ORDER FROM CHAOS?
Article written by Gary Evans (Director/Consultant at Follow The Money Ltd)

In theory, policies and procedures bring order and consistency to an organisation's activities and decisions. They make everyone's life easier by establishing clear standards and expectations and describing the means by which they will be achieved. Essentially, they automate routine activities and decisions, leaving those few 'hard' cases to be flagged for consideration by appropriate persons when it is not clear what the policy or procedure requires in the circumstances. In practice, a policy or procedure can sometimes fall short in bringing about such order.

I discuss here some of the common problems I come across.

BLURRED LINES 1 - POLICY OR PROCEDURE?

Policies and procedures serve two related, but distinct, functions. Policies focus on standards, expectations and outcomes (i.e. what? why?), whereas procedures focus on the processes by which relevant policies will be achieved (i.e. how? when? where? by whom?). An analogy I often use is that policies focus on the destination, but procedures focus on the journey. Sure, you can mix the two if felt appropriate, but it should be done in a considered manner rather than just happening that way by accident. For example, sometimes legal or regulatory obligations will specify not only the required standard, but also prescribe aspects relating to how it is to be achieved.

SAY WHAT YOU MEAN - TOO VAGUE

Policies often contain a number of high-level commitments or aspirations. For example, "the organisation is committed to preventing financial crime". Other common words that appear in such statements are "excellence", "proportionate", "robust" or "appropriate". Using the journey analogy again, it is akin to telling someone that they need to travel "far, far away" - How far? Do you have a specific location in mind? Any locations to avoid? Are all modes of transport acceptable? You get the idea.

There is nothing inherently wrong with such high-level statements. However, without more, such policies are open to interpretation and such statements should be supported by more concrete standards. Without this degree of specificity, not only is it unclear to those who need to comply with the policy what is expected, but anyone performing monitoring/audit activities (including regulators) is left to interpret and apply their own standard. That may not be the same as what was intended by the policy author.

HIDING IN PLAIN SIGHT - TOO LITTLE STRUCTURE

People do NOT read policies and procedures! Not exactly a shocking revelation, I know. At least, they do not read them like a book from start to finish in a sequential manner. Such documents are used primarily as reference tools and people tend to refer to them seeking clarity on how to proceed in a scenario that has arisen, find the answer and then exit.

With this in mind, it is helpful to the potential reader to keep related requirements together or, at least, to clearly cross-reference. I have seen numerous occasions where genuine efforts have been made to follow policy or procedure and relevant documents have been consulted, but a 'hidden' requirement buried away in a different section was not applied and is, perhaps, only picked up when it is too late via an audit or by a regulator. Unless the reader is expected to read the entire document, considered use of structure (e.g. headings, table of contents, cross-references) can minimise this kind of situation arising.

Forms and checklists can be helpful here too, but that's a topic for another day maybe.

YOU TELL ME BLACK THEN TELL ME WHITE - INTERNAL CONSISTENCY

Issues of internal consistency and unintended differences in meaning can arise for a variety of reasons. Too many authors (without adequate editorial review) is an obvious factor, but sometimes it can arise simply because the document is written in an overly wordy narrative style making it harder to detect such inconsistencies. It also makes updating the document much harder than necessary as all related instances must be found and amended.

BLAH, BLAH, BLAH - TOO MANY WORDS

An overly wordy style also tends to lead to inclusion of guidance and/or contextual/background information mixed up within the policy or procedure. I have waded through pages of procedure sometimes when the core of the procedure could have been contained in just a few paragraphs. By requiring more time and effort to read, it is tantamount to inviting it to be ignored. I have no problems with the inclusion of guidance or contextual information; however, make it clear which elements are actual requirements and which are mere guidance or context. Bear in mind also that if it is unclear, an auditor or regulator may apply guidance as if it were mandatory.

BLURRED LINES 2 - WHOSE RESPONSIBILITY?

In keeping with the concept that policy and procedure serve two related, but distinct, functions, it is often advisable to separate responsibility for the policy and associated procedures.

Let's take the example of an organisation's Anti-Money Laundering (AML) Policy. One might reasonably expect this to include statements requiring due diligence to be performed on clients, describing the nature/extent of such due diligence taking into account the perceived risks and stating the frequency/triggers for updating due diligence. An organisation's client onboarding procedure should reflect the AML Policy, but is likely to also need to reflect many other policies - bribery and corruption, fraud, treating customers fairly, data protection etc. Strategic and operational considerations will also impact upon the design of the client onboarding procedure. A general rule that I apply is that policies are the responsibility of those that 'know' (i.e. subject specialists) and procedures are the responsibility of those that 'do' (i.e. perform that procedure/process).

A logical solution would be for the AML function (or similar function depending on the structure) to be responsible for the AML Policy. The other policies mentioned would, likewise, be the responsibility of the respective 'subject specialist' teams. In developing the procedure, there may well be considerable input in the form of advice, guidance and, perhaps, approval, from a range of subject specialists, but responsibility for the procedure does not lie with any of those subject specialists, but with those that perform the procedure.

Of course, there may be circumstances in which rigid application of this distinction is not necessary or is even detrimental, for example in smaller organisations where there isn't such granular division of functions. It should also be remembered that subject specialist teams will need to have procedures for the activities they 'do'. For example, an AML function may be responsible for a procedure which covers aspects such as submitting suspicious activity reports to the appropriate Financial Intelligence Unit (FIU) and dealing with any subsequent communications. If the AML function does indeed perform due diligence on new clients, then it may be appropriate for the AML team to be responsible for the client onboarding procedure. However, where onboarding is performed by another function (e.g. front office, dedicated onboarding team), it may be desirable for that function to be responsible for the onboarding procedure.

FINAL THOUGHTS

These are just a few observations and frequently problems do not exist in isolation - one problem leads to another which leads to another. What problems have you come across with policies and procedures? What solutions did you find?

A LITTLE ABOUT THE AUTHOR…

My financial services career began in 1998 and spans many sectors including life & pensions, asset/wealth management, accountancy, corporate finance, banking (retail/private, business/commercial) and online gaming/gambling.

Since 2003 I have specialised in financial crime prevention, focusing on money laundering in several managerial roles including MLRO/CF11 and since 2012 working as a freelance consultant.

If you need assistance with drafting/reviewing financial crime related policies and procedures, training or other support, then feel free to get in touch via any of the options below. I can provide support for a single day or many months depending on what you need. Click on my picture to learn more about previous client activities and my professional background.

www.followthemoney.co.uk

Phone: +44 (0)7946 614698

E-mail: [email protected]
