Ford’s Model N cars (the Model T’s predecessor) were built by workers adding parts that were laid out on the floor.
Policies have often been managed individually, like the autos which were built prior to the Model T. Policies are the foundation for all risk and compliance decisions and solutions. They are an integral part of corporate planning and Risk Management strategies. Policies are the basis of critical controls and serve to mitigate risks to an organization.
Ford’s innovation and standardization reduced the time it took to build a car from more than 12 hours to two hours and 30 minutes.
Policy management is that same standardization for policies. It is the process of creating, communicating, and maintaining policies and procedures within an organization throughout all the stages of the policy life cycle. Organizations need a formal policy management process to reduce risk, legal costs and the time it takes to identify and resolve problems. Keeping policies current with continuously evolving laws and regulations is a constant and growing challenge. Having documented guidelines for creating and distributing policies, or a “Policy on Policies,” is essential. This serves as the basis of a consistent and reliable policy management program within an organization, provides clear documentation for how to create policies and specifies a process for approvals and distribution.
A strong Policy Management strategy is a clear indication of the strength of management and its ability to meet regulatory and governance obligations. It is a focus of Board-level management, who must ensure alignment with the organization’s vision and mission. Moreover, exhibiting robust policy management is important to clients, regulators, investors, partners, suppliers and others that an organization interacts with. A single defined source of the truth enables an organization to more easily establish policies and procedures as well as document which version of a policy was applied to a regulatory request. A schedule for reviewing and updating policies with appropriate risk weightings will enable regulators and auditors to review the riskiest interactions first and allow policy administrators to set thresholds for which items receive a policy review vs. being dismissed automatically as a false positive.
Ford authorized the motion-study expert Frederick Taylor to make processes even more efficient.
To develop and manage the strategy for how they manage their policies, organizations frequently form a Policy Oversight Committee. The committee is tasked with the responsibility for developing and implementing policies, procedures, and controls. Policies and procedures must be more than theoretical principles or ideals. Policies must be linked with regulations and associated with related risks, controls, processes, risk indicators, incidents, issues, etc.
In some cases, there are many departments that own various parts of a policy. This can cause confusion and at times redundant policies. Every policy should have a clearly defined owner who is responsible for creating, circulating and maintaining the policy. Fragmentation of ownership both complicates management of policies and makes it more difficult to attain a centralized and standardized system to alleviate policy management challenges. The owner is responsible for knowing when a policy needs to be updated, modified or discontinued based on organizational and regulatory changes. Additionally, the owner should be responsible for sending out timely updates on every policy, specifying how it affects the organization and overseeing associated testing.
To address the communication issue in the factory, the Ford Motor Company established a school, with classrooms right in the factory.
Once a policy is written and approved, its distribution, and attestation that it has been read and understood, are paramount. A single source where policies can be viewed makes the process more straightforward and prevents employees from accessing outdated documents. Documenting understanding is a key item for both management and regulators. Reducing the gaps in policy understanding can also offer practical insights into its implementation. Employees also require periodic re-training to ensure that policies remain top of mind. As employees change roles, supplemental policy training may also be needed. Policies must be disseminated in each language of choice, so that there is appropriate communication across multiple geographies.
At times rules are violated. These exceptions and their approvals need to be documented. Improper violations must be addressed. Maintaining proper lineage between policies and procedures helps to document and track exceptions and demonstrates efforts to control and correct violations. Each exception request must be analyzed for potential impact and a risk rating assigned. The process for determining an exception’s risk rating must be well documented. Proper approval and management authorization are required for each exception, and an expiration date should also be assigned. With any volume of exceptions, it is important that they are stored in a central repository and can be accessed by staff. Changes to the business or regulatory environment may also necessitate the reevaluation of previous exceptions.
In 1902 Henry was dismissed by his board of directors from the company that carried his name because of his inability to bring a car to production.
Taking the time to create a policy management process is not a trivial endeavor. Much thought and collaboration are required, as well as backing from Senior Management. Once you have it up and running, enforcing the policies, handling exceptions and managing regulatory changes become much more of a standard process in a well-defined assembly line instead of reinventing the wheel each time.