Compliance Policies, Procedures, and Codes of Conduct

By Sarah Elizabeth Campbell^[1] ; Steven Ortquist^[2] ; Greg Radinsky,^[3] JD, MBA, CHC, CCEP; Alexandre C. Serpa,^[4] CCEP, CFE, CPC-A; Caroline K. McMichen,^[5] CCEP, CIA; Scott Robinson,^[6] CFE, CHC, CPA; Vickie L. McCormick^[7] ; and Dawn Ward,^[8] MBA, CIA, CISA, CRMA, CFE

One of the core elements of a compliance program is having policies and procedures that promote the organization’s commitment to compliance and address specific areas of risk. Compliance guidance documents from the Office of Inspector General (OIG) state that the development and distribution of written standards of conduct in addition to written policies and procedures should be created and address specific risk areas of potential misconduct.^[9] In developing such standards, policies, and procedures, the compliance officer should seek input from applicable business departments and individuals impacted by the policy in addition to any internal compliance committees, senior leaders, and the board of directors as appropriate.

Policy vs. Procedure

Organizations often use the term “policy” fairly loosely. Sometimes a “policy” may actually be more of a list of procedures an employee must follow to accomplish something, rather than a position statement about the company’s view on a particular topic. Organizations may create a meta-policy to define the criteria for what constitutes a policy vs. a procedure or work instruction. This meta-policy defines terms such as policy, procedure, work instructions, policy owner, subject matter expert, and approver. Sample term definitions may include:

Policy: A written document or statement reflecting standards or rules that regulate or guide organizational action and employee conduct. Global policies generally apply to the entire organization and will outline who has specific authority or assigned accountability and what actions are required in specific situations.
Procedure: The process followed to comply with a policy. A procedural document describes the specific steps necessary to complete a particular process intended to implement and/or support a policy. Procedures include rule-based information and can vary between functions and business units.
Work Instructions: These are step-by-step instructions, including information and equipment needed to complete a specific task.
Approver: The person or department whose approval is required to implement the policy.
Policy Owner: The individual or department responsible for the content and administration of the policy.
Subject Matter Expert: A person who has a deep understanding of the topic or process.

The meta-policy also typically explains the process that must be followed for developing, approving, implementing, and maintaining the company’s policies and procedures. Depending upon applicable regulatory requirements, an organization will want to set up a time period to periodically review its policies and procedures, such as every year or two. Defining the governance process is an important step toward ensuring a consistent approach to company policies.

In some cases, an organization may want to bring awareness to a regulatory area and provide guidance to its workforce. While organizations may differ in their approach, a policy typically includes rules that should be enforced. If an organization wants to provide guidelines that are not mandatory, it may prefer to issue a guidance document such as a “Question and Answer,” an email guidance notification, or some other communication document to bring awareness to recommendations in addressing a regulatory situation. Organizations should avoid implementing policies they cannot adhere to or are not willing to enforce.

Code of Conduct

After a risk assessment is conducted, and before any other activity or pillar is put in place, the next step is usually drafting policies and procedures. The code of conduct is the first document created. It is an industry standard for an organization to have a code of conduct that sets forth an organization’s commitment to compliance. The code of conduct will also focus on the organization’s commitment to comply with applicable federal and state laws, including laws related to fraud and abuse. A code of conduct allows the organization to have a central overview or summary document that serves to guide all other efforts in the design and operationalization of the compliance program. It doesn’t require too much detailing of each relevant topic, allowing the organization to set out the most relevant principles to be followed by employees before trying to detail every single policy and procedure that make up a compliance program.

Why have a code of conduct? A good code of conduct can be a powerful tool for an organization. It is a way for a company to tell employees about the company’s requirements and expectations. The code can also be the employees’ primary resource concerning:

Conduct that is or is not acceptable
How to decide what to do when there is not a rule that applies
What to do if they have a question
Who to tell if they suspect misconduct

The code can also encourage and empower employees. Employees may be more loyal to employers they believe are ethical. Such employees may also be less likely to engage in misconduct that can get the company into trouble or conduct that hurts the company, such as employee theft. Finally, employees who have been given guidance and tools that help them make compliant and ethical business decisions may feel more empowered to do so—and they may be more likely to do what is right.

Writing a Code of Conduct

An organization’s code of conduct should be drafted based on the organization’s needs, culture, and current times; it also should be unique to the organization. Otherwise, the code of conduct will not serve its purpose of being a useful guiding document for the organization’s employees.

Drafting an adequate code of conduct from scratch is not an easy task, but neither is it too complex. It should be approached as a multipart and finite task. Here are things to consider when writing a code of conduct.

Include a statement of values: In a rules-and-values-based program, the code should contain a statement of the values that employees can use to interpret how the rules should apply and determine what to do in the absence of a rule. Explicitly address management’s position that, although it is important for the company to be vigorously competitive and successful, it must do so using compliant and ethical business practices. Consequently, the “sale at any cost” approach is not acceptable. This can be a difficult message for employees to believe, so they need to see it backed up by management’s conduct.

Additional tips include:

Do not include a statement of values if it is not an honest reflection of the company’s culture and management. A statement of values that is broadly perceived as untruthful may be worse than no statement at all.
Align the statement of values with any other values and mission statements the organization has adopted. Explain how to handle situations that are not addressed by a rule.
Identify ways that employees can figure out the right thing to do, e.g., the newspaper test—would employees want to read about their conduct in the newspaper?

Choose media type and layout: There is no rule or legal requirement stating that a code of conduct needs to be in text or video format. No rules exist about having the code as a document hosted in a network folder or as an interactive, three-dimensional shape that can be rotated, zoomed in and out, clicked on, and moved around. Therefore, feel free to decide which format and media type will have the most impact, will be most useful, and will best engage the organization’s employees. More organizations have begun to modify their codes of conduct to make them interactive and include video content to further educate and train applicable individuals. Of course, there is always the matter of resources, which may limit options.

Make the format user-friendly and look attractive, with a well-organized layout that has plenty of white space. Employees are turned off by codes that look and read like legal documents. The code will not have the desired impact if employees do not read it because of its format. Ask a graphic designer to help with the layout and format. If a graphic designer is not available, use word art and graphic features available in Microsoft Word. Even if just the spacing and font type and size change, it will look better than a long narrative in regular font.

Design Tips

Use the talent you have in the organization. Your marketing and communications departments are experts at taking complicated information and communicating it in an easy-to-understand and appealing manner.
Use the compliance program’s brand to help “sell” the code to employees.
Try different formats within the document to move the reader’s eye.
Have plenty of white space, even if it adds a couple of pages to the length.
Use headers and titles for new topics.
Change font size, colors, and formatting.
Do not use the usual business document font.
Use bulleted and numbered lists.
Periodically change the format, so that some information is in full-width narrative and some in columns or tables.
Call out important information in some way to get readers’ attention. For example, use sidebars to provide illustrations or other information.
Incorporate graphics—even if it is just clipart.

Determine length: Again, there are no rules related to the length of a code of conduct. Think about what you want to achieve with the document. Do you want it to be a quick guide about your organization’s principles (short document) or do you want it to be comprehensive guidance on each relevant topic (long document)? Shorter codes tend to be easier to remember, are cheaper to print, allow for more flexibility in terms of format and platform, and will probably be more useful to colleagues.

Think about readability: The code of conduct should be written at an appropriate reading level and translated into other languages as appropriate. Aim for a readability level of 7th to 8th grade. Many codes have a post-graduate reading level. This can happen when codes are written by lawyers and are very legalistic in their tone and language. Use plain, direct language and uncomplicated syntax.

Readability Tips

Use an active voice rather than passive voice. Turn on “check grammar” in Word to help you. Go to Tools/Spelling and Grammar/.
Avoid repeated long references. Instead of using “Directors, officers, employees and contractors” repeatedly, use “you” or “staff” or “everyone.” This will make it a more personal and friendly document and lower your readability score.
Keep sentences to 14 words or less and paragraphs to no more than five lines. Use one- and two-syllable words.
Use the right word rather than the long word.
Be concise, using as few words as possible.
Avoid assumptions—define acronyms—and avoid jargon.
Check the readability statistics in Word. Choose the option to “show readability statistics” by going to Tools/Spelling and Grammar/Options. With this feature on, you can check the grade level of the text.

Think about tone: Use a consultative and helpful tone—not a series of threatening phrases, such as “thou shalt” and “thou shalt not.” Convey that the company wants to be successful, while also being compliant and ethical. Make the employee feel guided, not threatened. Additional tips include:

Use pronouns and other “friendlier” terms when referring to employees.
Use “us,” “we,” “our,” instead of “the company”—this promotes a sense of being in it together, rather than an “us vs. them” mentality.
Talk about how everyone can be successful and feel good about working for the company, not just how to avoid problems and legal violations.

Involve others: Involve a variety of people from different departments when writing the code. Select them from as many locations as possible and be mindful of including people from different cultural backgrounds. The compliance officer will still remain accountable for the final product but should not be the sole person responsible for its content. Involving more people will result in a code that is useful to all colleagues in your organization. It will also be seen as a group achievement and not just something that was created by the compliance folks.

Get feedback and revise: Keep in mind that this is an iterative process. Plan to review and discuss drafts of the code as frequently as possible with the organization’s top management. A useful code takes time to be completed. Don’t expect to have a code of conduct ready in a month. Plan to complete the code according to the size and complexity of the organization. The more complex the organization, the longer it will take to ensure that enough people, departments, and locations are involved and that adjustments are discussed and agreed upon. Host workshops, do online voting, run a competition, or use other creative ideas to both engage the organization and ensure the final content is relevant.

Content to Include

Don’t copy another organization’s code but do try reading various existing codes from different companies to understand the interesting and useful components of a code of conduct. A number of standard components are usually included in codes of conduct. Choose ones to include in your organization’s code. The most common and basic components are:

Letter from the CEO (or top executive): This should emphasize the organization’s commitment to its compliance program, urge all employees to be active agents in the organization’s journey to be compliant, include a call to action, and have a good example of what the company expects from its employees.

Organization’s values: Consider adding the organization’s mission and vision statement here, including how they relate to the code of conduct.

Definition of the code, including its purposes and objectives: This section will outline that the code of conduct serves as a reference document, where employees will get an overview of the organization’s compliance program and how to approach relevant risks. It should not provide all the answers to every question employees might have, but it should tell them how to find answers.

Questions and answers and/or scenario-based examples of relevant situations: Try to include tangible examples of good compliance practices or cases that may have occurred in the past, either from one of the founders or one of the employees of the organization. These could be spread throughout the document or concentrated in a separate section of the code.

Details on reporting misconduct: Given the relevance of this pillar of compliance programs, one section in codes of conduct is usually dedicated to providing details about how to report misconduct. Employees need to know that they are expected to notify the company if they think there is misconduct. They also need to know how to ask questions and report any concerns they have. Include answers to the following questions:

Whom do they contact?
Can they go to someone other than their boss?
Can they report a concern anonymously?
What will happen when they report a concern—what is the process?
Will anyone else know they reported a concern?
What if it is an employment issue?

You also want employees to believe the company takes their reports of possible misconduct seriously and that it will stop any misconduct. Placing this information after the statement of values and before the description of risks tells employees that the company wants to know about problems and fix them.

Information about Reporting—Tips

Employees are nervous about reporting problems—make them feel comfortable and secure in doing so.
Explain what an employee can expect when he or she reports a concern. Answer all of the questions listed, as well as any others your employees may have.
Tell employees what they can expect to be told or not be told about investigation results. For example, tell them they will not be told about employment action that resulted from a report because of the other employee’s right of confidentiality.
Tell employees that there can be instances in which there is additional information they are not aware of that can result in a decision that something is not misconduct—and that you may not be able to share that other information with them.
Provide multiple alternatives for reporting a concern so that if they are uncomfortable with one option, they have others.
Explain how they can anonymously report concerns.
Let employees know that there are times when an anonymous caller’s identity may be known. For example, if an employee who has been working with Human Resources also makes an anonymous call to the hotline, the company may be able to identify the anonymous caller. Explain how the company will deal with that type of situation.
Tell employees that if they report something anonymously, additional information is sometimes required to complete an investigation and if the anonymous reporter does not provide the requested information, the case may have to be closed.
Let them know that there are some types of issues, such as many employee relations issues, that may not be able to be handled anonymously.

Non-retaliation promise: Because employees are afraid of retaliation if they report a problem, the code must assure them that the company has, and strictly enforces, a non-retaliation policy. Employees are very concerned and sensitive about what can happen to them if they report a problem—especially about something management is doing. They are even more concerned if their boss is involved. The promise should include a commitment to discipline anyone who retaliates against another employee. The non-retaliation promise is not very meaningful if there are no real consequences to the retaliator. For example, include in your disciplinary policy a provision for disciplinary action for anyone who retaliates against another employee. The code should also instruct employees what to do if they think they are a retaliation victim. Tell employees to immediately contact Human Resources and/or call the hotline. Remind them that this type of issue cannot be addressed on an anonymous basis.

Other resources: Usually this section links to several other resources, such as the policies repository or a directory of compliance personnel, to which colleagues may refer to when the information they are seeking can’t be found in the code.

Risk area topics: This should include the requirements and guidance around each risk area. From this point forward, we will be talking about how to develop the risk content of the code.

Sample Codes of Conduct

If a company posts its code on its website, it is often, but not always, available on the “Corporate Governance” page. Codes of conduct from other organizations, even if they are from different industries, can be helpful to decide on the type of code your organization wants to develop. The following companies’ codes of conduct are available online. They tend to be for larger companies. Even if you are a small organization, these codes can still provide ideas about what may or may not work for your organization.

Baxter Pharmaceutical: baxter.com/our-story/our-governance/code-conduct
Cleveland Clinic:my.clevelandclinic.org/-/scassets/files/org/about/for-employees/code-of-conduct.ashx?la=en
CVS: cvshealth.com/sites/default/files/cvs-health-code-of-conduct.pdf
Mayo Clinic:mayoclinic.org/about-mayo-clinic/governance/policies
Northwell Health: northwell.edu/sites/northwell.edu/files/2019-10/code-of-ethical-conduct.pdf
UnitedHealth Group: unitedhealthgroup.com/content/dam/UHG/PDF/About/UNH-Code-of-Conduct.pdf

Developing Risk Content

The code of conduct is expected to address key risk topics applicable to an organization.

Remember—do not make the code the sole source of information about the company’s policies. Complete policies should be available elsewhere—typically a company intranet site. Include summaries of the most important policies in the code. Organize and write the policy summaries so they are intuitive and easy for the reader to follow and understand. Do not summarize all of the company’s policies—only those that are highest-risk issues or applicable to most employees. Either omit or include only a very brief discussion about any policies that are low risk or applicable to only a limited number of employees.

Here’s how you can begin writing those summaries. Make a list of the highest risk topics/areas and use them as a starting point. This list should be in the form of very direct/short statements and put in a sequential order based on the risk rating identified during the risk assessment phase. The next step is to create one direct summary statement for each of the risks listed. This statement summarizes what the organization wants to achieve or believes is the correct way to approach the topic. With the summary statement ready and agreed to by the group in charge of the code’s creation, it is time to further develop the message. For each of the summary statements, you will create one introductory paragraph detailing what your organization wants to ensure or achieve.

Try to avoid the impulse to turn the code into a procedural document. Keep the code as an organization’s guiding principles to mitigating key compliance risk areas. Here are some additional policy content tips:

If length is an issue, refer to the location of the other policies and focus attention on the highest risk issues for your business.
Organize the policies so that the flow is logical and intuitive to the reader.
Provide examples of appropriate and inappropriate conduct that the employees can recognize.
If possible, explain why the policy is good for them.

Possible Risk Areas/Topics to Include

Business Practices

Accurate Coding and Billing Practices
Accreditation and Surveys
Preventing Anti-Kickback/Bribes
Credentialing
Cost Reports
Business Courtesies (Receiving and Giving Gifts, Gratuities, and Entertainment)
Charitable Contributions
Deficit Reduction Act of 2005—False Claims Acts
Emergency Treatment (EMTALA)
Environmental Protection
Fraud, Abuse, and Theft
Government Contracting
Government Interviews of Company Employees
Information Practices, Including Health Information Privacy (Confidentiality)
Protecting Shareholder Rights or Nonprofit Tax Exempt Status
Regulatory Compliance
Research
Sales Agents, Consultants, or Other Professional Services
Truth in Advertising, Marketing, and Sales
Using Agents, Representatives, Contractors, and Consultants

Company Property, Records, and Procurement

Accurate Books and Records
Procurement Practices
Protecting Company Information, Ideas, and Intellectual Property
Records Retention
Software Protection, Acquisition, and Distribution
Trademarks, Service Marks, Use of Company Names, and Endorsements

Competition

Antitrust
Competitor Relations and Disparagement

Compliance Program

Compliance Hotline and Resources
Reporting Possible Misconduct
Investigations and Corrective Actions
Responding to Potential Compliance Issues
Making Ethical Decisions
Response to Governmental Inquiries
List of Compliance-related Policies

Conflicts of Interest

Avoiding Conflicts of Interest
Honoraria
Insider Trading
Outside Directorships

Employment Practices and Employee Conduct(focused only on compliance-related issues)

Child Labor
Community Activity
Discrimination and Harassment
Drug-Free Workplace
Employee Privacy
Labor Relations
Non-retaliation and Non-intimidation

Global Business

Accounting
Anti-Boycott
Export/Import Control
Foreign Corrupt Practices Act
Global Data Protection Regulation
International Boycotts

Health, Safety, and Security

Contagious Diseases, Including Bloodborne Pathogens
Emergency Action
Fire Safety
First Aid
Hazard Communication Program
Injury Records
Safety Committee
Severe Weather Information Services
Systems Computer Information Security

Computer Equipment and Resource Use

Electronic Mail Security
Employee Termination Encryption
Equipment Change Control
Firewall Management
Individual Accountability
Information Security Awareness
New Employee Security Awareness
Password Control
Portable Computer Security
Remote Access
Unauthorized Software Virus Detection
Wireless Technology

Political and Community Activities

Community Support
Lobbying
Personal Community Activities
Political Activities

Property Rights of Others

Competitive Information
Patient Privacy

Public Communications and Relations

Crisis Communications
Disclosure of Information to the Public, the Media, and Analysts
Responsible Use of Social Media

Distribution and Certification

Once the code of conduct is finished, the compliance officer needs to make sure that employees have access to it—either through distribution of a paper copy and/or posting it on the organization’s intranet. If an organization has an intranet, consider posting the code there and include links to other related documents available on the intranet (i.e., the employee manual).

Regularly and repeatedly remind employees about the code. Do not do so just once a year during annual training. Consistently speak or write about the issues addressed in the code in newsletters, meetings, emails, and any other employee communication avenues available. It keeps the code a priority in employees’ minds and informs new employees who did not receive previous messages.

Decide whether or not to require employees to acknowledge or certify that they received, read, and understood the code. If requiring acknowledgments or certifications, consider alternatives to the typical paper chase. For example, consider a web-based acknowledgment or making certification part of the annual review processes. Whatever methodology you adopt, make sure it is manageable.

Also decide whether to post the code on the organization’s website. An increasing number of companies do so, probably because they believe it reflects a significant commitment by the organization.

Code Document Maintenance

Codes of Conduct should be periodically reviewed to update areas impacted by modified federal and state laws and regulations. Maintain versions of the code as it is revised and updated. Note when new versions are created and archive older versions. This information may be important if an organization is investigated or subject to an enforcement action. Fines and penalties can be reduced under the organizational sentencing guidelines if an effective compliance program was in place at the time of the misconduct. To prove an effective compliance program, a compliance officer needs to know what was in effect when the misconduct happened. Clearly identify the version of the code on the document. Although there should be some type of reference within the code that identifies the version, track more detailed information (such as when it became effective) in a separate log. If not maintaining a separate log, include the effective date in the document.

Developing and Implementing Policies and Procedures

The U.S. Federal Sentencing Guidelines state that an organization must “establish standards and procedures to prevent and detect criminal conduct” and “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program,” to all people in the company (employees, senior management and the board) and potentially outside agents or third parties who act on behalf of the company. In the context of discussions about active and effective compliance programs, standards and procedures generally include a code of conduct and other written policies and procedures a company uses to mitigate compliance risks, educate employees, and provide guidance. Together, these written documents provide a framework for consistent business practice across an organization and are the foundation of the ethics and compliance program. Note that not all subjects need to be set out in policies.

Policies and procedures each have a specific function:

Policies describe expectations; they are controls regulating organizational action and employee conduct. Policies outline specific authority or assigned accountability and the actions required in specific situations. Policies take a position; policies set rules.
Procedures describe the specific steps necessary to complete a particular process intended to implement and/or support a policy. Procedures include rule-based information and can vary between functions and business units.

Be careful when drafting your policy and procedure content to put it in the proper functional document. Consider whether your content rises to the level of a policy or if it is process-related and belongs in a procedure or protocol. Develop an organization-wide written standards matrix outlining the purpose of each document. Include documents with enforceable content such as policies and procedures as well as guidance documents. See the Resource: Sample Written Standards Matrix after this article.

Prosecutors in the Department of Justice (DOJ) are charged with evaluating a company’s compliance program in the context of certain investigations of corporate wrongdoing. In some cases, this evaluation is a required element of a DOJ investigation as prosecutors consider whether to make a decision to charge a corporation, or as they evaluate settlement options. In recent years the DOJ has developed and updated guidance to assist prosecutors “in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective.”^[10] Core to the evaluation process outlined for prosecutors in the DOJ Effectiveness Document is an evaluation of a corporation’s policies and procedures. The DOJ Effectiveness Document outlines several factors that prosecutors should consider:

As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.

Design: What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness: What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Accessibility: How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
Responsibility for Operational Integration: Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
Gatekeepers: What, if any, guidance and training has been provided to key gatekeepers in the control process (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?^[11]

Knowing what the DOJ may look for as it evaluates a compliance program provides a good roadmap for evaluating the policies, procedures, and related management processes that your organization is currently utilizing – and provides a good roadmap for achieving more effective management of this important compliance program element.

A good place to start an evaluation of what policies and procedures may be required for your organization’s compliance program, is a review of your company’s risk assessment. Identify the areas of significant compliance and ethics risk for your organization. Next, take an inventory of your organization's existing policies and procedures. Are there any gaps between the identified risks and risks that existing policies address? If so, consider adding or revising policy and procedure content. Some things to consider as you do this are:

Is this risk area adequately covered in your code of conduct?
Will an employee know how to comply with the principles outlined in the code of conduct?
Is this standard or expectation specifically required by a law or other commitment?
To whom will this standard or expectation apply?
What has been done in the past to provide direction to employees or resolve issues related to this risk area?
Will you be able to monitor and enforce the requirements, and is enforcement necessary to achieve company goals?
Is the investment required to properly develop, communicate, and enforce the requirements reasonable in relation to the benefits/risk mitigation obtained?
Are there other options, such as combining content with another document or creating support materials?
Rather than add a new policy, do you need to add additional training or education programs or additional training procedures for specific departments?
Is the creation of this policy consistent with the company’s culture?

Development and Management Process

Companies may take different approaches to policy and procedure development and management. Whether your process is centralized or decentralized, it is important to establish ownership and a clear and consistent process so people understand their roles and responsibilities.

In a centralized approach, policy and procedure development typically begins at the organization’s headquarters and follows this process:

The compliance team or a cross-functional committee identifies the need for a policy or procedure.
A draft is prepared and may be circulated to designated people with subject matter expertise in the business units for review.
The business units may submit feedback, including possible revisions to address differences in local law or practice.
A central team or committee generally has final approval responsibility and authority to adopt policies for the organization.

A centralized approach to policy development and management has the advantages of avoiding duplicate or conflicting policies and procedures, promoting consistency of practice across an organization, and ensuring that the organization’s overall values and culture are represented. A disadvantage may be that achieving a common approach may make it more difficult to provide specific local guidance on the application of policy requirements.

Some organizations utilize a more decentralized approach, in which policy and procedure development begin at the local or business unit level and follows a process that may include:

Local subject matter experts (SMEs) identify a need for a policy or procedure.
SMEs draft policy content that interprets and adapts the organization policy to local laws and practices.
A central team or committee may review the policies and procedures before final approval.

In some organizations, a centralized approach may be utilized for core compliance issues, and a more decentralized approach may be utilized to develop application guidelines for corporate policy requirements or to develop policies to address more localized issues of compliance. Whatever the approach, a clear process should be developed, and process owner identified. The process owner may be the compliance department, legal department, or a cross-functional committee. The responsibility of the process owner is to ensure that a formal process is developed and is consistently followed. The process should include steps such as:

Establishing criteria to determine what should be a policy, procedure, guidance, or other form
Maintaining a consistent naming convention for all policies in the policy library
Identifying the subject matter expert or content owner for each policy
Defining the process for development, review, and approval
Formatting policies into a standard template and posting updates to the centralized policy library
Planning for communication, training, and education
Identifying and maintaining a central document storage location that is easily accessible to employees and that ensures one “source of truth”
Establishing compliance criteria
Defining a process for ongoing maintenance, such as periodic review and revision
Encouraging cross-functional involvement in the policy-management program

This process may be manual or can be automated using a platform such as SharePoint or a commercial policy management system. These systems often include document tracking, workflow, and storage capabilities, along with automated alerts for revision and ongoing maintenance.

Centralized Repository

In addition to having a policy team, another important step is to find ways to streamline and centralize documentation of policy development, approval, and even acknowledgment and review of policy documents. For some organizations this can be as simple as creating an intranet page or an internal server folder where responsible personnel can easily access, review, and complete all necessary review and approval steps (and where documentation of completion can be maintained.)

The best practice for policy management is to house an organization’s policies and procedures in a common online repository, with organization-wide and department-specific policies all stored and managed according to the same policy management protocols. A centralized process for all policy and procedure documents makes the policy and procedure process easier to manage—from initiation of a new policy, to the policy development and approval process, to review and acknowledgment of policies by affected workforce members when the policy has been finalized and is effective.

Drafting Policy and Procedure Content

When drafting policy and procedure content, keep in mind the organization’s culture and work to ensure that the tone of policies and procedures is consistent with the tone and approach of other organizational communications. Policies and procedures should be comprehensive, consistent, and easily accessible and applicable to the target audience. Consider the following tips:

Use plain language; avoid legalese.
Be clear and concise.
Write in active voice.
Explain expectations for employees and workforce members.
Avoid gender-specific language.
Fully define acronyms and unfamiliar terms.
Use graphics or tables to organize content and to make it easier to read and locate important details.
Avoid overly long policy and procedure documents.
Use attachments for examples.
Consider creating separate policy and procedures documents.

Use a consistent format for your organization’s policies and procedures. A typical policy format includes the following elements:

Title: Give a short (10 words or less), descriptive name that will be meaningful to readers. Readers (and searchers) should be able to quickly identify the policy they are looking for by the title.
Scope: Describe who or what the policy covers—all employees or a subset, an enterprise-wide policy or applicable to only a specific business unit? Is the policy applicable to all physician compensation relationships or to all gifts from vendors?
Owner: State who is responsible for the policy content and administration.
Approver: State the individual or group who approved the policy; for example, the Compliance Committee, Chief Compliance Officer, or the Board of Directors.
Effective Date: State the date the policy becomes effective. Use an actual date and not a month, for example, use “01/01/2021” and not “01/21.”
Purpose: Provide a short statement explaining the policy’s objective. For example, the purpose of a policy on intellectual property may be “this policy safeguards the intellectual property assets of ABC Company and its subsidiaries.”
Policy Statement: Describe the company’s position and the standard of behavior it expects of its employees. In the policy statement or another section, include a statement as to the consequences for noncompliance.
Definitions: Explain the meaning of special terms and acronyms used in the policy.
References: Include references or links to other related documents or policies.
Amendments: Include the dates and purpose of any revisions.
Headers: Use a header with multipage numbering (Page # of ## Pages) format to help the reader keep track of common content elements.

A typical procedure format includes some, but not all, of the same elements as a policy format. Organizations should create consistent templates for other written standards documents such as frequently asked questions (FAQs), guidelines, and guidance memos. Templates help drafters provide consistent content. See the Resource:Sample Policy Template after this article.

Feedback, Review, and Approval Process

For most policies and procedures, it is crucial to gather feedback on the content during the drafting stage. Gathering feedback helps confirm that proposed processes will work, content is understood, and potential issues are identified before a document is approved and launched, thus enhancing the drafting process credibility. Imagine launching a policy without gathering feedback, only to find significant operational obstacles make the policy inoperable. Asking for feedback during the drafting process helps avoid these situations.

Don’t be afraid to gather feedback. Use the feedback process to strengthen your content and establish support for the subject matter. You could use a number of methods to gather feedback, including these ideas:

Identify a “review group” within the subject matter area who will review and comment on all content (policies, procedures, guidelines). This review group would represent a larger group and could be chosen via vote, self-selection (for example, the first five to respond), nomination, or some other method.
Send the draft content to employees with selected job titles or in positions in which they work with the topic.
Post the draft content on the company’s internal web page and ask for comments.

Regardless of the method you choose, include questions to help drafters identify issues. Ask reviewers questions such as:

Does the [policy, procedure] make sense?
Do you understand your role?
Does the [policy, procedure] conflict with your operational responsibilities?
Are there any operational barriers to your duties with the [policy, procedure]?

Give the reviewers a specific time period for providing the feedback. Ten days to two weeks is generally a reasonable time. Thank reviewers for their responses.

Once you have reviewed the feedback and updated the draft, move the draft through all required approval channels. Approval channels will vary based on the organization type and content subject matter. For example, the policies of a small, privately-owned home health agency will have a different approval process than the policies of a large, state-owned health system with hospitals that have achieved Magnet designation from the American Nurses Association. Generally, an organization should have a high-level group authorized by the organization’s governing body or executives to approve routine policies, with certain policies needing the governing body’s approval. The group should be multidisciplinary, with representatives from the organization’s business units. This approach allows greater support and ownership of policies. Unless the organization is very small, policy approval should not rest with one person. A single person is less likely to understand all the nuances of how the policy will affect the entire organization than a multidisciplinary group.

Carefully review the regulations and accreditation standards driving each policy to confirm that you request all pertinent approvals. Patient-care policies require medical staff approval, for example. Shared-governance models have their own approval requirements for policies. Create an approval plan for each policy.

The approval for other types of content—procedures, job aides, frequently asked questions, guidelines—may differ from the process for policies. By having a standardized approval matrix for all content as part of an organization-wide policy on how written standards are developed, you can identify the common approval requirements for routine content.

Policy Distribution and Implementation

There are many considerations when preparing for distribution. It is important to define the appropriate target audience to understand the scope of the distribution and any challenges that may exist.

Will you be rolling out the new policy to all employees or to a subset that will be affected by it?
Do you need to communicate the policy to any group outside the company?
Are there any local requirements, such as vetting with unions or works councils prior to implementation?
Will the delivery process be online or printed (or a combination)?
What languages do the people in the target audience speak and how do they best receive communication?
How will you track receipt and acknowledgment of the policy by workforce members?
Will there be required affirmation or training that accompanies rollout of the policy?
Are there systems or procedures in place to monitor compliance with the policy?

The answers to these questions and more will help you to define your implementation and communication plan. A policy implementation tracker document can be used to document your plan. See the Resource: Sample Policy Implementation Master Tracker after this article.

Communicate policy implementation using a launch plan. Customize the plan for each policy; don’t merely recycle the process from policy to policy. Ensure that unique characteristics of each policy are addressed in each policy launch plan. The plan should include:

The objective of the communication that will accompany the policy distribution
The various vehicles used to communicate the message to employees (e.g., email, intranet story, newsletters, FAQs)
The different audience groups and all required languages
Key messages for leaders, supervisors, and any others supporting the launch effort
Persons responsible for either creating or delivering messages
A timeline for planned communication
Appropriate training and education tools and complete expectations for those tools

In a multinational organization, it is critical to translate the policy and all related communications, training, and education into the local languages of the target audience. As with any translation, have a local person review the translation to ensure its accuracy and appropriateness prior to the rollout of any policy.

In your launch plan, consider using an automated distribution process. Automation allows organizations to streamline document distribution by automatically delivering the proper documentation to the appropriate workforce members. This reduces the email and information fatigue of blast email distributions. As different departments are required to acknowledge/comply with policies and procedures specific to their roles, an automated system ensures that each department receives its relevant and required documentation.

This process is crucial for organizational change management. As policies and procedures are updated, having an automated distribution system allows teams to efficiently distribute the updates. In many cases, these systems can be configured to automatically send out any updates as they are added to the centralized policy library. The result is real-time distribution of pertinent information to all relevant parties.

Many automated systems have the capability to create records of the distribution and acknowledgment of organizational policies. By creating a centralized system of record with this information, team leaders can quickly identify what information has been sent out as well as who has and/or has not seen it. Such information allows team leaders to conduct personalized follow-ups on policy acknowledgments, where needed, as well as provides quick access to all records should a compliance audit occur. Two other helpful data points are how frequently documents are accessed and then downloaded by unique users. These data points identify topics of interest to your users, and by extension, could indicate potential risk areas.

In the context of a potential review of your compliance processes by the DOJ or another regulatory or enforcement agency, or even in context of a third-party review of effectiveness, a process that results in documentation of the receipt and acknowledgment of receipt of new policy requirements by all affected workforce members will help to persuade evaluators that your organization is operating an effective compliance program. Regardless of whether a structured policy management system is utilized – the distribution process should be designed to document both distribution and acknowledgment of the policy by all affected workforce members.

Educating and Training Employees on Policies and Procedures

A key element for successful policies and procedures is to provide employees with education and training as you launch each document and periodically thereafter. “Training” and “education” are often used interchangeably in the compliance program context – but there are important distinctions you should understand as you create an appropriate policy rollout plan. Education explains why you have the policy or procedure. Education gives employees the theory or context and the larger picture—the goal, the purpose, etc. Are you safeguarding protected personal information? Or trying to improve safety? Education tells your employees why compliance is important. Training, meanwhile, explains how to accomplish the policy’s objectives. Training tells employees this is how we execute the safeguard and this is how we improve safety.

The launch of every policy and procedure should include some education and/or training to ensure employees are able to perform their duties. Details will vary by topic. Changes to policies on high-risk topics may require lengthy in-person sessions, while routine updates to long-standing procedures might be adequately addressed by a short video update. Here are some considerations for selecting delivery methods:

Is this a new policy or procedure or a change to an existing policy or procedure?
Is the subject matter of the policy on the annual compliance work plan?
Who needs to better understand the policy requirements?
Does the education/training need to happen as a stand-alone program or could it be combined with another program? Could it be a staff/team meeting or shift-change topic?
How much time does the topic need? Could the training be presented in an existing/already structured meeting or program? Should nonproductive work hours be considered?
Could the program be accessible for repeat use? Could a podcast, a video, an online education program be created?
Are collateral materials such as slides, job aids, posters needed?

Key policies and procedures, such as those addressing high-risk areas, should be included in annual employee education and training requirements.

Encourage Employee Engagement

Compliance programs rely upon an employee’s receipt and acknowledgment of new and updated policies, but finding ways to get employees to take the time to review the materials is often difficult. For larger, mandated initiatives, such as workplace safety programs or sexual harassment training, this is likely not an issue, because an employee’s job status is often contingent upon completion of this training. In these cases, employees know that they have to review and complete accompanying materials for these policies within a certain time frame to ensure their ongoing employment. But what about the “less important” policies that many employees may overlook—social or technology policies, short- and long-term disability policies, or even policy updates—that may occur at any time and thus require employee input outside of regular training programs?

In these situations, many have found success in gamification. From offering up prizes or perks to, say, the first 50 employees to review and acknowledge a policy change to organizing full departmental outings, identifying ways to bring a spirit of fun to these processes can alter an employee’s perception and willingness to review, acknowledge, and complete necessary documentation. In some instances, it may be as simple as providing points or badges to employees upon completion of policy review, attestation, and/or demonstration of understanding (e.g., quizzes).

If considering this approach, take the time to speak to your employees to determine what would make the process more entertaining. Knowing what motivates and drives your employees—and what they consider to be fun—can strengthen your relationship with them while also boosting their engagement.

Keeping Policies Current and Ensuring Effectiveness

Once policies and procedures have been created and distributed, you need to ensure they remain current and effective. Establish a process for ongoing maintenance of company policies and procedures and identify ways to indicate a need to add, modify, or retire policy requirements. Events such as new or amended legislation or regulatory requirements, a change in business strategy, or a merger or acquisition may result in the need to add or revise a policy or procedure. Risk assessments and regular periodic reviews of existing policy and procedure content by owners or subject matter experts may help identify necessary additions or revisions.

Policies and procedures may require revisions if compliance failures indicate that a policy may be ineffective in driving the right behavior. Internal audits or other methods of monitoring compliance (such as helpline calls) may indicate that employees are inconsistently following the policy or procedure. When trying to understand why noncompliance is happening, you may find that the policy or procedure is unclear in a certain area, employees do not understand it, or employees didn’t know it existed. To improve the policy or procedure document, gather feedback from employees in the target audience. Feedback may also reveal that a process or practice has changed and the policy or procedure document no longer achieves the originally intended objective. When a revision is needed, the revision and the reason for its revision should be documented as part of the amendment history.

2Steven Ortquist is the president of Arete Compliance Solutions LLC.

3Greg Radinsky is senior vice president and chief corporate compliance officer at Northwell Health, the largest health system and private employer in New York. He is responsible for the management and operation of Northwell Health’s Corporate Compliance Department. He began his career as a fraud and abuse attorney in the Office of Inspector General for the Department of Health & Human Services. There, he coordinated efforts with the Department of Justice, state attorneys general, Centers for Medicare & Medicaid Services and other government agencies on civil and criminal healthcare fraud matters. A frequent contributor to professional journals, Radinsky often shares his expertise via compliance and legal presentations at conferences for national and regional organizations.

4Alexandre C. Serpa is regional compliance head for Latin America and Canada for Allergan PLC in São Paulo, Brazil.

5Caroline K. McMichen is principal at McMichen Consulting.

6Scott Robinson is director of compliance at Superior Vision.

7Vickie L. McCormick is the vice president, health care compliance for DePuy Synthes companies of Johnson & Johnson, a medical device manufacturer. She has been involved in healthcare compliance since 2000.

8Dawn Ward is a delivery manager for GRC Riskonnect in Boca Raton, Florida.

9 “Compliance Guidance,” U.S. Department of Health & Human Services Office of Inspector General, accessed January 29, 2021, https://oig.hhs.gov/compliance/compliance-guidance/index.asp.

10 U.S. Dep’t of Justice Criminal Div., Evaluation of Corporate Compliance Programs (updated June 2020), 2, https://www.justice.gov/criminal-fraud/page/file/937501/download.

11 U.S. Dep’t of Justice Criminal Div., Evaluation of Corporate Compliance Programs, 4-5.

1Sarah Elizabeth Campbell is a director with Arete Compliance, a management consulting group that assists organizations with the design, implementation, and operation of effective compliance programs. She also is president of OnPoint Policy, a boutique consulting firm that focuses on helping organizations establish sustainable compliance by creating, maintaining, and training on effective organizational policies and written standards. An adjunct professor of compliance studies for Loyola University Chicago School of Law, Campbell teaches three program courses: Drafting Policies & Procedures, Conducting Internal Investigations, and Health Care Compliance.