Kelly Lange (klange@bcbsm.com) is Vice President Enterprise Compliance and Privacy Official at Blue Cross Blue Shield of Michigan in Detroit, MI.
Documentation serves an organization beyond the needs of expectation-setting and performance quality. Documented policies set expectations and drive accountability within the workforce, but they are also fundamental in an organization's hierarchy of needs and can be a key business enabler, building the trust of your customers and regulators. When your workforce clearly knows what is expected of them and why, accountability and engagement thrive and contribute to business results and compliance effectiveness.
Policies are a key control for companies, enabling compliance with applicable laws, regulations, and operational standards. They are critical to audit readiness: policies are generally included in the first set of audit and informational requests an organization receives. They demonstrate commitment to, and buy-in on, overarching principles and support the defense against fraud, waste, abuse, and misconduct. Policies are also part of risk mitigation and of corporate enterprise risk management. Given their importance and value, many companies may be underinvesting in their policy governance maturity. After all, we have heard (and perhaps experienced) the old adage, “What is documented is more likely to be followed.”
With the increasing pressures of the “new compliance normal,” which can be defined as the growing demands from consumers and regulators combined with fast-paced implementation needs, there may be more pressure to defer or minimize the documentation of key process controls in policies or procedures. It may also be increasingly difficult to maintain consistency if your organization is expanding or changing. Overall documentation quality may be an unintended victim of circumstances. When changes are needed fast and furiously to meet demands, it is tempting to deprioritize policies and other supporting documentation. Unfortunately, if that work is deferred and never completed, it leaves the company exposed to knowledge gaps, missed requirements, and accountability gaps that can ultimately erode the trust of key stakeholders in your compliance program and negatively impact your business reputation and revenue.
Policy requirements
Regulators expect organizations to have corporate policies and standards. The HHS Office of Inspector General (OIG) and other regulatory bodies have reinforced—and even called out—written policies as an expected compliance program element. An organization must have standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal and other improper conduct.[1]
The OIG has issued a number of compliance program guidance documents, all of which emphasize the need for written compliance guidance for employees. They comment that:
At a minimum, comprehensive compliance programs should include…the development and distribution of written standards of conduct, as well as written policies and procedures that promote the [organization’s] commitment to compliance and that address specific areas of potential fraud, such as claims development and submission processes, code gaming, and financial relationships with physicians and other health care professionals.[2]
The United States Sentencing Commission’s Federal Sentencing Guidelines comment that to “have an effective compliance and ethics program..., an organization shall…establish standards and procedures to prevent and detect criminal conduct.”[3]
Policies make it clear to the workforce how they are to act. It is important that the most essential policies and the supporting governance structure are endorsed by senior leadership and by the board. When effective and supported by a strong tone at the top, policies are preventive controls that steer the workforce toward doing the right thing. The most important policy for setting that tone is generally the code of conduct. It is oftentimes the policy most frequently requested from organizations by customers and regulatory auditors and, in many cases, is externally facing, communicating the company’s ethical attitude.
As you know from regulatory and customer audit experiences, policies provide insight into the culture and design of an organization’s internal controls. Policies are the windows into your organization. They guide the company’s decision-making on a daily basis. Often, a policy sets the high-level requirements and answers the question “what.” Procedures are generally more detailed and define how the policies are put into practice. They describe lower-level processes, such as day-to-day functions and activities, and answer the detailed questions around “how.”
As compliance professionals, we can help improve the policy infrastructure and strengthen this fundamental element of our programs. Engaging early with our Human Resources partners and other key business champions is the first and most important step. Disciplined policy governance and a strong partnership with change champions can lead to enhanced performance accountability, consistent practice, and more effective compliance.
12 recommendations
So what are some other key ways to improve policy governance within an organization and move the needle forward on effectiveness? Here are 12 suggestions.
1. Elevate the governance over policies
Consider a cross-functional oversight committee that sets the rules around policy. Set guidance on the level of detail that belongs in a policy versus a procedure, and consider reinforcing those rules through workforce training. Policies shouldn’t be perceived as just an audit or compliance request, but as a corporate necessity that commits the workforce to success. It is important that the governance is endorsed and supported by senior leadership, and that policies are valued throughout the workforce.
2. Set common template elements
To further drive effectiveness and avoid workforce confusion, adopt a common template. It drives consistent coverage of policy elements, common definitions where they matter, and common labeling, and it conveys a sense of organizational and process maturity to stakeholders when policies must be shared externally. Consider adding a section listing the regulatory requirements the policy addresses, for a clear tie to compliance; this reinforces your organization’s audit readiness. Other key template components include a title, area of coverage or scope, objective or purpose, related policies and procedures, responsible parties, a noncompliance statement, review dates, and effective dates.
3. Establish periodic review
Consider establishing a common corporate cadence for policy review; annual review is the generally accepted best practice. A regular cadence keeps policies relevant and accurate as material changes occur, and customers and regulators expect this rigor. If you can connect the process to your Governance, Risk, and Compliance (GRC) application or a similar tool and use it for change tracking, you will end up with an even more cost-effective process, and Compliance can tap into the tool as needed for risk-based oversight.
4. Implement a source of truth
Implement a common repository with the expectation that it is the source of truth for policies and all of their changes. A common repository supports overall oversight and promotes a disciplined publishing process that tracks changes along the way and acts as a “quality gate” before final publication. It also promotes availability, which supports business continuity readiness. Your business continuity team may therefore be a good champion for change throughout your policy journey.
5. Set expectations with business associates
This starts contractually, of course, but through your oversight processes, monitor the key policies that are needed for your overall program compliance effectiveness. Consider monitoring them at least annually as part of your own policy discipline. Make sure that your contract administrators know what to look for and why, since they are your first line of defense in the vendor relationship.
6. Invite your subsidiaries to the table
Subsidiaries and affiliates may benefit from information sharing (where relevant and practical) rather than learning on their own. Their success is generally yours; just be sure that if they are smaller in size, the policy governance is right-sized to their organization. Policies should be risk-based and fit the laws, regulations, and needs that apply to each entity.
7. Set clear approval level expectations
Higher levels of leadership should be aware of the policies owned in their areas. Their involvement also helps to convey tone and support, which we all know contributes to effectiveness. Consider having senior leaders sign off on the policies for their areas to demonstrate support and awareness. Be mindful of which policies are important enough to warrant senior-level endorsement and which can be endorsed by middle-line leaders.
8. Consider overarching written guidance for clarity
A policy on corporate policies (a governing document that defines what a policy is, who can approve one, and how it is maintained) may be one of your first steps in improving governance early in the process. It will drive consistency and aid clear understanding for your workforce. Again, consider senior-level leadership endorsement to emphasize its importance.
9. Training
Require that material changes and new policies be accompanied by companion communications and/or education plans. What good is a policy if the workforce doesn’t know there has been a change? Oftentimes in audits, interview questions or work programs are derived from an understanding of the policies and aim to substantiate that your organization’s practice is aligned with management’s intent. It is important that policies aren’t just on the shelf, but that your workforce is aware of them and understands them. Invite your communications team to the table as partners and change champions for important workforce expectations.
10. Monitor policy practices as written
If you have a Governance, Risk, and Compliance application, use it to manage the change and monitoring process. For policies that cover higher-risk operational areas, consider a cyclical business self-monitoring practice. To be cost-effective, sample where appropriate. Auditing and monitoring should provide reasonable assurance of policy adherence. Policies that aren’t followed, or that misrepresent the controls actually in place, can be just as problematic as a missing policy document.
11. Tailor policies to meet your needs
Size the policy universe to match the risk and size of the organization. Policies and procedures are not a one-size-fits-all practice. Policies should be tailored to the culture, risk, operational, and compliance needs of an organization. Aim to keep the policies realistic, attainable, and cost effective.
12. Engage communications expertise
Use your internal communications team to set standards for writing policies clearly and concisely so that your entire workforce can use them as a guide. Set a target reading level, and use tools that help writers stay within it. A common benchmark is an eighth-grade reading level, but this can vary based upon the market being served.
Takeaways
- Policies are essential controls for companies.
- Policies build trust and compliance with key stakeholders, including regulators and customers.
- Regulators have issued supporting guidance, emphasizing the importance of policies as preventive controls.
- Policies should align with culture and risk; they are not a one-size-fits-all practice.
- Compliance professionals can help to elevate policy infrastructure and improve program effectiveness by partnering with fellow change champions and encouraging common guidelines and risk-based oversight.