Best Practices for Corporate Policies and Procedures


Corporate governance, quality management, and regulatory compliance all require companies and organizations to maintain documentation on their policies and the procedures that ensure policies are adhered to. Publishing and editorial practices for authoring, approving, disseminating, updating, and monitoring policies, procedures, and regulatory filings evolved before information technology. Therefore, many companies rely on governance processes that are bureaucratic and revision management approaches that were designed for lithographic printing. This results in processes that are inflexible and slow to respond to regulatory, competitive, or technology changes. Ultimately this creates compliance, operational, or financial risk for companies.

Business process automation, natural language processing, collaboration software, digital publishing, and content management technologies can work together to provide platforms for agile and responsive compliance processes. This paper describes a business process framework for compliance and a systems framework for creating compliance systems from commercially available information technologies.

A Business Process Framework for Compliance Documents

Many industries require formal approaches to maintaining policies and procedures, including banking and financial services; healthcare; pharmaceuticals and biotechnology; commercial aviation; military and defense; transportation; food and beverage; consumer products; and precision manufacturing. Regardless of industry, there are common business processes involved.

Compliance Intelligence is the process of monitoring for changes in standards and regulations across multiple markets and predicting impending changes to regulations and standards, based upon social, political, economic, environmental, or technological trends. Compliance Intelligence is responsible for notifying other business processes about changes or impending changes to regulations and standards.

Compliance Cataloguing is the process of maintaining the list of regulations and standards that need to be adhered to. The catalog needs to reflect the versioning of the various standards and regulations. Compliance Cataloguing should be notified when Compliance Intelligence detects a change to a standard or regulation and alerted when Compliance Intelligence determines a change is imminent. Compliance Cataloguing can include maintaining a taxonomy of regulations and standards that is synchronized across systems within the organization.

Policy Writing is the process of developing and maintaining the actual text of policies. Policy Writing manages versions of policies and manages references between policies, standards, and regulations. Policy Writing should be notified when Compliance Intelligence detects a change to a standard or regulation and alerted when Compliance Intelligence determines a change is imminent. Policy Writing consumes the registry of standards and regulations maintained by Compliance Cataloguing.

Procedure Writing is the process of developing and maintaining the actual text of policies. Procedure Writing manages versions of procedures and manages references between procedures, policies, standards, and regulations. Procedure Writing should be notified when Compliance Intelligence detects a change to a standard or regulation and alerted when Compliance Intelligence determines a change is imminent. Procedure Writing should be notified when Policy Writing changes a policy, and alerted when Policy Writing determines a change is imminent. Procedure Writing consumes the registry of standards and regulations maintained by Compliance Cataloguing.

Compliance Certification & Communication is the process of disseminating policies and procedures throughout the organization and communicating and certifying personnel. Compliance Certification & Communication will be responsible and accountable for tracking which individuals were notified and/or trained on new or revised policies and procedures.

Compliance Governance is the process of inspecting and reporting adherence to policies and procedures. In some industries, Compliance Governance may be responsible and accountable for reporting revisions to policies and procedures to regulatory agencies, as well as incidents and exceptions when regulations were not followed.

Regulatory Submissions is the process of developing and filing regulatory submissions as electronic records or document formats (or both). Regulatory Submissions manages versions of submissions and may assemble submissions from components of policies or procedures, training, communications, or compliance data. Regulatory Submissions may need to be notified when Policies, Procedures, or Training change for regulated processes (e.g. manufacturing SOPs for drugs; controls for financial reporting processes; aviation safety procedures; etc.).

We find that this business process framework is useful in several ways. First, each step of the process has a different rhythm and business cycle. Second, each step has unique needs for workflow and communication. Lastly, each step has different needs for information technology systems and platforms.

A Systems Framework for Compliance Documents

Given a reference business process model for policies and procedures we can describe the common components for a technical solution for end-to-end management of compliance and policies and procedures.

Compliance Intelligence & Research Platform

A technical solution for compliance intelligence provides capabilities for searching the public internet, private databases, and standards and legislative libraries for changes in regulations and standards. The solution consists of natural language search (also called “semantic search”) to search web pages, online libraries, and databases for information related to regulations and standards of interest. The solution would automatically identify articles of interest, tag them, create abstracts using gisting technology, and route them to individuals performing compliance research. In addition, these workers could compile notes about their research, tag them, and communicate briefings or alerts to others in the compliance workflow that need early warning of scheduled or anticipated compliance changes.

Compliance Catalog System

A platform for compliance catalog management would include a facility for creating a taxonomy of rules, regulations, and standards of interest to the organization. The system would maintain information about the standards and regulations including their full text and metadata, such as versions, effective dates, governing bodies, and so on. A taxonomy and content management solution would enable syndicating the full text and metadata for regulations and standards to other enterprise systems that consume them, such as content management systems (CMS), quality management systems (QMS), enterprise resource planning systems (ERP), regulatory filing systems, and product information management systems (PIM).

Policies & Procedures Management System

Policies and procedures are very structured documents, and there are complex, many-to-many relationships between them, standards, and regulations. Systematically controlling and auditing the changes to policies and procedures in response to regulatory changes requires component content management. Component content management is the process of managing parts of documents separately and assembling them into the whole.

For example, a step in a procedure may reference an industry standard. If the industry standard changes in a way that requires that step to change, the rest of the document may remain unaffected.

The component content management system consumes the taxonomy of regulations and standards, which authors use to tag individual components. This enables the system to easily search and retrieve components that are impacted by regulatory changes.

Managing policies and procedures as component documents has advantages:

  • The system manages references and relationships between policies, procedures, regulations, and standards at the component level. This provides traceability for dependencies. Given a change to a standard or regulation, the system can automatically list the dependent policies and procedures and highlight the components that require updates or review.

  • Writing only needs to update individual components, not entire documents, reducing work.

  • Writing can be prevented from making changesthat are not required and which may introduce compliance issues, avoiding risk.

  • Review and approval focus only on changes. The system can provide reviewers with context using redlines or change bars, which it generates automatically without manual formatting, saving time and eliminating errors. The system can also automatically generate revision summaries or change tables.

  • The system can track who made and approved changes, providing an audit trail.

  • The system simplifies revision management and version control with features built specifically for release management.

  • The system can publish the final policy or procedure document in multiple formats and to multiple systems and maintain synchronization across formats and systems.

Learning Content Management System (LCMS)

Learning content management systems provide capabilities to manage the content of training programs as components. Like component content management, an LCMS can manage relationships between learning components, policies, procedures, standards, and regulations using simple tagging. The LCMS can consume the taxonomy of regulations and standards so that it can easily retrieve training modules that are impacted by regulatory changes.

Learning Management System (LMS)

The Learning Management System delivers modular training on policies and procedures. Using an LMS that – like the LCMS – consumes the compliance taxonomy enables people to take only the training modules required with the compliance update. It also provides a method for recording who completed training. Training records can be consumed by ERPs, QMSs, and work management systems to ensure only trained personnel are assigned to perform tasks requiring certification.

Electronic Notification & Acknowledgement Systems

Simple systems can be built from existing enterprise workflow platforms for routing notifications to personnel about changes to policies and procedures, and for tracking notification receipt and sign-off as required for compliance. Like training records, receipt and sign-off records can be consumed by ERPs, QMSs, and work management systems to assure only notified personnel are assigned to perform tasks.

Regulatory Submission Reporting & Filing Systems

Certain industries like Pharmaceuticals and horizontal functions like corporate reporting have routine regulatory filings that need to meet governmental standards. New Drug Applications and corporate financial filings have standards for content formats, metadata, and even require XML as part of the submission, and often require electronic submission through a portal. A regulatory submission reporting and filing system helps to assemble the submission from component content; coordinates workflow and data collection across departments and functions; tracks progress on the preparation of the submission; automates content formatting, XML generation, and metadata generation; and may even integrate directly with regulatory submission portals to automate filing with regulators. These systems eliminate labor-intensive and error-prone manual reporting and collation tasks and help to avoid missed deadlines with workflow and project tracking.

Phasing of Compliance Systems Deployment

The business process model we outline above is useful for thinking about how to phase a policy and procedures systems project. Any given organization will have priorities in one of the major processes depending upon their process and systems maturity and their unique compliance gaps. In general, however, we see the phasing for most organizations will be in roughly this order:

1. Procedure Writing (supported with component content systems)

2. Regulatory Submission Reporting & Filing Systems

3. Electronic Notification & Acknowledgement Systems

4. Policy Writing (supported with component content systems)

5. Component training and compliance certification supported with an LMS and LCMS

6. Compliance Intelligence & Research

7. Compliance Cataloguing & Taxonomy Management

Copyright © 1999-2023 Dakota Systems, Inc.

35 E. Wacker Drive, Suite 1970, Chicago, 60601 USA

+1 312 263 4400