Some organizations operate with the reactive mindset that, as long as things are running smoothly, there is no need to worry about documenting policies, procedures and processes. This can be a serious mistake as this mentality overlooks the importance of proactive risk management practices, maintains a siloed view of the organization and key operations, and limits the upside for performance-improvement initiatives.
This view is further hindered by the common perception that policies, procedures and processes are merely stagnant reference documents, which underestimates their true value. To grasp that value, you must understand the meaning of the policies, procedures and processes and their true function in the business. With this baseline understanding, the importance of these operational controls to the market and competitive success becomes clearer.
Policies contain high-level principles or requirements that a certain department or functional area of the organization must follow, as formally agreed upon by management. These policies set the directional tone for individual departments or areas of the business.
Procedures are affiliated with particular policies and define lower-level processes, such as daily, weekly or quarterly functions and job activities. Procedures bring a set of related functions and organizational processes together, which can then be consolidated in a well-defined category—such as hiring and termination in HR or access management in IT.
Processes are typically contained within procedures, defining in detail how regular business functions are performed, whether on a repeating or as-needed basis. A process has both a start and finish, and shows interrelationships and dependencies with other processes and organizational areas or technologies. It also provides insight into standard functions and key risk and control points that need to be monitored and taken into consideration for risk assessment, mitigation and audit efforts.
To some degree, the extent and detail of these processes, policies and procedures are a hallmark of organizational maturity. They provide something like a strategic vision, identifying what a risk and control environment should look like. This helps to shape direction, so an organization can move from a “check-the-box,” compliance-first mindset to one that recognizes risk management as a critical business discipline.
Well-defined policies, procedures and processes also provide a basis for an organization to analyze how to get from their existing state to a target state. By outlining current requirements, operations, interdependencies, risks and controls, they can help identify gaps and improvement opportunities. Only then can organizations intelligently embed the right controls into the right processes.
For example, say an organization has documented a process for terminating IT access for an employee who is leaving the organization. This process is contained in a procedure alongside other processes regarding technology access changes and monitoring activities for employment and termination. The procedure is part of an overarching policy that sets the high-level requirements and purpose of the associated departments or organizational areas (IT and HR in this case).
This documented process and procedure include details about technology and resource dependencies, in addition to current operations and identified risk and control points. An organization can review its current procedures and processes to identify gaps or constraints in resources, automation, communication among departments or areas, technology, or the ability to remediate process-related risks. Awareness of such constraints is the first step to eliminating inefficiencies and vulnerabilities that otherwise may have been overlooked.
Executives will never understand the inner workings of the business without a clear view of the principles and requirements that establish the organization’s tone and direction, and granular visibility into the processes, functions, interrelationships, dependencies and risk/control points.
What’s more, many regulators and auditors consider these to be essential operating tools for an organization and expect to review them in the course of standard audits and filings. Regulators and auditors seek to understand and determine organizational compliance with internal, external and industry standards. As such, policies, procedures and processes are viewed as evidence of a company’s current operational status and its commitment to effective risk management and compliance.
Organizations seeking stronger policies, procedures and processes must first examine what is already in place. The board of directors, executive management and other key senior stakeholders across the enterprise will likely need to be involved in this effort. If current documentation is insufficient, they should start to develop a plan, prioritizing critical operations, especially those with the largest gaps in policies, procedures and processes. They will also need to assess whether they have adequate expertise and resources internally to lead the documentation effort.
Organizations with these in place should next consider when they were last reviewed and recertified or updated. At a minimum, this review and recertification process should be a yearly activity to understand organizational changes and take any necessary action. The idea is that the documents must be viewed as living, breathing management tools.
The next step is to determine current monitoring capabilities. Are policies, procedures and processes being followed and used in daily operations? Are they incorporated into training curricula for new hires? Do they factor into organizational decision-making and strategic-planning efforts? Are they a prominent feature of compliance and regulatory reviews? If they are not actively being used, business and risk management leaders will need to determine why and set an appropriate course of action to get them off the shelf and into the business.
It is also important to define responsibility for recertification and yearly review, in addition to defining the organizational policies that govern procedures and processes. This may involve risk management teams, internal auditors and other groups. Without adequate direction and clearly defined responsibilities, the tools will not be properly utilized or updated and will become inaccurate over time.
In developing new or updating existing policies, procedures and processes, it is imperative that organizations ensure there is clear understanding of the risks that various controls are mitigating. Having this insight is invaluable in planning for risk mitigation, understanding the effectiveness of current compliance programs and highlighting future improvement opportunities.
Lastly, organizations must determine whether adequate training exists to communicate processes, requirements, dependencies, controls, risks and the purposes of specified objectives or functions. If no such training exists, it should be developed and launched with the input of senior management.
While the mention of “policies and procedures” tends to make many business leaders’ eyes glaze over, they are critical to every company’s effective enterprise risk management. They can also give organizations valuable and actionable insights into securing, streamlining and integrating operations. Better documentation of policies, procedures and processes can not only improve the effectiveness and efficiency of regulatory compliance efforts, but can also unlock opportunities to improve business performance.
Lauren Amadei is a principal with Infinitive’s enterprise risk management practice