As a starting point, many organizations make the initial mistake of using
a shared drive or a traditional document management system
to store their policies and procedures.
On the surface the approach of simply documenting the operating policies and
procedures using a shared drive or a document management system may seem logical but,
in many cases, it's giving senior management a false sense of security.
That's because in and of themselves, the policy and procedure documents are only
part of the associated effort since they actually do very little to influence whether or not
employees actually adhere to them.
While the functionality found in a document management system is appropriate for managing
the policy and procedure documents, it is insufficient as it relates to the people-related
activities and their measurable accountability.
To successfully establish internal control, the required functionality needs to extend
beyond simply managing the policy and procedure documents to include a more holistic,
start-to-finish approach that measures and tracks the accountability of the people
responsible for defining the content as well as those responsible for executing it.
In other words, documenting the policies and procedures is one thing - actually putting them
into practice, holding people accountable for adhering to them, tracking continuous
process improvement efforts, and periodically auditing operations to assess compliance - is another.
When using a shared drive or a document management system, employees may have
access to the policy and procedure documents but management does not have easy access to the
data and reports that relate specifically to the people and their measurable accountability. And, governing without being able to measurable the accountability of employees is
similar to driving an expensive car without a good insurance policy. When an accident occurs,
you really wish you had it.
|
