How many policies and procedures you develop depends on your acceptance of risk and variation within your organization. This acceptance of risk combined with your policies and procedures make up your governance model for how senior management manages risk. How do you identify policies and procedures that are needed?
You already use policies and procedures, they are all around us every day. Businesses have employee policies for attendance, dress codes and office behavior. Standard operating procedures are used each day in accounting to close your books, in finance to pay for working capital, and in production for fulfilling order.
Yes, policies and procedures exist, are understood, and are used every day. Without them, what would your business really be like?
Your employees need to know when to come to work, how long the work day is, how vacation, sick days, and holidays are used, along with a host of government mandated requirements for health, safety, and other non-discrimination rules. Your employee manual provides answers to these important employee policy questions.
Standard operating procedures (SOP) are used each day in many areas within your company. Your employees perform procedures every day, but are they standard operating procedures – SOP?
Every area in your company has some type of policies and procedures that are being used, even if they are not written down in a procedure manual. They still exist.
Most businesses wait to standardize them until after a negative event. Don’t wait until after you lose a customer over poor customer service. Start writing down what daily procedures are being used right now. Now that we know how important procedures are, how do we determine how many we need?
There are a number of variables that can help us determine needed procedures for your company. The steps include: your vision and mission, map core processes, define your policies and metrics, identify internal controls, write necessary procedures and “Review, Improve and Adjust”.
Let’s look at each one.
The first part of risk management starts with your vision and mission. Your vision is about you while your mission is about your customers. By defining your vision and mission you are also defining what processes are critical to achieving your goals.
For example: if you are a pizza delivery business, then your mission might be Good Pizza Fast.
Your core business processes include product manufacturing/service delivery, purchasing, and product development. Other core processes may include sales, marketing, finance, quality, human resources, information technology, and management responsibility depending on your business model, size or industry.
For example: if your mission is Good Pizza Fast, then your mission defines food preparation, purchasing, and delivery as critical processes.
Metrics are a critical control item for how you are going to measure and manage those processes and the achievement of your vision and mission. Metrics make the difference between strategic platitudes and actually realizing your vision.
For example: if your critical processes are purchasing, food preparation, and delivery, then your policies may include fresh ingredients used within 48 hours; pizzas made within 10 minutes; and delivered within 30 minutes.
Internal controls are used to prevent process failure, which are needed to reduce risk, decrease variation, and focus on results. Your internal controls are the check step to ensure your process is under control.
For example: if your policies include fresh ingredients used within 48 hours; then your internal controls may include time stamping all ingredients, FIFO inventory, and temperature alarms.
Can you manage all of this with just your process maps? If your processes are more complex than a process map then you can add the process map detail to a procedure. If your process possess a lot of risk or is complex then this process is a good candidate for writing a procedure. If you need more detail then add work instructions or job aids to add more detail.
For example: if your internal controls include time stamping all ingredients, FIFO inventory, and temperature alarms, then do you need to explain these controls in a procedure, work instruction or job aid?
f you have a lot of ingredients or critical temperatures that could cause spoilage, then more detail might be necessary to avoid waste, food safety issues, or maintain customer satisfaction.
How do you know if you have enough procedures? You can determine needed procedures by monitoring, reviewing and adjusting. This is the Plan, DO, Check, Act (PDCA) process approach to policies and procedures management. Metrics provide the measures that can be monitored for review.
For example: if your internal controls are not working then you might see increased waste, spoilage or decreased customer satisfaction. By monitoring these measures, you should see changes that can trigger an action to adjust your internal controls and improve service levels.
Can You Lead an Organization Without Policies and Procedures? Yes it’s possible. Companies do it all the time. The question is: how much risk can you absorb before it fails?
Companies with high profit margins can absorb a lot of risk (in other words throw away a lot of pizza ingredients) before they document their processes. As long as your profits are greater than your risks, then you can get away with it.
But as soon as an unacceptable risk appears, it’s all over. And that is when the steps above for determining needed procedures come into play.