🚀 Today I’m proud to share the first paper from The Policy Update community: “The Colorado AI Act: A Compliance Handshake Between Developers and Deployers.”

The Colorado AI Act (SB 24-205) is the first comprehensive, enforceable U.S. state law on high-risk AI systems. It takes effect February 1, 2026, and sets clear obligations for both developers and deployers to prevent algorithmic discrimination.

This paper, co-authored by an extraordinary group of practitioners and thinkers across law, auditing, design, strategy, and governance, offers:
⚖️ A breakdown of legal duties for developers and deployers
📑 Practical compliance checklists and templates
🤝 A “compliance handshake” model that shows how these obligations fit together
📈 Insight into why strong AI governance is not just regulation, but a driver of value creation

I started The Policy Update as an outlet for "continuous learning in the age of AI", but found something bigger: an amazing interdisciplinary community of people committed to advancing responsible AI. This collaboration is proof of what happens when diverse expertise comes together with shared purpose.

Read the full white paper, which is linked in the comments.

#ColoradoAIAct #AIRegulation #ResponsibleAI #AIGovernance #AICompliance #AIandLaw

Sheila Leunig, Edward Feldman, Ezra Schwartz, Nadine Dammaschk, Dr. Cari Miller, Patrick Sullivan, Abhinav Mittal, Jovana Davidovic
Student Discipline Policies
The Policy-Control Gap - Why Good Intentions Aren’t Enough

Organizations often mistake policies for control. They draft guidelines, issue directives, and assume compliance will follow, without ensuring there is anything in place to enforce them. The result? A false sense of security and increased exposure to risk.

Policies alone don’t drive behavior; effective controls do. Internal audit and risk leaders can bridge this gap by embedding real, measurable mechanisms that detect and deter noncompliance. This would require moving beyond policy reviews and tick-box exercises to testing whether controls actually function in practice. It also means assessing the organization’s culture of compliance by determining:
- Are employees aware of the policy?
- Do they understand the consequences of noncompliance?
- Are there clear accountability measures in place?

To me, a policy without enforcement is like a shop that sells only right-handed gloves. Strong governance means ensuring that what’s written on paper translates into action. This also means shifting from passive oversight to proactive assurance: testing effectiveness, challenging assumptions, and ensuring that policies don’t just exist but actually work.

I welcome your thoughts.

#InternalAudit #RiskManagement #theiia #Governance #Compliance #internalauditors #ERM
-
COURT OF APPEAL AWARDS 36 MONTHS' SALARY FOR WRONGFUL AND UNFAIR DISMISSAL

The Court of Appeal upheld a High Court ruling awarding 36 months’ salary to a dismissed employee, reinforcing the courts' departure from the traditional or normal measure of damages in cases of wrongful and unfair dismissal.

🔍 Key Takeaways:
• The dismissal was found to be both wrongful and unfair, stemming from systemic failures in the employer’s centralized procurement system (SAP), not the employee’s conduct.
• The disciplinary process relied on conflicting internal policies, and the employee was placed on a Performance Improvement Plan despite meeting performance benchmarks.
• The Court emphasized that disciplinary action must be grounded in enforceable codes, not administrative policies lacking procedural safeguards.
• The award was justified due to the unconscionable nature of the dismissal and the scarcity of comparable roles in the labour market.

📚 Why this matters:
This case sets a powerful precedent for enhanced damages where internal inefficiencies and procedural irregularities unfairly penalize employees. HR teams and legal advisors should revisit their disciplinary frameworks to ensure clarity, fairness, and compliance with statutory obligations.

💡 Lesson for Employers, HR Teams, and Legal Advisors
This case is more than a cautionary tale. It is a clear signal that Zambian courts are holding employers to a higher standard of accountability in disciplinary matters. The traditional notice pay or normal measure of damages is no longer the default remedy. Courts are consistently awarding enhanced damages where dismissals are procedurally flawed, substantively unfair, or rooted in internal dysfunction.

Here is what this means in practice:
• ✅ Policies must be enforceable, not just well-written: Internal guidelines that lack legal grounding or contradict the disciplinary code will not protect an employer in court.
• 🔍 Procedural fairness is non-negotiable: Disciplinary processes must follow clear steps, offer the employee a fair hearing, and be free from bias or ambiguity.
• 📊 Performance management must be evidence-based: Placing employees on improvement plans without objective justification, especially when they meet performance targets, can be seen as punitive and unfair.
• ⚖️ Legal compliance must align with operational realities: Systemic failures (like procurement bottlenecks) cannot be used to justify disciplinary action. Employers must distinguish between individual accountability and organizational shortcomings.
• 🧭 Strategic HR is proactive, not reactive: Regular audits of internal policies, training for line managers, and legal reviews of disciplinary procedures are essential to mitigate risk.
• 💰 The cost of getting it wrong is rising: Awards of 36 months’ salary are no longer exceptional. They reflect the courts’ growing emphasis on justice, proportionality, and the real-world impact of wrongful and unfair dismissals.
-
A ₹5 crore ($570k) fine. One of the biggest in IRDAI's history.

That’s what landed on Policybazaar’s desk, India’s leading online insurance aggregator.

The reason? A list of violations that could’ve been avoided:
• Conflicts of interest - senior leaders holding unauthorised directorships elsewhere
• Products promoted as "best" or "top" without independent verification
• Irregular outsourcing payments
• Sales calls not mapped to authorised verifiers
• Premium payments delayed to insurers

But the part other companies need to hear: This isn’t just about Policybazaar. It’s a warning.

If you’re building in a regulated space - like fintech - you can’t treat compliance as an afterthought. Because regulators are watching. And they’re stepping up scrutiny. The founders who’ll sleep well in 5 years are reading cases like this now. And making changes before the knock on the door comes.

Now here's what you, as a fintech founder, can learn from Policybazaar's ₹5 Crore Penalty:

1) Governance Must Be Strong
• Get regulatory approval for ANY external directorship or advisory role for key management
• Document and disclose all potential conflicts upfront
• Review your leadership team’s external commitments quarterly

2) Product Promotions Need Transparent Backing
• Never rank products without clear, disclosed methodology
• Use independent, verifiable data for any product comparisons
• Include disclaimers explaining your ranking criteria
• Avoid language that implies regulatory endorsement

3) Premium/Payment Handling is Sacred
• Set up automated systems to ensure 24-hour premium transfers
• Never use customer funds for operational cash flow
• Build redundant payment processes with real-time monitoring
• Document every payment flow for audit trails

4) Record-Keeping Cannot Be "Good Enough"
• Tag every single transaction to a responsible person
• Maintain complete audit trails for all customer interactions
• Set up systems that allow instant regulatory access to records
• Run regular internal audits to catch gaps before regulators do

5) Outsourcing Agreements Need Crystal Clear Terms
• Define exact services, deliverables, and pricing in all vendor contracts
• Ensure all outsourcing complies with regulatory guidelines
• Regularly audit third-party relationships
• Document how outsourced services relate to your core business

6) Commission and Fee Structures Must Stay Within Limits
• Set up automated controls to prevent over-limit payments
• Reconcile monthly, not annually
• Document all fee structures clearly
• Build buffers to stay below regulatory maximums

The companies that survive in regulated spaces don’t just follow rules. They build compliance into their DNA from day one. Start now. Before the inspection. Before the penalty. Because in regulated industries, the cost of “fixing later” isn’t just money - it’s your entire business.

---

✍ Tell me below: What’s one compliance process you’ve delayed that could cost you big in the future?
-
Dear IT Auditors,

Auditing the Data Loss Prevention (DLP) Process

Data is every organization’s crown jewel, yet it is constantly in motion: emailed, uploaded, shared, and stored in the cloud. Every movement creates a potential leak point. That’s why Data Loss Prevention (DLP) is vital. It’s both a cybersecurity tool and a control framework that protects sensitive information from unauthorized disclosure. For auditors, the challenge is confirming that DLP isn’t just deployed, but truly effective and enforced.

📌 Understand the DLP Objective: DLP solutions monitor and control how data is used, shared, and transferred. Auditors must confirm whether the DLP strategy aligns with data classification policies, protecting PII, PHI, financial data, and intellectual property across endpoints, networks, and cloud services.

📌 Policy Design and Coverage: Review whether DLP rules are comprehensive and risk-based. For example, are policies configured to detect credit card numbers, personal identifiers, or confidential files leaving the organization? Ensure separate rules exist for email, USB devices, and cloud storage.

📌 Data Classification Integration: DLP is only as smart as the data classification behind it. Auditors should assess whether data is correctly tagged and categorized. If sensitive data isn’t labeled, DLP tools can’t protect it.

📌 Incident Response and Escalation: What happens when DLP detects a violation? Validate that alerts trigger the right response workflows, from notification and triage to investigation and resolution. Review whether these incidents are logged, analyzed, and used for policy refinement.

📌 Testing and Tuning: False positives can frustrate users and weaken compliance. Confirm whether the organization periodically tests and tunes DLP rules to balance detection accuracy with business usability.

📌 Coverage Across Channels: DLP should extend beyond on-premises email. Check if it covers endpoints, mobile devices, cloud storage, and collaboration tools like Teams or Slack. Incomplete coverage equals incomplete protection.

📌 User Awareness and Training: DLP can’t succeed if users don’t understand its purpose. Verify that employees are trained to handle data responsibly and recognize DLP warnings as guardrails, not obstacles.

📌 Audit Evidence: Key evidence includes DLP policy configuration screenshots, incident reports, alert logs, and exception approvals. Evidence should show both proactive prevention and responsive remediation.

Effective DLP auditing ensures that sensitive information stays where it belongs: inside trusted boundaries. When done right, it transforms data protection from a technical checkbox into a culture of digital responsibility.

#DataLossPrevention #CyberSecurityAudit #ITAudit #RiskManagement #CyberVerge #CyberYars #InformationSecurity #GRC #DataProtection #Compliance #InternalAudit #Assurance
-
🚨 The 2:00 AM Call: "We have a public S3 bucket."

It's every Platform Engineer's nightmare. A compliance scan just flagged a critical security breach: S3 buckets across multiple environments are set to public read. How do you find the root cause, identify the blast radius, and push a fix across your entire estate before the auditors arrive?

Most teams face a weekend of firefighting:
❌ Manually tracking down the source configuration.
❌ Calling developers to ask them to update their module versions.
❌ Patching environments one by one.
❌ Hoping no one introduces the same bug again.

The Orchestrated Fix: 15 Minutes to Global Remediation

Here is how a self-hosted Platform Orchestrator (like Humanitec) handles this at scale, turning a multi-day incident into a 15-minute fix:
1. AI Pinpoints the Issue: Using an HCTL CLI integration, we immediately query the orchestrator's state to see exactly which environments are affected by the public ACL module.
2. Root Cause Found: The orchestrator reveals the single, centralized module definition that mistakenly set the ACL to public-read.
3. Global Policy Enforcement: The Platform Team updates the module (ACL set to private) and pushes it back to the orchestrator.
4. Auto-Remediation: The system flags all affected environments for a pending update. We trigger a single fleet deployment, and the orchestrator forces the new, compliant configuration across all affected environments, guaranteeing compliance and eliminating the risk.

This process shifts security policy management from slow manual patching to centralized, instant policy enforcement at the infrastructure layer. We built this for high-security, high-compliance environments (Finance, Defense) where speed and auditable compliance are non-negotiable.

#PlatformEngineering #Security #Compliance #DevOps #S3
-
Oga Compliance, drop that regulation and go learn the business!

Too many compliance professionals hide behind regulations without understanding the business they support. They recite rules they can’t apply, enforce, or defend, and then wonder why they don't generate IMPACT.

Regulations are open-source. Anyone can read them. Your value lies in applying them effectively and guiding the business on compliant execution, which requires deep operational and technical knowledge.

If you’re in fintech, you MUST understand:
1. Product management – How products are designed, launched, and iterated.
2. InfoSec – Data security, fraud prevention, and infrastructure risks.
3. Dispute & settlements – How transactions flow, chargebacks work, and liabilities are assigned.

If you’re in Traditional Finance (banking, etc.), you MUST understand:
1. Branch & Treasury Operations – The nuts and bolts of transaction processing and internal workflows.
2. Trade finance – How cross-border deals, LC issuance, and supply chain financing work.
3. Relationship & Private Banking – Processes for engaging clients, structuring deals, and managing portfolios.
4. ERM – The fundamentals of lending, risk assessment, and risk appetite.

My ideology is that we don’t just "enforce" compliance, we co-create solutions.
- We don’t just say NO. We offer better, more compliant alternatives.
- We don’t reject business from a distance. We sit with the business/their customer, discuss, and align. (If you know your stuff, everyone leaves that meeting convinced, even the customer.)
- We champion initiatives, co-own projects and provide firm risk-aware postulations/advisory that enable Executives to support decisions with less worry of negative outcomes.
- We iterate. We modify our compliance programs as many times as needed to adapt to new ventures and initiatives the Business is interested in.

Yes, compliance is about adherence, but it's not a spectator sport, and businesses speak in acquisitions, turnover, and strategy.

Drop the "regulation recitation" mindset and start mastering the language of the business you support, tie your advisory to risk-reward dynamics, and drive home the ultimate goal: cost-saving and strategic enablement.
-
Fired for working from 'home'.

That’s what happened to Nick Kitaruth, a security manager who was dismissed after being found to have completed no work, while working remotely without agreement... from 200 miles away!

Sounds fair, right? WRONG!

When the case reached the Employment Tribunal, it found that the employer had failed to conduct a fair investigation, missing key steps like interviewing his line manager and clarifying the 'informal' remote work arrangements.

Key points:
❌ Lack of formal agreements: Kitaruth had a longstanding verbal agreement with his manager to work remotely.
❌ Flawed investigation: No formal interview with the manager and unclear disciplinary processes.
❌ Poor practice: Six weeks for the investigation and a seven-month delay for the appeal.

The tribunal found that the process was fundamentally flawed and ruled the dismissal unfair. Compensation award = 17k.

Key takeaways? A fair investigation and clear communication about workplace policies are essential to avoid costly mistakes and legal challenges.

This kind of case isn’t uncommon. Even organisations that truly value their people can make these mistakes... not out of negligence, but because the right foundations aren’t in place, or because tough conversations are avoided.

When the process isn't robust, it’s not just legal risk that increases; it starts to chip away at trust, consistency, and psychological safety across the whole organisation.

Fair disciplinary procedures aren’t about bureaucracy for its own sake. They’re about creating an environment where people know they’ll be treated reasonably, even when things go wrong.

So here’s the real question: If a situation like this arose in your organisation tomorrow, would your managers know what to do? And just as importantly, would they handle it fairly?
-
SOLICITOR'S 'MISCONDUCT' - personal culpability must be present.

The Court of Appeal recently allowed an appeal by a solicitor who was found guilty of misconduct by the Disciplinary Board and suspended for 6 months - the Grounds of Decision below.

The 'misconduct' in short: the solicitor was a partner in the firm, handling a winding up matter; his LA had emailed an order that was not accurate and premature. The DB held that this was misconduct by the solicitor as he was in charge of the matter. The High Court had upheld the DB's decision, amongst others, on the basis of vicarious liability.

The Court of Appeal however disagreed and allowed the appeal. It was held, amongst others, that:
■ In a misconduct allegation, there must be personal culpability on the part of the solicitor.
■ 'Guilt' is inseparable from personal culpability, reflecting individual moral and legal fault, whereas civil liability can exist without personal blame, e.g. vicarious liability.
■ The foundation of disciplinary responsibility lies in personal culpability.
■ A finding of misconduct cannot rest solely on the fact that the solicitor had authority/responsibility over the 'erroneous' subordinate.
■ The disciplinary process is not intended to impose vicarious liability, as in civil proceedings.
■ The disciplinary process is to determine whether the individual legal professional has, by act or omission, fallen below the standards of integrity, competence, or diligence expected of members of the legal profession.
■ Unlike civil liability, which may arise without proof of fault, disciplinary sanctions are inherently personal and reputational, as they put the legal practitioner’s integrity in issue.
■ The disciplinary tribunal must determine not only whether misconduct occurred within the firm, but whether the legal practitioner personally bears responsibility for it.
■ To hold otherwise would blur the line between civil responsibility and professional discipline, punishing individuals not for their own failings but for those of others.
■ The integrity of disciplinary justice demands that liability be anchored in personal fault.
■ The Appellant could only have been found guilty of misconduct if personally culpable.

This decision clarifies once again that disciplinary proceedings are personal in nature, in that there must be an actual 'wrongful' act or omission by the said professional, and vicarious liability - a concept of attaching liability even without actual personal fault or omission - has no place in disciplinary proceedings.
-
⚖️ Inconsistency Costs Employers Dearly

❌ Labour Court confirms: fairness means treating like cases alike.
💰 The misconduct: An employee was dismissed for authorising an incorrect petty cash payment — despite admitting the error.
⚠️ Employer’s stance: Dismissal justified due to gross negligence and an existing final written warning.
🔍 The problem: Other employees who made similar cash shortages were allowed to repay the amounts instead of facing discipline.
📌 Key issue: Inconsistent application of discipline — one employee punished, others effectively excused.
🧾 Evidence matters: The Court accepted oral testimony explaining how comparators were treated, even without written proof.
⚖️ Legal principle applied: Employers may not act capriciously or arbitrarily — similar misconduct must attract similar sanctions.
❌ Review fails: The Labour Court found the arbitrator’s decision reasonable and upheld the finding of substantive unfairness.
🔄 Outcome: Reinstatement confirmed and the employer ordered to pay costs.
👉 Employer takeaway: If you allow some employees to “fix” mistakes while disciplining others, expect serious legal consequences — even where a final warning exists.

Cashbuild SA Ltd v Mamogale N.O and Others (JR546_2023) [2025] ZALCJHB 572 (3 December 2025)