Part of risk management is making sure that the risk management framework (a hierarchy of policies, standards, guidelines and procedures) remains accessible to every person in the organisation through:
- language (use simple words);
- presentation (make it easy to find important bits);
- location (policy is of no use if you don’t know where to find it);
- relevancy (policy on proper usage of the stapler is generally not required).
In most organisations each business division, or even team, will eventually desire their own policies. Generally they’ll write them with little consultation with others, implement their own look and feel and then jealously hide the policy from others, only to bring it out as a stick when someone strays from this unpublished policy.

Having a central policy repository is the first step towards improving the sad state of policy management in most organisations. Sadly, what usually happens is that those policies get picked from Place A and dropped in the central repository without anyone making sure that they don’t overlap with other policies and are consistent with other policies in style, format, message and corporate culture.

Of course the policy trip doesn’t end there. You will need a person that will make sure that the policies are:
- updated regularly;
- in keeping with the style and the formatting; and
- understandable to anyone in the company.
To do otherwise is to do your organisation a disservice.

Now if you’ll excuse me, I need to go to a meeting where I’m supposed to explain just what the policy says and who’s meant to enforce and implement it. :-)