A policy is defined as "the rules" of the company; compare it with "The 10 Commandments" ... you won’t kill, you won’t lie, you won’t cheat, etc. Therefore, policies should be written clearly, concisely and straight to the point, with a limit of a page or two.
A procedure, in turn, is defined as “how to comply with policies”… a set of instructions for anyone to do what needs to be done. A foolproof guide that everybody can understand. So, the procedure may be as long as needed.
The code of ethics is defined as the guide that tells anyone working for the company how to conduct themselves. This includes all employees, from top to bottom. Yes: the CEO, directors, managers and staff, regardless of their job position, area or country. It also includes any third party, such as strategic alliances, suppliers, agents, etc. Everyone must have access to the code in order to comply with it.
The three documents are defined as the "must be" and must have certain key elements to be successful:
a) Must be clearly written, straight to the point and without misspellings. Many companies blend the policy and the procedure into a single document. If there is a separation between them it is ok, but if there is not, there is a risk that employees won’t differentiate them and will be confused about what is allowed and what is not. Another common mistake is to write them in complex vocabulary or to make them too long… Think of yourself as the main user of every policy, procedure and code of ethics. Right now, just as they are, would you understand what they say? How to apply them? If the answer is yes, your company is on the right track! If not, invest time in modifying them. Your employees will be grateful, mistakes due to misunderstanding will be avoided and the company will win. It is worth it.
b) Must be consistent with each other and, of course, with the vision, mission and values of the company. Logical? Obviously! But this type of mistake is very frequent. Companies issue policies and procedures without making sure they are consistent with each other. So when they are applied, employees are confused about which to follow and complications occur… For example: the operations department indicates that the only thing needed to open an account for a client is to ask for their ID and address, while the compliance department states that other documents are needed. When the file gets to compliance it is rejected for lack of information; the executive then has to ask the client for more information when it could have been requested the first time. This exemplifies how policies may not be consistent and how a simple procedure can become exhausting. The worst part: it irritates the customer!
c) Must be stored in a place that is easy for everyone to access. Whether they are on the company’s intranet, on the internet or handed out physically… everybody should have access to them. Access should also be possible remotely, in case employees work at home or at any other facility. If the employees do not have access to them, how can the company expect them to be followed? Give your employees all the tools and documents to do their job as it should be done. Avoid excuses.
d) Train, train, train. P&Ps, as well as the Code, lose their effectiveness if they are not distributed and communicated to employees and third parties. If people are not made aware of them, the “must be” becomes just paper… the rules live through people. So make sure to train them when a new policy, procedure or code is made and when one is updated. But, whether or not there are changes, train your employees at least once a year.
e) Update them! They need maintenance. If your last modification of the P&Ps and code was in 1980… it's time to update them. When to do it? After a new system is bought, changes in regulations, a change in areas or departments that affects either the rules or how things are done, the emergence of new risks, news that affects the company image, the results of any review made by Internal or External Audit or Compliance, or something that you have noticed is recurrent, etc. Do not assume or rely on people knowing the changes by heart. Keep the P&Ps and the code updated with the latest changes.
f) Avoid conflicts of interest: many companies ask Internal Audit (IA) to draft other areas’ policies because they think it is IA's job. Do not allow it! Internal Audit should not draft any policy other than its own. If IA drafts other policies, it becomes judge and party; when auditing, people may ask: if you drafted the policy and also review it, aren't you responsible for it? Each area or department should make its own policies, again keeping in mind that they must be consistent with the others.
g) Make sure to be open to feedback. Most companies designate someone to write procedures; however, depending on that person's level, there is a risk that they do not have complete knowledge of how the area works. Involve employees of all levels so that the policy is complete, and after publishing and distributing it, make sure you have a hotline or email address where people can make suggestions. If they are right, modify it.
Keep in mind: P&Ps plus the code are more than documents. Their content can prevent conflicts of interest and reputational damage. It is worth investing in them!