Putting policies in place: Seven principles of policymaking practice (1/5)

NEW YORK (Thomson Reuters Regulatory Intelligence) - There are almost as many ways to approach developing, governing, maintaining, storing and communicating financial services policy libraries as there are institutions that have to manage the effort.


Whatever the approach — e.g., a central group, hub-and-spoke, centralised or distributed approvals, distributed maintenance, committees, working groups, individual responsibility, local storage, enterprise-wide GRC — there are a few principles to keep in mind.

In my nearly 25 years working with financial services policies (the last five building a system from the ground up for one of the global systemically important banks, or G-SIBs), I have focused on seven interrelated principles.

Whether you are building a policies and procedures library from scratch, overhauling an existing system, or looking to critique and tweak the processes and documents you have in place, it pays to keep these principles in mind. The seven “Cs” are: centrality/culture, competency, consistency, coordination, communication/closeness, completeness and currency/continuity. Together they can help you avoid the eighth: costly and counterproductive.


If policies and procedures are to be an effective part of the governance, they have to be part of the DNA of the firm, part of what we hear referred to as “the culture of compliance”, or the “risk management culture.” Culture has to come from the top; it has to radiate from the centre out. The first principle of successful policies management, therefore, is to keep the process of policymaking and maintenance from being marginalised. Policy work must be part of the “day job” of the people who do it. It is not work that can be done hanging off the side of the desk.

This means that managers, from the top down, but most importantly the direct managers of policy workers, must allow time for the policy work and give credit for it. Policy work, whether providing subject expertise, reviewing drafts, or writing and communicating the policies, must be part of the plans and goals of the people with policy responsibility.

While both the policies themselves and the policy-making process must be supported from the top, centrality does not mean that policies must be written by a single central group. It does mean that the policymaking and maintenance processes must be supported from the centre. Centrality does not mean having a centralised system; it means having a centrally-driven culture.


The principle of competency touches on clarity and content.

The job of a policy is to tell people what they may or may not do. A policy must be written in clear, simple language. It must be directive, unambiguous and actionable. It must be devoid of extraneous or distracting material, and it must be structured clearly and consistently with other policies, so that readers get used to where to find things.

It is fine to be clear, but clarity is counterproductive if the content is not correct. Therefore policymakers must make sure that the right people have contributed to and reviewed the document. This includes both the subject experts and the people who are subject to the document or who may have significant roles in its implementation.

Not all policies relate to regulation, but where a policy does reflect regulation, the role of the policy is to translate the regulation into specific activities which, if they are correctly followed by employees, will ensure compliance with that regulation. Competent policies focus on only those areas of regulation relevant to the firm’s business. In short, they are regulations in context.


Consistency operates on two levels: internal consistency and library consistency.

Internal consistency is about the structure of the documents themselves. It requires that the structure and the look and feel of each document follow a consistent and reliable pattern. This makes it much easier for readers to find what they need from a document.

It implies creating a template with the main elements laid out in a repeatable pattern. Exactly what that template looks like is a subject all to itself, but it is important to make sure that a reader can quickly find out whether the document applies to him/her and how to find the important material.

A consistent structure also has the advantage of making policies easier to write. A consistent and logical template will help subject matter experts, who may not be writers by trade, draft usable documents from the get-go.

Library consistency is about horizontal consistency across lines of business and vertical consistency between high-level enterprise- or region-wide policies and related policies written at the line-of-business level. Horizontal consistency asks whether policies across a firm handle similar subjects in similar ways. Vertical consistency asks whether line-of-business or jurisdictional policies correctly reflect the requirements of firm-wide documents.

The rule of thumb for vertical consistency is that lower-level policies may provide implementing details for the higher-level documents in a particular business context, or introduce additional requirements. The lower-level documents must not contradict the firm-wide versions unless required by local regulation, however. For instance, you may have an enterprise policy on surveillance or background checks that would have to allow carve-outs in jurisdictions where they could violate privacy regulations.

Library consistency cannot be achieved without coordination, which is the next principle.


Coordination is about two things: content and efficiency.

Library consistency, mentioned above, demands that authors of policies review policies that touch on similar matters, especially higher-level policies that may govern their topics. Authors should consult the authors of the related policies regarding questions, potential conflicts, forthcoming changes, etc. The principle of coordination also requires that there be a systematic connection between interdependent policies. Authors of local policies must be informed of substantive changes to broad-based policies, so those authors can make any conforming changes required at the local level. The policy database should facilitate finding documents on related topics.

Coordination, both horizontal and vertical, also avoids inefficiencies by avoiding the writing of multiple versions of the same material or writing documents that are going to have to change almost before they are completed.


A policy cannot influence behaviour if no one knows where it is, how to find it, or even that it exists at all. Those responsible for writing policy must, therefore, also be responsible for communicating it. An enterprise must have an enterprise-wide channel available for communicating enterprise-wide policies. Likewise, authors of regional or line-of-business level policies must have (and use) a means of communicating to their target audiences.

That is where the principle of closeness comes into play. Policies are best written and owned by people close to those to whom the policies apply. Consider: 1) Policies are more likely to be written in a language that speaks directly and clearly to (and will be best understood by) their intended audience if they are written by people close to, or part of, that audience. 2) The writer has skin in the game and a vested interest in making sure that his/her work is valued by his/her peers. 3) Policies written locally are easily supported by local managers and are, therefore, more likely to be effective. When your own manager looks you in the eye and says, “do this”, there is a good chance you will do it.


The principle of completeness speaks to whether the library of policies has any gaps, topics or rules that are missing from the library, and it presents two formidable challenges. First, proving completeness is proving a negative, and that is nearly impossible. Secondly, it is chasing a moving target: the library could be complete today, and have new gaps tomorrow.

Those challenges do not mean that the effort toward completeness is wasted effort, but as you set completeness goals, you will have to get comfortable with the notion that complete completeness is not going to happen. Then focus on obtainable and fruitful objectives. Start by checking whether all the activities of your lines of business are covered by policy. Make it someone’s job in each policy area to keep watch for new requirements: regulations, business activities, products, etc. Then, enlist the help of others in the organisation, e.g., legal, compliance, risk, regulatory relations, business managers/supervisors.

Consider, also, using or at least monitoring an outside source. Thomson Reuters and others provide services that monitor regulator developments and feeds that can be configured to your businesses. Use these services to look for significant gaps you may be overlooking.

Finally, take a risk-based approach; consider whether your main risks are addressed by policy.

Keep in mind that completeness is a macro consideration, separate from the quality of existing documents. Individual policies or groups of policies can be written efficiently and competently, and communicated effectively irrespective of whether the entire library is complete.


Getting it all right is different from keeping it all right. In fact, there is a good argument that keeping it right is more difficult. Compelled by a concerned senior management, or by the right regulatory or audit finding, it is possible to mount a major effort to get policies and procedures in shape. There is, however, a danger that, when finished, everyone involved takes a victory lap and goes back to his/her “day job”, never to think about policies again.

As the president of a G-SIB (with whom I worked) who sponsored such an effort said in the closing meeting of a two-year policy remediation project, “Don’t let this be a rubber band.” In other words, s/he didn’t want to look at the status of policies in two or three years to find that the policies had snapped back to the poor condition they were in when the project began. Three years later, our business-as-usual (BAU) processes still had us at 98+ percent on-time maintenance.

Here are some things to consider as you move from project to BAU. You may recognise many of them as calling on the previous six principles:

1) Continuous commitment from management (reflected in the culture of risk and compliance). Seek a commitment from the top of the organisation that maintenance of policies is a requirement, and from managers down the line of command as well. Unless people responsible are given credit by their managers for the time they spend on policy maintenance, the rubber band will snap.

2) Establish a central function. That central function does not have to be directly responsible for all the policies, but it has to keep watch, and keep the process organised and transparent.

3) Assign a single individual to be responsible for each policy, for making sure it is maintained with the help of the right subject experts and that it is approved properly.

4) Establish and use a system that can:

-Track policy maintenance and provide basic metrics.

-Help the central function report policy status to both senior management and to the managers of the people responsible for the individual policies.

-Keep track of the individuals assigned to each policy; fill vacancies as people change responsibilities or leave the company.

5) Identify and track the interrelationships among policies and establish a mechanism for communicating required changes among the owners of those policies.

6) Assign responsibility for filling gaps and responding to regulatory or business process change. It is not enough to know something has to be done; someone has to be responsible for doing it, and someone else has to track progress.


Whether you are working on an individual policy, tweaking policy process within a business unit, or establishing a global policy practice, keep an eye to these principles, and your results are more likely to fulfil your goals.

-Tony (Anthony) Stein

(Mr. Stein has been a leader in policy development, management and governance for more than two decades, establishing and leading the policies efforts first at Goldman Sachs, where he introduced the notion of enterprise-wide policies and helped establish and manage the regulatory change effort, and then BNY Mellon, where he built the function literally from the ground up. He is currently an independent consultant in the program management and policies space. The views expressed are his own.)