How to get these key compliance tools right!
Almost all organisations have policies governing aspects of their operations. Policies, and indeed procedures, are a key part of implementing regulatory compliance (as shown below in Step 2 of our Compliance Cycle Model). But preparation of policies and procedures can carry risks for the unsuspecting and turn this compliance necessity into a liability.
Policy or procedure?
Policies are generally documents intended to guide an organisation (including directors and personnel) in the day-to-day running of an organisation and/or decision-making.
Policies often include a high level statement of intention about how the organisation views a specific matter (such as a vision). They can be valuable in setting out key information, particularly at personnel and contractor induction, about minimum expectations of the organisation, such as applicable legal standards.
Procedures, meanwhile, are more prescriptive. They often set out specific processes for how decisions or day-to-day operations will be conducted.
Key risks and how to overcome them
There are five key risks to consider when writing and managing corporate policies and procedures:
- Prescriptive policy
If the policy is prescriptive in setting out standards or procedures that will be achieved by the organisation or its people, and deals with an aspect of employee behaviour, the policy may be found to have contractual force, even if it is not intended to do so.
It is therefore important to make sure that where a policy starts to look more like a procedure, special consideration is given to the legality of that procedure and practical consideration is given to whether the procedure or process is what the organisation does, or will, actually do in practice.
If the intention is for policies to create binding obligations on employees, consider whether it may be better to include conditions in an employment contract. Also consider whether or not it would be more helpful to develop a manual for your key management personnel to use (particularly in human resources) which could assist them by providing detailed procedures, rather than generic policies accessible to the whole organisation.
- Internal vs external policies
Distinguish between policies that will be used internally within the organisation and those developed for external use (eg for investors or customers to review).
Internal policies typically include policies on human resources and governance issues. By contrast, external policies will often set out the values of the organisation (eg on sustainability; confidentiality). However, some policies can fall within both categories, either deliberately or inadvertently (eg policies on anti-discrimination; ethics; and environment protection).
There are different risks associated with policies for internal and external use. Internally, a policy that is ignored could create legal liability for an organisation or, at the very least, look embarrassing. Externally, the accuracy of policies could also have significant reputational consequences if the policies are not adequate, accurate or simply not used.
- Ensuring your policy or procedure is fit for purpose
Is the policy or procedure fit for the purpose and the structure of the organisation? Policies that are too ambitious in their vision and standards ultimately expose the organisation to reputational risk or give employees and others an unfavourable view of the organisation’s compliance commitments.
It can often be better from a risk management perspective to articulate achievable standards, rather than those that have no likelihood of being implemented. Even if a policy does not have legal effect, it can be wise to ask: “do we need a policy at all?” Sometimes, it is better to avoid putting something in writing if there is the risk that it won’t be used or could be used incorrectly.
- Striking the right balance between too many and too few policies
Strike a balance between too many and too few policies, particularly when considering developing a policy that might mitigate a key area of risk for the organisation.
The development of policies is often organic. However, it is always advisable to periodically take stock of current organisational risks (using your organisation’s risk register if you have one) and ensure that necessary policies are in place.
For example, the laws on bullying and privacy have changed in the last year. If your organisation has not updated or created a policy dealing with these changes, you may be missing out on a key opportunity to manage legal risk. Ultimately, it is necessary to strike a balance between policy “overkill” and making sure the basics are in place.
- Ensuring policies and procedures are integrated into your compliance framework
Compliance is not about documents, it is about developing everyday processes for the organisation to follow. Once you have developed a suite of policies or procedures for your organisation, always ensure that they are integrated into your organisation’s compliance framework. There is little point in developing policies or procedures that will sit in a drawer getting dusty. Ensure that they are accessible, updated regularly, and that the organisation trains its employees (and contractors and volunteers as necessary) on the content.
Bottom line for EHS managers
- Undertake a self-check of your existing policies and procedures to ensure that they are up-to-date for your organisation’s current structure and legal obligations.
- Consider whether you are missing key policies that would help minimise risk to the organisation.
- Do your policies actually include procedures that could be binding on the organisation or be reputationally damaging if the procedure in the policy was not followed? If so, consider updating your documents to ensure that they minimise legal risk.
- Train your people in your policies and procedures.
- Seek legal advice on policies governing safety, environment and employment matters to ensure that they are legally accurate and appropriate.