives could be at stake.

The point is that employees should never feel “cornered” by a policy, where they hide their decisions. A procedure to ask for exceptions (even if the answer is no) tells employees that they can play a role in policy implementation and overall disclosure management; that policies are not decrees from high command, where questions are hidden rather than raised.

A Policy Encourages More Than it Discourages 

Many policies are “Thou Shalt Not” in nature: compendiums of anti-discrimination, anti-bribery, anti-theft, anti-fraud, anti-collusion, anti-disparagement. To a certain extent, that is unavoidable; many laws are themselves prohibitive, so policies created to comply with those laws veer toward prohibitive language themselves.

Still, a policy’s ultimate aim is to win the enthusiasm and support of employees, more than their blind obedience. So in a policy’s language, its objective, its tone, its examples, how can the policy emphasize what employees should do, rather than what they should not?

It’s an important question to ask, because it forces executives drafting the policy to ask: Why are we doing this? How does the policy help us? In an ideal world, this exercise will also lead executives to ask how the policy helps the company achieve its main priorities and uphold its core values.

Conclusion: Building an Effective Policy Compliance Program

Effective policies go well beyond these seven hallmarks, of course. Compliance officers need to address the broader question of policy management: ensuring that various policies don’t contradict each other, or ignore a risk, or linger past their useful lifespan. You must also ensure that the policies you create work well with the training systems and technology that your organization uses for its compliance objectives. Those subjects are beyond the scope of this paper, and worthy of full papers themselves. 

The foundation for success, however, is a methodical approach to crafting policies individually: policies that employees (and third parties) can understand, respect, and follow. Whatever the regulatory requirement or business risk might be that drives the need for a specific policy, if it can’t deliver on those three points, the policy won’t work as well as the company needs. 

The above hallmarks of a good policy, and policy management program, can be the foundation for that methodical approach. Call it a procedure for good policy creation, or a protocol, or even just “muscle memory” as we did at the start of this paper; whatever the name, all effective policies have a few common traits, such as the ones identified above. 

An effective policy compliance program nurtures those traits as a structure for policy creation. A compliance officer should strive to educate everyone involved in policy creation about those traits, and help them apply that more rigorous approach as they form policies across the enterprise; because, for better or worse, creating more policies will be the order of the day for quite some time.


Miriam Konradsen Ayed

Miriam Konradsen Ayed is the VP of Product Marketing at GAN Integrity. With a track record of building and executing GTM strategies and growing pipeline for SaaS products, she brings products to life through value-driven positioning and messaging.
