Outdated policies can leave your organization at risk. Old policies may fail to comply with new laws and regulations. They may not address new systems or technology, which can result in inconsistent practices. Can you imagine a policy that still addresses whether you can bring in floppy disks from home or discusses the proper use of fax machines? Yet there are probably policy manuals out there that still have this information in them.
If you're not sure whether you need to review your policies and procedures, consider these statistics:
- 69% of executives are not confident that their current policies are enough to meet future needs.
- Only 27% of CCOs believe the compliance function has a change management process in place to identify changes in laws and regulations and to incorporate those changes into their policies.
- 63% of organizations say their policy management program helps reduce legal costs and resolution time of regulatory issues and fines.
Bottom line, regularly reviewing your policies and procedures keeps your organization up to date with the latest regulations and technology, as well as consistent with the industry's best practices. Your policies are more consistent and effective, and they help protect the organization, the employees, and the people you serve.
And if you're in a high-risk or highly-regulated industry, such as healthcare, public safety, banking, or financial technology, you should be conducting regular policy reviews anyway. However, it's a smart idea for every organization, regardless of how regulated you are.
When to review policies and procedures
With everything you have to do in the normal course of the workday, it's easy for the policy review process to fall through the cracks. Even your executives and administrators know it's important to review policies and procedures, but everything else still manages to steal their attention and energy.
But policy review is most effective when it's done regularly and proactively, not in reaction to an event (more on that in a minute). Don't wait for a problem or violation to decide to review your company policies. If you had an ongoing review process, you could confidently address any issues or events that you face, and head off a lot of potential problems.
Regular policy and procedure review
The best way to proactively review your policies and procedures is just to schedule time into the corporate calendar.
As a general rule, you should review every policy every one to three years. But most policy management experts recommend that you review all your policies every year.
That's also more easily managed with policy management software than a 3-ring binder. Good policy management software will let you set up workflows in order to collaborate with your policy review committee, gather feedback, and track approvals. It can even automatically remind people to read and review policies, send out signature reminders, and integrate with your training management program.
Here are a few times you should conduct an additional policy and procedure review.
When your organization undergoes large-scale changes, such as change in ownership or executive leadership, it's a good idea to review your relevant policies. Your policies should align with your organization's mission, vision, and values, as well as those of your senior leadership.
So any time you have a change in strategic direction, new leadership, a merger, or your company is purchased by another, you should review your policies and procedures.
Of course, these kinds of changes won't affect every policy. For example, a new strategic direction probably shouldn't affect your vacation policy. But it may change other day-to-day policies and procedures.
Changes to laws or regulations
On the other hand, laws and governmental regulations change constantly, which will affect certain procedures. Your compliance team needs to be aware of these changes and know which policies they affect.
If there is a big regulatory change on the horizon, you should gather your policy review committee for a special meeting, rather than waiting until your annual review period.
Incorporate these pending changes into your policies as soon as possible to help your organization adjust to the new regulations and follow them right away. If you build the regulations into your policies early on, the transition will be much smoother once the new laws go into effect.
An incident or policy violation
As we said before, you shouldn't wait until an incident occurs to start reviewing policies and procedures. But things happen even when you don't expect them or want them to. An incident or policy violation can still indicate the need for a change.
After any kind of incident, it's a good idea to debrief and make sure the policy had the intended effect, even if the violation still occurred. Examine the details of the incident to see if employees followed procedures properly, and whether there were any gaps in training or problems with employee understanding of the policy.
This will help you decide whether you should revise the policy in question, make small changes and updates, or just let it stand.
Of course, not every violation should result in sweeping changes. Sometimes, it's an isolated incident that calls for additional training or remediation for the employees involved. Sometimes, an employee just made a bad decision, even though the policy is sound, and they should be dealt with accordingly.
But if you find repeated violations, especially in the same area or of the same type, then the issue may be that the policy is outdated, confusing, or requires more training.
Identifying Policies and Procedures That Need to Be Updated
Policy review doesn’t always have to result in policy revision. Sometimes you may need major changes and revisions; other times, you may just need to make a few small tweaks. And sometimes, the policy is just fine as it is, and no revisions are needed at all.
You're not going to actually change or rewrite your policy manual every year, because that would be overkill. So how do you know which policies need to be updated?
Here are a few questions to ask during your policy review process.
Is the policy being implemented as intended?
You don't need a major incident or high-profile issue to know whether employees are complying with a particular policy or procedure. If they're not, you need to determine why.
Is the policy outdated? Are the procedures difficult to follow? Have you introduced a new technology or process that your policy doesn’t address? Or is it a training issue?
Get feedback from your front-line employees, or anyone else affected by the policy, for some ideas on how you can improve it.
Is the policy having the desired effect?
Every policy should have a clear goal or objective. Over time, this will help you measure whether the policy is effective. But there can be times when employees are following your policies and procedures perfectly, yet the policies are not having the desired effect.
For example, you implemented a policy to improve employee safety. The employees are following it but accidents are still happening at the same rate. Clearly, the policy is not doing what it's supposed to and it's not having the desired effect.
That means you need to look at where the policy is failing, ask the people who are covered by the policy about what they would do differently, and make sure you have procedures and tools in place to allow you to measure everything. Maybe it's a training issue, or it's confusing and incomplete, or maybe it's a completely different problem.
Are the policies and procedures current and relevant?
You want to make sure your policies and procedures align with the way your current systems and structures actually operate. If your policies and procedures refer back to old structures or technology — remember what we said about floppy disks and fax machines? — employees are more likely to ignore them because they think they don't matter.
For example, let's say your company has adopted flexible remote and work-from-home arrangements, or flex scheduling. But your attendance and tardiness policies still revolve around the old standard schedule. You need to update that policy to reflect your new work system, and make those new expectations clear.
How to Update Policies
You've established a regular schedule for reviewing policies and procedures, and you've identified the policies that need to be updated. How do you actually update them? Are there any best practices?
Of course there are!
Here are a few of them for you to consider.
Determine who is involved with this policy
Your policy review and writing team will be different, depending on the policy. You don't need the same people dealing with every policy for every department. For example, you don't want the sales department dictating accounting policy, or the finance department creating IT policies.
So pick team members based on the work they do and the policies you're reviewing. Your team could (and should) include supervisors who oversee the procedures, managers, HR directors, or executives. But don't count out the frontline employees who actually do the work the policies cover.
For example, an executive is not the ideal person to create safety policies in a manufacturing operation; the people who are working on the floor and operating the machines are the best ones for that. An HR director is not the best person to decide on the cybersecurity policy for the organization; you need a network administrator handling that.
Once you’ve decided on your team, explain why the changes are needed, and what needs to happen.
If you're making small changes, it may be as simple as just making some edits and rewrites to the policy language. In other cases, especially as it relates to laws and governmental regulations, it's going to be a more involved process. You'll need subject matter experts and even your organization's legal counsel to get involved.
And if your organization is accredited or licensed, be sure to include the accreditation manager so they can make sure your policy language meets the accreditation standards the organization has to follow.
Document all comments and changes to the policy
As the policy writing team does their work, make sure to document all comments, notes, and input from every team member. This kind of information is important if there are ever legal issues surrounding a later policy violation or its enforcement.
It's often helpful to appoint one policy owner to gather all the feedback and information (as well as the comments, notes, and input) and make the final edits.
But you don't want any essential feedback to slip through the cracks.
This is where policy management software like PowerDMS gives you full version control and a full audit trail for each document. You can keep all the information, comments, notes, and any other input in a centralized location. You can create workflows, see who has made changes, and what they are, and even track whether all appropriate managers have signed off, and whether all employees have reviewed the policies.