Calvin London (email@example.com) is the Founder and Principal Consultant of The Compliance Concierge in Melbourne, Australia. Reyna-Chris Comeros (firstname.lastname@example.org) is the Compliance Manager, Celgene Pty Ltd., and An Nguyen (email@example.com) is the Associate Manager Affiliates Quality, ANZ & CEA, Celgene Pty Ltd. in Melbourne, Australia.
According to Wikipedia, operationalizationis a term in research design, especially in psychology, social sciences, life sciences, and physics. It is a process of defining the measurement of a phenomenon that is not directly measurable, though its existence is inferred by other phenomena. The definition then goes on to give several examples from different disciplines of how the term is used, none of which are particularly helpful.
Nonetheless, operationalization is a term that has gained prominence in the compliance world. It is mainly a result of the term’s use in the Evaluation of Corporate Compliance Programs in 2017 by the Department of Justice (DOJ). DOJ emphasized the importance of an “implemented, reviewed, and revised, as appropriate, in an effective manner” compliance program versus simply having a “paper program” in place. Following this guidance (which was developed from guidance provided in the previous year by the Foreign Corrupt Practices Act (FCPA)) should be automatic, given the potential legal consequences.
Employees within our own organization may well have had good intentions when implementing operationalization but struggled with what it exactly meant, let alone how to pronounce it. I am sure many compliance professionals also share this sentiment, and definitions like the one on Wikipedia don’t help. So, what is operationalization?
Ricardo Pellafone put it quite nicely: “You ‘operationalize compliance’ by integrating it into business process—so it becomes part of how people do their job duties.” He went on to say it was not enough to simply have a policy, but that it had to be applied to the operational tasks and duties that would support the compliance initiatives (operationalize it).
Problems with operationalization
A large number of internal review/audit observations and DOJ/FCPA prosecutions reflect that companies have difficulty effectively demonstrating that the intent of policies has been transitioned into procedures or that they are understood by employees within the company. This is the reality for many companies: Although they may have good intentions, there is a disconnect somewhere between the policy and the actual procedures and processes.
Policy operationalization also becomes more complicated when the policies are issued by global headquarters for implementation to a subsidiary or affiliate office. Often, they assume that since the policy has been given, it must have been implemented. It is not until an internal audit that they realize the policy has not been effectively transitioned into meaningful procedures or practices, exposing the company to regulatory compliance risks.
Making policies POP
The following description of what we called policy operationalization plans (POPs) may be of assistance in effectively implementing the intent of policies in a controlled, consistent, and effective manner. As we describe below, the essential elements of operationalization—documented understanding and interpretation, progression into procedures at a local level, and records of training and understanding—are covered by the use of POPs. POPs also provide documented implementation when it comes time for internal review of audits.
The POP process
The purpose of the POP process is to provide a formal documented plan that confirms (in our case) that each affiliate of a broader international company base had effectively:
Considered the intent of a corporate policy;
Translated intent and adapted local governing requirements into procedures and acceptable practice; and
Ensured that the corporate policy and locally implemented procedures/practices have been communicated to all responsible personnel at the affiliate.
This overall process supplements the document management component of the compliance and quality management system.
At the center of the POP process is the POP Form, which is a controlled document within the Document Management System (DMS). The process established for the completion of POPs is shown and described in more detail in Figure 1.
In our organization, POPs are initiated by the compliance function (Figure 1, step 2). This serves two purposes. The first is to provide an opportunity for compliance personnel to become well-acquainted with the intent of the policy and its requirements. The second is to reinforce that compliance is responsible for the implementation and operationalization of policies regardless of who the authors may be. This is particularly important when the authors of global policies are apart from the affiliate and the analysis by local compliance shows good leadership.
In many cases, compliance may also be involved as a subject matter expert (SME) that is then involved in conducting the risk and adequacy assessment for the current processes and procedures. Compliance, as the guardian of the DMS and policy operationalization, selects the most appropriate SMEs or functional managers associated with the policy. In collaboration, compliance and the appointed functional SMEs assess whether the current procedures in place satisfy the requirements in the Policy Requirements section of the POP and determine whether new local processes are required or if current processes need revision.
In each case, the aspects of operationalization to address the policy requirements are entered into Section A of the POP Form (Figure 1, step 3). Any additional procedures or updates to current procedures required are detailed in the Implementation Plan section of the POP Form (Figure 1, Section B, step 4b). If the current processes and procedures are adequate when reviewed, section B of the POP Form is left blank (Figure 1, Section B, step 4a).
Once processes and procedures required to operationalize the intent of the policy and meet the specified requirements are effective, the target training audience and estimated due date for completion of training is documented in Section C (Figure 1, step 5). This step completes the practical operationalization of the policy, ensuring that not only have the processes and procedures been implemented, but also the effective education of personnel has also occurred. In our situation, to complete the process, we require a list of completions for each of the employees listed in the target audience. Training was not always deployed as electronic “read and understand,” as is common to the industry, for reasons that have been discussed previously. Several other possible modalities for effectively training and educating on the intent of policy content and operationalization have been presented.
Review and approval of the POP
To complete the appropriate document management cycle, the appropriate sections of the POP are formally approved by the responsible SME or functional manager of the area concerned, and final approval that due process had been appropriately followed and the statements in the POP were an accurate representation are made by compliance.
POPs remain current until either a significantly revised policy is issued at a corporate or global level, or a three-year period has elapsed. At the discretion of compliance, POPs may be reviewed and updated prior to mandated review periods in response to internal or corporate audit findings or if a corrective action arose from a deviation investigation in any of the areas covered by the policy and resulting in POP.
Timelines for completion of the POP were established at three months. Extensions (from compliance) were generally not issued without an explanation or justification for delays in implementing the procedures. On occasion, extensions are required because of the complexity of process operationalization, especially when introducing a new procedure with a flow-on effect to the existing procedures.
Benefits of POPs
POPs provide a structured process to effectively review the operationalization of policy content and, as required, address any inadequacies or introduce document enhancements. Several references to the responsibilities within a company, which are outlined by the DOJ in the Evaluation of Corporate Compliance Programs, have been previously discussed. POPs have the potential to address some, if not most, of these.
For example, Tom Fox, in his series of articles “Operationalizing Compliance,” emphasized the importance of actually doing compliance and not simply having a paper program in place under the term operationalization of compliance. POPs provide a controlled documented approach to address this issue. They demonstrate that the compliance program has not simply been an exercise in documentation of policies. Rather, it has been a sequential implementation of principles expressed in policies that are converted in processes and procedures with the appropriate input of the respective functions under the overall guidance and oversight of compliance.
Fox has also discussed the requirements for substantiation of a complete process design associated with good documentation. It highlights that DOJ and the Securities and Exchange Commission will review whether a company has taken steps to make certain the code of conduct remains current and effective and that it will lead to well-thought-out and articulated policies and procedures. POPs provide documentation of the sequence and progression from policy into practice.
Foxand Pellafone have also indicated the need to ensure that it is not enough to simply have a policy. There should also be evidence that the policy has been linked to operational tasks and that the intended audience has been effectively trained. Section C of the POPs (Figure 1) was included to ensure the required training was linked to processes and procedures required to operationalize the policy. It also ensured that before the POP could be formally approved as implanted, an independent review that the training had occurred was required.
POPs have been instrumental in linking the policies and process (operationalization). They also provide documented evidence in an audit to prove this has occurred by a structured and deliberate process.
Operationalization means doing more than simply having a paper compliance program in place.
Many audit observations derive from companies having policies but failing to convert them into actual procedures and processes.
Processes for policy operationalization benefit from having a controlled implementation form that provides a summary of the procedure and training related to the policy.
In our case, policy operationalization plans provide a structured process to effectively review the operationalization of policy content.
Policy operationalization plans can provide documented evidence in an audit that a formal process of implementation has occurred by a structured and deliberate process.