Having strong risk and policy management practices means these tolerance levels are established, and the expectations for controls and policies are understood. Only then can accurate measurement of the effectiveness of policies take place. Measuring the effectiveness of policies should involve the assessment of the policy management process as a whole. For internal audit departments to conduct proper assessments, they require complete visibility into the processes implemented. Processes are themselves another form of control, and in this case, it’s a control of the management of controls.
Best-practices-based policy & procedure lifecycle management complements and works in unison with a solid risk management process. As part of a control assessment when taking steps to measure a policy’s effectiveness, organizations need to routinely measure the comprehension of the policies by employees.
Establishing these metrics and implementing mechanisms that act as key indicators in identifying potential gaps or lapses in behavior provides the organization with two things:
- It shifts the organization into a proactive state.
- It adds to the defensibility of the organization’s overall compliance program.
This is why best-practices-based policy and procedure management is so incredibly important in proving compliance and remaining defensible. It shows that risks are being taken seriously, and that the controls and policies in place are there for a defined purpose. They are actively measured and are being continuously assessed within the changing landscape where the business operates.
The Department of Justice recently updated the guidelines they use to evaluate the effectiveness of corporate compliance programs. It’s no shock to see that large portions of this guide are specifically related to risk and policy management.
Policy management to meet a new set of rules
The granularity of detail that regulators are seeking in these areas is something that may have been recognized by various industry experts, but the DOJ is clearly putting a stake in the ground and telling you exactly the criteria they will use. This granularity is now the rule rather than the exception, and organizations should expect these questions at a minimum when trying to prove their compliance programs are sound.
When it comes to risk management and policy management being successful, both need constant assessment and management, and it’s important they be addressed holistically. The relationship between the two, and the alignment of processes to manage them, will play a crucial part in how an organization will remain defensible and consistently execute on its compliance obligations.
Let technology help you by taking care of the manual complexities, so you can truly focus on the people in your organization and the quality of your compliance program.