This article was first published in the November issue of the Journal of Investment Compliance - VOL. 8 NO. 4 2007, pp 7-11. You can find the online version at:
Sound policies and procedures: the basis of a sound compliance program

The Authors
Linda Wolosz, Senior Compliance Advisor, Financial Services Practice, QUMAS, Florham Park, New Jersey, USA
Abstract
Purpose – The purpose of this paper is to: emphasize the importance of sound policies and procedures to support a sound compliance program; define the relationships among rules, policies, and procedures; and recommend a detailed, step-by-step approach for implementing a strong rules, policies, and procedures infrastructure.
Design/methodology/approach – The paper discusses the nature of rules, policies, and procedures and how they relate to one another, and recommends an approach to implementing a strong rules, policies, and procedures infrastructure broken down into four phases: discovery, rationalization, implementation, and ongoing maintenance.
Findings – The study finds that financial services organizations need to take steps to create, control and distribute the right policies and procedures to the right audience, based on the right interpretation of the laws, regulations and guidance applicable to their businesses. In large, complex firms today, the ongoing maintenance of rules, policies, and procedures cannot exist without the assistance of an automated solution.
Originality/value – The paper provides practical advice from experienced systems consultants.
Article Type: Technical paper
Keyword(s): Financial services; Regulation.
Journal of Investment Compliance
Volume 8 Number 4 2007 pp. 7-11
Copyright © Emerald Group Publishing Limited ISSN 1528-5812
So you think policies and procedures are the same thing when it comes to your compliance program? Think again, since making that mistake could seriously affect your standing with regulatory bodies, customers, and shareholders.
The two are different, yet related. Financial services organizations need to take steps to create, control and distribute the right policies and procedures to the right audience, based upon the right interpretation of the laws, regulations and guidance applicable to their businesses. But how is this accomplished?
Rules defined
We should first take a step back and review the importance of rules. Regulators care about three overall principles, listed in order of importance:
- the safety and soundness of the financial system;
- the eradication of financial crime; and
- customer protection.
Rules in support of this framework arise from a variety of global sources, are aligned with various specific purposes, and present diverse degrees of prescription.
Rules imposed by forces external to the firm might take the form of formal laws or regulations. Regulatory guidance, speeches by prominent industry leaders, and widely accepted business practice often help the market understand the formal requirements and sometimes form the basis for more informal rules.
In addition to external drivers, firms generate internal rules in support of corporate strategies and principles. A move to a new business model triggers a review of all the rules associated with the new product or service offerings.
Given the various external and internal stimuli, rules can change rapidly to reflect best practices. Globally there is a long list of financial institution regulatory agencies. Table I exemplifies the volume of change that industry participants experience. While each notice or publication can vary widely in impact, review time, and implementation effort, the numbers give a small view into the volume of information crossing compliance officers' desks.
Policies defined
Policies are clear statements fostering consistent observation of directives issued by the board and senior management to all employees. To the extent possible, policy statements should express directives that apply to a broad spectrum of the firm. Policies are generated based on the laws, regulations, and industry best practices applicable to the business focus of a firm.
Procedures defined
Procedures are working instructions mapped to the firm's policies, tailored to cover the unique requirements of a product, a country, or a legal entity. Procedures form the guidelines for how a policy is implemented. Procedures should specify the tools (manual and automated) required to perform the function, the positions responsible for execution, reconciliation and approval, and the associated detailed workflows.
How are rules, policies, and procedures related?
There is a logical and progressive workflow inherent in the association of rules, policies, and procedures. In general, the following steps are incorporated into the rules, policies, and procedures workflow:
- Laws, regulations, or best business practices are obtained from sources as noted above.
- Business units, the compliance and legal departments, and other areas of the firm evaluate the application of these laws, regulations or best practices to the firm's businesses.
- Applicable policies are created or amended, as necessary, and then reviewed, and approved. Approval from the board level of the firm sets the compliance tone in the firm.
- Procedures and workflows are written to ensure the effective implementation of policy.
- Policies and procedures are distributed to appropriate employees with appropriate control.
- Policies and procedures are reviewed on a periodic basis or upon activation of a change driver, and revised if necessary. Amendments are then approved when needed and distributed to the appropriate employees.
An approach to implementing a strong rules, policies, and procedures infrastructure
Let's take a look at one approach to the implementation of a well-controlled and maintained rules, policies, and procedures infrastructure in a complex firm. We can break down the challenge faced by a firm into four parts, with compliance managers acting as project owners throughout all phases:
- discovery;
- rationalization;
- implementation; and
- ongoing maintenance.
Discovery is a critical mapping of rules to policies and policies to procedures across a complex organizational structure. The goal of discovery is to ensure you have every document that your firm needs. This phase has two main components:
- establishing the framework for policies and procedures; and
- collecting all available documents.
Discovery should be managed by compliance with support from the business units. Answers to the following types of questions can support this phase:
- Rules to policies:
- Do you know all the risk themes/categories that apply to each of the firm's businesses?
- Is there an inventory of rules that address each risk theme/category?
- Where rules in various jurisdictions cover similar topics, to avoid duplicate and possibly contradictory policies, has the firm grouped these various national and international rules and associated them with relevant themes/categories? For example, customer suitability will be addressed by regulators in various geographic locations with the issuance of different rules but the firm might need only one policy to state the firm's position on that overall theme/category.
- Is there a one-to-one correspondence between the rule themes/categories and the associated policies? If not, do the deviations make sense?
- Are existing policies approved by the firm's board of directors and senior management?
- Is there a list of missing, duplicate, and unapproved policies?
- Policies to procedures:
- Are procedures mapped to policies to ensure that each approved policy is carried out by the firm?
- Are procedures accompanied by workflow diagrams, reviewed for efficiency and effectiveness, and then approved by business management?
- Is there a list of missing, duplicate, and unapproved procedures?
Rationalization is the process of evaluating the value of the existing documents based upon the framework developed in the discovery phase. The rationalization phase defines formats for writing policies and procedures, gathering required supporting data, and documenting workflow processes. The rationalization phase continues to be managed by compliance with support from the business units and interpretations from legal. Answers to the following types of questions can support this phase:
- Is there commonality in format to ease the identification and use of the various types of documents?
- What information should be collected for each document type? For example: roles responsible for review, approval, and execution; associations among rules, policies and procedures; creation, review, and retirement dates; version control information; distribution lists; business units affected by the document; etc.
- Are existing policies written in a consistent style containing sufficient information to communicate board decisions for consistent implementation, without prescribing specific methods to achieve the desired outcome?
- Is there a clear workflow for the creation, editing, review, approval, distribution and retirement of policies and procedures?
- Are existing procedures clear and descriptive enough to ensure that the process (adding “how” to the policy's “what”) achieves the policy goal?
- Are those positions responsible for the execution of procedures clearly defined?
- Are necessary tools for execution clearly defined within existing procedures?
- Where organizational responsibility or tools vary within the organizational structure, do procedures allow for these variations?
Implementation brings together the framework established in discovery and the data decisions made in rationalization. The implementation phase ratchets up involvement by business owners, senior management and the board while the overall implementation project remains firmly in the control of the compliance department. The final goal of this phase is to have complete board-approved policies supported by effective business owner-approved procedures distributed to the appropriate employees in the firm. Answers to the following types of questions can support this phase:
- Have all rules related to business units across product, country, and legal entities been identified and categorized thematically?
- Has the process for rule interpretation and evaluation of impact on businesses been created and approved by the board and senior management?
- Is there a board approved policy covering each rule or rule category?
- Has the process of establishing new future policies been created and approved by the board?
- Has each business-unit senior manager across product, country, and legal entities participated in the establishment and approval of procedures to ensure compliance with each policy as appropriate for their business?
- Has the process for establishing new future procedures been created and approved by the board and senior management?
- Is there evidence that the policies and procedures have been distributed and consumed by the correct audience?
- Are all rules, policies and procedures applicable to a business unit easily accessible to the appropriate employees?
The implementation phase can be onerous as it forces structure and accountability into the document workflow. The most difficult of these changes is the enforcement of a regimen of review and approval responsibilities and the recording of the related decisions where these processes might have been significantly less structured in the past.
Congratulations on a project well done, or is it done?
Congratulations on the completion of the discovery, rationalization, and implementation phases! However, the euphoria is short lived because the ongoing maintenance of the framework and data structure, and the continuous review of all policies and procedures cannot stop at the end of the project. The project has produced a compendium of rules, policies, and procedures to the firm's specification but, as noted in the beginning of this article, change driven by external and internal forces is constant. The hundreds or thousands of rules, policies, and procedures must be reviewed as changes occur and periodically even when an overt change driver does not exist.
In large, complex firms today, the ongoing maintenance of rules, policies, and procedures cannot exist without the assistance of an automated solution. Historical repositories are not up to the dynamic, controlled workflow requirements of today's regulatory world. Discovery, rationalization and implementation can be performed without integrating automation. However, knowledge of the capabilities of automated solutions, combined with the project's specification for framework and data structure, can strengthen decisions all around and ease the implementation phase. Answers to the following types of questions can support the integration of an automated solution into the project:
- What repository will be used for all rules, policies, and procedures?
- Can related rules, policies, and procedures be associated together to support quick review and amendment in times of rapid change?
- Does the solution allow the mapping of the documents to the hierarchy of the business units across product, country, and legal entities?
- Is the search engine strong and flexible? On what attributes do you want to search or report?
- Where one document applies to multiple business units, does the solution allow it to be changed for all of them in a single step?
- Does the solution include strong workflow functionality supporting serial and parallel editing, review, and approval paths with collaboration captured within the system?
- Are roles easily defined and are access controls strong?
- Are distribution lists easily defined?
- Do e-mail notifications and reports include exception warnings where a workflow has bottlenecked or employees have not “read and understood” critical documents?
- Does the solution support minor and major version-control identification?
- Are all actions in the solution, including changes to documents, recorded in an audit trail?
- Does the solution make responding to regulatory requests for information simple? Does it assist the firm in providing a regulatory defense by documenting who was expected to be aware of distributed information when?
We started this article with the key message that the compliance department in a complex firm must rise to the challenge of creating, controlling, and distributing the right policies and procedures to the right audience, based upon the right interpretation of the laws, regulations and guidance applicable to the firm's business. The very intensive project outlined above, coupled with automated solutions, can accomplish this feat and enable companies to realize easier ongoing maintenance and sustainable compliance on an ongoing basis.
Table 1

About the author
Linda Wolosz is a Senior Compliance Advisor in the Financial Services Practice at QUMAS with expertise in risk-based monitoring and compliance. Linda Wolosz can be contacted at lwolosz@qumas.com