You hear us repeat it over and over again: if it’s not written down, it’s not happening. Documentation is a critical component of any organization. Policies and procedures are vital to your business operability, business continuity, consistency within your organization, training new employees, controlling risk, meeting regulatory compliance requirements, meeting client requirements, and so much more. Policies and procedures demonstrate how you conduct your business.
What is a Policy?
A policy is an executive-level document that defines that something must be done. They are a statement of management intent. Policies are the law at your organization. An effective policy should outline what employees must do or not do, directions, limits, principles, and guides for decision making. Policies can be rules, acceptable or unacceptable behaviors, limits, approval authorities, consequences for non-compliance, who needs to know, etc. They answer questions like: What? Why?
What is a Procedure?
A procedure is the counterpart to a policy; a policy defines that something must be done, but a procedure defines how you do it. It is the process to fulfill management intent. It is the instruction on how a policy is followed. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it. Procedures answer questions like: How? When? Where?
Policy and Procedure Creation
Individuals with the appropriate authority need to be involved in drafting policies and procedures. When creating new documentation or amending the existing, there should be a process for checking for conflicts with existing documents, checking for legal requirements, and ensuring the document discusses all necessary topics. A formal review process is also necessary to keep all policies and procedures up-to-date. Policies and procedures should be reviewed at least annually.
Communication is key to putting policies and procedures into action. Even if a policy or procedure is perfectly crafted, if it’s not in effect, then it’s worthless. Policies and procedures should be documented, in use, and known to all affected parties. Your personnel must be living out what the policies and procedures require of them. It is not sufficient that you generate documentation just for the sake of an audit.
Documented policies and procedures are critical components of an effective compliance management system. In some ways, if a regulatory agency doesn’t see documentation, then they consider that a policy or procedure isn’t happening at all. Policies and procedures help create consistency and standards within an organization, and are key in training new employees. Policies and procedures are also effective in monitoring and auditing internal company practices. In order for policies and procedures to be effective, they should be reviewed whenever laws or requirements change, or at least annually.