David Cowland
previously Head of Compliance Operations, Fidelity International
February 16, 2021

Part 3: The policy journey only works if you consider it end to end

Part 3

First up, controls.

Policy should help define the controls in your business. These controls allow you to undertake self assessments on a regular basis. Failure of controls, especially bad ones, can lead to regulator intervention. At best it leads to a flurry of internal activity to put things right. Often, but not always, it is a failure of a control or the lack of one.

Connecting your policy management system to your controls (risk management) system should allow you to have new controls flagged for implementation more speedily. Again, it takes the reliance out of the hands of individuals who need to remember to connect the dots when they are often very busy with day to day processing.

Secondly, surfacing the data contained in policies to staff. I am going to say that no-one looks at a policy document when it is sent out. Given that the standard for video communications to staff is approximately 1.5-2 min before you lose them, I'm going to go out on a limb and say most are not going to read a 20+ page document on policy (they can be dry subjects), unless it is part of your annual mandatory training requirement.

Evolving from folders to chatbots

I remember the day when policy documents came round the office in a folder and you had to initial that you had read them. If you were truly unlucky, there would be 3 or 4 of them in one folder and there went an entire afternoon.

Fortunately, the tech world has again found a solution - virtual assistants or chatbots. Even the most basic entry level chatbot can achieve a 90% success rate on answering questions to basic policy documents and that is before you get sophisticated and start tying them directly into underlying systems or applying artificial intelligence into the process.

These 'assistants' can sit on desktops becoming easily available to staff for when they need answers. They can pull up sections of the policy based on the questions or even provide direct links into the policy, should you suddenly find you need to read the whole thing.

Chatbots have a much wider use but they can help pull strands of information together of which policy is fundamental.

In part 1 of this series, I said that policy management is often the forgotten little gem in the RegTech space and maybe it still is, but don't forget about it. Often you will find that policy management has a thread throughout your organisation and any delays or inaction as a result of internal or external changes, may result in serious adverse consequences. Internal policy sets out the standards and expected behaviours of staff. Unless these documents are maintained and accurately reflect the expectations of all stakeholders then the business is at risk of failure.

A systemised approach to policy management

Without a systemised approach to policy management the administrative burden on compliance, risk and controls teams is too vast for most organisations to manage using only Word, email and SharePoint sites. The business can become frustrated and bogged down as they are continually asked to review and provide input to proposed policy and procedural changes. Their efforts to simplify and streamline their own processes are interrupted by the slow and clumsy methods of managing and documenting changes that are still deployed by compliance departments today.

The user journey only works if you consider it end to end. Horizon scanning or risk management systems might be the burning issue that you have to resolve today, however you need to keep a good eye on the overall strategy and that end-to-end process.

The time is now for this often forgotten process to have its day and to be prioritised as we all now realise that internal policy underlies core decision making and actions taken throughout an organisation.

Policy not only 'sets the tone', it impacts the decisions and actions taken that affect critical processes throughout the organisation, from revenue generating activities to setting laptop password standards.

Without a policy there's no guidance for marketing and promotions. Without foundations for a home, there is nowhere to place the TV!