The policyIQ team hosted a webinar presented by GRC analyst, Michael Rasmussen, focused on how to drive employee engagement through effective policy management and communication. During the session, we asked the audience: “Does your organization have a policy communication plan?” Remarkably, one in three respondents answered, “No."
In other posts, we have drawn attention to the potential hazards of NOT keeping your employees informed, trained, and certified. No doubt, some companies have learned a multi-million-dollar lesson on why it is important to build out a policy communication plan. In case your organization can relate to the third of respondents who identified with not having a formal plan, we want to share some ideas on how you can get started crafting your plan and reducing legal exposure right away.
What is the risk?
Are you having a hard time figuring out how to prioritize your policy updates? Consider, first, how your policies are related to your risk environment and what practices you must have in place to protect the organization from the top down. Next, you may wish to focus on the policies and procedures that you have in place to safeguard your organization: security policies and procedures. The next area in need of attention, depending on your type of organization, may be documentation related to ensuring that product, process, or service quality is delivered. If you have a quality system in place, you likely already have associated documentation on a regular cadence of review.
How will you know that all of these practices are actually taking place and operating as designed? You could also prioritize the documentation and routine practice of monitoring, from an operations and financial perspective. Auditing your business and finance functions will go a long way to provide assurance that you have the right practices in place.
Can your organization provide evidence that your house is in order?
Who is the audience?
Retail store managers, truck drivers, accounting and finance personnel, nurses, IT project managers—there is a seemingly infinite list of roles in the pool of potential policy and procedure audience members. Rather than drafting policies and simply publishing them for broad access or distribution on the company’s intranet, you may want to take a step back and consider more closely, again, the level of risk associated with the documentation. Starting with your areas of greatest exposure, which of your employee roles would be impacted by the absence of the policy or documentation? Pay particular attention to those roles that are directly tied to your high-risk areas and critical controls.
How will you reach them?
The question, here, may be two-fold: What level of assurance does the situation demand? What media is most accessible to the audience?
Policies related to hours-of-service limits for truck drivers and anti-bribery policies for employees working in high-risk geographies may be among your top priorities as it relates to communicating your organization’s values and practices, but they certainly do not have the same work environment or access to information. An important step in your communication plan is the consideration of the level of assurance that the situation demands. Simply publishing some policies may be enough, but for others, it will be critical that you capture a receipt of your employees’ review, their attestation that they understand and agree to follow your policies, and some may warrant training and certification evidencing the employees’ understanding of the critical values and practices.
If you want to better ensure engagement by your employees, you may also wish to consider whether the content requires live and in-person training or if delivery to your employees’ mobile devices will be satisfactory. Getting into the flow of what your employees do and see every day is the best way to boost the likelihood that they will see and interact with your content.
Next steps:
policyIQ is an easy to setup and use SaaS platform that can be leveraged to author, manage and share policies, procedures, links to training materials, certifications, and other related documentation on an employee’s device-of-choice. Click here to learn more about our policy management solution or reach out to us, directly! We are happy to help you see your data in a free policyIQ trial site.
Again, special thanks to GRC 20/20’s Michael Rasmussen for sharing his expertise with our audience (and us, too!). If you are interested in learning more from Mr. Rasmussen, we encourage you to check out his website and, specifically, his “Policy Management by Design” white paper.