After a company defines its mission, vision and values, the most important documents that follow are the policies & procedures and the code of ethics. But how do they differ, and what key elements do they need in order to be successful?
A policy is defined as the rules of the company; compare it to “The 10 Commandments”…you won’t kill, you won’t lie, you won’t cheat, etc. So policies should be written clearly, directly and plainly. No more than one page, or two as a limit.
A procedure, in turn, is defined as the “how to comply with the policies”…an instruction guide for any person to do what needs to be done; a foolproof guide that anyone can understand. So the procedure can be as long as it needs to be.
Then the code of ethics is defined as how any person working for the company should conduct themselves. This includes all personnel, from the top to the bottom. Yes: CEO, Directors, Managers, and staff, no matter their position, area or country. Any third party, strategic alliance or supplier should also have access to the code in order to comply with it.
The three documents are defined as the “must be” and have key elements in order to be successful; they are:
a) Must be written clearly; to the point, without spelling errors. Many companies blend the policy and the procedure into a single document. If there is a separation between them it is ok, but if not, the risk is that personnel won’t differentiate them and will be confused about what is allowed and what is not. Another common mistake is to write them in complex vocabulary or to make them too long…think of yourself as the main user of every policy, procedure and code of ethics…right now, as they are, will you understand what they say? How to apply them? If the answer is yes, your company is on the right track! If not, invest time to modify them. Your employees will be grateful, you will avoid mistakes due to misunderstanding and the company will win. It is worth it.
b) Must be consistent with each other and, of course, with the vision, mission and values of the company. Logical? Obviously! But this kind of mistake is very frequent. Companies issue policies and procedures without making sure they are consistent with each other. So when they are applied, personnel get confused about which to follow and complications come along…for example: the operations department says that the only thing needed to open an account for a client is to ask for their ID and address, while the compliance department says that other documents are needed. When the file gets to compliance it is rejected for lack of information; the executive has to return to the client asking for more information when it could have been asked for the first time. This exemplifies how policies are not consistent and how a simple procedure can become exhausting. The worst: it irritates a client!
c) Must be stored in a place that is easy and accessible for everybody. Whether they are on the company’s intranet, on the internet or physically handed out…everybody should have access to them. The access should also be remote, in case people work at home or at any other facility. If the personnel do not have access to them, how does the company expect them to be fulfilled? Give your employees all the tools and documents to do their work as it should be done. Avoid excuses.
d) Train, train, train. P&Ps as well as the Code lose their effectiveness if they are not spread among personnel, third parties, strategic alliances and suppliers. If they are not made known to people, the “must be” becomes just a paper…rules live within people. So make sure to train them when a new policy, procedure or code is made, and when they are updated. Whether there are changes or not, train personnel at least once a year.
e) Update them! They need maintenance. If your last modification of the P&P and code was in 1980…it is time to update them. When to do that? After a new system is bought, changes in regulations, a change in areas or departments that affects either the rules or how things are done, the emergence of new risks, news in the paper that affects the company image, in response to results of any review by Internal or External Audit or Compliance that you have seen recur, etc. Do not assume or rely on people to know the changes by heart. Keep the P&P and the code updated with the latest changes.
f) Avoid conflict of interest: many companies ask Internal Audit to draft other areas’ policies because "they think it’s their job". Do not permit this. Internal Audit should not draft any policy other than its own. If IA writes others’ policies then it becomes judge and jury; when it audits, people can question: if you made the policy and also review it, should that not make you part of it? Each area or department should make its own policies, again keeping in mind to be consistent with the others.
g) Make sure to be open to comments on them from all personnel. The majority of companies appoint someone to write down the procedures; however, depending on that person’s level, there is a risk that they do not have complete knowledge of how the area works. Involve personnel from all levels so the policy can be complete and, after publishing and spreading it, make sure to have a hotline or email where people can make suggestions about them. If they are right, make the change.
Do not forget to include in your code the importance of the company checking gifts given by third parties to any personnel of the company. Remember, this can avoid conflict of interest and reputational damage. We will talk about this in other coming articles.
Enjoy making the "must be" and... Happy New Year 2016!
Mónica Ramírez Chimal, México
Partner at her own consultancy firm, Asserto RSC: www.TheAssertoRSC.com
Author of the books “Don´t let them wash, Nor dry!” and “Make life yours!”, published in Spanish and English. She has written several articles about risks, data protection, virtual currencies and money laundering. Mónica is an international lecturer and instructor and has been Internal Audit and Compliance Director for an international company.