Policy Transformation: the Good, the Bad, and the Ugly


Post By: Andrea Falcione, JD, CCEP
Principal & Head of Advisory Services
Rethink Compliance LLC

I’d like to take this opportunity to ask all Compliance & Ethics professionals to think about your organizations’ policies for a moment.

That’s right. Close your eyes. Take a deep breath and think about your policy universe. Breathe in. Breathe out. Slooooow, deeeeeep breaths. Now open your eyes. Do you feel calm, cool, and collected? Or, are you more stressed now than you’ve been since this nutty, global pandemic started?? If I had to take a wild stab in the dark, it’s closer to the latter for most of you — and with good reason.

Most organizations — public, private, government, and non-profit — have an absolute mess on their hands when it comes to policies. There are too many of them. They are inconsistent, in form and in substance. They are incomprehensible and impossible to find. And — news flash! — nobody reads them.

It’s time to make sense of that mess. And, honestly, it’s not that hard. It’s not easy, mind you. But it’s doable — and most certainly worth doing. If you’re ready to take that journey, here are a few thoughts, tips, and ideas to consider:

  1. Leverage other initiatives: Build a case for policy revitalization by leveraging your other compliance initiatives! Often, there’s more of an appetite to update — indeed, even to transform — the Code of Conduct at an organization. If a Code rewrite and redesign is in your company’s future, use it as a jumping off point to assess your compliance-related policies. Do a desktop review for consistency, length, readability, topical coverage, number of policies, and — most importantly — use. Add policy-related questions to your annual employee survey to determine employees’ opinions about ease of use, accessibility, readability, and utility. If you have data analytics capabilities, analyze employee use by tracking policy hits and time spent in your policies. Cross reference policy use with other compliance program data, including your hotline and training data.
  2. Develop a plan: A policy improvement project is not for the timid and will not be a small undertaking. Recognize that reality up front and approach policy transformation methodically. Create a detailed plan to guide you along the way. Craft your policy assessment criteria up front, execute on a structure and inventory gap analysis, and make remediation recommendations — all of which will factor into your overall policy transformation plan. In all likelihood, your plan will involve:
    ➝ retaining some policies as is,
    ➝ retiring some policies altogether,
    ➝ retaining but updating a variety of policies,
    ➝ combining certain policies, and
    ➝ removing certain policies, but retaining them as procedures.
    I know it feels daunting just reading that, but it’s achievable — I promise.
  3. Be realistic: Know that this will not be a short process. Depending on your number of policies, the complexity of your organization, and how many cooks you will be forced to let into the kitchen, a robust policy transformation initiative will take anywhere from nine to 18 months. Be prepared to be in it for the long haul, and don’t let anyone fool you into thinking it will take less time. I’ve led many of these projects — and those are just the facts. Build in efficiencies where you can, but give yourself room to flex. There will be delays that neither you — nor your vendor partner, if you choose to work with one — can control.
  4. Understand your stakeholders’ needs: Recognize that this is an educational opportunity and that your stakeholders will need time to absorb the changes that will be afoot. Like it or not, there will be power dynamics at play. Eliminating policies will feel like you’re eliminating certain people’s power. And updating policies can be even worse if your policy owners are not open to constructive feedback! In the long run, cleaning up your organization’s policy mess will make your stakeholders’ lives easier. And, I’m talking about all of your stakeholders — from policy owners to the people who have to enforce policies to senior leadership to the broader staff at your organization. With fewer, more comprehensible policies come increased efficiencies. That may be hard to articulate up front, but it is the outcome — no matter how hard it may be to envision at the outset.
  5. Seek feedback: This seems so obvious, but so many organizations don’t do it. User feedback is important — both during and after the policy transformation process. Engage users every step of the way. In particular, remember that, without a feedback prompt, users really won’t pay attention to policy changes until they are affected by them. So, ASK! And ask for specifics: Is the nomenclature easier to follow? Are you able to better or more easily write effective procedures to the policies? Are the policies easier to find?
  6. Find a good policy management tool: Time for me to express my frustration with GRC technology providers: a policy management tool that cannot also be used as an enterprise-wide policy repository is useless to the compliance department. Period. To all the policy management technology vendors out there: seek market feedback and change your features, functionality, and pricing models to actually meet the needs of your customers — and not just your balance sheets. Ok, back to you, dear readers: without a workable policy repository, your life — and your stakeholders’ lives — become much more difficult. Your policy portal has to be universally accessible by ALL — not just by policy owners and auditors — and it’s got to be searchable. A lot of organizations try to retrofit tools like SharePoint for this purpose, but it’s nearly impossible to appropriately manage policies — or your business — that way.

So, there you have it. Those are my tips. Now, go out and conquer that mountain of policies! Your organizations will be better off. And, more importantly, your colleagues will be relieved. Heck, they might even thank you!!

About the Author: Andrea Falcione is a Principal of, and Head of Advisory Services at, Rethink Compliance. She has 25 years of legal and compliance experience in a number of different capacities. Most recently, Andrea served as Managing Director and Compliance & Ethics Solutions leader at PwC. She has provided governance, risk and compliance consulting services to leading organizations since 2004. Andrea services clients on a cross-sector basis, regularly assisting in the design, development, implementation and assessment of corporate compliance and ethics programs.

