With the ever-changing regulatory framework and the proliferation of threats, every business – irrespective of the sector it is in – needs effective and updated policies and procedures. To ensure policy management, it is key to embed the culture of compliance within the organisation.
Developing policies in business, whether for cybersecurity, premises security, legal, human resources or even social media is difficult and undeniably unglamorous. Since all but a select few enjoy compiling and implementing a policy set, many entrepreneurs avoid instituting policies altogether. Consequently, insufficient and non-existent policies pose a legal threat to all businesses.
This is the topic discussed in a new webinar organised by RegTech firm ClauseMatch. The speakers were Volkov Law Group CEO Michael Volkov, ClauseMatch EVP of sales Jeff Weiss and UK MLRO at Nvayo Limited global chief compliance and risk officer Willem Wellinghoff.
Weiss kicked off the webinar by highlighting how companies today face increasing pressure to build effective ethics and compliance programs as part of an overall governance structure. Investors, activists and key stakeholders are pushing for transformative reforms built around environmental, social and governance principles. As a result, an essential part of this initiative is a well-designed policy management program.
While most organisations have written policies in place, much more is required to ensure that those policies are adhered to across the enterprise, Volkov said. To build a pervasive culture of ethics and risk-intelligent behaviour, headhonchos need to ensure that policies are communicated effectively and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations need to be tracked on an ongoing basis and addressed proactively, he added.
Weiss added, it’s indeed not uncommon for companies to have formulaic policies that are seldom updated on a yearly basis. In certain areas such as cybersecurity policies and procedures are often not given enough attention or left to the purview of the IT department. And, outdated and ignored policies create the ideal breeding ground for liability.
The main challenge facing companies with regard to compliance is long policies. According to Weiss, the more complex and wordy a policy is, the less likely that it can be easily followed. When a policy is too complex, it becomes difficult to prove adherence. This proof comes in the form of employees’ execution. If the policy itself is too long and robust, it will become difficult to convince an aggrieved party that your company was in fact in compliance with its own mandates. He detailed that the best policies are clear, concise and easy to follow. So, it is essential to periodically review policies and procedures to parse out unnecessary language that can be confusing.
Apart from keeping policies simple and crisp as well as a robust policy development process, Weiss suggests having a well-defined approval process and workflow for the approval of policies. He continued that having 20 different policy portals to find policies across the organisation means employees are just confused about where to go to find the policy. Not having a central portal where policies are stored is “just a recipe for disaster.” He added, “You need to really drive consistency in the approval process and not just have somebody say, ‘I don’t agree with wearing a mask to work so I’m going to write my own policy on that.’” Indeed, accessibility and transparency are crucial. The risks, roles and responsibilities in maintaining policies and procedures have to be documented so that people are accountable for all the controls that they issue within the organisation.
Weiss said, “You need to have a clearly defined process for designing and developing and approving policies depending on what the policy is and how integral it is to the organisation, and then document it and have a single source for your employees to go through to find those policies.” If your business is going to have an official policy, continually review policies relevant to particular departments. It is essential to align the compliance, legal, finance, operations and risk teams to ensure complete productivity and transparency, he said.
Of course, policies get increasingly complicated when it comes to a company operating in various countries. Different geographies in the world have different views on data privacy and, Weiss said, companies have to make a decision on how they’re going to implement that. “Are they going to do it from the least common denominator or take advantage of whatever they can in each region that they’re doing business, they need to have a global policy that has localisation applied and they’re going to have to modify those but it needs to be tied back to a centralised policy,” he explained.
This is where technology comes in. Weiss said, selecting a cloud-based policy management system should be a key concern as it can deliver a high level of reliability and security therefore protecting companies from breaches and inconsistencies.
You can watch the full webinar here.
Copyright © 2018 RegTech Analyst
