An effective governance model will define activities, actions, and decisions made by teams. Working with different decision makers, variation will happen in any operating, financial, or data model. In the absence of documented processes around how to address variation to the norm, rework or compliance issues will occur. Creating a framework for variation review is vital for management. It creates consistency in addressing ambiguous situations. For example, if a new director comes from outside the company, he or she may make different decisions than another leader.
There must be controls in place to support and document these process changes. Often, portions of these controls are overlooked or assumed to be in place. The model below emphasizes consistency in documenting and communicating governance across an organization.
A strong operational compliance model consists of these five activities:
- Documented policies and procedures
- Training of personnel on these policies and procedures (including organizational change management activities)
- Auditing of personnel to ensure compliance with policy and procedures
- Reporting of audits and corrective actions taken to ensure compliance
- Management review of policies, procedures, reports.
The fifth is most often overlooked. Successful companies have dashboards and reporting, and look for outliers to the norm. Even then, it is vital to regularly review procedures to ensure a feedback loop. It offers an opportunity to improve and document changes to the policies as business needs evolve.
By adopting these steps, leadership establishes better controls over updates to the process. Management exceptions to the process must be documented under appropriate scope control procedures. Often we find companies overlooking documentation, as they try to move faster or be agile. Neglecting to document procedures or train people on how to deal with variations can cause internal chaos and team frustration.
Implementing a framework on the front end can save a significant amount of time and rework. It can also put the company at significant risk in a regulated environment, as in the case study below.
Case Study: Governance Model Prevents Fines
A past client had been operating with unbelievable success for nearly 20 years. They considered themselves very flexible, specifically in their policies and procedures. Their focus was on getting the sale and pleasing the customer. While customer focus is a winning strategy, the client neglected to document management exceptions and decisions.
Customer complaints caught the attention of state and federal regulators. In an audit, regulators noted over 120 enterprise-wide non-compliant findings. Due to poor procedures and documentation, the client could not explain many decisions made. Regulators imposed financial penalties, and the company agreed to an action plan. The agreement allowed time to clean up the issues. The risk was significant additional fines and potential removal of state operating licenses if issues were not remedied.
The Board hired a new CEO, who acknowledged the precarious position of the company. Employing change management methods, the new CEO re-galvanized teams around the customer in a unique way. He took personal accountability on behalf of management. He stated lack of a governance model and oversight was causing unhappy customers. They would have to do better.
The governance model above was implemented in every department over the next six months. A PMO was established to support the enterprise wide effort. The project managers ensured procedural documentation improved and managed various technical solutions. Most importantly, they defined and trained management on situational variability, and documenting decisions.
Management was emboldened by knowing better when a situation required an exception. They also could recognize when a process change should occur. This relieved the stress of continuous one-off decisions. Report outs during quarterly business reviews (QBRs). This held department leaders accountable to improved communication and sharing best practices. When the regulators returned, they evaluated the company based on new processes. At the end, the final audit recommended no financial penalties. Based on the implementation of the above criteria, there were zero critical findings.