Rethink your policy management system to strengthen your compliance program

By J. Veronica Xu, Esq., CHC, CHPC, CCEP

J. Veronica Xu (veronica.xu@saberhealth.com) is the Chief Compliance Officer for Saber Healthcare Group headquartered in Cleveland, Ohio, USA.

“Mom, help! Where can I find the weekly schedule online?” “Mom, the portal doesn’t work.” “Mom, what’s the difference between a ‘private source’ and a ‘secondary source?’”

These are the questions I have been recently asked by my 10-year-old who is acclimating to doing schoolwork online, and I am sure this resonates with many parents facing similar pleas for help on a daily basis. As the nation is combating COVID-19, numerous schools have adjusted their teaching mode and moved everything online. As a result, parents or guardians have inevitably become teachers’ assistants and technical support for their young children grappling with virtual learning.

Since the beginning of the pandemic, many things have changed in our lives, welcomed or not. Compliance’s work is no exception. My son’s questions prompted me to ponder: Do our employees know where to find policies and obtain information? Can our employees easily access our policy system when working remotely? Do they understand the content of the policies? Is our policy system ready for all the changes and challenges that the pandemic has brought forth?

Policies are an essential part of a compliance program. They are—by their inherent nature—meant to help guide employees in dealing with issues encountered in business operations to enhance safety, ensure quality, and reduce the number of incidents and violations of laws and regulations. In my opinion, as an integral component of a compliance program, policies are a triangular framework that consists of three basic elements: (1) a policy management and review process, (2) a policy library and database system, and (3) policy training and education (Figure 1). All three elements are closely correlated and ultimately affect the overall success of your policy implementation and level of compliance.

Figure 1: The three elements of a compliance policy system

This article is intended to share some practical tips to help you and your team improve, communicate, and use your policy system as part of your effort to strengthen your compliance program.

Element 1: Policy management and review process

First and foremost, a company must have policies. Governmental guidelines[1] and regulations have long established and highlighted the importance of policies and written standards for companies. As the very first element of a compliance program, policies play instrumental roles in structuring a company’s business practices and ethical framework. In fact, they are the foundation of a company’s operations, from employee attendance and anti-discrimination to personal protective equipment, donning and doffing procedures, and workplace safety. Here are some key factors to be considered in a policy management and review process.

Development of policies

  • Inventory and assessment of needs: Know what you have and need. Create an inventory of the company’s policies, and make a list of policies that are mandated by regulatory requirements and are significant to your company’s operations. Institute the policies that are must-haves and retire those that are outdated or no longer pertinent. Avoid having a policy for everything because it is impractical and often causes an undue burden on the company to devote resources to maintain them.

  • Collaboration: Know who the subject matter expert is. To effectively engage people and track progress, the compliance team can work with designated personnel (e.g., a policy director) or launch a task force consisting of representatives from key departments. Depending on the size of the company, you may consider forming a policy committee with clear delineation of duties.

  • Content: Know what is in your policies. The devil is in the details, so the content of policies must be assessed to ensure its applicability, accuracy, and consistency with regulatory requirements and business needs. For instance, temperature taking and employee testing are now the mandatory safety measures in many industries, and thus should be reflected in the respective policies. Moreover, it is equally important to use concise language and keep the message brief. Policies are meant to provide guidance to employees in an effective manner rather than testing employees’ academic levels or knowledge base. Therefore, simple and clear verbiage is preferred. It is not uncommon that companies hire lawyers to write their policies, but not all the readers can comprehend legal jargon like “prima facie” and “malfeasance.” Also, avoid using abbreviations and acronyms, since not all employees, especially new hires, are familiar with the defined terms used among team members.

  • Format: Know what your policies look like. Standardize the form and keep the format consistent to make it understandable. Policies should be published in a searchable format for easy reference. Policies are not marketing materials, although they can be. Rather, they address and identify risks; they are used as practical guides for employees who need an answer or solution to a situation. Simplicity is the key. The pragmatic value always outweighs a fancy format.

Review and management

Policy management plays a fundamental role in the long-term success of the company’s business practices. Whether your organization uses spreadsheets, paper, or other basic methods, it is imperative that there is a process in place. It requires continuous attention, cross-functional collaboration, and a sustainable approach that focuses on departmental contribution, buy-in, and teamwork. It takes an integrated approach to achieve the end goal. With diligent review and continual assessment, policies and management thereof can be enhanced, thus making compliance more dynamic, effective, vigorous, and engaging.

Develop an overarching framework. Mapping out the process and schedule—including categorizing policies and specifying the subject matter experts who will be responsible for reviewing their respective policies, due dates, and/or the policy review frequency—can be helpful for the compliance team to oversee and track progress. Regardless of whether your company uses a software program to conduct policy reviews, creating a review schedule can be beneficial, as it summarizes and highlights the major focus areas. It can be a simple table with particular policies in each month or quarter sorted by department or policy category (Table 1).

Table 1: Example of a table for managing policy review schedules.

Category*

Department

Responsible party

(Name)

Due date/Annual review date

Workplace safety

Risk Management

Last name, first name

January 10th

Anti-discrimination, anti-harassment, and anti-retaliation

Human Resources

Last name, first name

February 10th

Conflict of interest and vendor relations

Purchasing and Procurement

Last name, first name

March 10th

* If the number of policies is limited, then each policy can be listed in the table above. However, if the number exceeds a certain limit (e.g., 500 policies or more), it may be infeasible to list every single policy in a table. Instead, categorizing them will be more efficient. On the departmental level, each team can itemize all of their specific policies in their own documents. Unfortunately, policy review and management is that type of necessary ritual that is hard to maintain but easy to break. Creating a policy review schedule can help the policy owners internalize the process and truly make it a habit (Table 2).

Table 2. Example of a department-specific table for managing policy review schedules.

Policy name

(Compliance policy)

Responsible party

(Name)

Month of review

Code of conduct

Last name, first name

January

Hotline policy

Last name, first name

February

HIPAA privacy policy

Last name, first name

March

Lastly, people tend to stop noticing things when they see them all the time, including policy reviews. To bring in new ideas and attain insightful input, try inviting a different person to read the policies. With a fresh set of eyes and different perspectives, you may receive an unexpected harvest. Also, inviting members of the workforce who are directly affected by the policies to participate in the review process and seeking their constructive feedback will be another way to assess and validate the clarity, intelligibility, and practicality of the policies.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings