Keys to an Effective Employee Awareness Program - Part One - Introduction
Sunday, February 25, 2007
There probably isn’t a company or organization in existence that doesn’t have a healthy collection of policies and procedures. Typically stored in binders on shelves, stuffed in drawers, sitting in email inboxes or placed haphazardly on file servers, these policies represent lost opportunity and potentially a compliance nightmare.
Most organizations put a lot of effort into the policy development process. Incorporating company best practices, industry standards, regulatory requirements and other factors, an organization’s policies represent the ideal operating goals and intent for the organization. At a minimum they define the rules for the smooth operation of the company; at best they provide a unique competitive advantage in the marketplace.
Unfortunately, the true value of policy is rarely ever realized. The most common roadblock is a lack of awareness of policies throughout the organization. Beyond executives and the original authors, operational knowledge of policies and procedures is rarely uniform throughout the organization.
To be fair, some areas of policy are effectively communicated. Policies that are easy to understand, don’t change frequently and are similar between organizations are found to have more wide-spread acceptance and understanding. Examples would include T&E Expense policies, purchasing procedures, vacation policies and physical security requirements.
Much of the success of these policy areas can be attributed to their general familiarity and the fact that they are normally managed by departments, such as HR, that have many years of experience with policy awareness.
However, the recent surge in regulations worldwide and the high speed of business change in general has put added pressures on all areas of an organization. These pressures have put a new emphasis on documented policies and the need for an effective policy awareness program.
Historically, organizational policies were non-existent or informal. As companies grew and matured, the need to formally document policies increased. Next came the need to prove an employee’s acknowledgement of the policy. The most common examples were those policies that were delivered as part of the hiring process, signed by the employee and placed in their file.
Now companies are realizing that the “sign and file” method of policy communication is no longer adequate. Some of this realization just comes from good business practices, but new regulations and added focus on previous regulations are driving much of the need. So if you are questioning the need to revamp your policy awareness program, the simple fact is that you are likely subject to a regulation that requires it.
Sarbanes-Oxley, PCI/DSS, AML/BSA, SAS-70, IT standards such as Cobit and ISO, and most other regulations and standards specifically call out the need for documented and communicated policies and procedures.
So why are the old methods no longer adequate? There are many reasons for this, but the primary two are provability and scope. In order to satisfy the requirements of many regulations, you must be able to prove that your awareness program is effective. This goes way beyond showing a regulator that each of your employees signed the employee handbook when they were hired. You must be able to demonstrate that you made every effort to ensure that they did indeed read the policies, but also that they understood them. This doesn’t mean that you need to hold day long training sessions, but you must take some steps to verify that the employee have a reasonable comprehension of what they have received.
Scope is definitely the most challenging aspect of policy communication. Your employee policies are now dealing with regulations and business requirements that are changing much more frequently than in the past and because of those regulations there are bound to be more policies to communicate. Some of the policies that they signed when they were hired are likely outdated within a few months.
Compounding the scope challenge is the fact that many regulations require that you repeat the awareness process on a regular basis. Often referred to as “re-certification”, it simple means that you have to re-distribute policies and obtain acknowledgement from each employee, even if the policy does not change. So for example, rather than just having employees read and sign your corporate Code of Ethics policy when they are hired, you now have to repeat the process annual for each of your employees. Most organizations today just aren’t prepared to handle that added workload.
It is not all bad news. By now you should understand that an effective policy awareness program is a requirement, but there are some benefits as well.
Complying with regulations is obviously the primary goal, but it is also true than having an effective and documented awareness program can help the audit process as well. Whether you are dealing with regulators, external auditors or internal personnel, once they know that your employees are well informed, the audit process can focus on other areas, speeding the process and reducing cost.
In the event that you do have a problem, those companies that have effective program in place are better positioned to discover the cause (i.e. was it an employee not doing their job or was the policy or control not adequate?), and more importantly the potential consequences can be greatly reduced. In fact, the U.S. Sentencing Commission has stated that fines and penalties can be reduced up to 95% for companies with an effective program in place.
Lastly, communicating your policies to employees is just good business. As discussed earlier, not educating employees on company policies is lost opportunity and a recipe for disaster. In 2005 the consulting firm Watson Wyatt did a survey on Communication ROI and found that “companies that communicate effectively with their workers financially outperform those that do not”. They found that the companies with the best programs in place returned 57% more to their shareholders than those that did not.
In part two of this series, we will detail three key components that should be part of any employee awareness program.