
Corporate Integrity, LLC: Policies, Done Right, Articulate Culture Page 1 of 5

Corporate Integrity, LLC


Phone +1.888.365.4560
info@corp-integrity.com


WEDNESDAY, FEBRUARY 10, 2010

Policies, Done Right, Articulate Culture

We now turn our attention back to my series on Effective Policy Management & Communication.
MICHAEL RASMUSSEN

In the previous posting we looked at the disarray and chaos of how policies are managed, maintained, and communicated within
organizations. Often inconsistent, poorly written, out of date, lacking consistency, developed with no style guide, and
ineffectively managed and communicated - corporate policy management in most organizations is a mess. Now we will turn from
our flogging of the corporate policy mess to constructively developing an effective policy management process.

The first point to clearly understand - policies, done right, articulate the corporate culture.

Unfortunately, most organizations have not connected the world of policies to how they influence and establish corporate culture.
Granted - corporate culture is there with or without policies. However, without policies there are no written standards as to what
is acceptable and unacceptable conduct. Culture is allowed to morph and change without policies. The organization can quickly
become something it never intended.

Policies provide a definition of the boundaries of the organization. At the highest level it starts with the Code of Conduct
laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level,
down into the business unit, then department, and to individual business processes. Policies are supported by procedures. Both
policies and procedures at the statement level establish and authorize controls by which the organization is closely managed and
monitored.

Policies articulate the culture of compliance. They define what is acceptable and unacceptable. This starts at the ‘Mandated
Boundary’ level of communicating what is right or wrong legally and how the organization will stay within legal boundaries within
the various jurisdictions that it operates in. Policies then extend to the ‘Voluntary Boundary’ level to articulate what is acceptable
and unacceptable when it comes to matters of discretion - ethics, values, code of conduct, corporate social responsibility, and
other areas. Both the mandated and voluntary boundaries are written into policies so that individuals within the organization and
its relationships know what is acceptable and unacceptable. It should not be open to broad discretion and interpretation.

Policies articulate the culture of risk. Every organization takes risk; it is part of business. Without clearly written guidance as to
what is acceptable and unacceptable risk the organization is like a ship without a rudder. Policies provide clear guidance on what
is acceptable and unacceptable risk, define risk acceptance and tolerance levels, and establish who owns and manages risk.

Please do not misunderstand me - policies are not a magic answer to culture, governance, risk, and/or compliance. Not at all. An
organization can have a wide array of policies that are not adhered to and end up in very hot water. Policies ARE a way to clearly
define, articulate, and communicate what the boundaries, practices, and expectations of the organization are. While you can have
a horrible culture with policies, you cannot have a strong and established culture without them. The right policies are necessary to
define and communicate what the organization is about.

Culture itself is broader than policies - policies are the vehicle that communicates and defines culture so that culture does not
morph out of control. This requires that policies be adhered to, exceptions closely managed, and violations dealt with.

Over the next several weeks we will continue to look at Effective Policy Management and Communication. We will specifically
explore:
• What is the right number of policies?
• Defining a process lifecycle for managing policies
• Establishing policy ownership and accountability
• Providing consistency in policies through consistent style and language
• Communicating policies across extended business relationships
• Tracking policies attestation and delivering effective training
• Monitoring metrics to establish effectiveness and/or issues with policies
• Relating policy management to risk, issue/case, and other GRC areas
• Using technology to manage and communicate policies

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective
Policy Management and Communication.

POSTED BY CORPORATE INTEGRITY AT 7:29 PM
LABELS: COMPLIANCE, GOVERNANCE, POLICIES, POLICY MANAGEMENT, RISK

10 COMMENTS:

Tanya Schwarz said...

LinkedIn Groups

Group: Healthcare Compliance and Risk Management Resource Center
Subject: New comment (1) on "Policies, done right, articulate culture"
"The greatest danger" for HIPAA covered entities is having policies and procedures no one is following. "A policy on a shelf
is not going to be very helpful — it won't be helpful in protecting privacy and security, and it won't be helpful in
responding to an investigation....Having procedures in place, training people in those procedures, and taking action when
you find a problem — that's the best position you can be in."
— Richard Campanelli, former director of the HHS Office for Civil Rights and now an attorney with Baker & Daniels LLP.
Posted by Tanya Schwarz

FEBRUARY 11, 2010 5:08 PM

Corporate Integrity said...

Tanya,

I agree - having too many policies that are out of date or policies that are not enforced is a danger. A liability. Though
that is not a reason to not do policies - it is making sure you have the right policies and that they are managed
effectively.

FEBRUARY 11, 2010 5:09 PM

Tanya Schwarz said...

LinkedIn Groups

Group: Healthcare Compliance and Risk Management Resource Center
Subject: New comment (3) on "Policies, done right, articulate culture"
Of course, that was a given. I gather from Mr. Campanelli, the policy and the content of the policy is only as viable as
the comprehension of the policy (training), the practicality of the policy (usefulness & applicability), the implementation
and monitoring of the policy (mitigation & remediation).
Posted by Tanya Schwarz

FEBRUARY 11, 2010 6:23 PM

Carmen Ciuca said...

LinkedIn Groups

Group: CompliancEX
Subject: New comment (1) on "Policies, done right, articulate culture"
The policies indeed are a way of building and maintaining an organizational culture. The controls and mitigation factors
embedded in policies, procedures and process flows may induce to people a certain behavior and level of consciousness
about the "way we do things around here". It's also about self-audit and people being more open to participate in
designing controls in their own process charts.
Posted by Carmen Ciuca

FEBRUARY 15, 2010 9:09 AM

Andrijana Zrinji said...

LinkedIn Groups

Group: Society of Corporate Compliance and Ethics (SCCE)
Subject: New comment (1) on "Policies, done right, articulate culture"
Hi, Michael!

I am so glad that you have started this discussion. Policy management is a major issue in company where I work, as well.

I have just done a research among employees on how well they are familiar with key policies and what they think of its
implementation and adequacy of its introduction.

When identifying such issue and assessing the risks arising from it, what would be the next step? Who in your opinion
should be the manager of company policies and what does such management include?

These are the questions, I haven't yet answered. We have Department for organization and standardization that publishes
policies after they are adopted, there is Compliance Department and of course other departments that proposes or
issues policies and procedures... Having so many policies and procedures, looks like, we would need extra employee to
work only on policy management. Is there a normal number of policies that company of 1 b annual revenue and 2500
employees should have?

As compliance officer, I had issued guidelines for how the company policies should be introduced and implemented and
what provisions they have to include for assuring appropriate linkage to other policies and procedures... Don't seem to
work as well as I hoped.

Would be great to have some more insights from you or other members dealing with this problem.

Andrijana
Posted by Andrijana Zrinji

FEBRUARY 15, 2010 9:54 AM

Corporate Integrity said...

Andrijana,

Thank you for your feedback. I am posting more on this subject over the next few weeks - stay tuned.

I just worked on a poll last week with OCEG on the number of policies of organizations of varying sizes. We have had
several hundred respond. If you wish to contact me I can share some of the raw data with you (I have not yet put it into
pretty PPT slides).

FEBRUARY 15, 2010 9:55 AM

Paul Koyich said...

LinkedIn

Paul Koyich has sent you a message.
Date: 2/11/2010
Subject: RE: Policies, done right, articulate culture

Michael, as a Safety Trainer, I have come to the realization that Corporate Governance varies from company to company,
at the worker level the message I use is "duties and responsibilities", more or less a commitment about working Incident
and Accident Free as was relayed to our management in 2002 after a "serious fire incident". As our company is ISO
certified, the prosper elements need to be understood at the worker level, that is my take on matters.
So for example if the employees cannot understand a "Corporate Health and Safety Policy" it is no wonder the message is
not getting through, and I speak from experience. Living and working in a country without an Occupational Health and
Safety Act means we do rely on Policies and Procedures to give guidance to the workers, in all departments, 2500 policies
to date, the ones I am most interested in of course are basic Health and Safety Policies and including Permit to Work. So
my Safety Training again takes me back to the "foundation" of this Policy which is intended to "recognize hazards" and put
controls in place before starting the work. (Safe Work Practices)
I think you can see the thread of this e-mail is "educating the line supervisors" on Hazard Identification and Risk
Assessment.
Now throw into the above discussion the nature of the workforce, multinational and multilingual and that is what my
challenge has been for 15 years working in the Middle East.

I am just in the process of doing a "Risk Assessment" project to make my Safety Training more along the lines of the Shell
Company approach, a simple "intervention step for all employees". Their latest edition includes a "Life Safety Skills"
approach, very impressive.
More or less understanding the Hazards and putting the controls in place and then incorporating them into the "Change
Management Plan". Very few companies realize this is crucial for the Safe Operation of their facilities, because it is a
"proactive approach" to learning from the mistakes of others, which also needs to be incorporated into the Safety
Training Plan.
Will keep you posted of my progress in this area.

Respectfully, Paul Koyich, HSE Advisor/Trainer, Al Khor Community(pop.6000+), State of Qatar

FEBRUARY 15, 2010 2:18 PM

Portia Cross said...

LinkedIn Groups

* Group: Unified Compliance


* Subject: New comment (1) on "Policies, done right, articulate culture"

I could not agree more that policies, done right, articulate the culture of the organization. I wrote a policy for our agency
on remote access management. Basically, the policy outlined how employees and partners would access the agency’s
enterprise network from locations external to the agency.

There were several factors that made this policy effective. First, our Chief Information Officer, was required by an
oversight agency to institute the policy. Thus, I had an identified sponsor, the CIO, who was committed to supporting the
policy. Second, the policy was not left to ambiguous interpretation, I clearly defined the technical requirements for
remote access in an easy to understand bulleted format and outlined in detail the roles of the users, managers and
business partners in accessing the agency’s systems. Third, the policy was circulated to all the senior managers in the
agency who were required to review and concur on the policy. I had buy-in from the Directors in the organization whose
role was to assure that they, and their employees, adhered to the policy. And last, I worked with the
Telecommunications team to implement technical controls in the enterprise network which supported the technical
stipulations in the policy.
Posted by Portia Cross

FEBRUARY 18, 2010 1:28 PM

Noam Sarfati said...

LinkedIn Groups

* Group: Society of Corporate Compliance and Ethics (SCCE)


* Subject: New comment (3) on "Policies, done right, articulate culture"

Hello Michael,
I believe your illustration of how the organization Code of Conduct should be translated "down" to the basic individual
business process pinpoints the main problem most organizations encounter when implementing – or trying to implement –
Code of Conduct.
I find the connection between Corporate Culture and Professional (Personal) Ethics critical to the continuous Corporate
Success and should be done, and therefore must be methodically managed, by aligning Individual objectives, with the
organization's ones.
I'm looking forward to your future ideas.
Best,

Noam Sarfati.
Posted by Noam Sarfati

FEBRUARY 22, 2010 10:22 AM

Paul Koyich said...

LinkedIn

Paul Koyich has sent you a message.

Date: 2/16/2010

Subject: RE: Policies, done right, articulate culture

On 02/15/10 12:17 PM, Michael Rasmussen wrote:


--------------------
Paul, these are some great comments. It would be appreciated if you could post this on the discussion thread for all to
read.

On 02/11/10 11:17 PM, Paul Koyich wrote:


--------------------
Michael, as a Safety Trainer, I have come to the realization that Corporate Governance varies from company to company,
at the worker level the message I use is "duties and responsibilities", more or less a commitment about working Incident
and Accident Free as was relayed to our management in 2002 after a "serious fire incident". As our company is ISO
certified, the prosper elements need to be understood at the worker level, that is my take on matters.
So for example if the employees cannot understand a "Corporate Health and Safety Policy" it is no wonder the message is
not getting through, and I speak from experience. Living and working in a country without an Occupational Health and
Safety Act means we do rely on Policies and Procedures to give guidance to the workers, in all departments, 2500 policies
to date, the ones I am most interested in of course are basic Health and Safety Policies and including Permit to Work. So
my Safety Training again takes me back to the "foundation" of this Policy which is intended to "recognize hazards" and put
controls in place before starting the work. (Safe Work Practices)
I think you can see the thread of this e-mail is "educating the line supervisors" on Hazard Identification and Risk
Assessment.
Now throw into the above discussion the nature of the workforce, multinational and multilingual and that is what my
challenge has been for 15 years working in the Middle East.

I am just in the process of doing a "Risk Assessment" project to make my Safety Training more along the lines of the Shell
Company approach, a simple "intervention step for all employees". Their latest edition includes a "Life Safety Skills"
approach, very impressive.
More or less understanding the Hazards and putting the controls in place and then incorporating them into the "Change
Management Plan". Very few companies realize this is crucial for the Safe Operation of their facilities, because it is a
"proactive approach" to learning from the mistakes of others, which also needs to be incorporated into the Safety
Training Plan.
Will keep you posted of my progress in this area.

Respectfully, Paul Koyich, HSE Advisor/Trainer, Al Khor Community(pop.6000+), State of Qatar

FEBRUARY 22, 2010 2:06 PM


http://corp-integrity.blogspot.com/2010/02/policies-done-right-articulate-culture.html... 25/02/2010