Meeting at the Intersection of Policy and Compliance

If you’ve spent any amount of time with your compliance unit, you know about the seven elements of an effective compliance program. These are the foundation pieces that frame compliance at our institutions. The first element speaks directly to the establishment of policies and procedures. It’s not good enough to just have policies and procedures, however. There’s more to this element, namely, policies must be:

• clearly written,
• relevant and current,
• specific to job functions within the organization,
• reviewed on a regular basis, and
• readily available.

This is why your role at your institution fits so well with addressing this element.

Clearly Written

This is a bit subjective since everyone has different experiences. Using the word “debit’ in an accounting policy may not resonate with individuals who don’t often use this word. The good news is that it’s also not likely that the policy would apply to them.

Here are some questions to ask yourself or group:

• Are there words or phrases that are not allowed in your administrative policies?At the University of Minnesota, ‘shall’ was only used in our Board of Regents policies.Administrative policies used ‘must’, ‘are responsible for’, ‘are prohibited from’, etc. to make it clearer to the reader.
• Do you require that acronyms only be used in policies once the full term has been spelled out the first time it was used? Are acronyms then used consistently throughout the policy?
• Are there sentences that are too long?How might they be broken up into smaller chunks of information to be more easily absorbed?
• Are there terms that are not commonly understood?
• Are the sections of the policy in the correct order (e.g., initiation to termination)?
• Do you use bullets to make points vs. wordy sentences, when appropriate?
• Do you have someone with editing skills who is part of the review process?
• Do you have institutional mechanisms to create usability tests?

The most important question, however, is this: have you asked your stakeholders? This may not be a small investment in time but if the policy is not understood, it’s hard to know if the individual will be able to comply with the requirements.

Relevant and Current

This is typically the role of the policy owner, but you as the policy administrator can send out routine reminders to review the information and let your office know if changes are needed.

• Are policy owners encouraged/required to regularly review their content to ensure that the content is current?
• Is the policy still needed? If so, why?This is a hard one because there is ownership, and it can be hard for the owner to ‘let go’ of a policy.
• Does your office help watch for changes in related policies (e.g., Board of Regents or governing laws and regulations) so that the policies may be updated?
• Do any new laws trigger the need for a new policy?

Specific to Job Functions within the Organization

Most of the work here likely resides with managers who should ensure that their staff know which policies apply to them. I use the word ‘should’ but it often doesn’t happen, especially if there are a lot of policies in your policy library. Helping the policy owners make it clear as to which audience is impacted by the policy could fit well with your role as policy administrator.

• Does the policy scope or equivalent state the individuals/groups for whom the policy requirements apply?
• Are there definitions in the policy that might further elaborate the roles that are impacted?
• Do you have groupings by high-level functions (research, teaching, outreach, human resources) that might help guide employees to the right sections?

Reviewed Regularly

If a policy needs to be ‘dusted off’ before viewed, it’s likely been too long since an actual review was conducted. There are also flavors of reviews. A simple review might be one that merely confirms that the content is still current. This is the most passive of reviews and it does allow policy owners to take the easy way of just saying ‘yes’.

A more comprehensive approach to regular reviews will net you significant benefits:

• Are there policies that can be combined because the topics are so closely related?
• Are there policies that should be retired?
• Would existing policies benefit from a partial or full re-write to improve readability, etc.?

Readily Available

If part of your responsibilities includes managing the website and the policy library, the onus for this part of the element is all yours. It’s a bit more complicated for you if you depend on technical resources not under your control to accomplish updates and more.

• Is your website and content available 24/7?
• Are downtimes announced?
• Are stakeholders able to view policies on a version specifically for mobile devices?
• Are you able to promote new and significantly revised policies on your home page to help stakeholders stay up with the most current of information?

Institutions care about being compliant and the important work you do is essentially to helping fulfill this element.

Can a policy management system track as well as I can?

The views expressed in this post are solely those of the author and do not represent the views of ACUPA or Purdue University.

I track a fair amount of data with each of the policies in the Purdue University policy library. Currently, I use Excel to manually track all my data. Even to me, this seems a bit archaic with the variety of policy management systems out there. I have looked at a couple vendors, but have stopped short of pursuing a contract because I am afraid I won’t be able to capture all my data.

Some data are pretty standard, such as the date of issue, the responsible executive, the responsible office, and the volume and chapter (see my post from October 2020 on Organizing a Policy Catalog to learn more about the last two). It’s easy to designate a field that captures these data. It is also easy to track the date a policy was last revised. Even systems that are not designed exclusively for policy management can track version dates.

Where I run into trouble is finding a way to automatically track the last date a policy was reviewed. Policies get revised all the time. Titles, phone numbers, and email addresses change frequently, which require an update to the affected policy, and thus, a new version date. Most of the time, however, these small administrative updates do not coincide with a comprehensive review of the policy. If I were to use the version date to determine when a policy is due for review, I would likely have a lot of policies that never get reviewed because the version date never falls outside the review period (which, at Purdue, is every five years).

I also get tripped up when a policy supersedes another policy. This can happen for a number of reasons, such as the title of the policy changing, two policies being combined into one or vice versa, old memos being updated into policies, etc. With my Excel spreadsheet, I am able to track a current policy all the way back to its origin, even if that is a memo from 1952. I can tell you the name and number of the policy or memo that addressed a given subject on a given date, and I can find a copy of that document in our e-archives. I have not had to track anything back to 1952, but I have had instances when our legal counsel needed all the versions of a policy going back several years. I just don’t see how a system could track this kind of serpentine information.

Last, but not least, we allow for interim policies. This means a policy can go into effect without having gone through all the required steps. The policy owner then has six months to finish all the steps and finalize the policy, or request an extension of the interim status. I mark policies as interim and track the six-month deadline in Excel. It seems to me that I would have to continue to track this sort of thing manually even if I had a policy management system.

Maybe I am making things too complicated. Maybe I need to let something go. What do you think?