In our first, second and third articles in this series, we introduced the concept of risk silos and what you can do about them, discussed an integrated approach to risk management and then discussed compliance silos. In this article, we will take a closer look at policy silos.
Are there policy silos in your organisation?
When you think about policy management in your organisation, do any of the following apply?
- Policies are developed and managed by frontline staff and frontline managers to support compliance requirements associated with those frontline activities with little oversight from top management.
- Some operational areas have well developed policy documentation due to substantial compliance requirements associated with those operations, while other areas have little policy engagement or development.
- There are unwritten policies, i.e. cultural understandings of how to do things in particular areas that are not captured in written form.
- Rogue policies exist that have not had any formal approval process outside of the business unit/operational area.
If you have answered yes to any of the above, then it is possible that you, like many other organisations, have policy silos in your organisation.
What exactly is a policy silo?
Like a risk silo, a policy silo means that policy development and implementation are done in isolation (autonomously) rather than in an integrated way. Policy silos can happen within any type and at any level of an organisation.
What types of factors lead to policy silos developing?
As organisations grow, so does the risk that policy silos will develop. For example, the more business units and locations that are created, the greater the chance that localised policies will be created and that information will stop flowing to other areas and levels in the organisation.
This can be exacerbated by the following factors:
- a lack of an overarching technology solution for policy management and policy delivery to staff
- policies are paper-based, not distributed, and/or not regularly updated
- top management and the board lack commitment to policy management as an essential aspect of risk management and compliance activities.
What can you do to help break down policy silos?
A useful way of breaking down policy silos is to approach policy development and implementation in an integrated way. Some simple steps to get you started include:
- Find and list all policies across all business activities – capture information including title, what parts of the business the policy applies to, when it was last reviewed or updated, who the policy was created by and approved by (if available).
- Develop a policy management and distribution system to enable top management visibility of policies and their operation – this should include a system for policy approval and frequency for review.
- Support policy implementation with training – ideally online training supported by face-to-face training – so the right people know what is expected of them.
- Develop a checklist for managers to use when reviewing policies – often managers don’t know what they should focus on when they are asked to review policies, leading them to avoid doing this task. By telling managers what is expected, in an easy-to-follow framework, everyone can be assured that policies across the organisation are current and fit for purpose. This checklist may include:
  - references to legislation are current, and any legislative changes are integrated into the policy if applicable
  - the policy is still aligned to the organisation’s strategy and operational profile
  - key stakeholders have been consulted or given an opportunity to consult on changes made to policy
  - appropriate feedback from key stakeholders and other mechanisms (complaints, incidents, near misses, etc.) is considered, and if appropriate, integrated into the policy to ensure that it is effectively mitigating risk.
Conclusion
Policy silos can happen easily, especially as organisations experience growth in teams and locations. If you start to recognise policy silos developing in your organisation, consider some of the steps that you can take to bring the management of policies back to an integrated approach. Ensuring that the executive and the board have oversight of policies and how they are being managed is critical to their role in managing risk and compliance, as well as ensuring that the strategy of the organisation is being achieved.
