How to use SOPs and Procedures
Why should I care about Procedures at all?
Ever been in a company that tried to fail? Or tried to complete useless activities or even break the law as part of daily operations? As ridiculous as this sounds or perhaps something you have joked about in the past, these things inadvertently happen all the time. Either through lack of training, lack of understanding or lack of visibility. Left undefined, the operations of any Department run the risk of ineffectiveness and exposure.
Procedures provide the baseline understanding of how the various areas of an organization operate. Small businesses to large Corporations, not-for-profit to for-profit, highly regulated industries to non-regulated operations, they all have one thing in common; the need for base policies and procedures. Of course, understanding the difference between policies, procedures and SOPs (Standard Operation Procedures) is fundamental to effective operations. In short, policies are the “what” and procedures are the “how”. Sometimes the “how” is sufficient, but be careful you are not incorporating the “what” into your procedures.
Procedures are often thought of as necessary evils that are only needed in regulated organizations. The term SOP is even worse! The reality is that every type and size of organization needs to have Procedures. The key is to find the balance within the Policies and Procedures for your specific organization.
I am in a non-regulated business. Why does it matter?
To get from point a to point b in any organization requires people to complete a series of tasks in a particular order. It doesn’t matter if the tasks are documented or not, people are following some form of a process. As soon as leadership is delegating responsibility of a process to someone else, two critical success factors come in play:
1. Does the person know what to do?
2. How do you know it was done right?
Obviously training addresses the first critical success factor to make sure people know what to do. Although documentation for training is extremely helpful and highly recommended, it is possible to train someone on a process without it.
The second critical success factor is more challenging; knowing if it was done right. Most processes have multiple steps, perhaps even different decision points. When a process is in your head it is human nature to focus only on the end result, not how something can break along the way. This is even more relevant for processes that you have been doing yourself for a long time and now you need to train someone else. There is inherit knowledge that is mostly likely in your head, that is not actually in the training. Documenting the process as a procedure allows you to use it a checklist. At each step, ask yourself “How can someone mess this up?”. If you come up with a way, you need to decide whether you are willing to live with it or if the procedure needs to be changed.
Finally, even in a small business, business continuity should at least be a consideration. What happens if a key person is not here tomorrow? Documenting critical processes related to key individuals provides a safety net to help the organization continue in the event of an unexpected absence.
I am in a Regulated Environment. Why am I even reading this?
If you are in a Regulated environment (and compliant!) then you most likely have put Policies and SOPs in place already. Whenever compliance is involved, it is a natural tendency to focus on it, but even so the bedrock of compliance is always well structured procedures. Looking at the different components that make up a compliance framework, they are connected back to a set of procedures. The procedure is the only component that is in your compliance framework that tells you how to do something, who does it, how to make sure it is right, what are the risks, what to test and how to measure it. The only components not found in a procedure are unaddressed Risks. This makes managing your SOPs and procedures the single most critical item in your control framework.
Let’s look at the individual components:
How something gets done and who does it
As discussed in the non-regulated example, even without compliance, there is value in documenting your operational procedures. As organizations grow beyond a few individuals, the need for documented procedures grows exponentially. At minimum, clear concise, organized procedures provide the business continuity and confidence to leadership needed by successful organizations. The extra challenge that can occur with Regulated organizations is to not focus exclusively on SOPs. There are many procedures that do not fall directly under compliance, but are important to daily operations of the organization.
Making sure it is done right
Whether you have a formal Control Framework in place or not, Regulated environments not only require you have steps to verify you are getting the expected result along the way, but also require that you have evidence proving it. Your procedure is the delivery mechanism for both these items. Your procedures should be producing all of the evidence for testing and Regulatory documents needed to be compliant. Achieving a balance between efficient procedures, mitigating controls and generation of Regulatory documents is the largest challenge in this area.
What to test
It doesn’t matter if it is an external customer audit, internal audit or third party audit, your SOPs are always requested at the beginning of the process. Assuming there are not any material flaws in your procedures themselves, audits are conducted against the output and evidence created in an individual procedure. Organizations are not audited against what the auditor thinks the process should be, but your actual SOP. If there are no SOPs, then there can’t even be an audit, which of course would lead to failure.
Although it is possible to operate an organization without any documented procedures, the risks to the organization become significant as soon as there are more than a few people involved. In a Regulated environment, your entire compliance framework is based on your SOPs. All of your regulatory compliance, risk mitigation, testing and performance measurement are based on effective procedures and SOPs. Therefore, organizing and structuring your SOPs and procedures is one of the most important activities an organization can complete. Putting in place SOP and Procedure standards for consistency and using a Policy and Procedure Management System for the organization and deployment of your procedures ensures the proper support is provided to all other areas of the organization.