Risk and Improvement
Top Compliance Risks for Businesses in 2025 and How to Address Them
In today’s fast-changing technological and regulatory environments, compliance risks for businesses are significant. Businesses face increasing scrutiny from regulators, customers, and other stakeholders to meet legal obligations and uphold best practices. As 2025 unfolds, here are the top compliance risks businesses need to be aware of—and strategies to address them effectively.
1. Data Privacy and Cybersecurity
With the growing prevalence of data breaches and stricter privacy laws, data protection strategies are non-negotiable for all businesses. Laws like the Privacy Act 2020 and global regulations such as the GDPR are evolving, placing higher demands on businesses to safeguard customer and employee data.
How to Address It:
- Conduct regular audits of your data handling processes.
- Implement robust cybersecurity measures, such as encryption and multi-factor authentication.
- Provide training for staff/kaimahi on data privacy and security protocols.
- Ensure your policies reflect the latest regulatory requirements and technological advancements.
2. Workplace Health and Safety Compliance
Health and safety remain top priorities, with regulators closely monitoring workplace standards. This includes ensuring compliance with the Health and Safety at Work Act 2015, particularly for higher-risk industries. Our Health and Safety regulatory system, including the Health and Safety Act, is currently being reviewed. The review may result in changes affecting your policies and processes.
How to Address It:
- Regularly review and update your health and safety policies and processes.
- Engage kaimahi/staff in health and safety training and drills.
- Stay informed about the Health and Safety Review and industry-specific guidelines and best practices.
3. Environmental, Social, and Governance (ESG) Obligations
ESG compliance is no longer optional. Stakeholders demand accountability and transparency about how businesses impact the environment and society. We all play a vital part in reducing emissions, managing waste, and adopting sustainable practices, and organisations across every sector have responsibilities.
How to Address It:
- Create or update your ESG policies to align with current regulations and industry standards.
- Prevent harm to current and future generations.
- Recognise that business assets and profitability rest, in the long run, on environmental, social and cultural respect.
- Monitor your environmental impact and sustainable practice.
- Communicate ESG efforts to stakeholders, showcasing accountability and progress.
4. Anti-Money Laundering and Countering Financing of Terrorism
Financial regulations require businesses to identify and mitigate risks related to money laundering and terrorism financing. Non-compliance can lead to severe penalties and reputational damage.
How to Address It:
- Ensure your policies comply with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009.
- Implement robust customer due diligence processes.
- Train kaimahi/staff on identifying suspicious activity and reporting obligations.
5. Employment Law Compliance
Employment law violations, such as failing to meet wage and holiday requirements or mishandling workplace disputes, can result in costly penalties and harm to workplace morale. Recent and proposed changes in Aotearoa to employment law relating to employment status, the minimum wage and personal grievances highlight the importance of staying current.
How to Address It:
- Regularly review workplace policies and employment agreements to ensure they align.
- Ensure all your kaimahi/staff are familiar with your policies and procedures and kept informed about changes.
- Provide training to all management levels on fair treatment and dispute resolution.
- Monitor updates to employment legislation and ensure your policies are kept current.
6. Consumer Protection and Marketing Compliance
Misleading advertising, false claims, or breaches of the Fair Trading Act 1986 and the Consumer Guarantees Act 1993 can lead to legal action and loss of consumer trust.
How to Address It:
- Ensure marketing materials comply with advertising standards and consumer laws.
- Train staff on ethical sales practices and accurate representation of products or services.
- Monitor feedback channels to identify and address consumer complaints promptly.
How We Can Help
Keeping up with regulatory changes can be overwhelming, but you don’t have to do it alone. Our policy management service takes the guesswork out of compliance. We provide:
- Policy content updated to reflect the latest laws and standards.
- Tools to track staff awareness and adherence to policies.
- Regular policy reviews to ensure your business remains compliant.
By outsourcing your policy management, you save time, reduce risks, and gain peace of mind knowing your policies are always current and compliant.
Final Thoughts
Compliance risks are an ever-present challenge for businesses, but they’re manageable with the right approach. By staying proactive and partnering with experts, you can protect your business, maintain trust, and focus on growth in 2025 and beyond.
Contact us today to learn how we can support your compliance needs!
Aligning with Family Violence Standards: Policy Reviews
At The Policy Place, we are committed to regularly reviewing and updating our online policies to ensure they meet the highest standards and reflect the latest developments in the field. Our next review will focus on policies related to abuse, child protection, and safeguarding vulnerable adults.
These policies are crucial for compliance with the Social Sector Accreditation Standards, Health and Disability Standards, and legislation such as the Children’s Act 2014.
Our Review Process
When we review and update our online policies, we take into account feedback from our members, as well as current laws, regulations, and best practice codes. This comprehensive approach ensures that our policies are not only compliant but also practical and effective for our diverse membership.
In the upcoming review, we will be incorporating two significant developments: the Specialist Family Violence Organisation Standards and the Recommendations of the Royal Commission on Abuse in Care. These updates are essential to ensure our policies remain relevant and effective in addressing the needs of those we serve.
The Importance of Specialist Family Violence Organisation Standards
The Specialist Family Violence Organisation Standards (“the Standards”) are a set of comprehensive guidelines developed as part of Te Aorerekura: The National Strategy to Eliminate Family Violence and Sexual Violence. These standards aim to guide consistent and high-quality practice among organizations providing services to individuals affected by family and sexual violence.
Key Features of the Standards
The Standards reflect extensive collaboration and insights from professionals in the family violence and sexual violence sectors, tangata whenua, community representatives, agencies, and victim-survivors. For organisations like ours, they provide a valuable framework for revising and updating policies and procedures. Key criteria include:
- Recognition of various forms of family violence: Including child abuse, elder abuse, and sexual violence, and the differing impacts based on cultural, gender, and care dynamics.
- Ensuring safety and autonomy for victim-survivors: Entailing provision for direct and indirect service users and for the safety and wellbeing of tamariki even when children are not direct service users.
- Victim and whānau-centered risk assessment and safety planning: Conducted in a culturally responsive manner and reflecting knowledge of family-violence related risk factors (eg separation, pregnancy).
- Supporting a trauma and violence-informed approach: A focus on the impact of violence (distinct from other causes of trauma) on individuals and communities, and recognising interconnected experiences of interpersonal and systemic violence.
- Reflecting a ‘primary victim-survivor, predominant perpetrator’ analysis: Reflected in policies and procedures around risk assessment, planning and service delivery.
- Recognising and addressing the rights and interests of deaf and disabled individuals and adults needing safeguarding: Addressing the contexts of care and impacts of stigma and misinformation.
- Promoting culturally safe and appropriate practices: Recognising intersectionalities and impacts for people of diverse genders, ethnicity and abilities.
How The Standards Apply
The Standards are vital for organisations providing specialist family violence responses but can also be utilised by any organization wanting to enhance their response capabilities and organisational practices. They complement existing accreditation and practice frameworks from agencies like the Ministry of Justice, Te Kāhui Kahu and the Ministry of Social Development.
The Policy Place Abuse and Protection policies are already aligned with many aspects of the Standards, such as cultural responsiveness, safety planning, and legislative references.
However, we strive to do more. Through review and updating, Policy Place members operating in social service, health, disability and justice sectors will have their policies more specifically aligned to the Standards. Members will therefore gain the assurance that their policies:
- Comply with legal and regulatory requirements: And reflect best practices.
- Are endorsed and utilised by different sectors: And comply with different accreditation criteria.
- Guide the delivery of safe, inclusive, and responsive services: To diverse communities.
This helps build national consistency in the application of the Standards because, as a leading provider of policies and procedures for agencies in NZ, our reviews and updates positively impact many organisations in Aotearoa. Nationwide, we are helping build a safer and more effective network of services and supports for those impacted by family and sexual violence.
Conclusion
Regularly reviewing and updating our policies is not just about compliance; it’s about ensuring that our members are equipped with the best tools and practices to provide safe, effective, and inclusive services. By aligning with the Specialist Family Violence Organisation Standards and incorporating feedback and new developments, we can support our members in delivering high-quality care and protection to those who need it most. Together, we can make a significant impact in the fight against family and sexual violence.
New: Policy Tracking and Reporting for Compliance and Efficiency Gains
We’ve just introduced Policy Tracking and Reporting for members of the Policy Place’s online policy service.
This new function provides managers with valuable information about the views and use of organisational policies and procedures. It also offers evidence of compliance that organizations can use for audits and assessments, ensuring adherence to the Social Sector Accreditation Standards, Ngā Paerewa Health and Disability Standards and other relevant laws and regulations.
In this post, we’ll cover what Policy Tracking involves, its benefits and how to implement and use this new function.
If you are a member of the online policy service let us know if you want access to the new function. If you are not yet a member, contact us NOW to discuss joining.
What is Policy Tracking
Policy Tracking reports on the use and views of an organisation’s policies. It tells you which of your policies have been viewed and by whom, within chosen timeframes.
Here’s an example of a Policy Report:
- The report can be specific to a staff member or group of staff.
- It can be specific to policy pages.
- It can consider policy views within your chosen timeframe.
The Benefits
We added this function because clients were asking for it. Policy Tracking and Reporting will bring the following benefits:
- Enhanced Compliance: Policy tracking provides records of policy views that can be used to evidence compliance with policies and laws during audits and inspections. This transparency can protect an organisation from liability and shows a proactive approach to compliance.
- Risk Management: Ensuring that all staff have viewed and understood critical policies like the Code of Conduct, Health and Safety, and Complaints reduces the risk of non-compliance with laws and regulations and harmful consequences.
- Operational Efficiency: By automating the tracking of policy views, organisations can save time and resources that would otherwise be spent manually monitoring compliance.
- Improved Transparency and Responsibility: Policies should be a single source of truth for an organisation. Policy Tracking reminds staff of the need to keep themselves informed about revisions and updates to policies and helps steer organisational members in the same direction.
- Continuous Improvement: Policy Tracking will provide information that can help investigate workplace incidents or complaints and plan training and service improvements.
Beware of privacy implications
Policy Tracking involves handling staff personal information, so applying privacy safeguards is crucial:
- Inform Staff: Before implementing the Policy Tracking function, let staff know you are going to do it and the purpose behind it.
- Anonymise Data: When using the Tracking data for audit and assessment purposes, remove identifying information. Anonymised and aggregated data provides as good evidence of policy use as identifying data.
- Restrict Access: Only allow authorised personnel to access Tracking data to ensure personal information remains secure. Usually, access will be confined to management.
- Limit Data Use: Tracking data must not be used for any purpose unrelated to the reason it is gathered unless allowed by law.
- Transparency: Inform staff they can request access to the tracking data you collect about their access and use of policies.
Limitations of Policy Tracking
We’ve previously posted about the limitations of a compliance-focused approach to policy. The limitations apply to the new Policy Tracking function.
While policy tracking tells you if a person has looked at a policy, it does not tell you whether they understood the policy or whether the policy has been applied. That’s where our online courses come in. Check them out here. They are short online courses that support members and non-members of the online policy service in understanding and applying policies and procedures in a range of areas.
Conclusion
The new service for tracking staff views of policies and procedures promises many benefits for our online policy members. It will support our policy clients in building service quality and efficiency, reducing risk, and fostering a culture of transparency and responsibility.
If you want to use the Policy Tracking function and you’re one of our online policy service members, then just let us know. If you’re not an online policy service member but are interested in joining, contact us to discuss your policy needs and how we can assist.
Contact us NOW to enhance your compliance and operational efficiency with our new Policy Tracking and Reporting service.
Why You Need a Comprehensive AI Policy
Artificial intelligence (AI) is becoming integral to many industries in Aotearoa, including social and health services. While AI offers benefits, it also poses significant risks that need to be addressed through comprehensive AI policies. That’s why we at the Policy Place have recently released our new AI policy for our online policy clients.
In this blog we consider the importance of having an AI policy in social and health service agencies, the risks of not having a policy and some of the key things to cover in an AI policy for community, social and health services. For our previous post on AI use in social and health services see here.
The Rise of AI in Workplaces
Artificial intelligence is no longer a futuristic concept; it is actively shaping how organisations operate.
The 2024 Work Trend Index Annual Report from Microsoft and LinkedIn, released in May this year, found that AI is prevalent in the workplace worldwide. Key findings highlighted that AI use is pervasive in global workplaces and that AI use is beneficial in terms of time-saving, efficiency gains and adding to the enjoyment of work.
However, the Report also identified a pervasive risk with AI use: in workplaces without an AI policy or other guidance, 78% of employees had taken things into their own hands and were bringing and using their own AI tools at work.
The Risks of AI Use without AI policies and guidance include:
- Data Security Risks: AI systems can be vulnerable to cyber-attacks, which can lead to data breaches and loss of sensitive information. Without an AI policy, staff may input personal information and sensitive organisational data into AI tools.
- Ethical and Legal Risks: AI use can lead to ethical dilemmas and legal issues, such as unauthorised use of personal data, breach of copyright and AI-driven decisions that are biased and breach human rights.
- Operational Risks: Relying on AI without proper oversight can lead to operational inefficiencies, errors, and potential harm to clients.
- Cultural Risks: AI data may not be sufficiently responsive to diverse cultural contexts and needs of different communities. Without proper AI policies and guidance, AI use risks undermining important cultural practices and values, particularly those protected by Te Tiriti o Waitangi.
The Importance of an AI Policy
An AI policy is the minimum starting point for a workplace to address some of these risks:
- Ensuring Ethical Use of AI: An AI policy helps ensure that AI tools are used ethically and responsibly. This is crucial in social, community and health services, where decisions made by AI can significantly impact individuals’ lives and well-being.
- Protecting Client Privacy: An AI policy guides how staff should use AI in alignment with the Privacy Act 2020 and privacy policies. This is particularly important for social, health and community services dealing with highly sensitive and confidential data.
- Maintaining Accountability: Clear guidelines within an AI policy guide staff on how they may use AI in their decisions and their duty of reasonable care. This is particularly important in health and social services, where transparency and trust are paramount.
- Preventing Discrimination: An AI policy will include checks that staff must do on AI-generated data before relying on it and prohibitions against reliance on biased and unverified data.
- Honoring Te Tiriti o Waitangi: AI policies must recognise and protect Treaty of Waitangi rights. This includes ensuring that AI use does not disadvantage iwi and whānau Māori that health and community services work with and that data sovereignty and cultural considerations are respected.
Strategies to support an AI Policy
An AI policy is just the beginning for a workplace wanting to use AI. Like any policy, your AI policy needs to be backed up by a strong implementation strategy that includes the following:
- Regular Audits and Assessments: Conduct regular audits of AI systems to ensure they operate as intended and comply with ethical standards.
- Training and Awareness: Provide training for staff on the responsible use of AI and raise awareness about potential risks and ethical considerations.
- Bias Mitigation Strategies: Implement strategies to identify and reduce biases in AI systems, eg data checking, surveys and, if affordable, bias detection algorithms.
- Robust Security Measures: Apply strong cybersecurity protocols to protect AI systems from threats and ensure the integrity of data.
- Transparent Decision-Making: Ensure through training and policy that staff responsibilities for AI use are clearly articulated, and AI-driven decisions are transparent and explainable.
- Cultural Safety and the Treaty: Use strategies like training, bias detection systems and iwi/community consultation to ensure that the rights of tangata whenua under Te Tiriti o Waitangi are respected and protected with AI use.
Conclusion
AI brings benefits as well as risks, especially for the social, community and health services we work with. To get the most out of AI and help protect against the risks, an AI policy is a “must.” It’s arguably the beginning of a new policy era when, in response to rapidly evolving technology, we need to revise and evolve policies at an equally fast pace.
Learning v Compliance Reporting and Tracking
In organisations of many types, compliance reporting and tracking have led to a compliance-driven approach to operations.
However, a paradigm shift is now underway in the not-for-profit sector. Having long struggled to get staff on board with compliance and policy implementation, many nonprofit agencies are shifting from a compliance-driven approach to a learning-focused one.
In this blog, we’ll explore why a learning approach to compliance is superior to compliance tracking and reporting for an organisation that is required to meet regulations and standards like the Social Sector Accreditation Standards, Community Housing Performance Standards and Ngā Paerewa Health and Disability Service Standards.
1. Fosters a Culture of Continuous Improvement
Unlike compliance reporting, which often focuses solely on meeting minimum requirements and is backward looking, a learning approach to compliance encourages ongoing growth and development. By prioritising learning, agencies can foster a culture of continuous improvement, where kaimahi/staff members are empowered to seek out new knowledge, skills, and best practices.
2. Learning approach aligns with non-profit kaupapa
Nonprofit agencies typically have a person/whānau centred kaupapa and value the concept of voluntariness highly. A learning approach to compliance aligns with this, particularly through these short online courses developed specifically for non-profit agencies in Aotearoa. The learning approach to compliance assumes that most people want to meet their obligations. It allows the broadest possible compliance at the least cost both to the agency and to the individual.
3. Compliance reporting and tracking
Agencies accept these as a necessary evil. But compliance reporting and tracking can incentivise fast tracking and a tick-box mentality in an organisation. This can ultimately undermine an organisation’s capacity to improve and build quality of service and reduce staff motivation to innovate and “go outside of the box.” Check out our previous blog about the disadvantages.
4. Drives Innovation and Creativity
Compliance reporting tends to focus on maintaining the status quo—ensuring that existing processes and procedures meet regulatory standards. In contrast, a learning program encourages staff members to think outside the box, explore new ideas, and experiment with innovative approaches. This is facilitated by interactive content like scenarios and quizzes in the Policy Place’s online courses.
5. Supports Engagement and Retention of Kaimahi
Research consistently shows that organisations that invest in employee learning and development experience higher levels of engagement and retention. A learning approach to compliance demonstrates to kaimahi that their growth and professional development are valued as much as the organisation values compliance with external standards. This contributes to greater job satisfaction and loyalty and to an organisation’s ability to retain and attract quality staff.
6. Builds skills and ability to comply
Interactive elements and engagement in online courses can help reinforce key concepts and information retention about requirements for compliance. They provide real-world examples and practical scenarios to illustrate how policy content is applied in different contexts.
This practical application helps staff understand the relevance of policy content and how it translates into everyday practices and decision-making. Ultimately, it means that staff are better prepared for and empowered to meet their obligations.
Conclusion
While compliance reporting serves an important function in ensuring accountability and regulatory adherence, its limitations are increasingly apparent in the nonprofit sector. By embracing a learning-focused approach, nonprofit agencies can unlock a wealth of benefits—from fostering a culture of continuous improvement to driving innovation and creativity.
Ultimately, investing in learning programs isn’t just about checking boxes; it’s about empowering staff, enhancing organisational resilience, and advancing the kaupapa of human service agencies.
Risk Management with the help of good policies and procedures
Risk management is a key reason for policies and procedures – risks like financial mismanagement, accidents, cyberthreats, privacy.
Take a broad view. No need to be afraid of risk. The wider your view of risk the better prepared you can be and the more able and confident you can feel in your business/organisation.
While risks will be unique to your operation, there are also risks that all of us in business need to manage. At the Policy Place, we help organisations manage these risks with online policies that are regularly reviewed and updated and with other strategies like guidelines and checklists.
Some of the common risks for organisations are listed below, with some of the more common policies and strategies to help manage these risks:
Financial Risk Management
- Policy and procedures relating to financial planning and controls
- Fraud and Corruption policy
- Protected Disclosures policy
- Financial Planning and Investment policies
Information Risk Management
- Preventative & Troubleshooting Maintenance Contracts
- Privacy and Confidentiality policy
- Record Management and Archiving system
- Privacy Breach Procedure
- Information Safeguards policy and procedure
Managing Economic & Political Risks
- Media-related policies and processes
- Hazard-management policy and procedure
- Staff and Governance Recruitment Policies and Procedures
- Strategic & Business Planning
- Hazard & Risk Register
Health and Safety Risk Management
- Wellbeing policy and procedure
- Health and Safety procedures including Hazard and Risk Register; Staff Participation
- Induction and ongoing staff training
- Pandemic Planning
- Infection Control policy and procedures
- Cultural Safety and Responsiveness policy and training
- Harassment and Bullying policy and procedure
Service-related Risk Management
- Complaints and Feedback Policy and Procedures
- Performance and service planning and review processes
- Quality Management policy and procedure
- Training and development of staff
- Policies to guide delivery
- Business Continuity Plan
Risky business – when offending hits the workplace
The case of Philip Barnes was recently laid bare in New Zealand media when his name suppression order was lifted. It’s a good reminder about what not to do when, as a manager, you learn that a staff member may have been involved in offending.
The case
In 2017, International Accreditation New Zealand (IANZ) management learned that Barnes (a General Manager) was involved in a Police investigation of spying in a gym changing room. Police uplifted Barnes’ computer from IANZ and returned it a few days later.
In June 2018, Barnes pleaded guilty to making an intimate visual recording. He sought and got name suppression. In 2020, he was discharged without conviction and granted permanent name suppression. Both orders were successfully appealed by Police and recently, the name suppression order was lifted.
While Barnes was being investigated by Police, IANZ conducted an investigation. A minimal investigation. They questioned Barnes and accepted his assurances that he was involved, basically, as “someone in the wrong place at the wrong time.”
3 lessons
Don’t turn a blind eye
In this case, offending occurred outside work. Even so, as a manager, you can’t assume that the offending will not impact on the business.
An employee’s conduct outside of work may bring an agency into disrepute. This was clearly a risk for IANZ.
Turning a blind eye, by accepting Barnes’ explanation for the Police investigation without checking objective facts, exposed IANZ to significant risk.
Even if offending is alleged to have occurred outside work, as a manager, it’s important that you make reasonable inquiries to apprise yourself of the facts.
You don’t have to duplicate the Police investigation. It’s important not to interfere with it.
But it is important that you make sufficient inquiry to fully understand the nature and possible consequences of the allegation(s) to your staff, organisation and client base.
Don’t assume innocence or guilt
We all want to believe the best of people, particularly of staff who we work beside each day and we know to be hardworking. Conversely, we may be more inclined to think a staff member is guilty if we don’t like them.
Either way, hold off. Resist any such assumption.
Your best bet is to be as dispassionate as possible about the allegation(s), while being compassionate and fair to the staff member concerned and any affected staff or others. This will enable you to undertake a reasonable and balanced inquiry into the nature of the allegation(s) and scope the risks associated with them.
Assess and manage risk
There were two major omissions in the IANZ/Barnes case. First, IANZ failed to make a reasonable inquiry into the Police investigation. Second, it failed to fully scope, assess and manage risks, including risk to its reputation as an agency that’s all about upholding standards.
Risk assessment and management are key tasks for management when confronted with alleged offending by an employee.
Risks to the victim(s), staff member, clients, colleagues, and to the reputation of the agency must all be assessed.
Mitigations must be established as necessary. They might involve suspension, a change of duties, extra supervision, change of workplace or work hours, etc, depending on the situation, level and nature of risk(s). Mitigations need to be worked out with the employee concerned and their effectiveness monitored and adjusted accordingly.
So…
Learn from what IANZ didn’t do.
Review your policies and procedures to make sure they guide you and your staff to respond if staff become involved in a Police investigation.
At the Policy Place we’ve got you covered if you’re a member of our online policy service. Risk management is an important feature of our online policies eg policies on Background and Child Safety Checking, Quality Assurance, Service delivery and Health and Safety.
If you want to know you’re covered with good policies that are reviewed and kept up-to-date contact us to join the online policy service or book a free consultation to talk about your needs.
When the martians come: policy and procedure tips for cybersecurity
No matter what business you’re in, you’re likely to rely on information technology (IT).
In social service, health and education agencies, we use IT for a multitude of functions – enrolments, intakes, planning etc. Essentially, we would be lost without it.
But have you given sufficient thought to preventing and defending against cyber threats?
If you think that cyber attacks are still the stuff of sci-fi movies then think again. It was only 6 weeks ago that the New Zealand Stock Exchange was rendered inoperative because of a cyber attack. Not just once but multiple times.
We are all vulnerable and need to be on guard to prevent and defend against attacks. We need to become cyber-brave!
A good start
For cyber smart week, CERT NZ has published some basic tips to help each of us improve our defence against cybersecurity attacks. These include protecting passwords, installing updates and using multifactor authentication for login access.
We all need to be cyber-aware but it’s especially important if you’re an organisation. Awareness means understanding and regularly reviewing your cyber risks. There may be risks to individuals, your functions, finances, reputation and/or to your agency’s very existence.
Knowing the risks will guide the safeguards you need to take and what your policies and procedures should address to help you prevent and respond to cyber-attacks.
You need policies and procedures
Given the rate of change in the IT world, it’s important to review and update your policies and procedures to cover off the “must-dos” for your organisation’s security. Key areas to cover include:
- acceptable use of information and communications technology
- access to data
- remote working
- incident planning.
Staff should be trained to implement the policies and to maintain cyber awareness.
Acceptable/unacceptable use of electronic devices at work
Your policies should cover the use of personal devices, eg cellphones, as well as what may or may not be done on work computers. For example, internet and email access should not be used to download unauthorised software or install games, and activities such as gambling and use of pornography should be prohibited.
Access to data
As a general rule, access to data should be restricted to those who need it for work purposes. This helps prevent data breaches. It also helps protect privacy which can be jeopardised by unauthorised access to client or staff personal information.
You should have clear procedures in place for removing and changing access rights as people change and leave roles. No one should have access to data and systems they don’t need for their work purposes.
Remote working
With COVID-19, remote working is much more prevalent. But with remote access, there are potentially more pathways for cyber attacks. Your policies and procedures can help manage these risks. For example:
- outline organisational responsibilities like organising a VPN
- state the safeguards to be taken by staff/remote workers – that they use their home internet to access the work network and notify management immediately of any unusual events on the system.
If personal devices are used, precautions by remote staff can include:
- keeping their operating system up-to-date
- using a strong password and multi-factor authentication
- uploading documents they save locally to the network
- running and updating their antivirus software regularly.
Incident planning and responses
Your policies and procedures should guide staff when responding to a cybersecurity issue, in particular:
- who they should notify if concerned
- who will manage recovery from the incident
- who should be told (eg Privacy Commissioner from 1 December for serious privacy breaches)
- how to use data backups and resume operating
- steps to mitigate and prevent a recurrence of the incident.
Become cyber-brave
Even though it may feel like a minefield, grow your awareness and become cyber-brave.
The Martians may or may not be coming. But either way, it’s best to be prepared.
If you’re wanting your policies and procedures reviewed and updated, contact us. We aim to protect social service, childcare, health and tertiary education agencies from risks of non-compliance with regulations and standards.
We want to help you become cyber brave!
5 ways to increase the effectiveness of your complaints process
So you’ve got a complaints process but how effective is it?
Is receiving no complaints the best you can hope for as a sign of effectiveness? Or is it the complaint outcome that matters most – ie that you were right or wrong?
Here are 5 things that we think are important to a good complaints process:
- Your policy
- Your culture
- Accessibility
- Your process of escalation, and
- Your resolution approach.
1. Good policy
Staff need to understand the process and rationale for your complaints process. That’s where your policy comes in. It should cover the legal and regulatory imperatives, your commitment to client/customer responsiveness and participation and to organisational learning and improvement. The insertion of some principles like equality, timeliness and fairness will also help staff navigate the process for themselves and with clients/customers.
2. Welcoming and receptive culture
Most of us struggle with criticism and complaints can feel like criticism. So it’s understandable if we feel negative about complaints. But taking a negative approach is deeply problematic.
Negativity can lead to behaviours that stop or prevent people from giving feedback and risks poor quality client service. It can mean that we don’t promote the process, we might respond defensively to feedback and we could minimise and avoid concerns rather than addressing them.
A tendency towards or risk of negativity should therefore be offset in a workplace by strategies such as these:
- adopt a broad focus – invite both positive and negative feedback and make it easy for people to give feedback. Feedback can be as simple for a client as answering a question every now and then about how they’re finding the service and if they would like to see any changes made to improve their experience. Keep a record, consider the feedback with the client and/or others and respond to it;
- take a learning and improvement ethos in the organisation where mistakes and complaints, as much as feedback, are regarded and treated as opportunities to learn and improve;
- share and celebrate feedback and use it to assist team collaboration and planning;
- ensure that staff understand they have rights in the complaints process and that they will be treated fairly and be able to access support if they are involved personally in the process.
3. Easy access and use
How many times have you gone to make a complaint or raise a concern with an agency, only to find that there’s no real mechanism for complaining despite claims that they have a process?
This might mean you don’t get complaints. But it’s also disastrous in terms of being able to provide a good service, as you don’t end up knowing where your customers are feeling let down by your service. Some key lessons then:
- Lesson 1 – if you’ve got a complaints process, make sure your clients/customers can easily find it and use it. Yes, it’s important to have a complaints process, it’s also important to have multiple channels for clients and customers to give feedback.
- Lesson 2 – make sure your staff understand the process and can help people with it. It should be part of staff induction and regular staff training.
- Lesson 3 – anticipate and address potential barriers to clients making complaints by making sure that: information about the feedback and complaints process is appropriate to your client group (eg age and developmentally appropriate; different languages); there is access to external advocates; and there are multiple ways of giving feedback and making complaints.
4. Appropriate escalation
A complaints process needs to recognise that people like to deal with conflict and concerns in different ways. Most prefer early and quick resolution.
Promoting and providing a pathway for the early raising and resolution of concerns is important. Remind and encourage clients/customers to share their concerns directly with staff and offer support if needed. This can be a part of the complaints process or separated out from a more formal “complaints” process.
At the other end of the process, provision should also be made for a right of internal and/or external review if a party to the complaint is not happy with the complaint outcome or the process.
5. Systemic approach
Problems rarely arise in a vacuum. They are likely to be systemic and to reflect context. Even if there seems to be an immediate and obvious cause and answer to a complaint there will often be more to it. Certainly, it’s worth thinking about.
Consider how wider systems, organisational norms, work schedules etc may have contributed to the behaviour or attitude that is being complained about and what can be done to address the deficiency(ies). This, plus addressing the more immediate cause, will help prevent recurrence of the matter in the long term.
Conclusion
So going back to the start – how do you know if your complaints process is effective? Not receiving complaints is not a reliable indicator. It may indicate top-notch service, but if you’re not getting any feedback or complaints then it may well signal the need for more opportunities for clients/customers to participate and provide feedback.
Complaint outcome, or who won or lost, is also unreliable. The value and benefits of good feedback and complaints processes are to help an organisation learn and improve and be responsive and relevant to clients/customers.
When assessing effectiveness, think instead about access, use and participation in the process, client/customer feedback on their experience of the process and cost/benefits of resourcing the process against the short and long term benefits of learning and improvement.