During an unprecedented period like the COVID-19 outbreak, visibility and control become even more important, since there are so many places where compliance may break down.
To make it easier to understand, let’s look at this through the lens of policies and procedures, but the same perspective can be applied across other areas, too.
Why are visibility and control important?
Visibility and control of policies are essential elements in maintaining a good compliance practice within an organisation, irrespective of the department or function. Firstly, policies should be visible only on a need-to-see basis. As an example, an employee might need to be prevented from viewing a particular policy because it is restricted to the treasury department. There could be confidential trading-related policies that shouldn’t be read by employees outside the department.
Secondly and more importantly, the correct version of the policy should be visible to the relevant employee or stakeholder. There is no point in an employee being able to read and adhere to a policy that is outdated. Reporting also plays a vital part here by ensuring that employees have read and acknowledged the policies relevant to their roles as per corporate direction.
So we can see how visibility and control are tightly coupled in making sure that the right employees read and adhere to the right policies at the right time.
Some practical examples
Here are some simple examples of how visibility and control, when applied to a particular policy, can be helpful.
Take for instance the typical “anti-bribery policy” – every organisation has some shape or form of this. Employees are hired and employed in good faith, and under the usual circumstances, an employee would willingly never take a bribe. But how is s/he supposed to know the difference between an acceptable gift which can offend the giver if not received versus a gift that can be constituted as a bribe? Correct visibility and control around the “anti-bribery policy” can help the organisation track whether the employee is aware of the latest corporate direction in terms of what is acceptable or not.
Or consider the “whisteblower policy” which almost every company also has in some form or other. Here, we see the other end of the spectrum. Can we confidently say that an employee in an organisation will take action and become a “whistleblower” if necessary? Here, we want an employee to take action in a certain way. Unless the employee is confident that s/he is clear on the steps to be taken and the fact the s/he is protected from repercussions, the whole point of the policy has failed.
What happens if either visibility or control fails?
The examples illustrated above are based on two random policies I pulled out from our own corporate policies. But we can easily cast our net wider and look at real life examples as well. The well-publicized Volkswagen Emissions Scandal could probably have been avoided if there had been visibility and controls in place with regards to a proper whistleblowing policy.
There was every chance that an engineer in the testing department could have escalated this to the top had s/he had adequate visibility of the “whistleblowing” policy. This has led to questions being raised around where the “whistleblowers” were in the company at that time. I believe a more pertinent question is, was there adequate visibility and control in order to effect a proper whistleblowing culture in the organisation at the time of the incident?
What’s the best way to protect against failure?
Technology can certainly ease in protecting against failure of visibility and controls in every department. It can make administration and reporting easier and help have tighter controls in place. Outside technology, department heads should be empowered and made responsible to ensure their teams follow the right policies and procedures at all times.
The buck does not stop there and individual employees also need to understand their roles and responsibilities in following and maintaining relevant procedures at all times. This can happen only when there is adequate training and employees, have access to the relevant information right at their fingertips. If they have to reach out to a person every single time, they may feel awkward and rather follow imagined procedures than follow defined protocols.
Organisations and employees want to do the right thing. But oftentimes, the problem is not with people, but the way information is organised and cascaded. Like it or not, visibility and control are essential elements of this structure. So a well-thought-out method of providing visibility and at the same time controlling the information is key to success. This will greatly help an organisation navigate their regulatory and compliance requirements, which in turn frees resources so the business can focus and excel at its core business.