Compliance Conversations: How do you determine if a policy is working and effective?

Posted by Craig Thornton

In this video series, Peter Rogers from Mango discusses how to determine if a policy is working and effective.

He discusses with compliance consultants, from around the world, whether policies are understood and be effective.

The consultants give us insights into some handy tips that your policies are clear and concise.

This is the final video in a series of 4 compliance conversations about policies.

The question we answer in this conversation is "How do you determine if a policy is working and effective?"

Check out the video here:

 

How do you determine if a policy is working and effective?

 
Andrew, IRM Systems, Australia

I would start with the leadership level.

A policy that's not effective is one that just sits on the wall and there’s been obvious evidence of changes in the business and the operational processes. Perhaps changing some of the stakeholder or legal requirements, and three or four years down the track, the policy is gathering dust and has never been reviewed.

So, I would start at the top:

Is the policy actively looked at?

Not just, tick it off in a management review, but to understand its importance as a guiding document for our business, here's what we're aiming for.

If we take it in that context, then we should be revising it regularly asking ‘Is it still what we're aiming for?’ not just what we put together for an audit 4 or 5 years ago.

I see lots of organisations, not really understanding the importance of the policy, its setting your direction, it is both internally and externally, a commitment of what we're aiming for so hence, it should be revised actively.

That's the best technique to make sure it's current and effective within an organisation.

 Sean, Kaizen Consulting, New Zealand

You really need to turn each one of those policy statements into objectives and have KPIs against them to see whether they're effective and the monitoring of them is quite important for the management team.

Taking an example of quality policy:

    1. You have a statement on customer satisfaction
    2. Then you need to turn that to a quality objective to recording of customer complaints, reporting of customer positive feedbacks,
    3. Then in a lower level, you have objectives on closure of customer complaint investigations within X number of days, and so on.
    4. You need to have that flow on, that traceability of:
      • How do we contribute to that one statement?
      • What does that statement mean for us?
      • How do we turn that into a KPI across our operation?
Michael, Momentum Safety and Ergonomics, Australia

A good policy should have some sort of objectives and broad measurements like targets built into it.

It does depend a bit on the policy, you can use some of those targets sometimes to measure. But if you don't have a nice convenient number, or a nice convenient target built in, then you need to design your internal audit systems to reflect policy objectives.

Build good questions around your auditing to make sure that you can determine whether the policy is effective.

Jodie, Penarth Management, United Kingdom

This is where the internal audit process comes into its own, because you will probably go and scrutinise the evidence, and you'll look for fact-based information.

Chris, FQM, United Kingdom

In terms of effectiveness, I think first and foremost, you must consider your audience.

An organisation that puts a policy in place simply just for the organisation, its probably not going to be a very effective policy.

In my opinion, it's important that you understand your audience, you understand the level and expectations of them, and you gain feedback from them, if they believe the policy is working, if they believe it's doing its part.

Of course, there is a level of effectiveness through an audit process as well, that lets you see if the policy goes into specific details, then, of course, it's quite clear that you can observe and monitor and see how effective it is.

But one of my pet hates is a policy document that's put in place and never changes, and often, one of the things is, it's there, not for the company, not for the employees. It's there, because an external auditor expects to see it there.

The documentation should be more about:

    • What the company needs from it
    • What's expected from the company.

To verify the effectiveness of it, I would say that with any documentation in a company, it's got to play a purpose.

It's got to play a part, it's got to be effective in what it does, and therefore you've got to monitor and measure its effectiveness in some way, whether that be an observation, an audit and feedback.

That should gauge and allow you to identify - is this working?

Nicholas, SRM, South Africa

One of my key issues, and I have to say this is one of my biggest bugbears with policies, is that it’s such an essential document in gaining trust.

One of the big things that I focus on in organisations is the organisational culture.

The biggest way for leadership to erode that level of trust is to develop a policy that claims that we're going to bring about world peace and nuclear disarmament. Everything is basically incorporated into this policy, or they make all these commitments. Then, when guys go out onto the site, what the policy leadership committed to and what's actually evident on the site, are worlds apart.

I feel that a lot of policies are not effective because guys make these grandiose statements about what they're going to achieve, but when you go out onto the site, it looks like a warzone. I think that, for me, is one of the biggest concerns around policies not being effective.

If the CEO puts his signature on a document, it erodes a significant level of trust, because this is a document that we talk to workers about constantly, ‘it's in the policy’ or ‘check the policies on the notice board’, and we make all these commitments, and the CEO signs off on it. But when you go to the site, they're worlds apart, and that, to me, is the greatest erosion of trust and where policies are not effective, separate worlds from policy and what's actually in life.

Another way of determining whether a policy is effective or whether it's working, and again I go back to the ISO 45001 standard, one of the great requirements in there is, they’re always speaking about the intended outcomes of the management system.

They say, if you do this, you're going to achieve the intended outcomes of the management system. Specifically, in ISO 45001, it’s that you're improving your performance, you're achieving compliance, you're setting objectives, you're preventing injury. those in my mind are the paradigms that you want to compare the policy against.

if we're having massive amounts of incidents, and we're not complying, and our performance is not there, then we're not achieving the intended outcomes, and to a greater or lesser extent, a lot of the commitments that we make within the policy are the intended outcomes of the management system. So, we're going to prevent pollution and environmental degradation and prevent food safety incidents, etc, is that if we're achieving the performance, the intended outcomes of the management system, those align with the commitments that we made.

And if we're not achieving the intended outcomes, then the policy commitments are worthless.

Gary, QSM, Australia

Well, the only way of determining that, is to look at the outcomes of your system, whatever that looks like, against the policy requirements. That requires the ongoing monitoring, review of the outcomes and performance against the policy requirements and that should involve a wide group of stakeholders at all levels within the business.

Time and time again, you see policy statements that give a commitment to the communication and encouraging the participation of people within the business in their quality system or their safety system, but the people at the lower levels in the business have never been involved in determining or giving their input as to whether they actually feel involved and engaged.

It’s something that may be looked at the management review meeting, for example, the top management of the business sitting around a table, its one of their agenda items and looking at are we working towards growing our efforts aligned with the policy statements? And they'll all say, ‘Oh, yeah, we're making good progress there.’

But in fact, don't involve the people that are actually impacted on elements of that policy to determine that properly, because quite often, that can be enlightening for top management, where they think they're actually doing something, but the actual feedback and input from people in the lower levels in the businesses is something else,

Richard, Quality Safety, United Kingdom

You're looking for some objectives out of that policy to create a result. You should be actually measuring somewhere along the line, the output of what the policy is driving. It's no good just having a policy without having some measurements behind it, so we're looking for some KPIs around the policy, whatever that might be.

In quality, its quite clearly driven by the objectives, which drive through to the KPIs and you measure. You have to be able to measure what the policy is saying at the top, otherwise, it's just words of wisdom and waffle that nobody can actually use effectively.

There has to be a continuous improvement, it has to be measurable, and then you can test its effectiveness and feed it back. If the policy is not working, you'll soon find out

Mark, Business Basics, Australia

To work out if it's effective, you need to go back and audit it.

You need to go and look at what is the principle that it's trying to convey?

You need to objectively look at what are the principles that the business is actually walking and talking on a day to day basis, and determine if they align.

If they don't align, you need to talk to the people involved in the business and the people that develop the policy and work out where that disconnect is and what needs to be re-established.

Taking the time to actually do that 360-degree review on yourself and find out whether you're doing what you're saying your doing, and whether that is clear enough throughout the business, is the most important way to understand what's happening.

 

Takeaways
  1. Policies should be comprehensively reviewed on a regular basis.
  2. Turn the policies into objectives and have KPI's against them.
  3. Design your internal audit to reflect policy objectives.
  4. Monitor, Review, Audit and repeat.

Tags: Quality Management, Compliance, Compliance Conversations