By Nina Youngstrom
This tool appears in the Complete Compliance and Ethics Manual 2023.[1]
Topic |
Task |
Function Responsible |
Next Steps |
Completion Date |
---|---|---|---|---|
Policy approval process |
Create “policy on policies” that defines approval process for policies, including any intermediary approval requirements and who has final approval authority | |||
Outline policy approval process steps and approval “gates,” including approval by policy owner, Legal, and final approver (e.g., senior management and/or compliance governance committee) | ||||
Communicate policy approval policy and process to relevant stakeholders | ||||
Policy drafting |
Create standard policy format | |||
Identify risk(s) for which a policy is needed (i.e., which risk will this policy help mitigate?) | ||||
Determine scope of persons affected by the risk (e.g., size of audience, geographical locations, job functions, departments) to determine policy audience | ||||
Identify relevant subject matter expert(s) to assist in drafting of new policy | ||||
Create initial draft of policy using standard policy format and identified policy audience | ||||
Assign policy owner (may be the subject matter expert) | ||||
Circulate initial draft for comment from relevant stakeholders | ||||
Create final policy draft and submit through policy approval process | ||||
Following approval, determine whether translations will be needed and if so, obtain them | ||||
Policy implementation |
Determine appropriate communication method based on urgency and audience, including consideration of any translations needed for communication pieces | |||
Create communication plan with rollout dates and effectiveness measures | ||||
Draft communication pieces and submit for approval through corporate communications approval process | ||||
Once approved, obtain any needed translations | ||||
Launch policy communication campaign and assess effectiveness | ||||
Ensure new policy is posted to policy library and easily accessible to all affected persons | ||||
Policy maintenance |
Create versioning protocol to track revision dates and versions of policies | |||
Assign an owner for each policy | ||||
Choose a review cadence for review of each policy based on comparative risk | ||||
Policy review |
Review policies based on a set review cadence for each (e.g., annually) | |||
Ensure subject matter expert/policy owner conducts content review for each policy to ensure adequate risk mitigation | ||||
Conduct legal review for each policy to ensure policy language is adequate and current | ||||
Document all revisions, including reasoning/basis for each change | ||||
Implement versioning protocol to track and communicate current version and replace/archive outdated versions |