Setting, documenting, implementing and following clear corporate policies is more vital today than ever before. With the post-COVID return to corporate life on the horizon, and with growing emphasis on ESG and DEI — alongside the usual changes a business would face — policy management is a priority.
There are several questions for any board looking at best practice policy management:
- How can companies set policy effectively, and what role does the board play here?
- Why is policy management as crucial as policymaking, and what is the board’s role?
- What risks are there in policy change, and how can you mitigate them?
- How can policy management support and drive broader effectiveness across governance, risk and compliance?
As a board, you need to communicate your vision and allow management to put it into practice. Knowing when to take the lead and when to delegate is critical.
Determining business policy and strategic management of those policies is the board’s responsibility; detail should be left to your management teams. The most effective boards focus on the bigger picture of policy rather than involving themselves in the detail of on-the-ground policy changes.
Boards also play a crucial role in mitigating the inevitable risk that accompanies policy change. And then there is the question of ongoing policy management, the oversight and guidance that ensures policies become embedded in the organization’s DNA, not put in a virtual cupboard and forgotten.
In this guide, we explore what best practice policy management looks like for boards.
Why Is Policy Management Important?
To look at the importance of policy management, we need to consider the importance of policy over all.
Why is having policies important? Your business policies set out your corporate stall, establishing your standpoint and supporting your goals and values.
Your policies give your business operations a structure and framework that underpin your governance, risk and compliance programs. They provide a bridge between leadership vision and management tactics; policy is aptly described as “the collective voice of the board” — how your directors communicate and enforce the values and approach they espouse.
But of course, setting policy is only half the battle. Life would be easy if boards could set the organization on its chosen course and sit back to enjoy the ride.
In practice, there can be a chasm between board-level policymaking and business-wide adoption. This is where policy management is vital.
The Board Responsibilities: Knowing When to Step in — and When to Step Back
What is the board’s role in policy management? The consensus is that an organization’s directors play a central part in determining policy but should employ a lighter touch on implementation and policing.
The UK’s Institute of Directors believes that the board should determine company policies and delegate the implementation of those policies to management, confining the board’s role in monitoring and evaluating this implementation. This sounds reasonable when you consider that delegating appropriate decision-making is recognized as one of the habits of highly effective boards.
Understanding when to step back is a skill all board directors should hone when it comes to policy. Your leadership team has been appointed for their collective expertise and judgment and should be allowed to exercise them.
Your policy statements should therefore be broad yet concise, designed to outline your corporate purpose and position, not to give step-by-step implementation actions.
This is where delegation comes in, empowering your business teams to turn broad policies into more detailed, bespoke documents. This enables the business to take ownership of policies, tailoring them to fit specific circumstances and updating them as needed in response to internal or external change.
The board has another crucial accountability in periodically reviewing and evaluating policies, which we cover in more detail below.
What Does Best Practice Policy Management Look Like?
What is best practice policy management? It encompasses several activities.
1) Documenting Policies
When organizations start out, they often take a relaxed approach to documenting policies. A small number of employees and an entrepreneurial ethos can drive a reluctance to overly formalize procedures. As a business grows, though, documenting policies and processes becomes more critical.
Documenting your policies enables you to take a more consistent approach — especially if your organization consists of several locations or business entities — facilitating proactive risk management and giving boards comprehensive oversight of organizational operations and performance.
2) Reviewing and Updating Policies
When you ask, “how often should we review our corporate policies?” answers vary. But best practice is to review policies every one to two years — some experts suggest annually. And of course, if organizationally you have undertaken change, this will usually demand a change in your policies and procedures.
The most lovingly crafted policy is no good if the regulation it refers to was superseded years ago, or if legislation has been expanded since it was drafted, or if your business no longer resembles the organization described in the policy.
Maybe you have undergone corporate restructuring. You may have gone through a merger or divestiture or carried out an IPO. External events may have caused you to revisit your business continuity plans. All of these should trigger a review of your corporate policies.
3) Harnessing Best Practice Policy Management to Drive GRC
Policy management is vital in itself — but from a board perspective, its importance in helping to create a risk-management-focused organization shouldn’t be overlooked.
A best practice approach to policy management gives you a framework for your governance, risk and compliance strategy — enabling you to embed GRC at every level of your business. Having well-defined policies is a vital start point for any programs designed to improve governance, risk or compliance. Policy management enables you to see where documented procedures are lacking and where your approach could be improved.
Mitigating Risk During Company Policy Change
All change initiatives, including policy changes, come with execution risks.
Whether you are undertaking an organizational restructuring or implementing new ways of working post-COVID-19, any change to business policy and strategic management brings with it several risks.
The risk that the change will not drive improvement. Not all changes are for good, and every policy tweak carries the chance that the new approach won’t better the previous one. Boards need to communicate a sound rationale for change, underpinned by data that evidences the shortcomings of the outgoing policy.
The risk that managers are ill-equipped to drive through and lead the changes being proposed. Management must remain focused and positive (although realistic) about the project, particularly any slippages in timescales, to inspire commitment and buy-in.
A risk of apathy or challenge from employees. Change is often met with skepticism, fear and resistance. Boards can help mitigate this by introducing policy change in small steps, rather than overhauling too much at once, and by leading by example in adopting new practices.
Turning reluctant employees into advocates of policy change demands clear communication and a pragmatic approach, which management may implement but should originate from the board. Change should never be forced but should be bought into at all levels.
Improving Governance, Risk and Compliance Through Effective Policy Management
What have we learned from this quick assessment of the board’s role in policy management?
- Effective policy management is a must-do for board directors — not just in setting policy that reflects the board’s “collective voice” but in actively managing those policies, overseeing implementation, reviewing and updating policies in response to external and internal stimuli.
- There’s a fine balance when it comes to responsibility and accountability. The best results come via a board that leads in setting strategy but steps back to allow management teams to oversee implementation.
- Best practice policy management demands comprehensive policies and procedures built on reliable data and management information. It also requires regular reviews of policies in place, led by the board but guided and driven by management.
- Get it right, and your organization will not only enjoy better documented, more relevant and comprehensive processes but can deliver improvements to your entire GRC strategy.
If you want the latest updates on governance, risk and compliance issues, with actionable advice and strategies, sign up for our GRC Newsletter.