Why a ‘Policy on Policies’ Is So Important

Don’t faint from surprise at this news, but corporate compliance is a world with lots of lingo that can be difficult to understand. Case in point: a “policy about policies” – something that sounds obscure, but actually is one of the most important items in the compliance officer’s toolkit.

At the abstract level, a policy about policies is just what the name suggests: a single, master policy that dictates how all other policies at your business are created and used. A policy about policies specifies what the structure of those other policies should be, the content they must include, how new policies should be approved and implemented, and many other details.

Simply put, a policy about policies brings order to chaos. Without one, your enterprise could end up with a jumble of policies that contradict each other, or policies that make no sense to the employees supposed to follow them. That does a compliance officer no favors as you try to develop a strong, enterprise-wide culture of ethics and compliance at your organization.

That is why a policy on policies is so useful. The question is, what should that policy about policies contain, so that you can reap its full value?

Policy about policies 101

Remember the goal here: a policy about policies is a document that spells out what other policies should contain. In that case, your policy about policies should address numerous important points: 

  • The structure policies should have, such as whether they’re written with an introduction, or presented as a series of bullet points, or some other format.
  • The content policies should have, such as whether they include excerpts of relevant regulations or specific examples of the issue the policy is trying to address.
  • Who “owns” the policy, although ownership should be assigned to a role within your organization rather than a specific person, since personnel might change.
  • What “owning” the policy means in practice. For example, should that person train relevant employees on the policy, or leave that to others? When can they investigate policy violations themselves, rather than in conjunction with you?
  • The process for executives to request a new policy, and who approves the policy before it goes into effect.
  • Details about any procedure to request an exception to the policy, if you want to allow exception requests at all. (There is a school of thought that if your policy includes a procedure for exception requests, you’ve written a bad policy; but that’s a debate for another day.)
  • A requirement that every policy must include links to more specific, detailed procedures as necessary to fulfill the policy. For example, policies about spending approvals should include links to the specific approval forms employees should use, and the procedure on how to submit an approval request.

Your policy about policies should also include a requirement that a copy of all new policies should be sent to the Compliance department, so you can catalog all policies and keep them up-to-date in a policy library.

Along similar lines, it should also require managers to follow a uniform taxonomy for naming their policies, so that those policies can be organized in a clear, logical way in your policy library.

That brings us to another question. How can you, the compliance officer, put a policy about policies to good use?

Moving toward policy management

Let’s stick with the above point about a uniform taxonomy for policies, so that the compliance officer can organize all the company’s policies in a logical way. That’s one great example of why a policy on policies is so useful – because it lets you analyze all your policies and move toward stronger policy management.

For example, you might discover some of your policies are duplicative and can be consolidated into one policy. Others might be outdated, referring to obsolete practices or regulations; they can be updated. But to bring those analytical insights into the light, you first need to organize all policies your enterprise has – a policy about policies is the vehicle to do that.

You might also find that some policies have no owner. Think about what that really means: nobody is accountable for enforcing that policy, which is the start of a slippery slope that ends in nobody taking your policies seriously. A policy about policies lets you intercept that situation and assign owners to those orphan policies, so the policies can be enforced.

Oddly enough, companies aren’t required to have a policy about policies. The phrase appears nowhere in the Justice Department’s guidance for effective corporate compliance programs, the U.S. Sentencing Guidelines, or any of the other sacred texts for corporate compliance officers. But consider two of the three fundamental questions in the Justice Department guidance:

  • Is the compliance program well-designed?
  • Does the compliance program work in practice?

A policy about policies brings you closer to “yes” for both of those questions. It forces the compliance officer and other executives to take policy management seriously (the question about design) and assures greater consistency and efficiency in policy enforcement at scale (the question about working in practice).

So no, you don’t necessarily need a policy about policies; but a compliance officer’s life gets a whole lot easier when you do.

Policy and procedure management can be a major vulnerability for compliance programs, and NAVEX is here to help. For more information on PolicyTech®, our policy and procedure management software on the NAVEX One platform, check out this webpage.
