This blog is about policy.
Now you might wonder why anyone in their right mind would write about policy. What makes a good policy? Nothing, you might say. Policy is boring, it is irrelevant, it is meaningless, it is dry and it is old-fashioned.
To a point I agree. In the digital age, what really is the point of writing out a few tired phrases purporting to be “the way things should be done” to sit in a forgotten corner of the web, taking up space and interesting no-one?
Nobody reads it, nobody owns it, nobody updates it, nobody tests compliance against it. It is a hostage to fortune at best, a ticking time bomb at worst. It adds no value, it gives no insight, it does not help. Why bother?
The answer to these valid challenges is: this is the way our policy often is – but not the way it needs to be.
Good policy is a good thing
Time to disclose: I am a fan of policy. I like it, I believe in it, I think done well it enriches and illuminates our work, guides, explains, clarifies. Done badly it is no use at all. It is confusing, inefficient, misleading, dangerous even. Bad policy is worse than no policy. But good policy is much, much better than no policy. We just have to set and follow some simple guidelines – policy on policy, if you like – and we start to benefit.
From good policy we get a clear exposition of what our organisation is all about. We get the expectations that our owners or shareholders or managers have about what we are doing and – just as important – why. We get a reference point for the culture we are trying to live by in our everyday work. Policy gives us the foundations of our daily activity in a way that is clearly understood by everyone in our organisation across the board. It is enlightening, transparent, democratic.
Here are Prism-Clarity’s five watchwords for good policy:
– Clear hierarchy
These watchwords can be applied against the entire range of policies in a financial firm: from Front Office Conduct and Supervision, Models, Risk, Valuation and Product Control through to Regulatory, Back Office, IT and Information Security, Compliance and Audit: anything you care to name which needs to be governed by a policy.
Five watchwords for good policy
Right-sizing a policy is crucial. There is no good size for it, only the right size. That depends on the size of the business, the size of the policy topic (and its importance to the business), and the size and nature of the audience, whether they are external as well as internal and how much detail they need to see. A small consultancy might have no policies at all except a one-line mission statement that encapsulates everything you need to know about the company. A small or medium-sized firm might have a few short policies. A major bank or insurance firm or government department might have hundreds including some quite long ones. It depends on the need. Don’t fall into the trap of one-sizing.
2. Clear hierarchy
You can think of the policy hierarchy as being a spectrum from a one-line mission statement down through values, strategies, business plans, policies, standards, guidance, process maps, procedures and operational manuals. It doesn’t actually matter which and how many of these levels you adopt, as long as your hierarchy is both right-sized and clear.
Now this idea of a policy spectrum or hierarchy raises an interesting definitional question. You will notice I snuck in the word “policies” halfway down the list. That word “policies” is a sub-component of the wider group of documents which together represent the policy spectrum. In this sense policy can have a wide meaning (policy spectrum) or a narrow meaning (individual policies). Actually it doesn’t matter too much in the end. The watchwords and guidelines in this blog apply pretty much whichever group of documents on the policy spectrum you are using. If you take this broad definition and apply these guidelines to your entire population of broad policy components, it means you at least are forced to think about having clear relationships – and maybe even cross-references – between them. This applies to content, style, ownership and governance. So don’t get too hung up on whether we are talking big “policy” (the spectrum of documents listed above) or small “policy” (one of the individual components of this spectrum). Our guidelines apply all round.
Just for illustration let me try and explain what I mean by each of the components above and how they fit with each other. This assumes a large organisation with tens of thousands of staff globally, but would be right-sized to fit a smaller company.
And in capital letters after each component is the question it is trying to answer.
Mission statement: A one-line summary of your over-riding strategic aim: the WHY
Values: Five or six statements representing expected behaviours across your organisation: the HOW
Strategies: High-level descriptions of your long term business objectives and focus points, your value proposition, what you are trying to achieve: the WHAT
Business plans: Detailed shorter term plans for practical implementation of your strategies: the WHEN, the WHERE and the HOW
Policies: A principles-based framework setting out how you go about achieving your strategies and business plans in a controlled and compliant way: the HOW
Standards: A more detailed framework of how key policies map to key external (regulatory) and internal (Audit and other control) conditions of doing business: the WHAT
Guidance: Indicative non-binding statements or factors you need to take into account in determining decisioning and governance treatment: the WHAT, the WHERE, the WHEN and the WHY
Process Maps: Visual structure diagrams and decision trees to highlight in summary form the relationship between teams, processes or functions: the WHAT and the WHO
Procedures: Detailed textual and visual descriptions of WHAT needs to be done, HOW and WHO does it; with explanations of context and meaning
Operational Manuals: Step by step instructions on precisely how a procedure or process is executed; without much explanation of context or meaning: the WHAT, the HOW and the WHO
The next three watchwords apply mainly to our Policies in the narrow sense, the principles-based framework setting out how we achieve our strategies and business plans in a controlled and compliant way.
It follows directly from the above that good policies are principles-based. To the extent a document calling itself a “policy” contains more detailed guidance, standards or procedures, those elements probably belong in one of the other document types lower down the hierarchy. Even taking into account my earlier warning about right-sizing and one-sizing, this probably means most good policies tend to be short. You want policies to be widely-known and well-understood, completely embedded in the hearts and minds of your employees, and there are only so many principles people are able or willing to absorb. Make them widely applicable, identifiable back to the fundamental mission statement and values you have set out further up the policy spectrum. Most of all make them understandable and clear. Clarity, transparency and consistency – both internally and with other elements of the policy spectrum – are the features that mark out a good policy document from a bad one.
Of all the problems with policy I observed in my risk and regulation career, the most common, frustrating and damaging was lack of provenance. Organisations that don’t have good policy DNA make a habit of this. By provenance I mean the basic metadata around the policy: dates, owners, authors, reviewers, versions, coverage, status, review frequency and process, governance. A policy without these parameters is useless. It can be disavowed on so many grounds that it cannot claim to have any effect or meaning at all. It cannot be part of your heart and mind if its basic tenets are not completely transparent. This kind of policy gets written because someone – often an internal auditor or regulator – tells the perpetrator it is needed, rather than because it is really needed for its own sake, for internal reasons, to provide principles-based guidance on what we are trying to do. Luckily policies displaying this lack of provenance are becoming less common – as policy gets more heavily scrutinised by governance bodies, auditors and regulators. But it is still surprising that large organisations can get it so wrong, often where the policy has been developed at legal entity or subsidiary level, outside the confines and constraints of a Head Office policy-making construct.
The final watchword relates to the delivery and internal publicisation of the policy – which needs to be carefully thought through and organised. And this goes well beyond traditional decisions of format and precise web-location. These days it might be critical for both a firm and its senior managers and key staff that the policy has been disseminated to the right people in the right way; that it has been subjected to the right level and depth of training if necessary; and that individuals have acknowledged it applies to them, given their responsibilities. The new regulatory Senior Managers Regime now in place in the UK banking and insurance sectors puts a tremendous onus on accountability, and part of this is being accountable to the wider principles and culture of the firm. Which, if we follow the precepts set out earlier in this blog, is nowhere better articulated than in a sound well-organised policy framework. Policy really matters to the Senior Managers Regime. Even though the burden of proof hasn’t quite switched as a result of the new regime, a manager or even a more junior member of staff will no longer be able to rely on excuses that he or she “didn’t know what the policy was”, if – by the standards of a reasonable person – he or she should have known.
Training is key to this, but just as key is wide availability of the policy to everyone it applies to, set out in the clearest possible way and bang up-to-date. Hence my choice of the term “publicise”. The delivery and availability of policy in a prominent place on a firm’s intranet is now more important than ever. Ideally in association with a really good “content management system” which keeps track of who has seen, opened and signed off which version of which policy; centrally managed with metrics, follow-ups, an escalation process and reports. We live in an attestation culture now, sadly, but if attestation is what is really needed to demonstrate adherence and acknowledgment, then that is what we must use. And we must have the necessary systems behind the attestation process to support it, and to evidence it if needed.
Transparent, prominent internal publicisation of our policy framework is an essential element which sometimes gets forgotten, and if a delivery partner is needed to enable this, then invest in one. It will be worth the investment when it comes to demonstrating – to clients, counterparties, auditors, regulators and even investors – how the culture of the firm is disseminated. It may even be worth it from the point of view of the bottom line if all players in a firm are pulling together on the same basis, using common principles and commonly-understood ways of doing business. So far as I know there is no independent documented research evidence on the impact of a good policy – and a good policy delivery mechanism – on the bottom line. But it wouldn’t surprise me that there is such a relationship waiting to be found, in the same way that it is now widely accepted that a management culture of accountability clearly benefits the bottom line as well as regulatory relationships.
How to get there?
And so to the hard bit: how to deliver this desirably robust framework which will make such a difference to our regulatory relationships and our bottom line?
This may be an old-fashioned view, but I think three things are key: centralisation, empowerment and investment.
Centralise policy ownership and delivery in a central team. Perhaps the COO or Enterprise Risk. Either way ensure the team is suitably empowered in terms of seniority, influence and reporting structure. It needn’t be a huge team but it needs to be a good one. Invest in both the content and the delivery. Bite the bullet. It is a long term investment but it will have unintended consequences. Good ones. Ensuring everyone is on the same page as to what the firm really stands for and how it does business, a kind of internal playbook of essential principles which help bring transparency to different roles and processes; tease out historic or hidden problems, inconsistencies and unclarities; and define the culture of the firm in the most direct fashion available.
As ever clarity is the key. With clearly-articulated policy in a clearly organised delivery framework you won’t go far wrong. And the benefits could go well beyond keeping the auditors and regulators happy.
We can advise you on all your policy framework needs: either the broad spectrum of policy-type documents described earlier in this blog, or the detailed execution of your “policies” in the narrow sense. We can enhance your existing framework. Or set up something from scratch. Either way we would be pleased to help.