Writing procedures is an exercise in controlling compliance costs. You’re trying to comply with customer expectations, management objectives, government regulations, and/or industry standards, making compliance expensive. Regardless of the reason for compliance, wouldn’t you want to write as few procedures as possible if you could still conform to the compliance mandate and keep your compliance costs to a minimum?
There are three elements that drive up your compliance costs: cost of improvement, cost of review, and cost of scale. Your cost of improvement can be managed by the improvement projects you choose. Your cost of review is a relatively fixed, ongoing yearly expense, based on your cost of scale. Your cost of scale defines how expensive your entire compliance program will be, now and in the future. Ergo, the more procedures you write, the more compliance costs you face.
Writing procedures for internal control can produce diminishing returns. Every procedure written carries with it a lot of overhead. Overhead in this case consists of more than the original documentation effort — the design and development. It includes implementation and review — document control, training, usage, auditing, management review, and regular updates.
Writing more procedures costs more money, and it also reduces risk, but only up to a point. The point of diminishing returns is where the time and effort you spend on a task stops yielding rewards. You reach a break-even point, and when you reach that point varies according to your situation. The common perception is that as you write more procedures, you reduce risks (compliance risk, for instance) further. This would be true if you followed all implementation steps; the reality is that most companies do not follow all implementation steps.
Any implementation step you leave out increases your risk; you lose all the intended benefits of your procedures. You might think you’re saving money by foregoing certain steps in the implementation process. Think again. The opportunity for quality defects, customer complaints, and material weaknesses rises when you take shortcuts. The likely result is a corrective action loop due to user complaints that your policies and procedures don’t work.
Starting with a clear, compact scope is key to controlling your compliance costs. The size or scale of your operation — the number of operating locations, number of employees, and the number, complexity, and interconnections of processes — means more risk management, internal controls, and processes to be understood, documented, and controlled. Learn to pick your battles — focus on the most important processes first!
Map out your core processes with a “big systems perspective” process map. ISO 9001 certification requires six procedures — document control, record control, internal auditing, control of nonconformities, corrective action, and preventive action — so if ISO 9001 certification is what you’re after, start with those processes. Sarbanes-Oxley compliance is risk-based, so identify the greatest risks to your company, prioritize them, and write procedures that address those risks first. This will give you the greatest return on your procedure investment.
Quality defects are to ISO 9001 as financial risks are to regulations like the 8th EU Directive and Sarbanes-Oxley. You can reduce the scope of your compliance program by addressing the areas with the most defects or the greatest risks first. As legislative bodies and enforcement agencies have often said, you shouldn’t try to address everything all at once.
Start by reviewing the importance or materiality of the risks to your company. Decide on a threshold, or cutoff, for materiality. Don’t worry if you miss the mark on your early attempts: Improvement is an ongoing process, not an event.
Be agile and think about the speed of your procedures implementation. Most process procedures projects stall because they’re overtaken by current events. Immediate business needs take precedence, of course, but you risk losing focus and that sense of purpose with your procedures project when you shelve it, so you’re less likely to achieve compliance or those other benefits you were looking for when you took on the project in the first place.
Only write procedures you know you can implement fully. A written procedure nobody uses is worse than none at all. It’s a wasted effort and only adds to your compliance costs. Starting with a manageable scope will help you realize your goals and keep your compliance costs down. Work through your procedures incrementally; next year, lower your risk threshold and address more risks, then a few more the year after, and so on, until you’re comfortable.
Management decides on the internal controls needed to cover the identified defects and risks. If they decide wrong and pick a threshold that’s too high, you’ve identified a material weakness in your quality or risk control framework. That can be a very good thing, as long as you work on improving your internal controls. Do so, and you have a working management system that ensures compliance. Isn’t that what you wanted in the first place?
Using prewritten procedures saves time researching, writing, and implementing accounting policies, procedures, and internal control. Download free policies and procedures now and get started on your procedure development project today!