The core purpose of an organization’s knowledge management —
its system for creating, maintaining, and communicating the policies and
procedures — is to provide employees with the information
they need to do their work.
The objectives of the governance management system are:
- To ensure that the information provided is correct. If employees
do their work according to the information, their actions will
be consistent with applicable policies and compliance requirements.
- To ensure that the information is clear, simple, and short. There are
always complexities in meeting a set of compliance requirements: ambiguities,
contradictions, and duplications are common. The challenge is to identify
and resolve these problems at management level so they are not passed
down to end-user employees.
The steps set out below are one approach to building a governance management
system to achieve these objectives. Each of these steps will be explained
in more detail in a future newsletter.
Step 1. Define your governance objectives
Governance objectives are assertions that you want to be able to make about
your organization, that define what you mean by ‘well-governed’. For example:
- Our activities are ethical.
- Our activities are safe.
- Our activities are legal.
These objectives are the starting point and justification for your
governance system: everything else within the system is there to achieve these objectives.
Step 2. Get the compliance requirements under control
Create a register of compliance requirements
A compliance requirement is any regulation, standard, or set of
rules that guides or constrains how your organization operates
and how its personnel should behave.
The register will include:
- regulatory requirements
- stay-in-business requirements such as accreditations, operator certificates, and professional standards
- management system standards like ISO 9001, ISO 14001, ISO 29001, etc
- industrial standards that you must comply with, or that you choose to comply with for commercial reasons
- standards issued by the board or senior management, such as the code of conduct.
Assign accountability for each requirement
Nominate the position with accountability for each requirement, and define
their responsibilities. These include:
- Determining what the organization must do to meet the requirement, such as:
design or control of particular activities, employee awareness, and
external reporting and filing.
- Managing third-party audits if required
- Determining how non-compliance will be detected and actioned.
Step 3. Get the policies under control
Policies exist to give effect to your compliance requirements. A policy may:
- Provide guidance on, or set rules for, particular kinds of decision-making.
- Authorize employees to take action outside the normal hierarchy of authority
(for example, to authorize any employee to stop an activity if they think it unsafe).
- Set performance criteria for particular classes of activity.
To get the policies under control:
- Create a rule for who may issue a policy: Board only? CEO? Any C-level manager?
- Establish a rationale for what policies you need. (Most organizations
have too many.) Many governance objectives and compliance requirements
need to be supported by a policy; but not necessarily a separate policy for each.
- Get all the policies in one place. There should not be the
slightest doubt about what policies are in effect at any time.
- Make sure that the successive versions of each policy are accurately tracked.
Policies are legal documents. In the event of an incident or litigation
you may be required to produce every policy that was in effect
at the time (which might well be a couple of years in the past).
Such a demand should not be embarrassing.
Step 4. Chart the organization’s activities
Create activity charts or similar to define the processes used to achieve
the organization’s performance objectives. The set of activities will
form a hierarchy, from ‘run the organization’ (or the part of the
organization you are governing) down to front-line operations. In each case:
- What is the objective?
- What are the inputs and outputs?
- Who is accountable?
- Who is involved?
Defining the activities is not a mammoth undertaking. This is not end-user
documentation or work instructions, telling people how to do
things. These are management statements of processes and sub-processes.
The concern is only with the identification and control of those tasks
within the structure of the organization’s activities as a whole.
And regardless of the scale of effort required, it’s essential. Governance
means ensuring that your activities are consistent with your compliance
requirements. You can’t do this unless the activities are defined.
The simplicity and clarity of your activity statements is an indicator of
the quality of your organizational design. The individual tasks you carry out might
be extremely complex; but how those tasks fit together should not be.
Step 5. Map the compliance requirements to the activities
For each compliance requirement, work through the detail to
identify the activities to which the requirement is relevant
and through which compliance is achieved. This might entail:
- Control tasks, to ensure that particular things happen, or do not
happen, when the activity is carried out.
- Notification and reporting tasks.
- Awareness requirements for the people carrying out the task.
The first element of governance assurance is achieved when the people with
accountability for the compliance requirements are satisfied that all
relevant clauses in the compliance requirement are adequately addressed.
Step 6. Get the employee awareness under control
Collate the information required for each position
This information will comprise:
- policies with which the position must be familiar
- the awareness element for each compliance compliance requirement
relevant to the position
- the guidelines, standard practices, work instructions, operating procedures,
how-to guides, etc, that explain the tasks to be carried out by the position.
Divide the information into:
- Required knowledge: things employees must know in order to be doing their work.
- Instructions and guidelines: information that employees must be able to access while doing their work.
Define the information delivery methods
Specify how the the information will be provided to each position,
such as knowledge items provided through induction and training,
and reference items provided through a documentation delivery system.
The specification should cover:
- Changes: how do people become aware of new information, such as a new policy
or an updated compliance requirement?
- Revision: Many organizations stipulate that policies be reviewed annually; and
in some jurisdictions it’s a legal requirement that every procedure touching on
employee safety be reviewed annually. This implies a corresponding requirement
that employee familiarity with those items should also be refreshed annually.
- Verification: how do you check — and prove — that your employees do, in fact, have the required awareness.
The delivery of information to your front-line employees is the single
most important component of your organization’s knowledge management.
If this step fails, everything else is irrelevant.
You need to be confident that:
- The number and complexity of the knowledge items is within the delivery
capacity of your induction and training methods, and within the
learning capacity of the targeted employees.
- The instructions and guidelines are readily available in a form that your
employees can and will use. (Bearing in mind all the challenges of poor
reading skills, non-native language speakers, and unfamiliarity with
technical documents; and in many organizations, the mediocrity of managerial writing.)
- You can prove — to a forensic standard if necessary — that your employees have the
necessary awareness to do their work in compliance with the applicable requirements.
There have been several prosecutions in recent months, of organizations and executives
personally, for failing on this point. The organizations had well-documented
safety systems, but the information never made it to the employees
who needed it. Apart from the financial penalties, those executives
have deaths and injuries on their conscience.
The above steps might seem like a mountain of work, one of the awful
management burdens: too hard to do, too important to skip. If you’re
trying to manage your corporate knowledge as a collection of
documents, it will indeed be challenging.