Whether you’re creating policy documents for the first time, auditing existing documents as part of a policy review process, or being tasked with reviewing all existing compliance documents post-merger, there are a handful of policies that you’ll likely want to create/review before all others.
No matter the size of your business, these key policies and procedures help to ensure the smooth operation of the business, keep its workforce performing safely and in line with regulatory requirements, and – top of many agendas right now – deliver on its GRC and ESG goals.
The 10 key policies and procedures every organization needs
The number of core policies you need to have in place to operate effectively and in line with any regulatory compliance requirements will vary from organization to organization, but for GRC purposes, you should have the following in place as an absolute minimum.
- Code of Conduct
- Risk Management Policy
- Compliance Policy
- Third-Party Management Policy
- Business Continuity Plan
- Incident Response Plan
- Information Security Policy
- Data Retention Policy
- Acceptable Use Policy
An organization’s Code of Conduct is the “Policy of All Policies”, outlining the standards expected of its employees in the pursuit of operational excellence.
A Code of Conduct outlines the principles, values, and standards of behavior expected from employees, and provides guidance on how they should conduct themselves in the workplace and what consequences to expect for not adhering to those guidelines.
The Code of Conduct is also essential for maintaining a positive and ethical workplace culture, preventing reputational and legal risks, and protecting the organization’s brand and stakeholders.
A Risk Management Policy outlines how risks associated with the organization’s operations, processes, and activities are identified, assessed, and managed.
As with the Code of Conduct, a Risk Management policy helps to protect the organization from potential financial, legal and reputational risks, and provides guidance on the necessary steps employees should take to identify, evaluate and mitigate potential risks through the use of risk registers and other risk management tools.
Compliance Policies are especially important in highly-regulated industries where the organization may need to adhere to numerous legislative measures, providing guidance on how individual employees should conduct themselves in the workplace to stay compliant.
A good Compliance Policy outlines the organization’s approach to complying with relevant laws, regulations, and standards, including the use of compliance frameworks and audits.
A Third-Party Management Policy outlines how the organization manages relationships with third-party vendors, suppliers, and contractors, including the use of due diligence and monitoring procedures.
It provides guidance on how employees should evaluate, select, and manage third-party relationships. It is especially important that employees follow the policy, so that these relationships are properly managed and the organization’s data and assets are protected.
A Business Continuity Plan outlines how the organization will respond (and recover) when faced with a disruptive event, and includes details such as backup and recovery procedures, and the roles and responsibilities of all parties involved.
Having a Continuity Plan in place helps minimize the impact of disruptions on business operations and ensures continuity of services in the event of an unexpected event or emergency, such as a natural disaster or cyberattack.
The Incident Response Plan outlines the steps to be taken in the event of a security breach or other incident, including the reporting and investigation procedures, and the roles and responsibilities of all parties involved.
It provides guidance on how employees should respond to incidents to minimize their impact, and is again an important measure to have in place to help minimize the impact of incidents on the organization’s operations, protect its assets and data, and maintain its reputation.
In large organizations, it’s also standard practice to have a Crisis Communication Plan in place. This plan should outline the procedures to be followed in the event of a crisis, including the communication strategy, media relations, and messaging.
An Information Security Policy outlines the organization’s approach to securing its information and data, including the use of access controls, encryption, and other security measures, and is important for protecting the organization’s data and assets from potential cyber threats and other security risks.
This policy covers how information assets are protected from unauthorized access, use, disclosure, modification, or destruction, and provides guidance on how employees should safeguard sensitive information.
It is important that employees do what they can to help protect the privacy and rights of individuals, and this policy provides guidance on how they should handle personal information to ensure compliance with the privacy laws and regulations applicable to their business.
A Data Retention Policy outlines how the organization manages its data retention and destruction policies in order to comply with applicable legal and regulatory requirements.
This policy provides guidance on how long different types of data should be retained and the appropriate methods for destroying data.
An Acceptable Use Policy outlines how IT resources (such as computers, networks, and information systems, including email, internet and social media) should be used by employees, and provides guidance on the appropriate use of technology resources along with the consequences of misuse.
It is important for employees to follow the Acceptable Use Policy to help prevent security breaches, data leaks, and other risks associated with the misuse of technology resources.
Depending on the size and type of your organization, a separate Social Media Policy may also be high on your list of priorities.
This policy should outline the organization’s approach to social media use, including the rules and guidelines for employees’ personal and professional social media activity. If you’re in the UK, you’ll be aware of just how important this policy can be, following the fallout between the BBC and TV presenter Gary Lineker.
Other Operational Policies and Procedures
Once you’ve got the basics covered, you can start to look into areas that are more specific to the way your organization operates:
- Human Resources Policies (covering recruitment, hiring, training, performance management, employee relations, etc.) – which may include policies related to anti-discrimination, harassment, and retaliation, as well as standards of conduct and disciplinary procedures.
- Financial Policies (covering budgeting, accounting, financial reporting, and internal controls) – which may include policies related to expense management, procurement, and fraud prevention.
- IT Policies (such as network security, software use, and device management) – which may include policies related to access controls, password management, and software licensing.
- Environmental, Health and Safety (EHS) Policies: These policies should cover areas such as workplace safety, hazardous materials, environmental protection, and emergency response. This may include policies related to training, inspections, and incident reporting.
- Disaster Recovery and Business Continuity Plans: These plans should outline the organization’s approach to recovering from disasters, including natural disasters, cyberattacks, and other disruptions. This may include procedures for backup and recovery, communication, and resuming operations.
If you’re an enterprise-sized organization, you will also want to focus on supply chain policies, which detail your approach to supplier relationships, covering issues such as sourcing, procurement, and quality control, as well as your approach to supplier diversity.
With these policies and procedures in place, you have the foundations of a strong GRC framework that supports your business objectives while managing risks and complying with relevant laws and regulations.
Effective Policy & Procedure Management
If your organization is already well-established, it’s likely that you’ll have hundreds – if not thousands (perhaps even hundreds of thousands if you’re post-acquisition!) – of policy and procedure documents.
And if you’re lucky, you may even have a spreadsheet that contains a link to a master version of each of these documents. But when the risks associated with non-compliance can be so high, Excel cannot really be considered fit for purpose.
You need to invest in a proper policy management solution that includes the ability to manage the policy management lifecycle and effectively engage employees on policies, ensuring their awareness, training, and understanding of them in their individual business contexts.
“Organizations need structured processes to manage the entire policy management lifecycle, from creation through maintenance and eventually retirement of policies.” – Michael Rasmussen
Increasing policy visibility and engagement
There are many policy management point solutions available on the market today, each offering a similar set of features.
But as gaining employee engagement with your policies is almost as important as having the policies themselves, it’s worth investing in a platform that not only helps manage your policy documents, but increases awareness and engagement with them, too.
The Ekko policy and training management platform offers all of this and more:
- Policy creation (with workflow process), personalized distribution, and attestation tracking capability
- Rapid, just-in-time access to relevant documents and training materials – Just ask Ekko!
- Integrated learning management and engagement tool suite