Streamline policy management with a policy hierarchy

Swagata Roy

Swagata Roy

By Swagata Roy

Swagata Roy (swagata.roy@libertyutilities.com) is Director of Compliance Strategy and Performance at Liberty Energy and Water, in Oakville, Ontario, Canada.

Written policies and procedures are foundations of an effective compliance program, enabling the organization to meet regulatory requirements, identify risk mitigation controls, and define roles and responsibilities for compliance. Compliance training, communication, and even monitoring activities are dependent on the quality and effectiveness of policy management.

But policy management can be quite the challenge, as compliance teams are facing several demands in the current regulatory and business environment. Large organizations with multiple lines of business must track specific compliance requirements for each area, especially for heavily regulated industries, such as healthcare and financial services. In addition, business mergers require the compliance function to address policies and procedures of the acquired entity that may need to be aligned with the parent.

Emerging technologies are also attracting increased regulatory scrutiny. Technology makes it easier to do business and have customers in multiple jurisdictions, but it carries the burden of compliance with laws and regulations in each jurisdiction.

All of this indicates existence of numerous, even conflicting, policies and procedures throughout the organization. The easy answer may be to centralize policy management for better control and in meeting regulatory compliance obligations. This is not always possible, however, due to many constraints, not in the least being limited resources. During the COVID-19 pandemic, organizations grappled with budget cuts, and the compliance function has been forced to rethink policy management practices.[1] Compliance teams do not usually have an army of policy administrators, and even if they did, it would be quite impossible for them to have the understanding required at a granular level to manage and keep updated the entire policy and procedures library.

Therefore, to help streamline policy management, a hybrid system incorporating a policy hierarchy is proposed.

Policy hierarchies—an overview

The overall strategy of a policy hierarchy is to assign a level to each policy representing the risk level and extent of applicability of that policy.

Enterprise-level policies, which define the mission and vision and set strategic direction of an organization, are the highest level in the hierarchy. Documents like an organization’s purpose statement, governance policies, and board charters are also on this level. The code of conduct being an enterprise-wide principle-based policy with a high consequence of violation also has a higher level in the hierarchy. Other enterprise-wide policies that would be assigned to a higher level in the hierarchy are policies on workplace health and safety, commitment to quality, privacy, diversity, and sustainability (Figure 1).

Figure 1: Example of a policy hierarchy

The enterprise-level policies are usually approved by the board or C-suite. To be successfully operationalized, these higher-level policies need to be supported by jurisdiction-specific or more procedure-based policies. The travel, gifts and hospitality, employee benefits, or vacation policies may be tailored to the geographical locations or business unit.

The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks, “What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?” And when misconduct occurs, “If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?”[2]

This indicates that policies and procedures must be owned and implemented at the appropriate level of accountability.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2023 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings