GRC Tuesdays: Making Full Use of Policies in Your GRC Program
Policies can’t be considered as “just another piece of paper” as they’re really the foundation of your governance, risk and compliance (GRC) program. They define the scope in which your GRC program operates and embody the G in GRC! They can be preventive, like a Code of Conduct that aims to reduce business risks; detective, like a Whistleblowing procedure; or even corrective, like Business Continuity Plans that help you keep working, even if in a degraded mode. For them to be effective, you have to make them relevant to their audience and make sure that the recipients apply them as intended.
Make Policies Engaging
Like most of you, I have received and signed my fair share of policies. And I have to admit that in some cases, I wasn’t sure of how to apply them, but since it was a compulsory exercise, I just did it.
From a compliance perspective, the job was done, but was it well done? Not really…
To make a policy more engaging, I find that adding examples of past cases or potentially real situations is extremely relevant and helps recipients relate to it.
Also, in some cases, listing the prohibitions is too tedious and it’s difficult to make an exhaustive list. Try listing the best practices instead and, by default, treat anything not on that list as suspect.
Adapt Your Policies Locally
As I’ve touched upon in a previous post (Governance, Risk and Compliance, Taking Into Account Cultural Differences), simple translation of a policy might lead to misunderstanding. If a policy is written in one country and not reviewed for local adaptations for other regions, there is a high likelihood that comprehension won’t be the same across the globe.
This could lead to two potential outcomes:
- Stakeholders signing the policy because it’s required, but not applying it because they think it’s not relevant to their location
- Stakeholders erroneously thinking they understood it but actually not complying with it. This is the worst-case scenario. Because it’s done in good faith, there is a high likelihood that you won’t catch this until a negative event happens.
Track Not Only Acknowledgements but Also Understanding
Knowing that stakeholders have received the policy, or even that they have acknowledged it, is no longer sufficient under some regulations, such as anti-bribery and corruption laws. You’re also responsible for ensuring that the recipients have understood it. And when you think about it, it makes perfect sense, right?
There are multiple ways of doing so (online webinar, classroom training), but they all end up with a quiz that users need to take, and only a certain score will get you a pass.
Instead of regular textual questions on the policy itself, I would recommend putting this in a business case. This way, not only will it be more relevant and ‘less dry’, so to speak, but most of all, it will show you whether the policy is really applicable to your colleagues or whether it should be reviewed.
Regularly Update Your Policies
The context in which your organization operates continuously changes, and so does your compliance program; this is especially true for IT-related policies. Regularly update your policies to reflect this and to ensure that they’re still relevant to protect the company and its employees.
For instance, does your bring-your-own-device (BYOD) policy contain chapters about the usage of mobile devices and their applicability to iOS and Windows, but nothing about Android? Maybe you should consider adding something about this operating system and defining what is allowed and what isn’t, so that there is no gap in your defence system.
What about you? Do you have any additional tips on how to create efficient policies?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard !