Your organization’s policies are the foundation of your corporate governance system. If you need to prove that your organization is effectively governed, you need to be able to demonstrate that your policies are under control - 

• There is no doubt about which policies are currently in effect, nor about which policies were in effect at any time in the past. (In the event of an accident or incident, the organization may be called upon to produce them.)
• You have records to prove that employees are familiar with the policies relevant to their work.
• There is an assigned accountability for each policy, a documented procedure to ensure that each policy is communicated and implemented effectively, non-compliance is detected, and performance is measured and reported.
• You have a formal method to ensure that the organization has all - and only - the policies it needs.

Setting up a policy management system is not difficult. Here is one way to do it—

1. Make an inventory of the existing policies

Make a list of all the documents with ‘policy’ in the title or listed somewhere under a Policies heading. Check who created them, how old they are, what’s in them, and - if there’s any way to know - how often they get looked at.

It’s not uncommon to find multiple sets of ‘policy documents’ - 

1. Board-approved policies, under the control of the company secretary or general counsel.
2. Policies used by HR as part of the induction for new employees.
3. Framed statements about safety, quality, and environment on the wall in the office foyer, read only by visitors while they wait.

It’s also common to find shared-drive folders called Policies with large numbers of extraneous documents in them (2,400 in one organization we helped): prior and alternative versions, drafts-in-progress, supporting notes, implementation procedures, forms. Valuable information, no doubt, but not documents you’d want to be defending if your corporate governance system were under investigation.

2. Define what ‘policy’ means in your organization

Some organizations use ‘policy’ loosely, for any guideline intended to help employees make decisions. Others use ‘policy’ strictly for Board-issued statements of corporate intent. A strict definition is easier to manage for corporate governance purposes - 

• A policy articulates a governance objective.
• A policy authorises the use of organization resources.
• A policy establishes management accountability: someone has responsibility for implementing the policy and will be held to account if the objective is not achieved.
• A policy may authorise employees to act outside the normal chain of command (for example, a safety policy may authorise any employee to halt an activity if they think it dangerous).

There is no ‘right’ definition of policy (although there are plenty of wrong ones). The important point is that you have a definition. In general, the more precise the definition, the fewer policies you will have; and the fewer policies you have, the simpler and more effective will be your corporate governance. If a document is merely a guideline for employees, then call it a ‘guideline’.

Your definition will determine, in turn, who may issue a policy: Board only? Senior management team? Any manager?

3. Establish what policies you need

Map your policies against your governance objectives. Every governance objective should be supported by a policy; every policy should support a governance objective. This mapping is not necessarily one-to-one. You might have a single sustainability governance objective, implemented through separate policies for health, safety, and environment.

• If you have a governance objective with no supporting policy, there is a policy missing.
• If you have a policy that does not support a governance objective, then either there is an unstated governance objective, or the policy is unnecessary.

Management system standards like ISO 9001 and ISO 14001 mandate the existence of a supporting policy.

4. Create a register

There should be no doubt about which policies are in effect at any time. A folder called ‘Policies’ on a shared drive is not sufficient. At a minimum, your register should show - 

• ID number
• Status: draft, current, superseded, withdrawn
• Date issued
• Accountability
• Approved by (if the policy is Board-approved, this should be a reference to the meeting record)

In the event of an accident or investigation, the organization may be called on, as a matter of document discovery, to produce every policy that was in effect at a given date. With an effective register, this is trivial; without, this could be an expensive embarrassment.

For the same reason, policies should have ID numbers. Policies are sometimes renamed: the Policy on A, B, and C is re-issued as the Policy on B, C, and Q . Without ID numbers, it might be difficult to prove that the earlier policy is not still in effect.

5. Spell out what it means to be accountable for a policy

It’s not enough for a policy simply to make a statement about the organization’s good intentions. For every policy there needs to be a position or team accountable for giving effect to the policy. The details and procedures of this accountability should be spelled out in the policy management system. This accountability might cover - 

• Determining what the policy means in the context of the organization’s actual activities.
• Planning, budgeting, and managing the actions necessary to implement the policy.
• Verifying compliance and reporting performance.
• Detecting and reporting non-compliance.
• Annual review

6. Create awareness and notification procedures

You should be able to prove that your people are aware of the policies with which they must comply. This means - 

• Induction: new employees, and employees moving to a new position, must be made aware of the policies relevant to their work.
• Notification: all affected employees must be notified if a new policy is issued or an existing policy is updated or withdrawn.
• Annual review: it is prudent to require all employees to confirm, annually, that they have reviewed the relevant policies.

Some organizations use a written Policy Acknowledgement form (‘I have read and understood these policies….’) to be signed by new employees as part of their induction, and by all employees as part of their annual review.

George Kesteven is a Lead Consultant with Phrontex. Contact him on +61 409 606 899 or george2@kesteven.com.au if you'd like to see how policy management works using Phrontex.