Reminders are sent out well in advance for responsible parties to approve their policies (our Risk Management department has ellucid Policy Manager). Our two critical access hospitals review annually, and for our acute care hospital, it's every two years. However, there are managers/directors that do not get to each policy before the due date. The Risk Management staff do their best to hold everyone accountable, but currently there really aren't any consequences for those who are late. Personally, I think they should be reported to their VP and their lack of timely completion should be addressed.
I shared a similar experience when I worked for a healthcare system. Policies were reviewed every 3 years for joint commission purposes, 2 for critical access. While the policy management system did a good job of sending out automatic reminders as to upcoming deadlines, they were ignored by many. It created a lot of problems until the joint commission window approached when it was a sudden race to chase people down to do their policy updates. A policy is great but definitely educate on the "why" behind it because unless that's clearly understood the cycle is likely to repeat in my opinion because people will just continue to rank this low on their list of priorities.