When you create a policy you need to ensure that it reflects the vision, expectations and guidelines of your business. It needs to be clearly understood so that it can be met by your stakeholders. Writing a policy and communicating it is tricky. There are some potholes to navigate. You can make some simple mistakes.
Compliance Conversations is a new series where we chat with some industry experts about the pitfalls and advantages of compliance and provide you with insights into your compliance journey.
What is the point of a policy?
"The point of a policy is that it sets the scene for the whole management system. It's top management's saying that the management system is important and they are committed to it. This may be through the company improving quality, reducing incidents, protecting the environment or protecting their own data security".
Who is responsible for developing policies?
We often see companies that outsource policy writing to consultants, resulting in the manager not even knowing what is in there. We asked Michael about his experience with this.
"You're actually right. Oftentimes, it is not the manager or director who is writing the policy, but I feel it should be. It's a missed opportunity if they don't, as this is their chance to say where they want to go for the company.
More often, it's either written by the consultant, or it's pulled off the internet. I think a lot of times they will check it, to see whether it aligns with the visions, but there's a real opportunity missed if the director is not involved".
Who is responsible for signing policies?
Is it normally a senior manager or is it the compliance manager who signs the policy?
"It's normally the CEO or the General Manager of the organisation. But I have seen situations where the whole management team will sign the documents. It's always great to see a signed policy sitting up in the reception area - showing customers, contractors and employees their commitment".
How often should you review the policy?
Quite often you go into places and you can tell a review has never been done, because you just move the policy on the wall, and you can see that the wall is faded - it's been up there for a long period of time. So, what is a good practice for the review of a policy?
"I think it should be reviewed at least annually. I often recommend people to do this at the start of the year so everything's gone by. Let's look at what we're doing, set some objectives and make sure our policy still aligns with what we want to see happening with the company this year. I think annually is a good number, but at least every two or three years".
"It definitely needs to be done annually. Part of that should be in the annual review of your system. You're reviewing the system, what's at the top of the system? It's the policy - review it, re-date it and reconfirm it. Get more people in there".
How can people remember to review the policy?
We've seen on far too many occasions that, when arriving at an organisation and looking at the policy, the CEO who signed it has left the company. You need to be more proactive about this and have methods of reminders in place so that this gets reviewed appropriately and stays relevant. So how can you do this?
"Some organisations I've been to will dedicate a section within their management review meetings to looking at the policy. Whether this is monthly, bi-monthly or every 3 months, that's a really effective way of doing it.
I'm still a consultant for an organisation here in New Zealand, and we look at the policy every three months to see if it's still working for the organisation. Does it need updating? What new legislation has been introduced?"
"We audit the whole system, so why do we not audit the policy? That way we can pick up any changes or requirements in legislation that need to be met. So, I think it's a combination of setting a formal review, where if nothing has changed, you do it on an anniversary, but also considering the internal audit process".
What should be in a policy?
Let's look at the quality policy, for example. We know the standard says that you must have a commitment to quality, but what other things should be inside your policy?
"I think a policy needs to give more detail about what you're actually committing to, so that you can look at it and then start planning your key objectives.
Your policy should have some dot-points outlining what you're going to commit to in regards to product, customer service, investigating non-conformances. You can even put specific targets on these if you like".
"When I was a quality manager, I couldn't see the point in having objectives that sat in a procedure and a policy that wasn't client or employee facing.
I thought I'll just join the two together. A) it gets rid of a piece of paper making my system smaller. B) it means that when I had a statement in my policy, I had the objective and the KPI set with it displayed to me.
I would use the policy more to give broad objectives and then another document that sits beside that, that gives the detail for those objectives. But the objectives in the policy are the ones that form the rest of my planning for the year. I think a lot of owners don't like seeing their objectives that publicly".
"I've always gone with the three-legs-of-the-stool, which is quality, cost and delivery. Have a measure around quality of the product or the service. Have some sort of measure around the cost so that you're going to maybe reduce this over time. Then delivery - you're going to deliver things on time. I like to make it nice and simple, maybe three bullets around those three areas".
What shouldn't be in a policy?
On the flip side, what things shouldn't be in a policy?
"Lots of waffle and wordiness. Keep it clear, concise, direct and easy to read. You don't want the marketing team getting in and telling you about how great the company is in your policy - they can do that elsewhere. It's clearly saying what we want to achieve, what we will do and how we're going to do it".
"Policies I personally hate are ones that are based on a law. For example, if there is a law that you are not allowed to smoke on premises, why would you include that in your policy? You don't write policies saying, you will drive at the speed limit. You get a license, you do that.
I think compliance people think that if they make something a policy, it will be done, where it should just be a procedure. Making it a policy does not actually make anyone do anything any better".
How can you determine if your policy is effective?
You create this policy, but need to make sure it is actually effective. So what are some good ways of determining this?
"You need to make sure the policy is written in a way that has clear objectives. If it's not directly in the policy, it can be in an accompanying document. You can then measure and report back through auditing and management meetings".
"Internal auditing will tell you whether your policies are effective, because you'll ask questions of people at various levels in the organisation to see whether they understand what the policy states.
A good way to do this is from the certification body or third-party auditor coming in and looking at which parts of your system are effective, and not so effective. But you still have to set a standard, as this is what outlines what your company means by effective".
How can you communicate what's in your policy to staff?
Your policy may hang in the foyer of your office, but employees don't often come through here as they have a different entrance. So it's not overly visible to them. What are some ways you can communicate the policy to staff at all levels?
"You can make sure that it's clearly stated at induction. I'm seeing a few companies do it really nicely where they have their MD doing a video presentation to staff as they walk through the door for the first time, if he doesn't get to talk to them directly. And he's saying, 'This is our policy' and outlining the key objectives that they're trying to achieve".
"I think that's a brilliant idea, but unfortunately it's compliance and CEOs are far too busy to do other things like compliance. They think it's just an overhead and just have it because they believe they have to for clients, but don't actually use it to change habits".
"Sometimes businesses hold 'all company meetings'. I know one organisation here that I consult for have a company meeting 3-monthly, and an agenda at this meeting is to discuss the policy. Yes, it's a repetitive task, but it means that there is a conversation with the staff around what is discussed. It's not the general manager pushing the policy down to staff".
- The policy must come from the organisation itself, preferably the GM or managing director
- Don't get a consultant on board to write your policy for you, unless you know exactly what is in there
- Read the standard before you start writing the policy - it's all about intent