We now turn our attention back to my series on Effective Policy Management & Communication.
MICHAEL RASMUSSEN
In the previous posting we looked at the disarray and chaos of how policies are managed, maintained, and communicated within organizations. Often inconsistent, poorly written, out of date, developed with no style guide, and ineffectively managed and communicated - corporate policy management in most organizations is a mess. Now we will turn from our flogging of the corporate policy mess to constructively developing an effective policy management process.
The first point to clearly understand - policies, done right, articulate the corporate culture.
Unfortunately, most organizations have not connected the world of policies to how they influence and establish corporate culture. Granted - corporate culture is there with or without policies. However, without policies there are no written standards as to what is acceptable and unacceptable conduct. Without policies, culture is allowed to morph and change, and the organization can quickly become something it never intended.
Policies define the boundaries of the organization. At the highest level this starts with the Code of Conduct, setting forth the ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level, then into the business unit, the department, and individual business processes. Policies are supported by procedures. Both policies and procedures, at the statement level, establish and authorize the controls by which the organization is managed and monitored.
Policies articulate the culture of compliance. They define what is acceptable and unacceptable. This starts at the ‘Mandated Boundary’ level: communicating what is legally right or wrong and how the organization will stay within the legal boundaries of the various jurisdictions in which it operates. Policies then extend to the ‘Voluntary Boundary’ level to articulate what is acceptable and unacceptable in matters of discretion - ethics, values, code of conduct, corporate social responsibility, and other areas. Both the mandated and voluntary boundaries are written into policies so that individuals within the organization and its relationships know what is acceptable and unacceptable. This should not be open to broad discretion and interpretation.
Policies articulate the culture of risk. Every organization takes risk; it is part of business. Without clearly written guidance as to what is acceptable and unacceptable risk, the organization is like a ship without a rudder. Policies provide clear guidance on what is acceptable and unacceptable risk, define risk acceptance and tolerance levels, and establish who owns and manages risk.
Please do not misunderstand me - policies are not a magic answer to culture, governance, risk, and/or compliance. Not at all. An organization can have a wide array of policies that are not adhered to and end up in very hot water. Policies ARE a way to clearly define, articulate, and communicate what the boundaries, practices, and expectations of the organization are. While you can have a horrible culture with policies, you cannot have a strong and established culture without them. The right policies are necessary to define and communicate what the organization is about.
Culture itself is broader than policies - policies are the vehicle that communicates and defines culture so that culture does not morph out of control. This requires that policies be adhered to, exceptions closely managed, and violations dealt with.
Over the next several weeks we will continue to look at Effective Policy Management and Communication. We will specifically explore:
What is the right number of policies?
Defining a process lifecycle for managing policies
Establishing policy ownership and accountability
Providing consistency in policies through consistent style and language
Communicating policies across extended business relationships
Tracking policy attestation and delivering effective training
Monitoring metrics to establish effectiveness and/or issues with policies
Relating policy management to risk, issue/case, and other GRC areas
Using technology to manage and communicate policies
In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective Policy Management and Communication.
POSTED BY CORPORATE INTEGRITY AT 7:29 PM
LABELS: GRC, GOVERNANCE, RISK, COMPLIANCE, POLICIES, POLICY MANAGEMENT
Group: Healthcare Compliance and Risk Management Resource Center
Subject: New comment (1) on "Policies, done right, articulate culture"
"The greatest danger" for HIPAA covered entities is having policies and procedures no one is following. "A policy on a shelf is not going to be very helpful — it won't be helpful in protecting privacy and security, and it won't be helpful in responding to an investigation....Having procedures in place, training people in those procedures, and taking action when
http://corp-integrity.blogspot.com/2010/02/policies-done-right-articulate-culture.html... 25/02/2010
Corporate Integrity, LLC: Policies, Done Right, Articulate Culture Page 2 of 5
I am so glad that you have started this discussion. Policy management is a major issue in the company where I work, as well.
I have just done research among employees on how well they are familiar with key policies and what they think of its implementation and the adequacy of its introduction.
When identifying such an issue and assessing the risks arising from it, what would be the next step? Who in your opinion should be the manager of company policies and what does such management include?
These are the questions I haven't yet answered. We have a Department for organization and standardization that publishes policies after they are adopted, there is a Compliance Department, and of course other departments that propose or issue policies and procedures... Having so many policies and procedures, it looks like we would need an extra employee to work only on policy management. Is there a normal number of policies that a company of 1 b annual revenue and 2500 employees should have?
As compliance officer, I had issued guidelines for how the company policies should be introduced and implemented and what provisions they have to include for assuring appropriate linkage to other policies and procedures... They don't seem to work as well as I hoped.
Would be great to have some more insights from you or other members dealing with this problem.
Andrijana
Posted by Andrijana Zrinji
February 15, 2010 9:54 AM
Red Book (3)
Corporate Integrity said...
Andrijana,
Thank you for your feedback. I am posting more on this subject over the next few weeks - stay tuned.
I just worked on a poll last week with OCEG on the number of policies of organizations of varying sizes. We have had several hundred respond. If you wish to contact me I can share some of the raw data with you (I have not yet put it into pretty PPT slides).
LinkedIn Groups
I could not agree more that policies, done right, articulate the culture of the organization. I wrote a policy for our agency on remote access management. Basically, the policy outlined how employees and partners would access the agency’s enterprise network from locations external to the agency.
There were several factors that made this policy effective. First, our Chief Information Officer was required by an oversight agency to institute the policy. Thus, I had an identified sponsor, the CIO, who was committed to supporting the policy. Second, the policy was not left to ambiguous interpretation; I clearly defined the technical requirements for remote access in an easy-to-understand bulleted format and outlined in detail the roles of the users, managers and business partners in accessing the agency’s systems. Third, the policy was circulated to all the senior managers in the agency, who were required to review and concur on the policy. I had buy-in from the Directors in the organization whose role was to assure that they, and their employees, adhered to the policy. And last, I worked with the Telecommunications team to implement technical controls in the enterprise network which supported the technical stipulations in the policy.
Posted by Portia Cross
February 18, 2010 1:28 PM
LinkedIn Groups
Hello Michael,
I believe your illustration of how the organization Code of Conduct should be translated "down" to the basic individual business process pinpoints the main problem most organizations encounter when implementing – or trying to implement – a Code of Conduct.
I find the connection between Corporate Culture and Professional (Personal) Ethics critical to continuous Corporate Success, and it should be done, and therefore must be methodically managed, by aligning Individual objectives with the organization's.
I'm looking forward to your future ideas.
Best,
Noam Sarfati.
Posted by Noam Sarfati
February 22, 2010 10:22 AM
Date: 2/16/2010
I am just in the process of doing a "Risk Assessment" project to make my Safety Training more along the lines of the Shell Company approach, a simple "intervention step for all employees". Their latest edition includes a "Life Safety Skills" approach, very impressive.
More or less understanding the Hazards and putting the controls in place and then incorporating them into the "Change Management Plan". Very few companies realize this is crucial for the Safe Operation of their facilities, because it is a "proactive approach" to learning from the mistakes of others, which also needs to be incorporated into the Safety Training Plan.
Will keep you posted of my progress in this area.
February 22, 2010 2:06 PM