By: Thomas Garrubba, Senior Director, The Santa Fe Group
So, you just walked out of a meeting with the C-suite and you’ve been tasked to implement a new program across the organization. You get back into your office and reality sets in as you mumble to yourself, “How do I start this?”
I have been getting this question for years from professionals tasked to implement similar programs (most notably, third party risk management programs) which are required to address not just internal compliance concerns but regulatory ones as well. I quickly realized it was far more beneficial to write down something simple for them that could be easily remembered and used as a guide instead of having them take copious notes of my monologue. What I derived at (with guidance from CVS Health’s then CPO Ken Mortensen) was the following Order of Implementation formula that anyone stumped by such a task could quickly reference:
P = p1 (p2 + p3)
Let’s review the components and put them into their proper context:
- P – the Program you plan to implement
- p1 – the policy
- p2 – your processes
- p3 – your practices
Now, recall from your basic algebra class the “order of operations” (that is; parenthesis first, then left to right) and you’ll begin to see why the formula is developing a solid track record as the Order of Implementation when instituting a new program.
Order of Implementation
Following the Order of Implementation, it’s essential to focus first on establishing and documenting your processes (your p2). Processes are a series of documented actions or steps that are taken in order to achieve the objective for your program. These are the whos, whats, wheres and whens for the program and these need to be documented, filed for ease of access, reviewed periodically and modified when augmentations are required.
Next, let’s look at your practices (p3) which are your way of “doing things.” These are items that you or your team performs on a daily or normal basis. Though these don’t necessarily need to be documented, these must be consistent and understood by your management and even other business lines if required.
Now, when you put your processes and your practices together (that is; p2 + p3) you’ve probably noticed these become your operating procedures for executing your program. This is what your compliance folks and regulators will most likely want to review for soundness, if and when they darken your door.
Lastly, we have your organization’s policy (p1) which is the course or principle of action adopted or proposed by your company. Though these are generally communicated by the C-suite and are referred to as “guidance,” not following the policy usually results in a disciplinary action, including termination, in some cases.
Pitfalls of Not Following the Formula
Many people have tried to implement their programs by enacting their policy (p1) first; this almost always turns out to be a mistake. There are many reasons why this is the case but the most common tend to be either (A) organizations want to put their strongest efforts into creating the policy first — viewing it as an easy win to show to compliance officers or regulators (i.e., “We have to show we have policy for doing this”), or (B) the policy becomes too detailed, often having p2 and p3 embedded into it, thus making it unreadable and unsustainable as new processes and practices are added or when existing ones change.
The biggest danger most commonly witnessed in implementing p1 first is that once the policy is in place, these organizations then tend to hide behind the policy as an excuse for not having to go into further detail as to the inner workings of their program. Remember, compliance — and more importantly, regulators — want to see the entire picture in order to get a true gauge as to a program’s functionality and later on, its maturity. This means you must have guidance and evidence to back up your p2s and p3s.
Another pitfall I’ve seen, though not as common, is once an organization has established and documented their processes and practices (p2s and p3s), they have either failed to establish a policy or the policy is hanging in limbo awaiting further review by either the C-suite executives or legal counsel. I’m sure we’ve all either been in a situation or seen a department head that when told to comply with a program has retorted to saying, “show me the policy.” To avoid this trap, be sure to have your policy readily on file after you’ve established your p2s and p3s and have it communicated throughout the enterprise and understood by all appropriate business leaders. By failing to do so the organization has created a “paper tiger” effect; a program without any teeth.
Getting it Right the First Time
We are all cognizant as to the importance of getting our programs off on solid footing and the Order of Implementation formula (aka: Garrubba-Mortensen formula) can assist in providing high-level guidance to help ensure you’re setting the basic groundwork the first time around.
In upcoming columns, I will continue this discussion on governance models, touching on the successes and challenges of implementing both centralized and decentralized programs.
Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. A nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn
Originally posted on Huffington Post blog.