Do You Know Your Department’s Processes?
One of the major issues facing companies from a compliance and risk management standpoint is the failure of companies to adequately map out the company processes as well as the scope and duties of its employees. Over time, many employees naturally add to or change or modify their roles and responsibilities.The problem becomes one of identifying each and every process that each and every employee handles so that an accurate picture of day to day responsibilities emerges.
What happens if several employees of the same department get sick at a department dinner? Is management aware of all the department processes that have to be handled by other employees? If the company wants to conduct compliance training, how can it tailor compliance training to specific needs of individuals if it doesn’t have a grasp on the actual responsibilities of the specific employee. In fact, if the company does not know what exactly each employee does and how the employee does it- how can a compliance program or risk management process be effectively put in place?
Each department of a company has its own unique processes. It has certain responsibilities. But how are the processes created, modified, even disseminated to other departments? On what basis are processes created or changed? It is likely that the employees of each department do not have a firm understanding of the department processes and what is expected of each position. Nor do they probably know how each processes is actually implemented.
Take the Law Department, for instance. One of the first matters a General Counsel or Chief Legal Officer should do is to have a Law Department Manual created. I suggest each department should have a department manual. The Law Department Manual should specifically discuss the role and responsibility of each position, the processes that each position must follow as well as the procedure for implementing each process. Why? Only if the employees are fully aware of what is expected of the department as well as the policies that control the process, can they make informed decisions on how best to handle any situation. For example:
- What is the role and responsibility of the General Counsel?
- What is the role and responsibility of the Assistant General Counsel?
- What is the role and responsibility of the Senior Counsel?
- How is a new legal matter handled?
- How is a new legal matter assigned to the appropriate attorney?
- How is a new legal matter entered into the Law Department database and who does it?
- Is there a checkpoint in place to trigger a process or procedure?
- What is the procedure for the law department to retain outside counsel and who does it?
- Is there a process in place to review law firm invoices or invoices from Law Department service providers?
- What type of reference documents are needed by the staff to confirm the right contract template is being used?
The list goes on and on. But the fact is that once each department is forced to review its processes and procedures, it might realize the processes are not following the policy behind them. It might see the gaps in processes that pose serious compliance or risk management issues. After all, if there is a policy in place to review all pricing decisions because of antitrust concerns, but there is no process on how to review pricing decisions, or no procedures outlining which employee or which department is responsible for product pricing review, the review will probably not get done, at least in a methodical manner. Which of course defeats the purpose of the policy. In fact, departments may find out the processes they have in place do not address the policies the processes were designed and created for.
What many successful companies do is to map out all processes each department or division in the company has, define the policy behind the processes, list the procedures to make the processes happen, describe in detail which position is responsible for implementation of the processes and also list the checkpoints that would trigger the processes. Only when a company has mapped out the purpose, policy, processes, procedures and checkpoints of its departments can it then make appropriate changes to handle the risks facing the company. Once the procedures are identified a risk management audit covering those procedures and processes can be effectively implemented.
Consider the Risk Management Department of a company. What are the processes and procedures of the Risk Management Department? Who monitors the processes and why? What procedures are in place and why? If the Risk Management Department is responsible for product safety claim handling procedures- what are the procedures ? What is the process or mechanism in place to ensure the procedures are being followed? What process is in place allowing the Risk Manager or Compliance Officer to review the relevant IT processes. Does anyone know which server product complaints are saved in? What about emails? Is there an email process in place? Does IT have the right processes to adequately handle and save the complaints? How do you track them?
Map out your company’s processes. Make certain each department is aware of all of the processes and procedures it should be implementing and why. Everyone should be knowledgeable about their position but also what their department’s role is and why. Everyone should have access to the materials and documents necessary to implement the processes that their duties requires. Once you have mapped out or diagramed out the process, you can then implement a compliance program that addresses your company’s needs.