Policies & Procedures: The Document Nobody Reads

Chapter 8. I know you have many of these.

Training only works if there’s something worth training people on. That sounds obvious, but it’s worth saying plainly, because the order matters: before you can teach someone how to behave, you need a clear, accurate, and findable statement of what the organization expects. That’s what a policy is supposed to be. Most organizations have plenty of them. Far fewer have policies that anyone actually uses.

What the Department of Justice Actually Wants

The DOJ’s Evaluation of Corporate Compliance Programs has, for years, treated policies and procedures as one of the seven pillars of an effective program, alongside training and reporting structures. But the language prosecutors are instructed to apply has gotten more specific, and that specificity tells you something about where enforcement attention is heading.

The current guidance doesn’t just ask whether a company has policies. It asks whether those policies are published in a format that’s easy to search, and whether the company can show, through real usage data, that employees actually go to those policies when they have a compliance question. In other words, the DOJ has moved from “do you have a document” to “do people use the document.” That’s a meaningfully higher bar, and it’s one most compliance programs aren’t built to meet.

I think that shift is right, and overdue. A policy sitting in a folder on the intranet that nobody opens isn’t a control. It’s a liability with a table of contents.