NEW YORK (Thomson Reuters Regulatory Intelligence) - No matter what the policies are, and no matter who in your organisation writes them, they have to get approved. That approval process is vital to their validity and enforcement. Without a strong approval process, your policies are open to challenge. I have had senior managers ask me, with no small edge, “Who the h*ll approved that!?” The ability to answer that question is essential for a policy manager’s survival.
While approval processes can differ in different situations, there are a few principles that adhere, regardless of the specifics.
1) The approval process must be authorised at the highest levels of the firm. And that authorisation must be documented.
2) Approvals should take place at the level at which the policy is written.
3) The right input prior to and during the approval process is critical, not only to the approval process itself, but also to implementation.
4) All approvals must be documented.
5) Policy approval must be a process, not an impediment.
6) An alternative or exception process must be available.
1. Establishing the authority for the approval process
Whoever is going to approve documents, and whatever the details of the process, the authority for the process must come from the highest level of the firm. Without that authority, policies can be difficult to enforce, and may be subject to the “not in my lifetime” reaction from some employees.
Think of it this way: the authority for a policy must come from a higher level than anyone who might challenge it. If the approval process is authorised by the board, executive committee, or similar august body or person, no employee is in a position to ignore a policy approved in accordance with that process.
The process and the approval of that process at the top of the house must be documented in a policy on policies or similar document. Anyone working on policy should be able to reference that document to know what s/he has to do before s/he can release the policy as part of the official rules of the firm. Anyone objecting to a policy can be referred that documentation, as well.
2. Approvals at the right level
Policies are written at many levels. Some apply to the entire enterprise, some to single business units, and, of course, there can be levels in between. Approvals should take place at a level appropriate to the applicability of the policy. A policy that affects the entire firm must be approved at a high level of seniority by an individual or body with a combination of firm-wide view and an appropriate understanding of the subject matter.
Policies with narrower scope need be approved at the level of the governance of the group or groups those policies affect: e.g., a policy for a single unit might be approved by the manager of that unit; policies applicable to a corporate region must be approved by individuals or bodies with authority over that region. The key here is that each level must be described clearly and the approval requirements specifically prescribed and documented.
Also, consider the qualifications of the individuals or groups called upon to approve. This is a risk-based consideration but depending on the exposure that the policy is trying to address, different expertise might be required in the approval process. Policies against regulation might require compliance or legal department approval; policies designed to help protect against operational risk might require the risk department’s blessing; technology policies by technology, etc. So the process must require that the approvers fit the content of the policy.
3. Ensure the right input: the importance of review
There is a distinction between “review” and “approval”; both are needed, but the roles are different, and they require different procedures. In simplest terms, approvers provide the thumbs up or down. Approvers have veto power, reviewers do not. Reviewers frequently negotiate content and language. Approvers typically do not.
Reviews take place prior to approvals. They are actually part of the policy development process, but they are discussed here because approvals do not (or should not) happen without thorough review. Consider:
- All groups affected by a policy – whether the policy applies directly to the group, the group has some role in its implementation, or it is monitoring against the policy – are stakeholders and must be included as reviewers.
- A thorough review can raise a wide set of issues. Reviewers are invited to raise questions about implementation, surface elements that the drafters may have overlooked, flag potential unintended consequences, comment on unclear language, suggest other reviewers whom you may not have thought to include, and may raise regulatory issues in specific jurisdictions – all things you want bring to light and addressed before approval. The point of the review is to avoid post-publishing comments like, “You forgot to consider …” or “If we do that we’ll be in violation of local regulations!”
- Make sure to cover all basis, all areas of expertise, and reach all corners of your organisation. Do not assume that a U.S. working group has reached out to Hong Kong.
- Review means review the document. It’s not enough to have a concept meeting with representatives of a group, describe the policy you are working on, watch a few heads nod up and down, and then drop the policy on them four months later.
Another benefit of the review is that it broadens the sense of ownership, which benefits implementation, especially in the first line of defence. Finally, a solid, documented review makes it much easier for your approvers to approve. They will be able to take comfort from the key stakeholders who have opined on the document.
Assuming you have done everything right up to the approval step, approval should be relatively easy. A few things to keep in mind:
- The document must be in excellent shape when it goes into approval. Final approval, especially for broad-based policies, should not, as a rule, entail a lot of questioning of assumptions or rewriting. That should be handled during review.
- The approval of a policy should not come as a surprise to the approvers. They should be aware that the policy is in development. Provide highlights of the main points along the way. The more they know in advance about what they are being asked to approve, the better. This includes making sure they are aware of all the reviewer input you have already received.
- Leave sufficient time. The more senior the reviewers, the more time you should leave. It can be helpful to let them know beforehand when the request will hit their desks and when you expect their reply.
- If a committee is the approver, check the frequency of the meetings, and work with the committee secretary to arrange for agenda time well in advance. (If committee meetings are infrequent, leverage that to get reviewers to provide their reviews quickly, as well. Try an email to reviewers along the lines of: “If we miss the [date] committee meeting, it will be Y-3K before the policy is approved”.
4. Document the approval
Approval of policies must be documented in writing (or within a workflow system if you are using one) and the documentation must be stored in a safe and retrievable space. You can be sure that when audit time rolls around, approval documentation is going to be one of audit’s first requests. If approval is by a committee, get a copy of the minutes or a confirming note from the chair or secretary of the committee.
5. Make approvals a process, not an impediment
Approval without careful consideration and authority is worthless. At the same time, the approval process itself should be simple. It can’t be a multi-step maze or an administrative nightmare. It should basically be a single step — approval by the individual(s) or governing body. If it will take a series of individuals, be prepared to handle the hand-offs from one to the next; if a governing body, let that body determined its internal process. All you want is the official, documented result.
If the process is handled by an automated workflow, that workflow must be simple and straightforward with a zero-training interface. If it’s not completely clear to a senior manager what s/he is supposed to do, the result will likely be mistakes and delays. Best practice is to have an alternative to the automated workflow available.
Finally, some suggestions about approval by boards of directors.
- Boards tend to meet infrequently, and it can be difficult if not impossible to keep them apprised of progress beforehand. They also may be divorced from day-to-day operations, and their agendas may be crowded with strategic issues. So avoid board approvals if you can.
- If board approval is required (as it may be by regulation) consider asking whether the board can delegate policy approvals to a sub-committee that can be convened more frequently and with whom you can develop a working relationship.
- Prepare a sharp, clean presentation to a board. Think two slides, perhaps a maximum of 10 bullet points for each. Focus on why the policy is needed, the main action points of the policy, and who, by position, has drafted and reviewed it. Details should be provided in an appendix.
6. Create an escape/exception route for your top-level policies
There are times when audit or regulatory deadlines make it impossible for the regular course approval process to be completed in time. Therefore, the approval process should have an escape clause, a way to get approval on an exception basis in exceptional circumstances. When establishing the exception process, consider:
- Final approval should be at the level of a member of the firm’s executive committee or similar body.
- The approver should consult with senior managers with appropriate expertise, and that consultation should be recorded as part of the record of the approval.
- Upon approval, the individual(s) or the body responsible for approval under the regular course must be informed of the policy’s approval.
Keep in mind that, while there should always be a balance between efficiency and thoroughness, the point of the exception is to allow for speedy approval under what should be rare and clearly defined circumstances. You do not want the exception to become the rule. And make sure that the exception process isn’t complicated enough to defeat its purpose.
Tony (Anthony) Stein LinkedIn profile(here).
(Mr. Stein has been a leader in policy development, management and governance for more than two decades, establishing and leading the policies efforts first at Goldman Sachs, where he introduced the notion of enterprise-wide policies and helped establish and manage the regulatory change effort, and then BNY Mellon, where he built the function literally from the ground up. He is currently an independent consultant in the program management and policies space. The views expressed are his own.)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Aug. 9. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters