If you work in the financial services industry, you know how important it is to have clear, consistent, and compliant policies and procedures. Policies and procedures enable firms to align operations with strategic objectives, meet regulatory requirements, and foster a culture of accountability and transparency.
But managing policies and procedures is often easier said than done. It can be a complex and challenging endeavor to create, update, communicate, and enforce policies and procedures across the firm—and to ensure policy stays up to date in times of flux and uncertainty.
In the webinar Best Practices in Policy and Procedure Management for Financial Services, Michael Rasmussen from GRC 20/20 provided insight on developing effective policies and procedures that will enable the firm to meet business and regulatory objectives, manage and mitigate risk and adhere to ethical obligations.
The potential negative consequences of having inadequate, outdated, or conflicting policies are real and enduring. Policy risks that Rasmussen has seen firms face include:
Adopting a systematic and holistic approach to policy management can help firms avoid the operational inefficiencies, reputational damage, and regulatory fines these issues can lead to.
According to Rasmussen, a core issue with policy management he often sees in financial services firms is that too many people from too many departments are sending too many different messages about too many policies. Complexities in the work environment, including global operations, mergers and acquisitions, layoffs, and remote and hybrid work, only add to the challenge.
To move past the chaos, creating, reviewing, approving, distributing, and enforcing policies and procedures in your organization must start with defining accountabilities. That involves outlining the roles and responsibilities of policy and procedure owners, authors, reviewers, approvers, and users.
Rasmussen often sees carelessly written policies causing issues for firms. Implementing standards around drafting policy, including templates and style guides, is a core part of the framework that governs the entire policy management life cycle.
And policies must be clearly mapped to the risks that they are there to avoid. If effectively written, policies are risk documents that establish responsibility, communication, appetites, tolerance, boundaries, controls and risk ownership.
A policy audit will uncover current deficiencies in the firm's policies, procedures and processes and identify areas that need to be improved. Conducting a comprehensive policy and procedure inventory and assessment will allow compliance teams to:
Establishing the standards, formats, and workflows for policy and procedure development and maintenance sets the stage for effective ongoing policy management.
A Lack of Compliance Evidence Means it Didn’t Really Happen
It's critical to document and manage policy exceptions and track edits made to policy in response to regulatory change. Regulators will want to see an audit trail, including reasons for exceptions and updates and supporting documentation.
Another core tenet of good policy management is communication with stakeholders. Employees must be made aware of the policies that apply to their roles and responsibilities and trained to ensure that they understand the implications. To do this, use clear, concise, and plain language to explain the purpose, scope, and expectations surrounding the firm's policies and procedures. And to close the loop, regular attestations provide documented proof that employees were provided with relevant policy and procedure information and that they understand the content that was delivered.
Rasmussen calls this the human firewall, which he sees as the most crucial element of the firm's corporate culture—making sure people understand what the policies are and how to apply them to the context of their role in the organization.
And as Rasmussen points out, you can't take six months to implement policy updates from one new or updated regulation. Updates must be both swift and comprehensive to ensure consistent compliance with the most current requirements.
Technology is critical here. In a large global organization, there are far too many moving parts to manually review and audit the changes in regulations, industry standards, customer expectations, and market trends that will have an impact on policies and procedures. Technology that can provide automated review and identification of areas of concern allows firms to efficiently identify and implement corrective and preventive actions to address regulatory change and identify gaps in policies, procedures and controls.
At a conference he was keynoting, Rasmussen polled a crowd of 200 attendees and asked them if they could pull an index of all official policies across their firm. Only two people raised their hands and asserted that they could easily obtain that complete list of policies. It's critical that firms can easily access this information to comply with requests from regulators, auditors and the board.
The right policy and procedure technology enables firms to effectively manage the creation, maintenance and updating of policy so that this level of information is easily accessible. Compliance technology allows firms to centralize, automate, and simplify the policy and procedure management process and:
Michael Rasmussen and GRC 20/20 wrote a Solutions Perspective that provides an analyst's insight into current compliance challenges and how MCO's MyComplianceOffice solution helps firms navigate those challenges.
Policy management is a critical component of the compliance program. MCO's Policy Content Governor, part of our Know Your Obligations solution, helps firms automate and streamline the process of creating and managing policy while ensuring the coverage and effectiveness of obligations, risks and controls.