How Technology Enables Best Practices in Policy & Procedure Management


If you work in the financial services industry, you know how important it is to have clear, consistent, and compliant policies and procedures. Policies and procedures enable firms to align operations with strategic objectives, meet regulatory requirements, and foster a culture of accountability and transparency.

But managing policies and procedures is often easier said than done. It can be a complex and challenging endeavor to create, update, communicate, and enforce policies and procedures across the firm—and to ensure policy stays up to date in times of flux and uncertainty.

In the webinar Best Practices in Policy and Procedure Management for Financial Services, Michael Rasmussen from GRC 20/20 provided insight on developing effective policies and procedures that will enable the firm to meet business and regulatory objectives, manage and mitigate risk and adhere to ethical obligations.

How to avoid policy risk

The potential negative consequences of having inadequate, outdated, or conflicting policies are real and enduring. Policy risks that Rasmussen has seen firms face include:

  • Rogue policies that are created or modified by unauthorized or unqualified individuals without proper review or approval
  • Outdated policies that are not aligned with current regulations, risks, and the firm's business environment
  • Conflicting policies that are inconsistent or contradictory across different sources, departments, or jurisdictions
  • Poorly written policies that are unclear, ambiguous, or complex and that use passive voice, legalese, or jargon
  • Lack of ownership and accountability for policy creation, review, approval, and enforcement
  • Lack of defensibility and evidence trail for policy activities, such as revisions, approvals, attestations, and exceptions

Adopting a systematic and holistic approach to policy management can help firms avoid the operational inefficiencies, reputational damage, and regulatory fines these issues can lead to.


Effective policy and procedure management starts with a clear message

According to Rasmussen, a core issue with policy management he often sees in financial services firms is that too many people from too many departments are sending too many different messages about too many policies. Complexities in the work environment, including global operations, mergers and acquisitions, layoffs, and remote and hybrid work, only add to the challenge.

To move past the chaos, creating, reviewing, approving, distributing, and enforcing policies and procedures in your organization must start with defining accountabilities. That involves outlining the roles and responsibilities of policy and procedure owners, authors, reviewers, approvers, and users.

Rasmussen often sees carelessly written policies causing issues for firms. Implementing standards around drafting policy, including templates and style guides, is a core part of the framework that governs the entire policy management life cycle.

And policies must be clearly mapped to the risks that they are there to avoid. If effectively written, policies are risk documents that establish responsibility, communication, appetites, tolerance, boundaries, controls and risk ownership.


Developing a culture of compliance is key to effective policy and procedure management.


Mind your gaps

A policy audit will uncover current deficiencies in the firm's policies, procedures and processes and identify areas that need to be improved. Conducting a comprehensive policy and procedure inventory and assessment will allow compliance teams to:

  • Identify and document all existing policies and procedures across the firm including sources, owners, formats, and statuses
  • Evaluate their relevance, accuracy, completeness, and consistency
  • Pinpoint any gaps, overlaps, or conflicts
  • Prioritize the policies and procedures that need to be updated, consolidated, or retired based on importance, urgency, and impact

Establish a clear framework to govern policy development across the organization

Establishing the standards, formats, and workflows for policy and procedure development and maintenance sets the stage for effective ongoing policy management.

  • Define the scope, objectives, and principles of your policy and procedure management system
  • Assign accountabilities and the roles and responsibilities of the policy and procedure stakeholders
  • Develop a policy and procedure hierarchy and taxonomy that organizes policies and procedures into categories and subcategories based on regulation, purpose, scope, and applicability
  • Create a policy and procedure template and style guide that standardizes the format, structure, language, and tone of your policies and procedures
  • Set up a policy and procedure workflow that defines steps, timelines, and approvals for policy and procedure creation, review, approval, and distribution



Document, document and then communicate

It's critical to document and manage policy exceptions and track edits made to policy in response to regulatory change. Regulators will want to see an audit trail, including reasons for exceptions and updates and supporting documentation.

Another core tenet of good policy management is communication with stakeholders. Employees must be made aware of the policies that apply to their roles and responsibilities and trained to ensure that they understand the implications. To do this, use clear, concise, and plain language to explain the purpose, scope, and expectations surrounding the firm's policies and procedures. And to close the loop, regular attestations provide documented proof that employees were provided with relevant policy and procedure information and that they understand the content that was delivered.

Rasmussen calls this the human firewall, which he sees as the most crucial element of the firm's corporate culture—making sure people understand what the policies are and how to apply them to the context of their role in the organization.


As regulatory needs and business imperatives shift, policies and procedures must evolve right alongside

And as Rasmussen points out, you can't take six months to implement policy updates from one new or updated regulation. Updates must be both swift and comprehensive to ensure consistent compliance with the most current requirements.

Technology is critical here. In a large global organization, there are far too many moving parts to be able to review and audit changes in regulations, industry standards, customer expectations, and market trends that will have an impact on policies and procedures. Technology that can provide automated review and identification of areas of concern allows firms to efficiently identify and implement corrective and preventive actions to address regulatory change and identify gaps in policies, procedures and controls.



How technology enables effective policy management

At a conference he was keynoting, Rasmussen polled a crowd of 200 attendees and asked them if they could pull an index of all official policies across their firm. Only two people raised their hands and asserted that they could easily obtain that complete list of policies. It's critical that firms can easily access this information to comply with requests from regulators, auditors and the board.

The right policy and procedure technology enables firms to effectively manage the creation, maintenance and updating of policy so that level of information is easily accessible. Compliance technology allows firms to centralize, automate, and simplify the policy and procedure management process and:

  • Create and edit policies and procedures using predefined templates and style guides
  • Collaborate and communicate with policy and procedure stakeholders using online tools and notifications. Having standard tools like Microsoft Word embedded right in the policy system makes the process even more efficient
  • Track and manage policy and procedure versions, revisions, and approvals using audit trails and logs
  • Distribute and publish policies and procedures to the right employees at the right time
  • Attest that employees received the required information and training
  • Monitor and measure policy and procedure controls and performance using dashboards and reports
  • Integrate policy and procedure management across compliance functions

Michael Rasmussen and GRC 20/20 wrote a Solutions Perspective that provides an analyst's insight into current compliance challenges and how MCO's MyComplianceOffice solution helps firms navigate those challenges.


Policy management is a critical component of the compliance program. MCO's Policy Content Governor, part of our Know Your Obligations solution, helps firms automate and streamline the process of creating and managing policy while ensuring the coverage and effectiveness of obligations, risks and controls.
