

February 1, 2023 | Amanda Khatri

Compliance Confessionals
Chief Compliance Officers – The Policy on Policies

Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.

If you have a compliance confession or are worried about emerging regulations, visit our Compliance Confession Booth.

Over the last several months, I have been consulting on several different initiatives that all seem to have a connection to a policy on policies. Some organizations are finding themselves on the brink of becoming large enough for regulatory scrutiny, some are working through correcting long-standing shortcomings, and some just know they need to do better.

When it comes to organizations engaged in activities that are subject to federal and/or state regulations, it becomes important that the organization (1) understands these regulations and (2) has appropriate policies in place for those presenting the most significant risk to the organization. It doesn’t matter what industry you are in (payment services, healthcare, financial services, etc.); this rule of thumb pretty much applies.

You may have noticed that I said the ‘most significant’ risks to the organization. I have had some nightmare experiences where policy governance teams run amok and think there should be policies for everything. Unfortunately, in highly regulated industries it sometimes becomes difficult to create them all, train on them, and expect employees to know them and execute them in supporting procedures.

Don’t get me wrong, organizations should be able to identify and understand all regulatory requirements that apply to their various operations and have appropriate procedures and controls in place. But making a clear distinction on what requires a policy is very important, especially in the Compliance arena.

The first step in navigating this process is to establish a Policy Governance team at the enterprise level. And, yes, a team can be a team of one to get started. You want someone who is responsible for thinking about this topic, so it doesn’t get lost in the shuffle. Depending on the size of the organization, this responsibility may fall under the Chief Risk Officer, Enterprise Risk Management, or Legal.

It needs to report to a high enough level in the organization to have enough clout to make things happen. Your team of one may need to be the facilitator who gets corporate agreement on best practices and ultimately crafts the Policy on Policies (PoP) document. Every time I use the term I cringe; it sounds like the ultimate level of bureaucracy. However, establishing a framework, standards, guidance, and some level of oversight will lead everyone down the path of solid policies that are managed, accurate, and up to date.

Once you have a team in place, there are a few key points that should be addressed in developing your PoP and governance routines, which I have seen move organizations in the right direction:

Highlights on creating good policy governance and PoP standards

  • Identify the purpose of having policies (aka why does your organization need policies).
  • Define what rises to the policy level (e.g., significant operational impact, data and/or information security, high-risk regulatory matters, etc.).
  • Determine the different levels of policies. A policy could be enterprise-wide or business line(s) specific.
  • Identify the areas in the enterprise that should own policies; ownership should be in line with their corporate responsibilities.
  • Establish guidelines on the policy review and approval process based on the level of ownership and risk related to the policy. Some policies can be approved by the business line head while some may need risk committee or board-level approval.
  • Develop a standardized policy template with mandatory sections and optional sections to ensure the flow, look, and feel work but provide some optionality because not all sections might apply.
  • Define policy content expectations (e.g., a policy should focus on the Who, What, and Why, not the How). The How is left for procedural documents.
  • Identify a standard location for policies. This could be a SharePoint site, policy tool, or a module in a GRC. However, it should be an identified location where everyone in the organization needing access to the policy can find it.
  • Inventory existing policies across the organization. Unless you are a brand-new start-up, you should already have some baselines including policies on business continuity, information security, privacy, etc.
  • Establish review cycles. Another very bad practice I have seen in organizations is requiring that all policies be reviewed and updated every year – talk about overload.
  • Create the risk criteria that the policies will be assessed against, to aid in determining review and approval levels as well as update cycles.

These are just some highlights of good policy governance and the supporting PoP.

I will take a moment to speak more on Compliance-related policies. If you are the owner of regulatory compliance policies, here are a few tips.

Regulatory compliance policy tips

  • Regardless of where the Enterprise Policy Governance office sits, Corporate Compliance should also have a policy governance team that works in collaboration with the Enterprise Policy Governance team – again, this may be one team member. Why? Most policies are created based on a regulation, and someone within Compliance should be fluent in ensuring that governance standards exist so that compliance policies are on point.
  • Corporate Compliance does not need to own every policy related to regulations; see my previous point on establishing ownership. There are regulatory compliance policies that relate to a specific division, and that division also has primary oversight. If Corporate Compliance governance routines exist, there isn’t any reason why the division can’t own the policy. If regulatory compliance policies impact multiple business lines, it may be best for Corporate Compliance to own them so that there is one voice on policy and oversight.
  • Policies related to regulations should, at a minimum, be reviewed for updates each time the regulation is amended (another reason for good regulatory change management practices).
  • For topical areas where there are both federal and state regulatory requirements that must be addressed, make every effort to create one policy, highlighting the areas where the state requirements are more restrictive than the federal ones.
  • If your Corporate Compliance area has a tremendous number of policies, hire someone with an eye for detail who is well versed in writing to support your policy governance team. They can be a real asset – not all SMEs are good writers.

After all these years, I must admit I am a converted believer in having a Policy on Policies as a strong guidepost to keeping the organization on the right track.

CUBE can help you create a robust regulatory change management system; get in touch today.

© 2023 CUBE Content Governance Global Limited