How to build a governance management system
The core purpose of an organization’s knowledge management — its system for creating, maintaining, and communicating the policies and procedures — is to provide employees with the information they need to do their work.
The objectives of the governance management system are:
- To ensure that the information provided is correct. If employees do their work according to the information, their actions will be consistent with applicable policies and compliance requirements.
- To ensure that the information is clear, simple, and short. There are always complexities in meeting a set of compliance requirements: ambiguities, contradictions, and duplications are common. The challenge is to identify and resolve these problems at management level so they are not passed down to end-user employees.
The steps set out below are one approach to building a governance management system to achieve these objectives. Each of these steps will be explained in more detail in a future newsletter.
Step 1. Define your governance objectives
Governance objectives are assertions that you want to be able to make about your organization, that define what you mean by ‘well-governed’. For example:
- Our activities are ethical.
- Our activities are safe.
- Our activities are legal.
- ...
These objectives are the starting point and justification for your governance system: everything else within the system is there to achieve these objectives.
Step 2. Get the compliance requirements under control
Create a register of compliance requirements
A compliance requirement is any regulation, standard, or set of rules that guides or constrains how your organization operates and how its personnel should behave.
The register will include:
- regulatory requirements
- stay-in-business requirements such as accreditations, operator certificates, and professional standards
- management system standards like ISO 9001, ISO 14001, ISO 29001, etc
- industrial standards that you must comply with, or that you choose to comply with for commercial reasons
- standards issued by the board or senior management, such as the code of conduct.
Assign accountability for each requirement
Nominate the position with accountability for each requirement, and define their responsibilities. These include:
- Determining what the organization must do to meet the requirement, such as: design or control of particular activities, employee awareness, and external reporting and filing.
- Managing third-party audits if required.
- Determining how non-compliance will be detected and actioned.
Step 3. Get the policies under control
Policies exist to give effect to your compliance requirements. A policy may:
- Provide guidance on, or set rules for, particular kinds of decision-making.
- Authorize employees to take action outside the normal hierarchy of authority (for example, to authorize any employee to stop an activity if they think it unsafe).
- Set performance criteria for particular classes of activity.
To get the policies under control:
- Create a rule for who may issue a policy: Board only? CEO? Any C-level manager?
- Establish a rationale for what policies you need. (Most organizations have too many.) Many governance objectives and compliance requirements need to be supported by a policy; but not necessarily a separate policy for each.
- Get all the policies in one place. There should not be the slightest doubt about what policies are in effect at any time.
- Make sure that the successive versions of each policy are accurately tracked. Policies are legal documents. In the event of an incident or litigation you may be required to produce every policy that was in effect at the time (which might well be a couple of years in the past). Such a demand should not be embarrassing.
Step 4. Chart the organization’s activities
Create activity charts or similar to define the processes used to achieve the organization's performance objectives. The set of activities will form a hierarchy, from ‘run the organization’ (or the part of the organization you are governing) down to front-line operations. In each case:
- What is the objective?
- What are the inputs and outputs?
- Who is accountable?
- Who is involved?
Defining the activities is not a mammoth undertaking. This is not end-user documentation or work instructions, telling people how to do things. These are management statements of processes and sub-processes. The concern is only with the identification and control of those tasks within the structure of the organization’s activities as a whole.
And regardless of the scale of effort required, it’s essential. Governance means ensuring that your activities are consistent with your compliance requirements. You can't do this unless the activities are defined.
The simplicity and clarity of your activity statements is an indicator of the quality of your organizational design. The individual tasks you carry out might be extremely complex; but how those tasks fit together should not be.
Step 5. Map the compliance requirements to the activities
For each compliance requirement, work through the detail to identify the activities to which the requirement is relevant and through which compliance is achieved. This might entail:
- Control tasks, to ensure that particular things happen, or do not happen, when the activity is carried out.
- Notification and reporting tasks.
- Awareness requirements for the people carrying out the task.
The first element of governance assurance is achieved when the people with accountability for the compliance requirements are satisfied that all relevant clauses in the compliance requirement are adequately addressed.
Step 6. Get the employee awareness under control
Collate the information required for each position
This information will comprise:
- policies with which the position must be familiar
- the awareness element for each compliance requirement relevant to the position
- the guidelines, standard practices, work instructions, operating procedures, how-to guides, etc, that explain the tasks to be carried out by the position.
Divide the information into:
- Required knowledge: things employees must know in order to do their work.
- Instructions and guidelines: information that employees must be able to access while doing their work.
Define the information delivery methods
Specify how the information will be provided to each position, such as knowledge items provided through induction and training, and reference items provided through a documentation delivery system. The specification should cover:
- Changes: how do people become aware of new information, such as a new policy or an updated compliance requirement?
- Revision: Many organizations stipulate that policies be reviewed annually; and in some jurisdictions it’s a legal requirement that every procedure touching on employee safety be reviewed annually. This implies a corresponding requirement that employee familiarity with those items should also be refreshed annually.
- Verification: how do you check — and prove — that your employees do, in fact, have the required awareness?
Reality check
The delivery of information to your front-line employees is the single most important component of your organization’s knowledge management. If this step fails, everything else is irrelevant.
You need to be confident that:
- The number and complexity of the knowledge items is within the delivery capacity of your induction and training methods, and within the learning capacity of the targeted employees.
- The instructions and guidelines are readily available in a form that your employees can and will use. (Bearing in mind all the challenges of poor reading skills, non-native language speakers, and unfamiliarity with technical documents; and in many organizations, the mediocrity of managerial writing.)
- You can prove — to a forensic standard if necessary — that your employees have the necessary awareness to do their work in compliance with the applicable requirements.
There have been several prosecutions in recent months, of organizations and executives personally, for failing on this point. The organizations had well-documented safety systems, but the information never made it to the employees who needed it. Apart from the financial penalties, those executives have deaths and injuries on their conscience.
The above steps might seem like a mountain of work, one of the awful management burdens: too hard to do, too important to skip. If you’re trying to manage your corporate knowledge as a collection of documents, it will indeed be challenging.