Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, and the balance struck must be adapted to the nature of your industry and to the size, culture and risk appetite of your organisation. This responsibility needs clear ownership at senior management level.
Organisations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realise competitive advantage.
Achieving and maintaining policy compliance becomes harder as organisations grow, become more geographically dispersed and become more heavily regulated. But it doesn't have to be this way.
The purpose of policies and procedures
Policies and procedures establish guidelines for behaviour and business processes in line with an organisation's strategic objectives. Whilst they are typically developed in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a way that is efficient, compliant and keeps risk within the organisation's appetite.
Here are some of the most common causes of policy non-compliance:
* poorly worded policies
* badly structured policies
* out-of-date policies
* inadequately communicated policies
* unenforced policies
* lack of management scrutiny
So, what is the secret of effective policy management?
Policy Excellence In Six Steps
Step One: Create/Review
When creating policies, it is important to understand that those written purely to satisfy auditors and regulatory bodies are unlikely to improve business performance or bring about policy compliance, because they rarely change employee behaviour. Such documents may satisfy the legal department and look impressive to auditors and regulators, but busy employees will instantly be turned off by lengthy policy documents full of technical and legal jargon. External factors that affect policies are evolving all the time: technology advances, for example, can make information security policies and procedures obsolete, and changes in the law or industry regulations require operational policies to be adjusted frequently. Some policies also have to be re-presented to staff and re-acknowledged on an annual basis: the Payment Card Industry Data Security Standard (PCI DSS), for example, requires the information security policy to be reviewed at least annually and personnel to acknowledge at least annually that they have read and understood it.
Most "policy" documents are lengthy, onerous and largely unreadable; many are written in complex jargon...