LONDON/NEW YORK(Thomson Reuters Regulatory Intelligence) - This is the first of two articles looking at policy management. It focuses on basic policy management principles, while the second will look at a number of specific issues with which the managers of policy functions will likely wrestle in time.

Part of the three-train clock, which drives the hands of Big Ben, is seen in the mechanism room, which will be dismantled and cleaned during the renovation work on the Elizabeth Tower at the Palace of Westminster, London, Britain August 17, 2017.

There is no one way, certainly no single right way, to shape and run a policies function. That said, there are a number of things that firms must get right – the right structures, capabilities, and practices – for their policies to fulfill the seven "C"s set down in the first article{bit.ly/policy-1} of the "Putting policies in place" series. This article looks at those things.

FIRST THERE HAS TO BE MANAGEMENT

The most basic element of policy management is that there has to be policy management. As odd as this is to say, there are organisations that leave policy management to the separate individuals writing policies for their particular businesses or functions, with no central oversight or coordination. This is not a recipe for long-term success. Writing policies is rarely the first priority of either business or other functional/control managers. So, if left to individuals without proper focus or oversight, policies tend to plunge down the priority scale. When left to be done off the side of someone’s desk, policies are in danger of slipping off the desk entirely. Therefore there has to be a control point with policies as its focus, a “policies central”, if you will. That implies an individual (we’ll refer to him/her as the “policy manager”) with ultimate responsibility for policies across the enterprise.

Please understand that I am not suggesting that the policy manager must be a hands-on, full-time policy czar in all organisations. How the role is implemented depends on such factors as the culture, the size and breadth of the policy library, the source of subject expertise and the degree of centralisation of the organisation’s management style. The policy manager may be essentially a score-keeper who tracks and reports on policy progress and maintenance, or s/he could run a tightly controlled and centralised policy-writing function, or anything in between. Depending on the size and complexity of the policy library, the policy manager role may or may not require a full FTE.

Whatever the implementation however, the policy manager’s role includes the establishment of the framework and processes for policy making and maintenance, and for codifying, monitoring and enforcing those processes. And it is essential that the individual assigned have visible support for his/her authority and that the authority come from high enough in the organisation that the authority cannot be ignored.

ESTABLISHING STRUCTURE

The structure you build for policy management should reflect the size and culture of your organisation. Whatever best fits your organisation (and the resources provided for policy making and management), a few principles apply:

—Make sure that the structure is supported by appropriate, senior management. (I know I said that before, but it’s vital), and that the policy manager is clearly identified as having authority over policy matters.

—Don’t be a salmon. Don’t swim against the stream. A policies structure that flies in the face of the way your institution functions is bound to fail. Use existing structures if possible, e.g., if responsibility tends to be distributed along regional lines, follow a distributed model, perhaps a hub-and-spoke arrangement that builds on the regional structure. If your organisation centralises functions, pull more responsibility and activity into your centre.

—Don’t over-engineer. Don’t create a structure so complex that others can’t understand it or that you won’t be able to keep current. Challenge yourself as to whether you need and can support the roles or layers of management that you are proposing.

—Don’t under-engineer. In large organisations, managing all individual policy owners from policy central may not be reasonable. Consider establishing a layered approach, where each business or function that produces a body of policies identifies someone within the business or function as the “go-to” policies person. The overall policy manager can then manage primarily with and through those go-to persons.

—Establish management channels throughout the organisation.

Manage down: The policy manager must have the ability to communicate with individual policy owners and their managers, both individually and as a group, and to provide support, guidance, correction and credit as appropriate.

Manage up: Establish a reporting channel to senior management. Get credit for what’s done; get support for ongoing process discipline.

—Ensure communication channels about key policies and key policy changes to relevant employees. The channels should reflect the scope of the policies.

—Insist that policy activities be part of each involved individual’s day job. Managers of policy makers must agree that the time spent on policy making counts. Best practice is to have policy activity and responsibility set out in the annual goals of involved individuals.

—Make sure you have the data you need to manage policy activities, including:

- originating business or function of each policy;

- owner of each policy and the owner’s manager;

- due date for revisions or project plan for new items; review of on-time performance;

- approver(s);

- related policies.

—Make sure that the existence and the role of policy central, its authority and its functions are clear (and clearly communicated) to the entire organisation.

POLICY ON POLICIES

Document all aspects of policy making and management in a policy on policies. Include:

- authority;

- structure;

- responsibilities of all stakeholders;

- approval process (make sure you have buy-in from senior managers or committees who will have approval responsibilities);

- access (website, repository or other policy application);

- document templates.

Approval for the policy on policies must come from the authority that created the policies function.

OVERSIGHT

Management requires oversight. Oversight implies visibility. Visibility depends on process and, in many cases, systems capability. Especially in organisations with large numbers (frequently in the thousands) of documents to manage:

—Identify the documents that need your close attention, e.g., you might determine that you will personally review all global/enterprise-wide documents or documents that relate to regulatory priorities.

—Establish a metric for sampling the other documents. Set the metric at a level that 1) gives you a high degree of confidence that they are up to quality standards, and 2) is sustainable. Make sure stakeholders know that you are watching, and don’t be afraid to reject or require correction of documents that don’t meet standards. At the same time, be prepared to lend a hand to less-experienced writers.

—Monitor on-time performance (which is separate from document quality).

—Institute a reporting regime:

- Report to senior management on a schedule with which they are comfortable. If they don’t want regular reports, report when you have something (good or bad) to report about, but at least quarterly.

- Report to the policy owners/businesses or functions responsible for policies, so they know that their performance is being watched.

- Report to the managers of policy owners when they are delinquent and have not responded to oversight. It’s also a good idea to report good news, that all is OK, to appropriate managers perhaps semi-annually.

- Be prepared to be able to report to regulators and auditors about the status of the policy library or policies on specific topics. Remember, regulatory requests come on the regulator’s schedule, not on yours.

—Finally, make sure you set your oversight activities at a level that you can sustain. The last thing you want to be is the cork in the bottle.

PUTTING POLICIES TO WORK

Having and maintaining competent policies is one thing, putting them to work is something else. That takes availability (the policies must be easy to find), responsibility (someone has responsibility for monitoring and enforcement) and communication (key policy issues are communicated to the right people at the right time). Each of these takes partnerships between policy central and business and functional leadership, but the coordination and drive are responsibilities of the policy manager sitting in policy central.

AVAILABILITY

Remember, the whole point of policies is to affect employee behaviour, so it has to be easy for employees to find the policies that apply to them. Generally, people will look for policies in one of two ways: they will browse to the documents by clicking through a series of menus, or they will use a search facility. Organising the policies for browsers takes the most work from policy central.

For browsers:

—People in each business or function know how they will categorise and look for their policies. It is, therefore, essential to work with people in the businesses and functions to establish the categories and menuing system.

—The number of clicks needed to get to a document is less important than the clarity of the path. Each menu should present a series of mutually exclusive choices. That way, each time a browser clicks, s/he will be rewarded with a set of choices, one of which is clearly correct.

—Documents can appear in more than one place, e.g., on a business page and a jurisdiction page, but don’t over complicate. It’s OK to have two or even three routes to a document, but don’t create a maze.

—Try not to let your categorisation go too deep or narrow. When the categories get too narrow, you risk having highly specific category labels that may not be recognised by your browsing employees. Also, changes in business structure will very likely require changes in the categorisation of the documents. If your menus go too deep and get too narrow, you risk chasing those changes forever.

—The other side of too narrow is too broad. As rule of thumb, try not to let lists of documents go beyond two screens (the original screen and one scroll-down). If you want to present lists that are longer than that, make sure the list is in an easily discernible order, so browsers will be confident that they are headed in a fruitful direction as they click down the page.

For searchers:

Note: The following points depend on the capabilities of your policy system.

—Allow searchers to filter results by intuitive categories based on the organisation of the firm, e.g., filter by geography, by business or division, by product type, by activity, as appropriate to your context.

—Consider weighting your search so that, for instance, firm-wide policies are listed before business level, or key words included in a document title push the document toward the top of the results.

—In search returns, show the searched-for words in their context within the listed documents.

—Provide authors with a chance to indicate special words or phrases that will weight the document higher, lifting it toward the top of the returns list.

RESPONSIBILITY

OK, you have a wonderful new policy. Who is responsible for enforcing it? Some thoughts:

—It is not necessarily the owner of the policy who has to enforce it across the firm. But the owner and his/her subject-matter experts should provide expectations for review, monitoring and reporting in the policy itself.

—It is individual managers/supervisors who are responsible for ensuring compliance with the policies that govern their businesses and functions. (Note that in the case of policies governing single businesses or functions, the owners and enforcers are frequently the same.)

—Compliance (especially compliance testing or monitoring functions where they exist) and internal audit are usually responsible for checking compliance with policy.

Organisations may have different views on policy enforcement. That’s OK, as long as the enforcement responsibility is made clear and is generally understood. Keep in mind, however, that many regulators look to business management for policy enforcement and may expect compliance to be watching as well.

COMMUNICATION

When a new or substantively revised policy is posted, the owner has a responsibility to make all relevant employees aware of the posting. But communication does not end there. I believe that timing and focus are key to delivering messages. I also strongly believe that employees tend to listen most closely to their direct managers. So, while broad announcements or broadcast emails are OK, they are just the starting point.

—Put the messages in the hands of the people who can deliver them with the most impact when the topic has the greatest relevance.

—Provide tools for managers to help them communicate relevant policy issues to their reports. These are best as short talking points or brief bulleted PowerPoints. The key is brevity, focus and ease of delivery.

—Look for occasions for messaging. Consider, for example:

- enforcement actions in the news;

- annual planning or goal setting;

- management changes;

- new or changed business organisation or models;

- introduction of new products.

COMING NEXT

The next article will look at a number of discussion items that can arise around policy management, e.g., GRC, regulatory tracking/mapping policies to regulation, use of workflows, file formats and a few of my personal pet peeves.

Tony (Anthony) Stein LinkedIn profile(here).

(Mr. Stein has been a leader in policy development, management and governance for more than two decades, establishing and leading the policies efforts first at Goldman Sachs, where he introduced the notion of enterprise-wide policies and helped establish and manage the regulatory change effort, and then BNY Mellon, where he built the function literally from the ground up. He is currently an independent consultant in the program management and policies space. The views expressed are his own.)