Transcript for Best Practices in Policy Management and Development
Giovanni Gallo: So, while we’re waiting for the room to load up and everyone to get settled, please look on the bottom of your screen. If you hover with your mouse, you’ll see a little menu pop-up and jump in the chat and why don’t you tell us where you’re joining from today and we’ll go around the panelists right before we do an intro. So, I’m coming in from Charlotte, North Carolina. Is there anyone…go ahead, Matt.
Matt Kelly: I was gonna say I’m here at Radical Compliance headquarters in Cambridge, Massachusetts.
Desiree K. Ramirez: I’m here at Fort Worth University of North Texas Health Science Center.
Gwendolyn “Gwen” Hassan: I’m in Oak Park, Illinois, just outside of Chicago.
Giovanni: All right. We got Portland, Maine on the books, McKinney, Texas, and Portland, Oregon. We got both the Portlands. Welcome, Grand Rapids. Thanks for jumping in, everybody. So, we’re glad you’re joining us today. We’re really excited to talk about this topic of policy management. Obviously, it’s ubiquitous and, you know, everyone should be on a continuous improvement process of figuring out where you are and how you can get better. Hopefully every organization has some form of policy management in place, but you can always make it better and that’s part of what we do as compliance and ethics professionals is figure out what’s most important and do more of it. So, we’re pumped for you to join us today.
I’m Giovanni Gallo, Co-CEO of ComplianceLine. We provide a bunch of software and services to compliance and ethics professionals including a bunch of things that tie to policies like conflict of interest and people signing off on policies and making sure that they’ve read them and things that we do through our hotline are obviously related to that and all of that. So really excited to get into this discussion with you today. As usual, we are hosted by the wonderful, knowledgeable, entertaining Matt Kelly. Thanks for leading us on the panel today, Matt, and you can take away the intros.
Matt: Sure. And by the way, everybody who’s signing in with where you’re from, Gio, I did hear from a person in Perth, Australia who is in fact asleep right now because it’s a 12-hour time difference, I think, but she wanted to make sure that this would be recorded because she was so excited. She’s sorry that she couldn’t be here live, but Perth, Australia, they were all the way from there.
Giovanni: Awesome. Yeah. Shout out to Perth, Australia and yes, we will be recording this and you guys, all the attendees will get it. So, feel free to send it to your friends in Australia.
Matt: So, for everybody who’s joining, we are here today to talk about policy management and we’re gonna cover a few big concepts within that umbrella. Number one, we’d wanna talk a bit about what policy management should be able to do. What are the big capabilities, the basic capabilities of a good policy management program and especially how a compliance officer who might be running the policy management program, how does the compliance officer work productively with other parts of the business to make sure that they don’t go off the range and start adopting their own policies without telling you, or they forget to tell you that they’ve changed it or vice versa? But there’s a lot of collaboration that has to go on to make sure that policy management goes well.
So, we’ll be talking about that. We will talk a bit about what the compliance officer’s challenges are, not just how you manage and develop a policy but how do you manage all policies at scale when you might have hundreds of them across a very large enterprise. What are the technology capabilities that you might rely on to be able to do that?
And then third, I wanted to talk a bit about what you should be thinking through to demonstrate the effectiveness of your policy management efforts to your board, to regulators, to anybody else who might need to know about it, to audit firms or something like that. But very much you’re going to have to be able to show that your policy management program works somehow, you know, what are the metrics you’re looking at for performance, documentation, things like that. So that’s what we wanna talk about and we have some great guests here.
So first I will introduce Gwen Hassan, who is the…until earlier this year, she had been the global head of compliance for CNH Industrial, which is a big agriculture equipment manufacturing business that is headquartered in Europe. And Gwen is in Chicago where she’s teaching compliance law these days at Loyola University. So, Gwen, hello, and thank you for joining us.
Gwen: Hi, thanks for having me, Matt. It’s always a pleasure to talk with you.
Matt: And also joining us is Desiree Ramirez. She is the Chief Integrity Officer at UNT Health Science, which I think is University of North Texas. And Desiree has also been a long-time compliance officer and professional specifically in healthcare in teaching hospitals, things like that. And so, Desiree, welcome to you too. Thank you for being here.
Desiree: Thank you. Thank you for having me. I’m really happy to be here, I’m happy to join Gwen and Gio on this call. So, thank you.
Matt: And then yes, we do also have Gio who is going to be with us as well for the hour. So, I wanted to start with a broad introductory question just about what is policy management. Let’s define what it is supposed to be able to achieve for a large enterprise. Because I had mentioned that, okay, part of it is making sure some local department doesn’t adopt the wrong policy. I assume there is more to it than that. Desiree, I’ll put it to you first and then to Gwen, but give us your big picture thoughts about what is it that you’re seeking to be able to do with a good policy management program.
Desiree: Sure. For us for policy management, what we wanna ensure is, particularly me as the compliance officer, we wanna ensure that people know what is expected of them, what are the behaviors and processes that they need to know. Because it is very difficult when you do an investigation or try to impose any corrective action to look at a policy and for a person to say, “I didn’t know what was expected of me.” So now, you know, we have the proverbial, the thumb pointing back at you, what did we not do to ensure that this person knew what was expected of them, knew what the policies of the organization were so that we hold them accountable to the behaviors or to the misconduct that we don’t expect from them. It’s hard to do that when the policy isn’t clear because people just don’t know what’s expected of them.
Gwen: So, I’d jump in and say that I agree 100% with Desiree, but I’d put it in the context of risk management on a broader sense, right, which is the ultimate goal of having policies…I mean, you don’t just have a policy for fun, at least I hope you don’t. You have one because it is supposed to be helping you reduce or manage risk somewhere in your business. So ultimately, I would say the goal of a good policy management system or process, or whatever you wanna call it is risk reduction and risk mitigation. That’s the bigger context for me.
Giovanni: Yeah. I love that perspective because, you know, what can be impacted by your policies and how you manage them can be very expansive, right. And I think that what you should get out of your policy management program and system really changes as you mature, but at its full expression, it should help you do a bunch of things, not just define how things should be done, but it’s kind of part of training and it should be things that you can reinforce on and should be part of your ongoing communication and also feedback into your risk management system to realize, okay, “Where is the breakdown and how can I solve that with policy or training or managers and all of these other things?” And I think that as you kind of move along this maturity curve from a policy management standpoint, you start getting more comprehensive from just defining a process or requirement to actually interacting with employees and managing that kind of full scope of risk.
Matt: It’s interesting that one of the notes I had jotted down before this was what is policy management and I jotted down herding cats. And I mean…
Gwen: That’s fair.
Matt: Let me ask a little bit more. Say, so for example, Desiree, when you were talking about trying to educate the specific employees so that they do know I wasn’t supposed to do this, I was supposed to do that. And I understand that that’s one important part of policy management, but I’m also intrigued by trying to figure out what are the herding cats capabilities you need for, you know…you’re gonna have, say, 30,000 employees and you really wanna make sure that all the business units know that all cats have to move in this direction roughly to make sure that there isn’t a business unit that’s adopting the wrong policy, or it’s leaving the old policy in place that it should have decommissioned or something like that. What are some of those more policy management at scale capabilities that a good program should have? And Desiree, what are your thoughts? And then Gwen, I’ll circle back to you for a bit more too.
Desiree: So, for me, I think when you talk about making sure people know what direction to move in, I think a good…you know, all organizations should definitely have their code of conduct. We call ours our code of culture because we want it to be more than just conduct. It was really about the values and the expected behaviors that we all commit to in the organization. So, you have to kinda start with that guidepost. We all have the values that we have committed to, we all sign the code of culture that we commit to. So, I think as managers and leaders from the policy perspective, that has to be the first guide that you have is what are the values, what is the code of conduct of the organization. And then I think from there, as a compliance officer, you guide people into how you write the policy, what is expected in the policy because you have the guidepost that starts with your code and starts with the values. And I think you can then incorporate all the “legal regulatory” things into the policy, but people have to have the guide of what is the organization’s belief as far as the expectation of the organization and I think that helps them to guide how you commit to writing your policies.
Matt: Gwen, what would you say?
Gwen: I would start with the three lines of defense model argument, right.
Matt: Okay.
Gwen: Which is at scale, you wanna teach a man to fish, right. You don’t want to go out and spoon-feed policies to every situation, every subgroup, every tiny office, every department. You wanna be able to, at scale, teach somebody how to put in place a meaningful policy. And that means educating that first line, right. The first line needs to know what is risk, what’s a policy’s role in mitigating or managing risk. What does a good policy look like? What does a bad policy look like? How do I make sure it’s tailored in a way that it’s broad enough, but not too broad? How do I make sure that the applicability is very clear, who it applies to, who it doesn’t, what situations applies, what doesn’t? So, I’d argue that at scale, a compliance policy management function is a coaching function. Your role is to go in and coach the front line as to what it looks like. And that means providing them with tools and processes and systems that can help them manage their own risk.
Matt: Is it safe to say that good policy management has become more important to get right at large organizations? Let’s say over the last 10 years, and I’m not clear on…is that because there are more issues that you could wind up being over-policied and it’s all a confusing mess, or is it because employees could make mistakes more quickly and more severely? I don’t know. And I’m also just floating the thesis there, the assumption that policy management is becoming more important. But Gio, let me ask you first what you think, and then Gwen and Desiree as well, about how important good policy management is as an organizational skill.
Giovanni: Yeah. it’s a great question. I think the broad answer is yes and there’s some nuance to it. I’d love to do a little informal poll and if the audience can jump in the chat, tell us what your perspective is on this. And Desiree, we have a go Mean Green cheer from the chat, so people are jumping in. So yeah, I think it has gotten more important, partially along the lines that everything in compliance and ethics has gotten more important. So, you can apply that broad brushstroke of, you know, employees are putting up with less, regulators are enforcing more, organizations are getting larger and more complex on average and things like that. So, I think all of that makes everything we do in ethics and compliance more important. But in addition to that, I think specifically within policy management, the world has just gotten a bit more complex.
There are more chance for people to interact or mess something up or kind of touch something farther away from them and I think because of that, we need to be able to manage that complexity as well as, you know, I think that another force that’s in effect here is we’re more and more becoming a knowledge economy and an information economy and that necessarily has complexities in it of, to a certain extent, someone sending emails all over the world and signing contracts with people in different states and different countries and stuff are gonna necessarily be taking on more risks or have more of an opportunity to do the wrong thing than, say, someone sitting on a shop floor, you know, milling some metal.
So, I think regardless of what industry you’re in, it’s more important but just the interconnectedness of us as a society and an economy, I think necessitates us getting a better handle on this which…final point to what we were talking about earlier, it doesn’t necessarily mean that you need to script out so many more actions and tell everybody what to do, it just means that doing this right and getting that balance is I think more important than ever.
Matt: Yeah. Okay. Gwen, what do you think? And then Desiree.
Gwen: Yeah. I’d add to that too. And I agree with everything that Gio said, but also as another layer of complexity is the regulatory environment right now that we’re in, which is, there’s just been, in my perception, over especially the last decade, an explosion of new regulations that companies are supposed to be complying with, right. There’s, you know, all of the human trafficking regulations that have come out, the new ESG and kind of transparency and third-party diligence requirements. Vigorous enforcement of FCPA which makes all of the kind of anti-corruption and gift-giving and all of those types of risks elevate in complexity and in severity because the enforcement risk has also gotten higher.
So, I think that that environment, regulatory and legislative environment is tied very closely to policy management complexity, right, because they go together. If you’ve got more of an enforcement risk, you’ve got a higher risk you need to address, which means you need more or different or deeper or broader or more finely tuned policies. And they all tie together for me.
Giovanni: Yeah.
Matt: And then Desiree, what do you think?
Desiree: I echo both what Gwen and Gio said. What I will also add to that is that we’re a more informed society. People are informed and they challenge more because they have more information. And I think for us as organizations and policy managers, what we have to do is be able to give guardrails and information, the information that we expect of the collective, because people are not gonna just, “Oh, this is the policy?” Because we all know people say, “Well, what does the policy say?” Or they challenge it or the policy doesn’t quite say that, right.
So, we have to also understand that the society changes, people…when I started in compliance, the internet was not as robust as it is right now and people have more access to information. So, we have to help with guiding that through the policies for the organization and for us as compliance officers.
Giovanni: Love that perspective, that perspective about the information that we have, how informed we are. It kind of lines up with this democratization of society and business where it was 2002 when Thomas Friedman came out, “The World Is Flat”, it keeps getting pounded flatter and flatter because more people are informed and more people have questions and people can do more and your tweet can get heard around the world and all that stuff. And that necessarily means that we need more people in the organization, not just the execs need to know what the policy is. Everyone on the front lines could have a bigger impact and risk than they might have been able to have 10 years ago.
Desiree: Right.
Gwen: And I think you can also tie into that to the pandemic effect and/or the social justice movement effect because they overlap, right. So now you’ve got people who are like many…well, me. I’m in my home and I’m working from here and that gives people a new perspective on how different issues impact them personally, which they bring with them when they bring their whole person to work. And that has a dramatic effect on policy as well.
Matt: Yeah. I should say we have some comments popping into the chat box there, which is awesome. And if you are listening, feel free to keep popping those questions and comments in. We’ll try to weave those in throughout the hour as we can, but we are going to try also to set aside probably the last 10 or 15 minutes to go through any other questions listeners have, but if you have them, submit them and we will do our best to keep a running tab on what’s going on, but I’d really like to see that.
I wanted to talk a bit about the compliance officers’ good diplomatic relations with the first line. Because I think, Gwen, you kinda touched on a good point there that it’s not the compliance officer’s job to draft every policy under the sun, but to, I guess, maybe coach the first line that here’s what you can develop yourself or, you know, we should have a policy about policies or something like that. But there’s, I guess a balance that has to be struck between what the operating units can do for themselves and how much you wanna peer over their shoulder that they’re doing it well. Gwen, let me ask you first and then Desiree, what should that oversight be or what’s the good working relationship there so that you’re not over-policying other people, you’re not weeding into somebody else’s business, but there’s still order? How does that work?
Gwen: So, I’m a fan of a sandwich approach, a top-down, bottom-up, right. So, at the compliance officer level and with your team, there should be a number of policies, as small a number as possible, I would argue, that link directly into your code of conduct or code…I love, Desiree, the code of culture concept. I think that’s fantastic. I’m stealing that. But if you can issue a few high-level policies, the last position I had, we had 12.
We had 12 global compliance policies and then we looked to the front line, the people that are actually in the operating business and are arguably creating risk to develop the rest because they will vary based on location, based on function, based on the type of role that they have within their function.
And so, I think if you…and I know this is kind of a term that’s bandied about with a lot of joking in mind, but a policy on policies I think is actually a good idea, which is you need to instruct your front line, “Hey, here’s what a policy looks like. Here’s our standard format, here’s the things you should have. And if you wanna pass a new policy, here’s how you should go about getting that reviewed and approved.” And the structure that I’ve used most often is if you’ve got a business level where you’ve got a corporation with multiple businesses or regional, or if you’ve got, you know, function level control, somebody within that business unit should be responsible for owning the policy and they should be the policy owner and be responsible for reviewing it and approving it and making sure that the right people see it before it’s adopted. And it should be, you know, provided at least on an information basis then to the compliance office so they can track it and add it into a system and make sure that it’s updated and audited and reviewed. But I think a good solution is both of those things. It’s top-down and it’s bottom-up.
Matt: Okay. Desiree, give me your thoughts. And also, I just wanted to see if you could give us some extra analysis. Gwen gave some really good best practices and a lot of should. I’m curious, you know, where have you ever seen the best practices break down or are there obstacles that have to be overcome. But what do you think, Desiree?
Desiree: So, I unfortunately stepped into an organization that had 415 policies.
Gwen: Wow.
Desiree: So, you can just imagine walking in and people asking me, “What is X policy?” And I have no idea where to start because at the time, we just didn’t have even a good search system. But when we started the journey to reduce the policies about two years ago, obviously the first thing was we’re reducing policies. So at least that’s what people hear, right. And so, the first thing is what are you taking away from me. A, I’m new coming in, just imagine. And I’m now telling these business units who have operated with their own set of policies, because that’s why it got to 415. People created their own policies for their own divisions and nobody talked to each other about what’s best for the institution itself.
So, walking in and people hear we’re reducing policies, the first reaction was, “Well, what are you taking away from me?” So, what had to happen at the beginning for us was really talking about why this was in the best interest of the institution and the best interest of them as a department to run their operations more efficiently. So, it was really a lot of education and conversation and a lot of face-to-face about here’s what the benefit is. Here’s why this is best for the Health Science Center. Here’s how we’ll operate more efficiently, save ourselves a lot of time and finance. And so, for us, I think it was really a lot of time making sure people knew what their vested interest was in the whole policy process, understanding what was expected of them, having some documentation and guidance.
So, we created…you know, I’m a fan of the policy on policies. I don’t know if fan is the right word, but I think it’s very cool. We also created just a guidebook on how to write a policy, what’s the difference between policy and procedure, because that was a big one. People didn’t know… the growth of policies and the length of the policy. So, a lot of time was invested in ensuring that everyone knew their stake in the process and what it also helped us do was once we kind of explained what the process was going to be, a lot of people decided, “Maybe I’m not the subject matter expert, or maybe I shouldn’t be the policy owner on this one.” So, it also gave us some guidance on where these things belong because people owned policies that didn’t necessarily belong to them. People had expansion of policies so it was just a great…for me, from an educational standpoint and providing guidance and also just getting people involved in the process was helpful in how we kind of, “Hey, we don’t need all 400 of these policies.”
Matt: You know, Desiree, maybe if I could just stick with you for a moment, and if you could tell us a bit more about how you got to the end stage, because I had some notes about what might sound like the more arcane parts of policy management. Like, you’re gonna have to take an inventory of them to find out, “Okay, you have 415.” Or you might find, “Well, we have eight different policies about travel and entertainment that all say the same thing.” And, you know, mapping out where policies overlap or contradict. And I assume that some of that mechanical stuff has to be done at some point. How did that work at UNT or did you go through those kinda steps or what did you go through?
Desiree: We did. I mean, obviously first it was just finding how to download and dump. What are the names of the policies? Where are they? What’s even the nomenclature of the policy process? And then looking at them, first even just looking at the names and going, “Why does this policy sound exactly like this one?” And then digging a little deeper and then going to the people who we thought, at the time, owned it and saying, “Okay, what’s going on with this?” So, we also had some external help, so I’ll just be transparent. We had some external help because the office can only do with so much. We have compliance work to do day-to-day, but we had to go through a whole process of just knowing what is it that we had, what was required for us from a state standpoint.
We’re also part of a system. So, we also had to look at the system regulations and the Board of Regents tools. So, what are all the things that we need, all the components and parts? So, we had to go through that process first of figuring out what are all the components and parts. What are the have tos? What are the, “Oh, this was nice to have.” And also asking the question why did you create this “policy” or procedure that you had in the first place. And coming to find out, it was really people who did not want to manage so to speak, meaning instead of being a manager and saying to your employee that this behavior’s not acceptable, right, this is…you know, more for performance, more than anything else. Instead of being able to have that conversation, instead, what they did was create a policy to say, “Well, the policy says you have to do this.” When really what we found is if the person had just had that performance conversation with whoever the bad behavior was with, we wouldn’t need the policy or the policy that was in place would have worked. So, you created a sub-policy to avoid a performance conversation. So that was a little difficult to weed through.
Giovanni: Which I bet is so common and it leads to such messes and I think it’s great as we think about this. I mean, it’s part of that thing of the policy about policy. It’s some approach to this, right. How much do we script all of this out? How much do we wanna centralize at our central set of policies or empower to a division or director or manager to set their own policies? Or this shouldn’t be a policy, this should be part of culture. This is how we do things here. Maybe you have to do a monthly report, it shouldn’t be a policy, it’s just something that you do.
And you know, having this tiering of policies…maybe your code of conduct and your values and your culture are an umbrella over everything, you have some policies, you have some procedures and SOPs, and then there’s a bunch of other things that people need to do that maybe doesn’t rise to the global, full company, risk management. We’re gonna define this for everybody. But I find so much that, like, in a lot of companies that haven’t taken this comprehensive approach to it, it ends up being driven by personalities of this person wants to document everything and they make everyone sign off on this and this person, you know, shreds, all the policies and stuff like that.
I think that as we, as compliance and ethics professionals, get our arms more and more around this, and it’s never gonna be perfect and you gotta start with where you are, but as you do this, you can clean a lot of that confusion out of the way, get clarity so that your policies are managing the things that you care about and ultimately delegate what you need to to the front lines and let some of it be culture and some of it be management and some of it be SOP and the essential things that you want to be in the policy.
Gwen: Gio…
Desiree: I’ll give you an example. Sorry, Gwen.
Gwen: It’s okay.
Desiree: I’ll give you an example, the silliest policy when I got here was how to share refrigerator space because people just didn’t like…you know, the refrigerator and people were putting their lunch and one was putting too much and there was a policy on how everyone should be thoughtful about using the refrigerator. And it was the most silliest policy I’ve ever seen in my career, but there was a policy on it. And part of it may have been because we’re a research institution as well and, you know, making sure that the lab stuff wasn’t in the refrigerator. I don’t know, but it was just really how to utilize as a good team member, how to be fair in how we use the refrigerator for lunch. So, it was just kinda…
Giovanni: There could be a lot of risk if there’s too much mold growing in there. There might be a lot of risk in the refrigerator.
Gwen: There could be some kind of an outbreak. Yeah. I’ll add one to you, Desiree, which is in my…and I won’t identify which company, I’ve worked for multiple, but I had a situation where…and it ties in, Gio, to your kind of cult of personality reference because there was a local office, foreign country that, when we did a full inventory, had a policy specifically about how many times a year you could give alcohol to government officials. And it was written down with all kinds of details about the store that you should buy it from and the amount that you should…and I was just horrified because…but they thought they were doing a great job because they were being very clear locally with what was allowable without regard for the fact and no understanding that it was an FCPA issue. So, you can find some fascinating things when you do a policy inventory. For sure.
Giovanni: Yeah.
Matt: Let me ask this question. I originally had said shouldn’t policies be tied as clearly as possible back to the company’s core values, its ethical priorities, its code of conduct. And in the margins, I wrote, I know that sounds kinda corny. But the more I think about it, the more I realize whether it might be corny or not, that’s actually really essential because it helps the compliance officer not to over-manage the policy creation process. And you know, it kinda gets to maybe Desiree’s point. Like, why are we doing this? Why did this policy come from wherever? And I don’t think refrigerator space ties back to anybody’s code. Maybe, I don’t know. But it can be a mechanism to first demonstrate the company’s commitment to its ethical culture. But more than that, it’s a good approach or a strategy a compliance officer could use to tell the business, “Look, you have a lot of freedom, but your policy’s gotta be in this sort of way and connect back to the culture in this way.” So at least they’re close to the ballpark, even if they’re not 100% on. Am I right in thinking of that? Gwen, what do you think about what I just said there?
Gwen: Yeah, I agree. I think you have to be very careful too, about the difference between what is a compliance policy and what is, to Desiree’s point, a procedure or a process. I’ve experienced before in a few places, this scope creep problem, which is, “Oh, accounting has a specific policy about how we will process close every month for the financials and that’s a policy and so it should belong to compliance.” “No. No, no, no,” is my response. No. That’s a procedure that relates to finance and great for creating that, but the ones that compliance is responsible for are the ones that tie to that code of culture or code of conduct.
And I think the same…I mean, you can extrapolate this to helpline issues as well, because there’s a lot of push to have compliance own everything that comes into the helpline. But if, you know, 60% to 70% of what’s coming in actually relates to my coworker is chewing too loudly next to me, is that really a code of conduct issue? So, I think you’re right. I ascribe to the same philosophy that policies should be based in code and should be springing from the values that are supposed to support that code. For sure.
Giovanni: Yeah, because it’s not just the discussion about should anybody in the business specify this action. Not all of those things should be compliance policies. There are plenty of good finance SOPs that should be written down somewhere but that is not necessarily a compliance policy. And Matt, I think that’s a good kinda forcing function of, like, is this in or out of compliance and ethics purview. Well, if it’s not really tied to the code of conduct and your values and risk, then you should at least be asking, “Okay, maybe I should push this down or we don’t call it a policy. It’s a procedure or something like that.” Because at the end of the day, we need to have a handle on the things that are given to us and if we let too much of that be pushed to us, then we’re just gonna get buried and not look at the more important risks to manage.
Desiree: And I definitely agree. It definitely has to be tied to your values and a code of culture. I think the balance with that is something we call here…what we call the value slap. So, to Gwen’s point, someone was chewing gum too hard or someone didn’t tell me good morning, there’s a balance that goes with that, but because you tie things to your values and code of culture, people tend to…some of the things that…again, I go back to some common-sense things and some courtesy things. They take that as, “Well, that’s a violation of our code of culture, that’s a violation of our values.”
And then they believe it becomes a HR misconduct issue or a compliance issue when it really is about the expectation of the values, not necessarily a violation of policy. But there’s that middle between here’s an employee misconduct issue, here’s a policy violation, but that middle conversation of, “Okay, these are not the behaviors and the values that the organization prescribes to.” What’s that conversation look like? Because it’s not the extreme on each side, which is, you know, an HR performance issue or a violation or terminable offense. But some people would believe not saying good morning, maybe. And so just being very careful with the balance of having that conversation around values in code of conduct and what really constitutes the other ends of the spectrum so that people understand that while these are closely related, understanding the difference of what values we want in the organization versus what’s a violation.
Matt: I think that’s an excellent point, Desiree, because I’ve seen plenty of companies where the same unwanted incident happens three times and a manager somewhere says, “You know what? We’re gonna put in a policy and end this now.” And that’s how you get to 415 policies because they don’t have this break to say, “Well, wait a minute. Is a policy the right response or do we sit down and engage a bit more?” But I don’t know. Maybe if you had any thoughts about that…that’s where policy creep or policy proliferation, that’s where it comes from.
Gwen: I would say, I think that to your point, to Desiree’s point, a policy can be the lazy manager’s best friend, right, which is they want to be able to legislate from on high and kind of…I saw somebody mention in the comments from the ivory tower perspective, right. I’m up here with my crown on, and I am dictating to those of you who are below me that you shall use the refrigerator appropriately, as opposed to having an open door and sitting down and talking with your team and saying, “Hey guys, we’re all working together here. Let’s show some respect. Please do this.” And I think that’s a real important tension within an organization and especially a really large organization, because back to Gio’s point, you can get that kind of personality driven policy development, right.
Somebody who is either super attentive to detail and wants to cover every possibility and is very conflict-averse and doesn’t wanna have face-to-face conversations so they issue 50 policies for their office. And on the flipside, you can have somebody who’s, “I don’t wanna write any of that down. We don’t need a policy for that. We all know what we’re doing. We’re good friends here.” And neither extreme is good from a risk standpoint, right. You want a middle ground place where you’ve got someone who’s willing to have those tough conversations and doesn’t have to develop a policy for everything but at the same time, somebody who’s not adverse to putting in place policies that really would help reduce risk.
Desiree: Sorry. I think that goes back to what we said earlier about the culture, because I think definitely to Gwen’s point, having an open door where people are able to have conversations and it doesn’t have to be a policy, but the culture has to be set up for that to happen so that the policies don’t become a problem because the conversations are there but the culture has to be able…it has to be set up for you to be able to have that interaction with your employees, anyone else. Anyone else, you know, any team member that you have that accountability conversation, the culture has to be set up for that to be possible. So therefore, the policies don’t become as this overarching kinda…as you said Gwen, the on high because people are seen as people and they can talk to each other and the policy doesn’t necessarily have to be the forefront of the conversation.
Giovanni: Yeah. And that culture and that personality of your organization is gonna come into how you manage policies, right. So, we can talk about a bunch of best practices of how you should save a policy and how you should archive the old policy and how you should have people attest to them on a yearly basis or when they get updated. There are a bunch of the what you need to do that we can build best policies around, but kinda the why and the how end up being a function of your organization, right. Netflix pretty famously had these no rules, rules of just kinda do the right thing and we trust you. And that worked pretty well for them. They grew a lot and made a lot of shows and videos and stuff.
A lot of other organizations are like, “That’s way too loose. Someone could mess something up and we get a million-dollar fine so we gotta have some very specific policies.” Some of that is gonna be driven by your industry, the scale of your organization, the complexity of things you work on. But also, some of it is gonna be driven by the culture and personality of the people in leadership, the people running your ENC team, or just kind of your culture at large. So, some of that of, like, you know, do I wanna have a 400-page policy or a 2-paragraph policy, is gonna be some discretion that you and your leadership or your team are gonna decide on. So, there’s a lot of leeway to kind of figure out how deep you wanna go based on your culture and your personal or team personality. And then when you execute that, then there are a bunch of best practices of how you actually put that into practice and make sure they’re adhered to and you audit them and all of that stuff.
Matt: Let me ask a question here, because we have a couple of questions that have come in on the chat about more, like, the mechanics of what should be in a policy, such as what sort of language should we use. How do we make sure it’s not legalese? What grade level of reading should it be? And some people have said it should be 5th grade or 8th grade or 10th grade.
Gwen: Third, third grade.
Matt: Somebody else is asking how long should the policy be, one or two pages. My big thing with policies is always, should you include an exception request procedure within the policy where that’s appropriate. What would you all think about that? And Gwen, I’ll start with you and then Desiree, but kinda those mechanics of what should the policy actually look like with the words and things like that. What do you advise?
Gwen: I am a fan of short policies. I mean, if it’s more than a couple of pages, I think you have a problem. Because first of all, no one’s gonna read it. Second of all, the people that are going to read it are going to read it with a view towards figuring out a loophole for it, right. The ones who pay the most attention to your policies are probably the ones who are trying to figure out a way to violate it. So, I think a broader, higher level, very easy language. And I have used before the idea of a third-grade reading level type of language is to me the ideal policy content with a couple of important caveats. Number one, I think it’s really important within your policy that you delineate who this applies to in what situations. Because if you’re passing policies that are global, this applies to every person everywhere, always, then you’re creating a situation where you’re gonna need policy exceptions and I am not a fan of those. I think a well drafted policy should never need an exception. Fight me, fight me on this.
Giovanni: What? Oh.
Gwen: Let’s go.
Giovanni: There’s a challenge for you.
Gwen: Yep. Let’s go.
Giovanni: Cool.
Gwen: Because I think if you have a policy that requires exception and an exception process, it means that it’s too narrowly drafted and that you are making it too detailed to apply to appropriate situations. I think a good policy…for example, I’ll toss out an example. Let’s say you’ve got an entertainment policy, when you can and cannot entertain third parties. If you go through and you apply a list that says, “Here are the following 25 situations when it’s okay to entertain someone.” And somebody comes up with situation 26, then they have to come to you for an exception, as opposed to a policy that says, “Here are the things that are true about entertainment that’s okay with us. It is valued below this. It has been approved by this level of a person. It is not to a government official.” And you provide just those three sign posts, then if they’re following those three sign posts, you never need an exception. So, I know I’ve rambled on a bit, but those are my thoughts.
Matt: Desiree, what do you think?
Desiree: I mean, I agree with Gwen. I don’t think there’s any reason for exceptions in a policy. And I think that’s where the confusion between policy and a procedure comes in because there’s not necessarily an exception. It’s just as here is step one, step two, step three to step four, and if you follow these, this is where it should be. There’s distinct things that you want to be followed in a policy. Procedure just tells you how to go about them. And there may be differences in how to do that but exceptions in a policy just says that, to Gwen’s point, it’s just not well written for people to understand what is expected of them.
I am definitely a fan of a short policy. We hear no more than four pages if not two, if possible. We do have some that are much more extensive than that, but I’m kinda picking my battles as we went through the transformation, which is…they come back to you because this is not ever going to be something someone can adhere to because I’m the compliance person and I can tell you I’m having a hard time reading these 18 pages as I go back and as much as we try to do education and give education on procedure versus policy versus process, some people…it’s a hard concept to grasp. And as I talked about earlier, what are you taking away from me? That mindset. We kind of pick our battles with some. I mean, there’s enough now for people to be able to adhere to, but I still think as we continue to review our policies, we wanna be able to make them in a way that yes, I can get through this and understand it within, you know, the first 10 lines or whatever. But I definitely agree with the exception piece should never be a part of the policy.
Giovanni: Yeah. I love that kind of…oh, go ahead.
Gwen: I’m gonna toss in, sorry, Gio, one more thing.
Giovanni: Yeah.
Gwen: As you’re designing those policies and trying to keep them short and in simple language without legalese, I think it’s really important too to remember diversity as you’re doing that because you’ve got people who learn different ways with different perspectives, different primary languages. So, I’m a big fan of a short policy with then tools that you can use to understand the policy, a decision tree, a process map, a visual map that shows, “Hey, here’s a Venn diagram that shows the universe of this policy and who it applies to. So, make sure that when you’re looking at diversity, you’re looking at diversity of learning styles, reading abilities, comprehension levels. So, you’re adding tools to understand the policy and not relying solely on words on white paper.
Giovanni: Yeah. Because I mean, ultimately there’s some Nirvana, right, there’s some ideal that we wanna push toward across all the policies in our whole organization that, you know, maybe in short is that…one way that we would evaluate that is no one ever has to ask for an exception to this. But to what Desiree was saying, we gotta pick our battles, right. This is not all gonna get fixed in the next month. So, you gotta kind of take a pass at it and clean up the most egregious errors, you know, take the 45-page one and try to boil it down to 15 pages. And then maybe next year we can kind of take another pass at it and people are gonna adjust to it. Because at the end of the day, you know, maybe if your policies were just written by general counsel, they would be super long and very detailed. And if they were just written by front line managers, they would be like, “Well, I’ll figure it out. Just let me do whatever I want.” And we have to kinda bridge that and we have to be the voice of reason and the ones who integrate risk considerations and detail and regulations, and ultimately what is going to influence people’s behavior because ultimately, what we wanna get to is compliance, is culture.
Culture is people’s behavior and we wanna be able to influence people’s behavior to reduce the amount of risk that we have to manage and defend against and look out for and improve the ethical stance of our companies. That’s always gonna be a dance and it’s always gonna be a balance. And we have to kind of, you know, pick our battles and make it a little bit better and then take another pass next year and kind of get it closer to that ideal. If you’re doing a sweep or writing a new policy, then hopefully you can implement it with those best practices and those ideals. And until then we gotta, you know, kind of do a Pareto process and do the 80-20 rule of, like, well, which actions that I can spend on this process are gonna give me the best lift in understandability and applicability. And I love the idea of adding that process map and stuff like that. And you gotta kinda take a step forward and then, you know, take another shot at it the next quarter, the next year.
Matt: So, I just wanna give an observation from one of the listeners here who were talking about how long the policy should be. They say that we have the policy, which I guess is on the shorter side, and then they give the employee the option of having an accompanying document that they have dubbed the policy in practice which has more information, it has some FAQs, examples and whatnot. And if you want that more information in practice, you, the employee, you can go and you can investigate it that way. And that’s all housed in one policy center. So that’s how one listener is trying to approach this.
We have another question I’d like to put to Desiree and to Gwen. How would you recommend pushing policies out to employees aside from the annual attestation or the onboarding where they sign it and then two months later, they’ve forgotten everything they’ve learned, but how do you manage the outbound communication policies to make sure that it’s sticking? Gwen, what would you say? And then Desiree, what do you think?
Gwen: I think there’s a…and another listener tied this in earlier, the importance of training and its connection to policy can’t be understated. Because you can issue a policy as often as you want, but if people don’t know it’s out there and they don’t understand how it applies, then it’s not gonna be very helpful. I’m a proponent of taking a policy and breaking it down to look at who it applies to and how, and then customizing your communication for that group. So, let’s say you’ve got a broad anti-corruption policy and it’s two pages long. It’s going to apply differently to someone who’s working on a line manufacturing something than it is to somebody who’s in sales. So, if it’s a new policy, I would take the approach of an audience that is only sales and craft a short email and say, “Hey, we’ve got a new policy. Here’s how it impacts your daily work. Number one, when you’re entertaining people, you can’t do this. Number two, make sure you’re doing diligence on the outside third parties, here’s a link to our diligence system. Number three.” And I would send that to them.
Separately, if I’ve got a group that is working in manufacturing, I might send them an update that says, “Hey, we’ve got a new anti-corruption policy. We don’t expect that this is gonna impact your daily work very much, but to the extent you ever have to get a permit for manufacturing of any kind and you’re dealing with a government official, please make sure that you are aware of this policy and here’s where you can ask for more information.” So, I’m a fan of customizing your communication based on the applicability of the policy, with the exception of those very few super broad policies that apply to everyone like anti-discrimination or, you know, fair treatment of people, respect in the workplace. Those would apply to everyone, but otherwise, narrow focus, narrow communication.
Matt: Desiree, what are your thoughts about communicating and pushing it out in an effective way?
Desiree: Sure. Part of our approval process is before…because before I send it to the president, because he approves the policies as the final approver, just because the state regulation says we have to do that. I’m sure he wouldn’t mind not doing it, but part of the approval process is asking the subject matter specialist or the policy owner, what is your communication plan. So, before it gets approved, we have to have a solid…we do have a form that we use. We have to have a solid plan from the owner or from the subject matter specialist. What is your communication plan? So, asking questions…to Gwen’s point, who’s your audience? What is it that you’re going to communicate? How are you gonna communicate that? Because we don’t want to have a policy approved, it gets uploaded into the repository and it sits there and nobody knows why, who’s it for, what is it supposed to do. Is it even there? I didn’t even know.
So, we add that to it. And part of that includes, there may be some training. So, for example, today we’re doing one on sexual harassment and Title Nine because the policy just was recently updated and a lot of people are confused about what’s Title Nine, what’s Title Seven, what’s sexual harassment. They don’t know. So, the decision when we talked to our Title Nine coordinator was what’s your communication plan. And his decision was, “I’m gonna have a face-to-face session webinar today. Then we’re gonna roll it out as a part of a policy, but to Gwen’s point earlier about differentiated learning, that’s also the purpose of this.
But the biggest proponent for us is we have to know before the approval is done what is the communication plan from the policy owner about what is this you expect to do with this policy. And some are very simple. It’s just like, nothing needs to be done. It’s an overarching policy. It’ll be there if we ever need it. But some have to be more detailed because it’s so complicated that it’s gonna be difficult just to say attest to this policy and expect that people understand what they just read.
Matt: Yeah. I wanna try and sneak in one more question here before the end of the hour.
Giovanni: Matt, can I just jump in quickly? We talked about you gotta write the policy, you gotta train people on it, you gotta interpret it. I think one of the great ways to make effective policies is to try to contextualize it. Where is somebody going to be doing something where they should keep this in mind? For example, we do conflict of interest attestation. When someone’s doing that, they should be able to look at the policy, reference it and, you know, get some insight to it and maybe even attest to that policy in the middle. The more you can kind of split this out and say, “Okay, well, when someone’s submitting their expenses, they should be able to look this up against this and evaluate it.” The more you can contextualize that, then you’re not relying on when someone got trained 3 or 12 months ago, but it’s kind of in front of them and kind of you can try to keep it fresh.
Matt: A couple of people have written in asking or giving this scenario. This really happens, that they’ll have a policy that they develop and they’ll turn around to the business unit and say, “Here’s the policy.” And the business unit will say, “Well, I don’t want it. I refuse policy because if I have this policy in place, I could be audited against my following through that policy and I want flexibility.” And somebody else said, “You know who reads policies very closely, is auditors and they’ll have a lot of questions.” And that’s a good point. So, I don’t know if either Gwen or Desiree, if you have any advice for that kinda scenario. I didn’t know that that would be a thing, but I mean, maybe it is. Gwen and then Desiree, what do you think?
Gwen: I’ve seen that happen before. It’s not out of the realm of ordinary. I will say part of the reason for the bottom-up approach is to cut some of that off, right, which is you shouldn’t have people who are not operators of the business imposing rules on people who are. Unless you are sitting in that person’s seat and understand the impact the policy has on how they do their jobs every day, it’s gonna be really tough to get them to buy in.
So, I think part of the solution is to make sure that that frontline is involved in the creation of that policy and they have the chance to provide input and to tell you, “Hey, that’s not gonna work.” Very quick example. I had a very well-meaning group create a policy on third-party due diligence. And they implemented kind of from on high, the requirement that if anyone was going to bring in a third-party, they had to conduct full due diligence on them before they could execute the contract and they sent out the policy and fantastic. The business came back and said, “Are you kidding me right now? Because if I wait to do due diligence right at contract execution, I will have spent six months prior to that working with this third-party trying to figure out what are the deal terms, what is the region, what is the opportunity from a market standpoint. Waiting until I’m about to sign a contract is way too late. If you want to do due diligence and tell me I can’t do business with this person, we should do that when I first come up with a list of candidates for potential third-party roles, not six months later.”
And if you don’t know that as the person who’s creating the policy, you’re creating one that will automatically be pushed back on. So, I can’t overstate, rather, the requirement that you get the business, that front line involved in creating the policy.
Matt: And Desiree, we only have about a minute or so here, but…
Desiree: I absolutely wholeheartedly agree with what Gwen said. There’s no way possible that the policies would have been able to do this process unless the stakeholder was involved. We had the vendor actually speak to the policy owners themselves. We didn’t get involved. We were only there in case someone was not following through, but it was very important that the policy owner spoke to the vendor who helped us with our policies because they needed to understand the business. I can’t explain that operation and that business to the vendor as they’re creating the policy, that person has to do it. So, it was really important that they be involved at that level so that we had the right policy for the operations of that business.
Matt: All right. So Gio, I’ll give you the last word in any wrap-up you wanna do, but Gwen Hassan and Desiree Ramirez, thank you very much and thank you, everybody, who’s also been listening. We have a ton of great questions and observations in the chat today as well. And this has been really productive and informative. Thank you very much. And Gio, I don’t know if you’ve got any closing remarks but the floor is yours.
Giovanni: Just a big thank you to Gwen and Desiree. This has been a true masterclass on the nuance and the thoughtfulness and how we can move our really entire organization together. We’re not just talking about policies, our policies inform so much of what we’re at risk of because auditors and regulators are gonna check it, what we want people to do and how much freedom we give them. This ends up impacting your culture a lot, like we’ve talked about, not just the things that you specify or things you have policies on, but how specific they get. So, Gwen and Matt and Desiree, I really appreciate you joining us today and just a big thank you and congratulations for a job well done to the crowd. We’ve had so much activity in the chat.
I know you all are teaching each other and bringing up questions and you know, if nothing else, hopefully you can see on there, “Okay, other people are dealing with this.” And please try to get in touch with each other, connect on LinkedIn and your peers around you in the compliance and ethics industry are a wealth of information whether you’re both trying to solve the problem now, or someone else has been down that path before. We can all learn from each other and do a better job at what we’re doing to hopefully be more on top of it, move our organization forward and together we will all make the world a better workplace. Thanks for joining us today, everybody.
Desiree: Thank you.
Matt: Thank you.
Gwen: Thank you.
Desiree: Thank you. Okay. Thanks, everyone. Bye-bye.
