First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

How to go beyond the words to craft smarter policies

policiesA recent Harvard Business Review article details the omissions that make sexual harassment policies ineffective, including language that leaves room for employees to interpret policy according to their own preconceptions.

As Uber’s ongoing housecleaning in the wake of harassment claims shows, policies must be clear, accessible, easy to understand and supported by training and the actual behavior of management. If any of those pieces are missing, it’s difficult to maintain a corporate culture that discourages harassment and encourages employees to report wrongdoing, instead of letting it fester until a scandal breaks out.

Along with the right language, here’s what else you need to consider to make sure your policies are more than just words on a page.

Intention is clear

An effective policy statement is clear and unambiguous, an explanation of how the organization wants employees, contractors and third parties to behave and not just a list of things they can’t do. This allows employees to understand the intent of each policy and how it aligns with the values of the organization. In the rare instance in which circumstances create a situation where a policy and values conflict with incentives or other opportunities, understanding intent will equip employees with the behavior that properly represents the organization.

Messaging is relevant

Policies and procedures must be understandable by all employees, especially employees at high risk. For instance, a 25-page policy written in English by lawyers and aimed at college graduates may not be effective on a factory floor where the majority of workers may have lower education and are non-native English speakers. Along with appropriate language, relevant messaging is necessary. Managers should regularly test understanding and the ability to use policies to avoid misconduct. An effective practice I have seen is one where the organization selects a cross-section of employees, gets them in a room and asks them questions designed to determine whether they understand the policy and how it applies in real-world situations.

Terminology and regulatory issues are current

Policy statements must be drafted using language that is simple, accessible and up-to-date. Regular reviews are necessary to ensure that the policy or procedures reflect changing regulations and workplace realities. A sexual harassment policy written in 1993 might not properly address same-sex harassment or transgender bathroom use.

Use of purpose-built automation and software as an effective differentiator

We found in the recently released 2017 Ethics & Compliance Policy & Procedure Management Benchmark Report that automated policy management systems are an effective way to ensure policy is coordinated among human resources, ethics and other departments and to monitor whether employees have complied with training requirements. Otherwise silos can develop, leading to the problem of “no single owner” for an essential element of running any large organization.

Language is simple yet influential

Policies should be simple. Procedures may have more detail and operational elements yet neither should be overly detailed. They do need to state in simple language how the organization expects employees to handle the wide variety of conflicts and situations they will face in the workplace. A policy on insider trading, for example, should make it clear that it governs any unethical financial activity. That includes trading in the employee’s own company stock, the stock of suppliers or customers, or supplying confidential insider information to a friend. The procedures may include the detail of certifications or disclosures. Similarly, sexual-harassment policies should alert employees to the fact that harassment need not be intentional; inappropriate visual displays in a colleague’s cubicle, while not intentionally offensive, could nevertheless offend a reasonable person and even generate a hostile-workplace claim. There shouldn’t be any room for interpretation on critical issues

Audience is accommodated

Policies need to be adapted for the intended audience. The harassment policy for an international employer might have to be tweaked to address social realities in Scandinavia versus Saudi Arabia, for example. Policies regarding the Foreign Corrupt Practices Act may have to be more detailed for employees dealing with international customers and suppliers than a retail clerk in Iowa.

Culture provides context

Culture is the context through which employees will interpret your policies. A company that instructs its marketing employees to be “fair and transparent” with customers but compensates them based on their “win at all cost” mentality might be sending mixed messages.

Remember culture trumps compliance. The afore-mentioned 2017 benchmark survey found that policy management programs which are identified as Maturing or Advanced, more clearly and effectively connected culture and policies (65%) versus those who deemed their programs as Basic or Reactive (38%).

Reporting policy misconduct must be encouraged and without retaliation

Employees must understand and be trained on policies and procedures if an organization expects employees to report misconduct internally. In addition to awareness, employers must make it clear that compliance is expected along with reports of misconduct. For this to be effective, employers must make it clear, in policy statements and by their own behavior that employees won’t face retaliation for reporting suspected violations. If employees fear retaliation, reporting may be suppressed and misconduct may continue or get worse.

In addition to fear of retaliation, many employees tell us that they may be reluctant to report issues because they are not sure if what they observed is really misconduct and they don’t want to get someone in trouble. A well-written code of conduct should make clear that employees don’t have to be correct in everything they report, just that they have to act in good faith.

Policies must be closely connected to all aspects of an effective compliance program

All of these tips seek to offer ways to make policies and procedures better, but the most important tip is that policies and procedures should not be managed in a vacuum. They are an important element of an effective compliance program without regard to what compliance guidance your organization follows. Ignoring policies can negatively impact compliance conduct, training, monitoring and auditing, investigations – and most importantly and ultimately – the reputation of an organization.

By: Randy Stephens, Vice President with NAVEX Global®’s Advisory Services team

Follow me

Ethics &Compliance Matters ™, Navex Global ®

Ethics & Compliance Matters™ is the official blog of NAVEX Global®. All articles posted on the Inside Internal Controls blog originally appeared on NAVEX Global’s Ethics and Compliance Matters Blog. The blog leverage the news, insights and best practices you find here to stay ahead of GRC trends, and take your compliance program to the next level. Read more
Follow me
Send to Kindle

, , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.