Organizations invest millions of dollars every year in compliance, hoping to improve quality, meet global and local standards, follow regulations and laws, and reduce overall risks. But based on the constant news of corporate scandals and data breaches, this investment doesn’t seem to be paying off.
- Boeing is facing claims that it sold the 737 Max with dangerous software.[1]
- A jury in California ruled that Monsanto failed to warn customers that its weed killer could allegedly cause cancer.[2]
- Google reportedly paid an executive tens of millions of dollars after he was let go following a sexual misconduct investigation.[3]
- Major data breaches have occurred recently at DiscountMugs[4], Dunkin' Donuts[5], and Houzz[6], to name a few.
- Ransomware attacks are on the rise against government agencies, municipalities, and corporations. These attacks cause significant damage to systems and day-to-day operations.[7]
The weak links in all of these situations are one or more of the following: human mistakes, organizational culture, ineffective policies or procedures, poor ethics, inferior technology, and a lack of accountability. Fortunately, there are steps that every organization can take to remedy these causes and reduce the risk or likelihood of a compliance failure occurring.
Building A Foundation For Compliance
The first step, regardless of organization size, is to invest some time and resources into creating or updating your strategy or charter for your policies and procedures, which includes defining how your organizational culture fits within your goals. Your overall charter should include:
- Your objectives concerning policies and procedures
- Which areas of the business they will cover
- The life cycle or process used to create, review, publish, amend, and destroy policies or procedures
- How you will train and implement policies across the organization
- Goals and metrics you will use to measure your compliance and success
Once you create the charter, you can now focus on the specific policies and processes you want to formally document. Some policies are governed by law or specific industry regulation, so you should create those first. Next, create any policies or procedures required to maintain a particular certification or standard like ISO, HIPAA, PCI, etc.
Next, create organization-specific policies and procedures. These will likely include a mixture of policies that set expectations for employees, partners, vendors, etc., as well as IT policies and operational processes, which should include your plans for business continuity and disaster recovery. The key to creating sound policies and procedures is to work with a group of stakeholders who will use them daily, to ensure they are workable and flow naturally with each team.
There are several resources to aid with policy creation. You can find information security policy templates at SANS Institute (sans.org). The Society for Human Resource Management (shrm.org) also has some excellent sample policies.
Why Are Current Approaches To Compliance Failing?
Now that you have a rich set of documented policies, procedures, and manuals that have been reviewed and approved, what's next?
You could publish them on an internal or external website and point your employees or partners to them. You could include them as part of your employee handbook. You could email them around to everyone. You could use a fancy document management system to house and publish them, with the option of tracking who opens them or collecting e-signatures for acknowledgment.
At this point, if that’s all you accomplish, then you’ve wasted a lot of your investment. Employees don’t always read through policies or procedures and thoroughly comprehend them. Yes, you’ve gotten acknowledgments and signatures, but it doesn’t prove the material was absorbed and applied.
You can measure or test that a policy is being adhered to by checking various data points or observations, but is it being used correctly by all individuals? And do they understand why a policy or procedure exists in the first place? Simply making your compliance program about checking boxes doesn’t work; it also devalues your employees as they see it as irrelevant and a waste of time.
How does your company culture affect compliance? A culture of doing things quickly over doing things right, or a high-pressure culture that demands people deliver at any cost, is counterproductive to effective policy and procedure adoption across the organization.
The Modern Approach to Compliance
Training and inclusion are critical elements of your compliance strategy. Policies and procedures require measurable training, as well as knowledge reinforcement and regular reviews. Over time, knowledge is lost, and humans tend to invent shortcuts, which then cause mistakes that lead to failures.
Consistent reinforcement is critical to keeping this knowledge fresh and applied. Include your employees while building and reviewing the training elements of policies and procedures. This inclusion will help convert your employees into advocates and build a culture of improvement.
To make the training relevant and engaging, take a group of policies or procedures along with your experts and build some scenario or story-based training. The instruction should cover why the policies or procedures exist, what they are attempting to prevent, and how individuals play a crucial role in using them.
Relevant Testing Over Time
Quizzes and knowledge checks that you run over an extensive period of time are proven to develop longer-lasting knowledge. Make sure your training includes some testing where individuals can get an assessment of what they know and what they don’t. Look at how various groups need different information around a policy or procedure. Folks in your sales team will have different needs than those in a finance team. Build a reward system that is not only tied to training, but also integrated with day-to-day activities.
Deploy your compliance training in bite-sized pieces. It should be accessible and searchable so employees can reach it at the moment they need information or want to verify that they are following best practices. Couple your processes with checklists, which allow employees to follow guidance quickly, make sure nothing is missed, and reduce the occurrence of mistakes.
An LMS Can Help Manage Your Compliance Efforts And More
An LMS or learning platform such as TOPYX can help your organization publish its policy and procedure documentation and combine it with online training, blended learning in classes and webinars, and quizzes, assignments, and knowledge checks. Additionally, the LMS or learning platform becomes a one-stop shop not only for your compliance program, but also for training, career advancement, and organizational knowledge.
To learn more about how TOPYX can help transform your organization, request a personalized demo today.