I have seen many, many corporate policies and frameworks in my time. The one great tendency of the authors of policies and frameworks is to put way too much information into them and not focus enough on their main purpose – influencing decisions of staff.
Nobel Prize winner Herbert A. Simon authored Administrative Behaviour first published in 1947. It has been said, his was a first attempt to describe what an organisation is. I summarise the main tenets of his book simply as:
An organisation is a group of people coming together to fulfil a purpose. They then make decisions to act or not act in fulfilment of that purpose. Those at the helm of the organisation define the purpose, then influence the decisions of others through policy, processes, frameworks and systems.
That’s it. That is an organisation!
What of these policies, processes, frameworks and systems? I once sat down to sort out the difference between them. In doing so I began to think that all of them are features of a framework.
In applying this thinking to Risk Management Frameworks, I eventually settled on features captured in Figure 1.
Adopting a driving analogy it shows: Policy sets direction; a RAS establishes the boundaries in between which we can travel; a document I now call a Standard which establishes the high level roadmap to help staff navigate their responsibilities; and Procedures are the driving instructions, the processes we need to follow – how to plan a trip, how to book accommodation as examples.
Looking within the Standard you will see I hone in on decision making. Getting the right information to the right people at the right time to get the best possible decision. Which means I also bring in the need to be clear on the support provided and the outcomes sought, the culture you want to see come alive.
I also recommend having each of the four key elements of Policy, RAS, Standard and Procedures as separate documents to avoid any feeling of overwhelm by the intended audience. This allows them to discover all the features of the framework at their own pace.
Just in case this helps as well, in my experience a Policy is 1 to 2 pages, a RAS is up to 5 pages, a Standard is 5 to 15 pages and there can be many different Procedures of varying length covering topics like how to use the risk system or how to conduct risk assessments as two simple examples.
I’m always open to new ideas, in particular on how we can make our frameworks most relevant and valuable. Please, let me know your ideas when you have a moment.