Part Two - Keys to an Effective Employee Awareness Program
Sunday, February 25, 2007
Implementing a Program – 5 Keys to Success
Now that you understand the reasons and benefits of an effective policy awareness program, this section will provide some suggestions to help you implement a quality program. Each of the recommendations below can be implemented with or without automation. The question of whether technology automation is required will depend on your organization, its size, and the number of policies, but given the scope of regulatory issues, more companies will likely need some level of automation to deal with the challenge.
1. Write clear and focused policies
It sounds obvious, but this is a frequently broken rule. If you don’t start your employee awareness program with policies that the average employee can understand, then you have little chance of success. More often than not, the culprit is one of two things. Some policies have been in existence for a long time, and over that time they tend to be updated to handle every exception and close every loophole. Eventually they end up sounding like legal contracts and not something the average employee will take the time to understand.
Another common cause is trying to directly address regulatory requirements. In an attempt to incorporate regulatory requirements into their policies, many companies end up quoting and referencing the regulations themselves. This is more information than is typically needed, and these requirements are written in a way that most employees won’t easily grasp. The key here is to resist the temptation to copy text from the regulations or standards directly. Instead, interpret the requirements and write them in a manner that is appropriate for your audience. Most employees do not care, nor should they in most cases, which regulations a policy addresses. They are only concerned with what they need to do in order to complete their jobs appropriately.
Policy length is another common problem for many organizations. Employees are not going to wade through 250 pages of text to find what they are looking for. As a result, they will just wing it or ask a co-worker what to do, with unpredictable consequences. Instead, break your policies up into smaller pieces, ideally 5-10 pages, and target them to only the employees who need to be aware of each piece.
Don’t just post policies on a file server or intranet, or email them and hope that people are reading them. Instead, you must require the employee to formally acknowledge that they have read, understand and accept the requirements of the policy. This can be done via manual signature, email response, electronic signature or some other means, but proving that the employee has acknowledged and accepted a policy is critical. This will give you a mechanism to track progress and make the employee accountable for their actions.
Regardless of the seriousness of a policy and the significance of accepting it, the reality is that many people will sign or accept a policy without actually reading it. This is the equivalent of installing software and accepting a license agreement without a glance at the content of the agreement. It may be legally binding, but it does nothing to ensure that employees are aware of the requirements.
To combat that problem, it is important to also test the employees on their comprehension of the policy. Tests can be very simple or extremely complex, depending on the need, but the end goal is to gain a reasonable assurance that they did indeed read the policy and understand the content. In most cases just the knowledge that there will be a test is enough incentive to make them carefully read the policy.
Measuring the progress of your awareness program is critical for a couple of reasons. First, without accurate and timely data, you have no way to evaluate the effectiveness of your program. Are people accepting policies and passing quizzes? Who are the problem employees? Is there a policy quiz that has a high failure rate (possibly indicating unclear policy or poor quiz questions)? Do some policies need additional work, such as a training program?
Secondly, data is important for provability on many levels. Can I prove that an individual has accepted specific policies (such as in the case of a specific violation)? Can I prove to the CEO that I managed the policy awareness program and people are responding appropriately? As the CCO, can I prove to regulators that I have an effective awareness program in place?
The complexity of this data will depend on your business, the program implementation and what level of automation you employ, but even the most basic metrics are important to answer the question of “How are we doing?” Even if your program is extremely effective, it won’t mean a thing if you can’t prove it to yourself or to external parties.
In part three of this series, we will detail the final two components.
