by Guest Writer, Glenna Smith of Smith Consulting
Have you recently analysed your internal policies and procedures to make sure they are not only compliant with regulations but also effective?
We all know that if you don’t include enough controls you land in hot water with the regulator. However, too many, and you risk being in breach of your own requirements. Think of your policy manual like traffic lights. Too many controls and the flow of traffic grinds to a halt. Too few, and eventually someone gets hurt.
The average regulated business now has a complex web of legislation and regulatory guidelines to which it must adhere. If you are a financial services company operating in multiple jurisdictions, the complexity increases. In addition, regulators are issuing mind-numbing penalties for cases of non-compliance worldwide.
The knee-jerk reaction to the complexity and the risk of penalties is to add more controls in your policies. But for many regulated businesses experiencing over a decade of increased legislation, this has created a pile-on effect within their policies and procedures, weighing down the compliance function and reducing the effectiveness of their controls.
With recent legislation being imposed on many, now is the time for compliance managers to step back, look at all of the legislation, and ensure their policies are effective. Without a review, compliance becomes more difficult to manage, costs increase, and, in worst-case scenarios, the business’s ability to grow is paralyzed.
Where to start with a policy and procedures review?
- List all products and services your business provides and note the risks for each.
- List all regulatory requirements in each location you do business.
- Map your internal controls to each piece of legislation.
- Determine if you have any gaps or overlap in controls for compliance.
- Determine if you have any controls in place that are unnecessary or overly burdensome.
- Revise your policies and procedures to reflect your review.
Finally, implement a system for compliance managers to monitor risks. The compliance manager should be more like the traffic helicopter, able to monitor conditions from a bird’s-eye perspective, looking for the dangerous motorist. They should not be the traffic cop stopping every other car from moving forward for a minor infraction. Often monitoring can be done through system automation or, if that is unavailable, periodic reporting from the various business areas.
Going forward, compliance managers should always participate in meetings in which new business products and services are being developed. Further, when even more regulation and compliance obligations impact the business, before simply adding to their policies and procedures, the compliance manager should ensure any new controls are effective and not overly burdensome to the business.