Compliance Confessionals
Chief Compliance Officers – The Policy on Policies

Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.

If you have a compliance confession or are worried about emerging regulations, visit our Compliance Confession Booth.

Over the last several months, I have been consulting on several different initiatives that seem to all have a connection to policy on policies. Some organizations are finding themselves on the brink of becoming large enough for regulatory scrutiny, some are working through correcting some long-standing shortcomings, and some just know they need to do better.

When it comes to organizations that are engaged in activities that have federal and/or state regulations, it becomes important that the organization (1) understands these regulations and (2) has appropriate policies in place for those presenting the most significant risk to the organization. It doesn’t matter what industry you are in (payment services, healthcare, financial services, etc.) this rule of thumb pretty much applies.

You may have noticed that I said the ‘most significant’ risks to the organization. I have had some nightmare experiences where policy governance teams can run a mock and think there should be policies for everything. Unfortunately, in highly regulated industries this sometimes becomes difficult to create them, train on them, and expect employees to know and execute them in supporting procedures.

Don’t get me wrong, organizations should be able to identify and understand all regulatory requirements that apply to their various operations and have appropriate procedures and controls in place. But making a clear distinction on what requires a policy is very important, especially in the Compliance arena.

The first step in navigating this process is to establish a Policy Governance team at the enterprise level; And, yes, a team can be a team of one to get started. You want someone who is responsible for thinking about this topic, so it doesn’t get lost in the shuffle. Depending on the size of the organization, this responsibility may fall under Chief Risk Officer, Enterprise Risk Management, or Legal.

It needs to report to a high enough level at the organization to have enough clout to make things happen. Your team of one may need to be the facilitator to get corporate agreement on best practices and ultimately craft that Policy on Policies (PoP) document. Every time I use the term I cringe, it sounds like the ultimate level of bureaucracy. However, establishing a framework, standards, guidance, and some level of oversight will lead everyone down the path of solid policies that are managed, accurate, and up-to-date.

Once you have a team in place, there are a few key points that should be addressed in developing your PoP and governance routines, that I have seen move organizations in the right direction:

Highlights on creating good policy Governance and PoP standards

• Identify the purpose of having policies (aka why does your organization need policies).

• Define what rises to the policy level (e.g., significant operational impact, data and/or information security, high-risk regulatory matters, etc.).

• Determine the different levels of policies. A policy could be enterprise-wide or business line(s) specific.

• Identify the areas in the enterprise that should own policies and the ownership should be in line with their corporate responsibilities.

• Establish guidelines on the policy review and approval process based on the level of ownership and risk related to the policy. Some policies can be approved by the business line head while some may need risk committee or board-level approval.

• Develop a standardized policy template with mandatory sections and optional sections to ensure the flow, look, and feel work but provide some optionality because not all sections might apply.

• Define policy content expectations. (e.g., a policy should focus on the Who, What, and Why, not the How).  The How is left for procedural documents.

• Identify a standard location for policies. This could be a SharePoint site, policy tool, or a module in a GRC. However, it should be an identified location where everyone in the organization needing access to the policy can find it.

• Inventory existing policies across the organization. Unless you are a brand-new start-up, you should already have some baselines including policies on business continuity, information security, privacy, etc.

• Establish review cycles. Another very bad practice I have seen in organizations is all policies must be reviewed and updated every year – talk about overload.

•  Create the risk criteria that the policies will be assessed against to aid in determining review and approval levels as well as update cycles.

These are just some highlights of good policy governance and the supporting PoP.

 I will take a moment to speak more on Compliance related policies.  If you are the owner of regulatory compliance policies, here are a few tips.

Regulatory compliance policy tips

• Regardless of where the Enterprise Policy Governance office sits, Corporate Compliance should also have a policy governance team that works in collaboration with the Enterprise Policy Governance team – again this may be one team member. Why? Most policies are created based on a regulation and someone within Compliance should be fluent in ensuring governance standards exists to ensure compliance policies are on point.

• Corporate Compliance does not need to own every policy related to regulations, see my previous point on establishing ownership. There are regulatory compliance policies that are related to a specific division and that division also has primary oversight. If Corporate Compliance governance routines exist, there isn’t any reason why the division can’t own the policy. If Regulatory compliance policies impact multiple business lines, it may be best the Corporate Compliance to own it so that way there is one voice on policy and oversight.

• Policies related to regulations at a minimum should be reviewed for updates each time the regulation is amended (another reason for good regulatory change management practices).

• For topical areas where there are both Federal and State regulatory requirements that must be addressed, make every effort to create one policy with highlights to the areas of the state regulatory requirements that are more restrictive than the federal.

• If your Corporate Compliance area has a tremendous number of policies, hire someone with an eye for detail and well-versed in writing to support your policy governance team. They can be a real asset – all SMEs are not good writers.

After all these years, I must admit I am a converted believer in having a Policy on Policies as a strong guidepost to keeping the organization on the right track.

CUBE can help you create a robust regulatory change management system, get in touch today.