The Dalai Lama's timeless advice, "Learn and obey the rules very well so you will know how to break them properly,” has been widely interpreted. While he championed civil disobedience as a means of peaceful protest, his wisdom has found applications in various realms, including both innovation-driven entrepreneurship and questionable actions by certain individuals. A famous entrepreneur once said, “Being creative in business requires you to know the rules and often break them - and the boundaries/limitations simultaneously! Watch the mavericks -- they see opportunities where others see limitations and failure.”
This prompts us to consider the links between policy, violating policy and the enforcement of those policies. In the world of GRC (Governance, Risk, and Compliance), these connections are fundamental, often taken for granted and sometimes overlooked.
INCONSISTENT ENFORCEMENT OF COMPANY POLICIES HAPPENS WHEN POLICY DEVELOPMENT EXISTS SEPARATELY FROM TRAINING
In business, policies sit at the intersection of laws, regulatory issues and employee conduct. They play a vital role in providing clear guidance to employees who may not be well-versed in the complex landscape of laws and regulations governing their organization. There’s a loop – from policies to informing employees on policies, to enforcing them – that is most effective when it functions as an interconnected chain rather than a disjointed collection of links.
When companies address this as a set of disparate links, they have policies, some of which may be complex and comprehensive “Here” and training and policy awareness take place “There.” What is provided in training may not accurately and completely reflect the actual policy, but allows the company to check the box that training on the subject or topic is available. Then, in yet another disconnected area, there might exist a means to report a policy violation which could be based on the training or the written policy. Hopefully, the training materials and the policy itself should be in such close alignment that employees can reasonably grasp whether a policy violation has occurred before needing to report it. When the three links, policies, training, and enforcement, are managed separately, it can be difficult to expect that employees will have the knowledge and awareness to navigate the intricacies of policy access, training, and reporting without difficulty.
HOW TO SIMPLIFY AND ENFORCE POLICY UNIFORMLY
Employees should be able to read the policy and verify their understanding with a simple quiz to show that they understand their company’s policies. This allows them to be well-informed employees who will know when a policy is being violated rather than figuring it out on their own.
When an employee submits a report, it is important for them to have trust in their organization's commitment to taking their concerns seriously and taking appropriate actions. Whether an employee chooses to remain anonymous or not, their anonymity should be safeguarded. They should feel a sense of importance and believe that their concerns are handled equitably, with no bias in the interviewing or questioning process. The entire reporting process should be seen as fair and respected, reflecting the company's dedication to ethical standards.
Shifting to a new policy management system isn’t as challenging as it sounds. Whether you’re working to build a policy management system from the ground up or taking steps to improve an existing one, avoiding these seven pitfalls can help to ensure your success.